In this blog post, our Co-founder and Head of Operations, Michelle Tyler, discusses our pursuit of SOC 2 and how your organization can get started on the same path.
As a Co-founder and the Head of Operations at New Era ADR, my daily task list is always brimming with a wide range of business, procedural, and compliance-related to-dos. Over the past year this has included the planning and implementation of our information privacy initiatives. So much of my job happens in the background. I often joke that this work isn’t for people who crave the spotlight. An essential prerequisite to success for any operations or compliance professional is a penchant for the satisfaction and pride that can only be found in the hard but important behind-the-scenes work that supports an organization’s overall growth and development. But once in a while, upon the completion of a meaningful milestone or the achievement of a significant undertaking, those of us in the proverbial machine room get to come out from behind the curtain to take a bow.
After a busy year of planning and implementation, I’m delighted to share a significant investment we’ve made to enhance data privacy protection efforts here at New Era ADR. Our team recently completed certification for SOC 2 Type 1 compliance for the New Era ADR Platform.
SOC 2 Type 1 compliance is a review of the design of an organization’s internal controls at a point in time (a Type 2 report, by contrast, also tests that those controls operated effectively over a review period). It’s one of the highest and most stringent levels of independent third-party validation of a company’s enterprise security.
New Era is still a small company, but we are a group of seasoned tech operators. We chose to build this program and make this investment early, not only to demonstrate how seriously we take our commitments to our clients, but also to instill and foster a culture of security and compliance as we grow steadily while continuing to innovate at full tilt.
You might be wondering how a small, young company achieved this high standard of compliance typically reserved for larger, more established companies. It can really be summed up in one word.
Commitment from everyone at all levels. Scaling this mountain took serious coordination and the help of every person here. That said, this level of commitment is attainable by any small enterprise that aspires to follow our path. As I reflect on the past year and humbly thank the members of our spectacular team for all of the hard work that went into getting us to this point, I’d also like to encourage others in our space who are considering the SOC 2 journey to push past any hesitation and take the plunge. I understand the doubts that arise when one is faced with all of the work SOC 2 invariably involves. Nonetheless, upon closer inspection, you may be pleasantly surprised to learn that you already have a handful of controls in place without realizing it, which can help you break away from reluctance and build momentum for yourself and those around you.
What was once a “nice to have” has quickly moved into the camp of “absolute must” when pitching to technologically sophisticated business prospects. Arming and educating your sales professionals with information about your in-house security controls not only helps build trust with your current and prospective clients but can also differentiate you from competitors that have yet to consider this undertaking. If you are thinking about SOC 2 but are unsure where to start, here are some factors to consider so you can find your jumping-off point.
Assess your starting position:
Take stock of your foundation and find the tools that are already checking boxes for you. Inherited controls such as encryption that is enabled by default, two-factor authentication, and the built-in security options on the devices you already use all provide good points to push off from. Keep in mind that SOC 2 requires a full suite of administrative, technical, and physical controls, so you’ll definitely have some work to do; however, finding that you already have a strong foundation builds momentum and proves you aren’t starting entirely from scratch.
Get your decision makers to buy in and champion your cause:
If leadership can show enough vulnerability to admit, to themselves and to everyone around them, that they are able and willing to do better, it encourages others at every level of the organization to do the same. A “tone at the top, mood in the middle” approach helps drive initiatives through every department layer and is a leap in the right direction. SOC 2 means reexamining the way you do things, individually and as an organization. This almost always means making some big (and sometimes uncomfortable) changes. It’s critical that leaders across the organization and at various levels are committed to the overall vision and mission. Be sure to empower managers and stakeholders across the company to have open and honest conversations with their teams. Equipping everyone with the correct context and background will help them understand why the company is pursuing SOC 2, how it benefits the company and its customers, and how critical each person’s role is to the overall goal. Understanding the “why” at every stage helps your teams build accountability and cohesion, and it also builds adherence to the practices required to maintain compliance. Everyone will quickly realize that security is much more than firewalls, encryption, and passwords. It is an effort made up of individual responsibilities and procedures across the organization, all of which are reviewed when SOC 2 audit time comes.
Conduct an informal risk assessment of your organization as a whole:
Before you start thinking about your security controls, take a step back and do a full review of your company’s practices. Taking an objective look at how you do things is key to identifying areas for improvement. Looking for ways to reduce the risk of negative impact on your business, service, or product gives you an advantage when you begin implementing and monitoring controls. Security should be seen as holistic, going well beyond a company’s systems, processes, and software. It includes, but isn’t limited to, personnel management, vendor management, and physical on-site security. Do you need to reassess pre-pandemic protocols in light of recent trends and events across the cyber threat landscape? How can you update and enhance security protocols to meet the moment?
The priority when starting out is to identify everything you can keep in place rather than leading with the areas that need improvement. Without assessing your existing safeguards alongside your gaps, you risk establishing unnecessary policies and procedures that undermine the productivity and efficiency of teams across your organization. Staying aligned with practical day-to-day protocols while avoiding distractions and remaining compliant is the name of the game.
Create a plan and strategy that integrates with and enhances your organization’s culture:
Once you’ve identified the practices and processes you are doing well, document and evangelize them as often as you can. Publicly praise those team members going the extra mile and encourage other stakeholders to do the same. While you work on upgrades in the areas deemed necessary, try to stay positive as you progress toward some of the more complex or cumbersome security controls. Meeting the requirements doesn’t have to be daunting. Try to remember that there is more than one way to peel a potato. Creativity and ingenuity, while still sticking to the guidelines, can expedite implementation, lessen the workload, reduce spending, and minimize disruption when applying controls. Do your homework on the tools and systems you currently use and work out how they can be integrated to interact with one another. Centralizing as much information as possible can greatly increase the speed at which issues are flagged and the appropriate team members act on urgent matters. Instead of having admins watch a dashboard or wait on email alerts, security notifications and events from many monitoring solutions, such as your IDS (intrusion detection system), can be routed and disseminated through the integrations found in communication apps you’re likely already using, such as Slack or iMessage. Finding as many ways as possible to quickly and easily get the attention of critical team members using tools you already have in place helps you resolve issues swiftly and reinforces your safeguards.
Of course, many of your controls won’t have integrations that allow you to further centralize all of your SOC 2 related data, but getting as much in one place as possible not only benefits your workflows but also lends a helping hand during the audit.
Another way to significantly reduce time to compliance and help build a hub for your compliance workflows is to engage a modern Compliance as a Service company. Many offer integrations with popular cloud providers that can automatically run SOC 2 compliance tests against your systems. These systems are a commitment and can be pricey, so do your research to see if their offerings are right for your teams.
No matter when or how you decide to approach your SOC 2 aspirations, the great news is it’s getting easier and more accessible for small companies to put critical controls into practice well ahead of audit time.
Though we are very proud to say we’ve achieved SOC 2 Type 1 certification, we are laser-focused on the multi-month monitoring phase required to achieve Type 2 compliance. Showing this level of commitment to our clients is extremely important to us, and we are determined to keep working hard to maintain these controls while striving to reinforce and expand our security posture over time.