The Hotman Group and CyberOne Security have more than 50 years combined experience delivering risk and compliance management and SOC 2 Certification to companies of all sizes. Trust your SOC 2 readiness to certified CPAs who understand the complex control implementation and infrastructure needed to satisfy audit requirements. Maintain your control implementation, any corrective actions and automate your year-round evidence collection process on CyberOne’s modern SaaS GRC automation platform. We provide continuous, comprehensive compliance at a fraction of the cost of traditional consulting services and limited, niche compliance solutions.
CyberOne is delighted to feature today’s article from Cheri Hotman, Owner Principal of the Hotman Group.
As the federal government rolls out CMMC (the Cybersecurity Maturity Model Certification), corporations are both facing increased scrutiny and demanding higher levels of security, risk, and compliance. In today’s marketplace, doing business is an issue of security. You need it and you need to demonstrate it. SOC 2 certification applies to any company that manages data in the cloud, which is, pretty much all of us these days. It can also serve as a basis for governing regulated data (PHI or P)) and is also a highly useful means of validating cybersecurity practices to the board and all current and future clients. As such, it is quickly becoming the first question in a risk assessment (do you have a SOC 2 report?), and subsequently, it is a revenue driver and a means of expediting security review in the sales pipeline, as well as a comprehensive framework and foundation to security.
In this article, Cheri addresses the broadly publicized SolarWinds hack, its impact on the cybersecurity community and resulting measures taken by corporations to manage risk across the enterprise and in the supply chain.
The SolarWinds Breach
We’ve all heard about the recent SolarWinds breach, and for good reason. The massive software development company was hacked in 2019, leaving their clients vulnerable to attack. The company unknowingly sent out a software update this March with hidden malware embedded in it. Of their 33,000 clients, an estimated 18,000 downloaded and contracted the spyware making extremely valuable, highly sensitive information available to the hackers (Canales and Jibilian).
The initial chaos has subsided, and the resounding question now is “how?” Surely a high-level company such as the one offering services to Fortune 500 companies and the U.S. Government would detect a breach in their system- right? Unfortunately, the answer isn’t quite so simple. Cybersecurity is a complex, multidimensional practice meant to protect against digital attacks. There are countless parts to it, but as a result of this breach, the importance of one particular part has been brought to light- SOC 2.
What Exactly is SOC 2?
SOC 2 is an intense cybersecurity, risk, and technical controls audit that must be performed by a CPA. It’s used to produce a report that provides either a green light or a bold, flashing red light in regard to the controls a company has set in place to protect the product/ service (and data) they offer. Companies use them to ensure their systems are secure and functioning properly, and potential clients use them to vet their vendors. Companies that have a CPA produce these reports make their company stand out by simplifying the process of deciding on a vendor, and make it cost-effective and confidence-building for potential clients.
There are two types of SOC 2 audits: Type 1, which determines whether a company’s cybersecurity and technical controls are designed appropriately as of a specific point of time (think: April 3, 2021- it could have been compromised the day before and could become compromised the day after, but this type of audit only attests to the date of the report). Next is Type 2, which measures a business’ control design and operation over a period of time (typically over the course of 12 months). Most companies and clients seek out Type 2 reports due to the detail and assurance made available. Here, more is more– companies and clients alike want little-to-no room for error in knowing the controls in place are reducing risk as they’re supposed to.
How to be Successful with SOC 2:
The SolarWinds breach has accounted for numerous companies seeking out their first SOC 2 report, which can be an overwhelming process. Fortunately, it doesn’t have to be daunting! SOC 2 is attainable for every company. First to know is that your commitment to managing your systems and risk will make or break the success of your SOC 2 audits, meaning it’s essential to have an ongoing program built into your company to effectively design and continuously monitor controls. The goal here is to be ready for an audit before the audit. Doing so leaves less room for failure, and results in less stress and scrambling to get things in place last-minute. There are several GRC tool options built to help you do this successfully! Use one to simply and continuously monitor your controls, communicate metrics, and produce evidence for it via documentation. As a part of these programs, you need to have corrective action processes for when you catch failures, because they will happen, and that’s okay- so long as you have a plan! Lastly, it is best to hire someone to help you design and run your control environment. Because it is an ongoing and complex process, this will save you time, hassle and error. Focus on what you excel at while allowing a SOC 2 expert to focus on what they do best- minimizing waste, guessing, and failures.
Words of Wisdom:
Although this is a completely attainable solution, there are a few things you’ll want to avoid when implementing your new SOC 2 program:
- Do not try to do this with Excel, Word, or email. It will result in a blow-up-in-your-face disaster. Go ahead and invest in a platform built for handling compliance, risk and controls. You’ll thank me later!
- Because a SOC 2 program is an ongoing one, it often seems ideal to hire someone in-house to build out and manage your program. However, this also means managing them to make sure they are doing their job correctly. Ultimately, it’s both time-consuming and expensive, so if this route doesn’t seem feasible…
- Work with a company or person that can get you set up and keep you running like a well-oiled engine. Many businesses offer implementation and management for a lower overall cost than an in-house resource.
- Although using a third party is a great option, use caution when choosing who to work with. Make sure they have the proper certifications for both SOC 2 AND security, as well as deep cybersecurity and risk practitioner expertise.
- If this sounds like a foreign language to you, you’re just overwhelmed, or you don’t know if you’re ready to begin this process, hire someone to perform a gap assessment to figure out where you are today, and what your needs are, to put you on the path to success.
About the Author:
Cheri Hotman is an enthusiastic, passionate professional. Her drive to succeed began when she graduated with an MBA from the University of Texas at Dallas, and has only grown since then. With a track record that includes a career predominately in banking, financial services, and consulting followed by a position as Vice President in the Tech/IT space, you’d think her tenacity to have faltered- and you’d be wrong. She is a CPA, now holds her CISSP (cybersecurity certification), and has launched her own cybersecurity, risk, and compliance practitioner company. If you need a cybersecurity expert, or even just some inspiration, connect with her through www.hotmangroup.com, or via LinkedIn at www.linkedin.com/in/cherihotman.