Uncover Lucrative Opportunities With SOC 2 Certification

If you want “street cred” to show clients and prospects you take security seriously, you may want to consider SOC 2 certification. Not only can you use it as a differentiator but you may also find that bigger and more lucrative customers require it.

SOC 2 is “very significant in our ability to get clients,” says Karl Bickmore, CEO of Snap Tech IT, an MSP with offices in Georgia, Arizona, and California. “And the bigger your clients get and more dollars [they want to spend], the more likely they are to require this to be a vendor of theirs. It opens a whole new market to us we didn’t have before.”

The voluntary System and Organization Controls (SOC) framework was developed by the American Institute of CPAs (AICPA). There are three main types of SOC reports (SOC 1, SOC 2, and SOC 3). A SOC 2 engagement examines the controls a service organization uses to manage and protect customer data, evaluated against the AICPA's Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security is required in every SOC 2 report; the other four criteria are included at the organization's discretion. The outcome is an auditor's attestation report rather than a certificate, which is why customers ask to see "the SOC 2 report."

SOC 2 compliance is becoming increasingly important for MSPs to have in their arsenal because an independent auditor's report gives customers evidence, rather than assurances, that sensitive information is being handled responsibly.

When Opportunity Strikes

Snap Tech has been SOC 2 compliant since 2014. Bickmore says he started the process because of a client opportunity. “It was one of those classic cases of necessity being the mother of invention,” he notes. The prospect wanted to hire Snap Tech, but only if the firm agreed to a third-party audit.

“There are customers out there that won’t do business with you unless you do a validation of your policies and procedures,” Bickmore says. “SOC 2 is one of the most well-respected and understood [standards] and works across multiple industries so [customers] specifically ask for attestation of that. We thought that makes a lot of sense and saw this as an opportunity to separate ourselves in the marketplace.”

At the time, Bickmore says Snap Tech wasn’t encountering other MSPs with SOC 2 attestation in competitive situations. Not only is it a differentiator, but “customers appreciate that you have it,” he says.

For Neal Juern, CEO of 7tech (formerly Juern Technology), an MSSP that partners with midsized businesses, SOC 2 compliance means “doing the things you say you’re doing with a third-party audit.” 7tech, headquartered in San Antonio, Texas, is aiming to finish its SOC 2 compliance process by the end of 2024.

Juern was motivated not only by the fact that the firm maintains sensitive client data but also because it will give 7tech the ability to show new prospects they are handling sensitive information properly.

Proving You Have Controls In Place

ISO 27001 certifies that an organization has an information security management system (ISMS) that meets the standard's requirements. A SOC 2 audit instead produces an attestation report in which the auditor gives an opinion on whether the organization's controls for protecting customer data are suitably designed and, in a Type II report, operating effectively over the review period.

“SOC 2 is the go-to framework that most of my clients use and is widely accepted within the industry,” says Kevin Beaver, an independent information security consultant, writer, and professional speaker with Atlanta-based Principle Logic.

Beaver describes both frameworks as "quite prescriptive" and notes that they require ongoing audits to maintain certification. "Neither is inexpensive," he adds, "but they can both pay dividends in terms of building out a resilient information security program and providing a competitive advantage for those looking to do business with companies who take security seriously."

There are a lot of similarities between SOC 2 certification and ISO 27001, but the big difference is that SOC 2 audits are conducted by CPAs, Juern says. He opted for SOC over ISO 27001 because “we feel like SOC 2 Type II is more aligned with MSSPs and people who host any sensitive information.”

A SOC 2 Type I report assesses whether controls are suitably designed at a single point in time; a SOC 2 Type II report also tests whether those controls operated effectively over a review period, commonly six to twelve months. Because Type II requires evidence that controls actually ran throughout the period, it is the report larger customers usually ask for.

Prepare To Spend Time And Money On SOC 2 Compliance

Achieving SOC 2 compliance requires an investment of time and money, and it’s an annual audit.

If a firm is starting the compliance process for the first time and does not have policies written down “in a significant way,” Bickmore estimates the cost at between $25,000 and $35,000, as well as 200 person-hours.

Additionally, he says, “You may have to hire someone to help you write policies if you don’t have any.” The good news? “After you’ve done it the first time, in subsequent [audit] years, expect all those numbers to halve,” Bickmore notes.

The fastest Juern has heard of someone achieving SOC 2 compliance is six months, “but that’s because they already had good controls in the first place,” he says. “Realistically, we think it is a 9-month process.” He estimates 7tech will invest $40,000 to achieve compliance.

The process for Juern is making sure 7tech has all of its security controls defined along with a “track record” of historical evidence. “A small example is we have a computer at the front desk. It’s a visitor system and you have to sign in, so we’re logging every visitor and their purpose,” he says. “You can’t just throw that up there . . . you have to show a history of use.”

Additionally, 7tech must show standard operating procedures that indicate they are protecting sensitive customer information. "You can't just make up a list of security controls . . . they have to [follow] industry standards" such as NIST, Juern says.

7tech did much of the work SOC 2 requires while achieving Cybersecurity Maturity Model Certification (CMMC) Level 1 compliance, so "the process to get to SOC 2 is much simpler," Juern says.

Giving Clients Peace Of Mind

Both Juern and Bickmore agree that the biggest benefit of meeting SOC 2 compliance is credibility.

Once the SOC 2 report is complete, Bickmore shares it with customers or prospects who sign a nondisclosure agreement. "I always like saying to someone considering our services, 'We're good at security, but you don't have to take our word for it: here's a third-party report,'" he says.

“For retention purposes, you can use it as collateral with existing clients to say, ‘Hey, we’re working on it,’ and when you achieve it, you can announce it,” Juern says. “It gives current clients comfort that you’re doing things well.”

He has already noticed that the larger the prospect, the more likely they are to ask for a SOC 2 report. This “allows us to swim upstream in terms of client size, so that means the potential for growth is incredible,” he says.

Right now, 7tech is talking with a “very large prospect” who asked whether the firm is SOC 2 certified. When Juern said they are working on it, “[The prospect] said, ‘If you can’t provide a SOC 2 report, be prepared,’” because the questions from the prospect will be overwhelming, he recalls.

For any MSP going through the SOC 2 process, says Bickmore, it's "all about being better at what we do and being safer and more secure, so our clients, I would argue, get peace of mind." It gives them assurance that "we're doing what we say we're doing," he adds. "It means we're a better service provider."

ABOUT THE AUTHOR
Esther Shein is a longtime freelance tech and business writer. Her work has appeared in a variety of publications, including ChannelPro, TechRepublic, and Network Computing Magazine.

MSP Success Magazine