Sharing Our 2024 SOC 2 Wish for the Industry

Ethan Altmann
April 18, 2024

For $9,000 you can have a “GRC automation platform” and a SOC 2 Type 2 report issued by an audit firm accredited by the AICPA. If the “industry standard” is a SOC2 Type 2 report “without deviations noted” and that is the barrier to entry and to unlocking business, we are actually saying that security compliance simply has an entry tax of $9,000. If so, what does that say about our industry and what it has become?

Let’s go back to the beginning of the compliance “framework” story and remind ourselves what it is all about - as with everything in the world of GRC, it is all about risk management (yes, even the governance and the compliance are things done in order to reduce risk). Regardless of whether it is SOC 2, ISO 27001 or any other acronymed control listing, these are simply groups of control statements or objectives that should be implemented or met in order to effectively reduce the likelihood or impact of a list of risks.

So, “does SOC2/ISO 27001/XJ1D5H3 require me to perform a risk assessment?” How often do these kinds of questions pop up on LinkedIn? This kind of question is a key indicator of how “tick-the-box” exercises have become the norm in our industry and of the extent to which the standard has deteriorated. First things first: before any audit or anything of the like, an organization should understand the risks that are relevant to its business, industry, processes, assets etc. and implement effective measures in order to reduce those risks. Perhaps, if a risk such as “losing business as a result of ineffective sales processes due to vendor due diligence concerns in the information security realm” were deemed relevant, undergoing a SOC 2 audit may be an effective mitigating control to put in place. Then, another risk assessment would be advised in order to establish which controls would be in scope for the audit. Note that the implementation of the control framework is a subset of risk management, and not vice versa.

If I am an organization performing vendor due diligence in 2024 and I have defined that a SOC2 Type 2 report is sufficient to alleviate my concerns, what does that say about my own risk management practices? Do I really have an effective strategy to assess and mitigate vendor risk? Not only may I be relying on rubber-stamp reports, I may also be rubber stamping my own risk management program. I may be turning my own work into a farce.

The underlying point is clear: let’s stop sacrificing our own professional integrity for the sake of conforming to the industry hype, and let’s raise the industry standard such that we can take pride in our efforts. All this is not to say that compliance should be limited to organizations with large budgets and vast resource allocation; it is to say that formal external attestations of compliance should be limited to those working according to best practices. Adhering to best practices simply requires know-how and, above all, care.

My 2024 wish to us all - to be rid of rubber-stamp “SOC-in-a-box” reports (as aptly coined by Kendra Cooley last week). To be rid of risk-in-a-box just to fulfill a requirement of SOC2. And finally, to be rid of selling ourselves short.

Compliance is about business enablement via trust - but if the journey to enablement comes at the expense of integrity, credibility and even business endangerment, then the associated risk is unacceptable. Let’s start doing it right 🙂 

Ethan Altmann
Compliance Product Owner - Chief framework cross-referencer, Control-understander, Evidence-mapper