Product Habits - Why everyone should use SOC 2 software

When I first realized that we were building a security company with our pivot to Nira, it hit me like a ton of bricks.

We had to have a strong security mindset instilled within our entire organization in order to sell our software to companies of all sizes.

At first, I kept this to myself and looked into what we’d have to do to create this mindset. I spoke with friends who were selling SaaS products to companies and also talked to a few buyers at companies.

I quickly learned that IT departments were starting to use SOC 2 certifications as a requirement for software vendors that they use.

With Nira, we weren’t only selling software to companies, we were selling directly to IT teams who were very security conscious. They were our core buyers and we had to make sure that they trusted our internal security practices.

It was even more important for us to get SOC 2 compliant.

At the time, neither my co-founder Marie nor I had any experience with going through a SOC 2 audit. All we had heard was how painful it was to get certified.

In spite of all that, we wanted to get our SOC 2 certification completed as quickly as possible. 

I still remember Marie complaining after she tried doing research about how to get our SOC 2. She was just trying to find a simple list of things we’d have to do, and she couldn’t find anything helpful.

In talking to other founders, I had heard about software that we could use to help us get our SOC 2. Marie and I discussed it and decided to explore using compliance software. 

And I’m really glad that we did. 

But our decision wasn’t without road bumps. Marie is a bit of a skeptic and loves to attack problems by asking questions. Naturally, she had a lot of questions about spending so much money on software as a startup.
  • Do we really need this?
  • It’s expensive, are we sure we can’t just do this on our own?
  • Do the SOC 2 software vendors know what they are doing?
  • Are they SOC 2 Type 2 certified themselves?
  • What specific benefits do we get using software?
  • What’s the timeline of our SOC 2 with and without software?
  • What are the costs vs. benefits?
She grilled the salesperson until she was satisfied (he was probably dizzy) and we got our heads around the benefits of using the tool.

The sales call gave us conviction that we could follow a really clear process with the help of the software. The process was far clearer for us than just mucking our way through it on our own without knowing anything.

We’d get set up in the software by entering in/attaching information about our business and processes.

Then, the software would start running automated checks for us to make sure we're compliant: checks like whether employees have 2FA turned on for certain applications, and whether our change control process is actually being followed in GitHub.

We’d even get help finding an auditor. Then we’d add more information to the tool for the auditor to review and complete tasks like having our team do their annual security training.

And then we’d be able to get our SOC 2 certification a few months later.

Having the clarity of exactly what steps we’d need to take was such a relief. And it made our decision to buy a tool that much easier.

In total, using software for our SOC 2 Type 2 certification took us 5 months to complete the first time around. It would have taken us closer to 12+ months if we had done things ourselves.

We did have one advantage, though. We had someone on the team in DevOps who had gone through an ISO audit in a prior role. He ended up devoting about 25% of his time to compliance. That person now runs the entire SOC 2 and ISO process (amongst other things) for the company and makes sure we’re compliant.

Here’s what he had to say when Marie asked him about using a compliance tool for our SOC 2 and ISO:

“There’s so much that you need to be storing mentally without the software. SOC 2 has so many moving parts, and so many balls that have to be up in the air at the same time. Software can help offload the work and free up mental space. You can let the tool do the worrying for you.”

These are the benefits of using a compliance tool versus doing it ourselves.

Time savings

In our experience, using a tool cuts out roughly 75% of the work required to get your annual SOC 2 certification.

If our team decided to stop using a compliance tool, we’d have to hire someone who was completely devoted to our SOC 2 and ISO in order to get our certifications done each year.

Instead, all of our information and monitoring happens in one place.

Automation of tasks

Instead of doing things manually, with endless checklists, spreadsheets and processes, compliance tools help automate loads of tasks.

For example, the software monitors whether team members have 2FA turned on, whether they have antivirus software on their computers, whether they've accepted policies each year, completed onboarding, and done their annual security training. It also makes sure we have firewalls turned on and encryption enabled on our resources, and it helps with offboarding too.

If we didn’t use software for this, we’d need to have someone on the team invent a way to automate these tasks, or do a multitude of checks every month or week.
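To make concrete what "automating these tasks" means, here is what a home-grown version of two of the checks above looks like. This is an added example, not code from the newsletter or from any compliance vendor: it evaluates GitHub API responses against two control expectations (every org member has 2FA enabled, and each production repo's default branch enforces change control through required reviews, required status checks, no force pushes and no admin bypass). The org name, repo names, member logins and the responses themselves are constructed samples shaped like the real endpoints (GET /orgs/{org}, GET /orgs/{org}/members?filter=2fa_disabled and GET /repos/{owner}/{repo}/branches/{branch}/protection), so the script runs offline; a real run would fetch them from the GitHub REST API, where the 2FA filter is only available to org owners.

```python
"""Home-grown compliance checks of the kind a SOC 2 tool automates.

Added example, not the newsletter's or any vendor's code. The API responses
below are constructed samples; the org, repos and logins are hypothetical.
"""
import json
from dataclasses import dataclass

# Constructed sample: the org object and the members-without-2FA list.
ORG = json.loads('{"login": "example-org", "two_factor_requirement_enabled": false}')
MEMBERS_WITHOUT_2FA = json.loads('[{"login": "contractor-42"}, {"login": "old-build-bot"}]')

# Constructed sample: branch protection for three repos. None stands for the
# 404 "Branch not protected" the API returns when no rule exists at all.
BRANCH_PROTECTION = {
    "example-org/api": json.loads("""{
        "required_pull_request_reviews": {"required_approving_review_count": 1,
                                          "dismiss_stale_reviews": true},
        "required_status_checks": {"strict": true, "contexts": ["ci/test"]},
        "enforce_admins": {"enabled": true},
        "allow_force_pushes": {"enabled": false}}"""),
    "example-org/web": json.loads("""{
        "required_pull_request_reviews": {"required_approving_review_count": 0},
        "enforce_admins": {"enabled": false},
        "allow_force_pushes": {"enabled": true}}"""),
    "example-org/infra": None,
}


@dataclass(frozen=True)
class Finding:
    control: str   # which control expectation failed
    resource: str  # org, member or repo the finding is about
    detail: str


def check_mfa(org, members_without_2fa):
    """Org-level 2FA requirement plus per-member exceptions."""
    findings = []
    if not org.get("two_factor_requirement_enabled"):
        findings.append(Finding("mfa", org["login"], "org does not require 2FA"))
    for member in members_without_2fa:
        findings.append(Finding("mfa", member["login"], "member has 2FA disabled"))
    return findings


def check_change_control(repo, protection):
    """Branch protection must enforce review, CI and no history rewriting."""
    if protection is None:
        return [Finding("change-control", repo, "default branch has no protection rule")]
    findings = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append(Finding("change-control", repo, "no approving review required"))
    checks = protection.get("required_status_checks") or {}
    if not (checks.get("contexts") or checks.get("checks")):
        findings.append(Finding("change-control", repo, "no required status checks"))
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append(Finding("change-control", repo, "force pushes allowed"))
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append(Finding("change-control", repo, "admins can bypass protection"))
    return findings


def run_checks(org=ORG, members_without_2fa=MEMBERS_WITHOUT_2FA,
               branch_protection=BRANCH_PROTECTION):
    """Run every check and return the flat list of findings."""
    findings = check_mfa(org, members_without_2fa)
    for repo, protection in branch_protection.items():
        findings.extend(check_change_control(repo, protection))
    return findings


def summarize(findings):
    """Count findings per control; an empty dict means everything passed."""
    counts = {}
    for finding in findings:
        counts[finding.control] = counts.get(finding.control, 0) + 1
    return counts


if __name__ == "__main__":
    results = run_checks()
    for f in results:
        print(f"[{f.control}] {f.resource}: {f.detail}")
    print(summarize(results))
```

Run on the samples, the org fails the MFA control three times (the org-wide requirement is off and two members lack 2FA) and change control fails five times (the web repo on all four points, the infra repo because no rule exists at all). The point of the design is that each finding names the resource and the specific gap, which is exactly what an auditor asks for as evidence and what a tool shows you on a dashboard; the check is cheap to write once, and the expensive part is running it every week and remembering to act on the output.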

Off the shelf processes

Instead of creating a process from scratch, we had everything ready for us. 

The software told us exactly what information to upload and enter for the auditors to review. This was a great shortcut. We didn’t have to wait for our auditor to ask for things, and we didn’t need to worry about how we’d provide the information to them or where it would go.

And thanks to the tool, we had policy templates to start with and modify, like Code of Conduct, Asset Management, and Responsible Disclosure. Had we created those from scratch, it would have taken us weeks of additional work, and we could have missed processes that we should have implemented to make ourselves more secure.

Repeatability

Thanks to the software, our second SOC 2 audit and future audits will be so much easier. 

We’ve already got everything set up and ready to go. The automations are all connected, the monitoring is happening, policies are completed, and the auditors know where to look for our information. It should be a breeze to get the auditors the evidence they need from now on.

It’s less stress and fewer daily tasks to manage.

One of the most time-consuming parts of our SOC 2 is something software doesn’t help us with, though. It’s figuring out where it all fits in the existing business. 

Being able to map the way a business works when it’s dynamically changing like a startup is really difficult. But at least we have software to help make our compliance efforts easier and more seamless.

In future emails, I’ll dive into more details about how we transitioned to a security conscious company.

If you’ve got any questions or thoughts, please reply and let me know!

Take care,

Hiten

P.S. To get up to speed on SOC 2 compliance, we made a quick beginner’s guide, it’s right here.

Copyright © 2021 Up Advisors, LLC., All rights reserved.
