CSO Online, which knows plenty about what goes into ensuring security, makes a strong case for hiring a virtual Chief Information Security Officer (vCISO). It notes that full-time CISOs “can be hard to come by, often stay in their job for two years or less, and critically, especially for smaller businesses, can command six-figure salaries.”
In contrast, CSO Online explains: “vCISOs are estimated to cost between 30 percent and 40 percent of a full-time CISO and are available on-demand. The benefits go well beyond cost. Virtual CISOs usually require no training, can hit the ground running, and don’t feel obliged to play nice with office politics. In this model, it’s purely about results.”
The case for hiring a vCISO is even stronger when it comes to the specialized domain of achieving—and retaining—SOC 2 compliance. The emphasis on retaining is important because SOC 2 compliance needs to be an ongoing effort. From the simplest standpoint, the effort needs to be ongoing because the audited approval an organization gains from a SOC 2 report is only valid for 12 months. More importantly, the efforts that go into achieving SOC 2 compliance are the same ones that keep your organization safe and secure at a time of ever-increasing cybercrime intrusions.
SOC 2 Is a Must-Have
System and Organization Controls (SOC) refers to the suite of criteria for safeguarding data defined by the American Institute of Certified Public Accountants (AICPA). SOC 1 covers internal control over financial reporting, while SOC 2 covers the trust services criteria. SOC 2 defines the frameworks, processes, and practices required to keep IT systems and data secure. It applies not only to your own systems, but to cloud-based resources, vendors, and other integration points that touch your systems.
SOC 2 is often a must-have for doing business with other entities, especially larger enterprises. The ability to provide current SOC 2 compliance is often part of the vetting process that one business requires of another, and it can then become an ongoing contractual commitment. This means you need to have SOC 2 compliance already in hand, because the time it takes to move from non-compliant to compliant can be measured in months—a potentially fatal delay for a deal that comes to a halt because you cannot show SOC 2 compliance.
SOC 2 Isn’t DIY Friendly
SOC 2 compliance isn’t something to throw over the cubicle wall for a volunteer to handle. It isn’t do-it-yourself friendly. SOC 2 compliance is a long, involved, three-part process: 1) putting in place the architecture, policies, practices, and tools required to meet the SOC 2 criteria; 2) passing a SOC 2 audit, administered by a SOC 2-qualified CPA; 3) retaining ongoing compliance, to be validated by annual SOC 2 audits.
Mistakes and oversights during the first phase (creating the IT framework, policies, and practices required by SOC 2) can mean failing the audit, looping you back to phase one to begin anew. Put another way, if your car needed its transmission rebuilt, you could take on the task yourself through diligent study—and perhaps offer to try out your new knowledge on your neighbor’s car before attempting to rebuild your own. But the question is whether the time and effort invested would be worth it, whether the rebuild would actually work as well as if a professional had done it, and . . . well, you get the idea. And if you are that rare individual who might actually know how to rebuild an automatic transmission, then just shift the analogy to brain surgery, or perhaps performing a root canal—again, practicing first on a neighbor, but not on the customer requesting proof of your SOC 2 compliance.
So the take-home message is: concentrate on your organization’s core competency, and bring in a professional—in the person of a vCISO—to do what they already know and are well-practiced at.
Elements of SOC 2 Compliance
A vCISO can help assess your current infrastructure, policies, and practices to identify what is already working, and what needs to be addressed—and specifically how to address it. The AICPA provides Trust Services Criteria (TSC) for use in SOC 2 engagements. The basic TSC requirements include:
- Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability. Information and systems are available for operation and use to meet the entity’s objectives.
- Processing Integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
- Privacy. Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
The four categories other than Security also have an additional series of criteria, which can optionally be included in an audit.
The criteria above are just one potential element of an audit.
Given enough time and instruction, an organization could learn to do this and more in-house, but from a pragmatic standpoint, the entire process will be faster, smoother, and more successful if you have a battle-tested resource, such as a vCISO with deep SOC 2 audit experience. Life is short, and audits can be long.
The Good News
The good news is that the efforts that go into becoming—and remaining—SOC 2 compliant are the same efforts that go into better securing your IT environment. There’s a reason SOC 2 was created: the ever-greater need to protect data in an ever more complex network of IT environments—from backend servers, to cloud-based resources, to third-party software-as-a-service providers, as well as partner and vendor IT integrations.
Working with a vCISO with deep SOC 2 experience helps protect your organization from cyberattacks, which in turn helps protect against the enormous reputational loss from a breach exposing customer data, the incalculable cost of lost intellectual property, the disruption of ransomware attacks, and a world of other threats. And along the way, you will be proactively open for business with whatever organization may request attestation of your SOC 2 compliance.