“Changing your mindset may change the situation” - Lisa Rusczyk, 50 Things to Know to Downsize Your Life.
Whether or not we are aware of it, our mindsets are incredibly important drivers in basically every area of life. In psychobabble terminology, mindset is defined as “a set of beliefs that shape how you make sense of the world and yourself. It influences how you think, feel, and behave in any given situation.”
In other words, our mindsets help form our reality.
Enough Psych 101 Class, back to SOC 2 and Compliance now.
Actually, the concept of mindset plays an important role in how companies approach SOC 2, and Compliance in general. Not sure how this psychology theory could possibly play out? Consider the following: If you think of SOC 2 as a burden to be bypassed as painlessly as possible, well then, it will be just that–a hurdle to be side-stepped. And of course, the opposite is true too–by perceiving SOC 2 and Compliance as allies, you’ll be in the frame of mind to reap the many benefits.
So right in time for the new year, we bring you the top 5 SOC 2 mindsets to break free of in 2022, intended to steer you towards a year filled with growth and expansion.
- “Quick ‘n dirty” is the way to go - Meeting SOC 2 is a major undertaking and it's easy to get caught up in the mindset of wanting to get it done as effortlessly as possible. But by adopting the quick ‘n dirty outlook, you miss the true point of SOC 2.
Well, what is the true point, you say? The true point is to help businesses establish a roadmap with which to improve and support security posture, as well the posture of any of the other chosen Trust Criteria. By viewing SOC 2 requirements, i.e., the controls and policies, as indicators of where your security posture needs to be heading, you can establish, and then must adhere to, certain processes. In this sense, taking a positive view of SOC 2 can help you instill a security-by-design approach in your Compliance efforts.
- Relationships with stakeholders don't matter - A SOC 2 report is supposed to be a holistic reflection of the state of security maturity of your IT environment and tech stack. To this end, it should cover tools from various departments, like HR, sales, R&D, etc. In order to make this a reality, you need to build relationships with stakeholders from each of these departments.
But what happens when you fail to build solid relationships with stakeholders? What happens when they aren’t invested in the process? By establishing a mindset wherein stakeholders MATTER, and they clearly understand the importance of their involvement, those players will have a better knowledge of their responsibility in this ecosystem, leading to fewer gaps and better audit outcomes.
- Internal audits are a waste of time - Many companies bristle at the thought of performing internal audits, since initially, they create more work. Moreover, it may seem like a LOT of effort to expend for something that has little tangible ROI.
But think about it; Internal audits are like the pre-test, wherein you get the chance to find out about all of those unknowns before the big day. They can point out gaps and risks before they become sources of trouble and can be a safe way to experiment with new tools and technologies before the big day. By adopting a “pretests-are-good” mindset and putting in the extra effort beforehand, you’ll get to know your strengths and weaknesses, so when that day arrives, you’ll be optimally prepared.
- SOC 2 isn't about long term goals - Thanks to the tedious work involved, many companies see getting that SOC 2 report as the goal. While achieving SOC 2 is clearly a goal in and of itself, with the right outlook, it can be seen as a part of a larger goal, one that will benefit your company in the long run.
Obviously, you’ll want to choose goals based on what matters most to your company, but here are some ideas to get you started: Getting stakeholder buy-in regarding the importance of Compliance efforts; Establishing continual awareness of all gaps and attempting to remediate them as soon as possible; Creating a comprehensive Compliance program and deploying the tools to support it, to serve your Compliance needs as you grow, etc. While these goals may not be immediately attainable, you can use them as your guiding lights, your North Stars along your Compliance journey.
- Auditors are the enemy - Many companies feel threatened by the prospect of bringing in an outside auditor. They fall into the dangerous mindset of seeing their auditor as little more than an accessory to a necessary evil, and therefore, fail to build relationships. And especially troubling, they assume they need to hide information and shortcomings, in order to pass their audit.
Trust us, these are all horrible, terrible, no-good ideas.
Instead of viewing auditors as semi-enemies, consider building transparent and open relationships–and this outlook will have a direct and lasting benefit for your company. While auditors are impartial, and therefore cannot truly be called in to consult, most would be happy to help steer you in the right directions, reach the right people, get the right material, and proactively address gaps. Sure, you may not be besties, but with the right mindset, this is a relationship that can be incredibly fruitful.
An anonymous, yet very wise person once said, “mindset is what separates the best from the rest.” As we stand on the precipice of the new year, now is the perfect time to get started with growth-oriented mindsets and to avoid these potentially dangerous ones as you move along your Compliance journey.