Automation Bliss: A SOC 2 retrospective
I’ve had a long run working in the security and risk space. I’ve advised many companies on best practices for individual security activities. I have been responsible for “herding cats” trying to gather data to report on the success of risk and security programs that board members could understand. No automated compliance tools. Instead: Access DB, Excel spreadsheets, Sharepoint sites, and PowerPoint. It was painful. Luckily, I am geeky enough that I could automate, via APIs and scripting, certain portions of the process. I also worked for some vendors that tried to make certain portions of security easier for leaders and the hands on the keyboard.
Unfortunately, it seems like many companies are stuck. They reach a point where management can’t see progress; they think the company is safe enough, or they see cybersecurity advancement projects fail because of turnover or lack of expertise. A friend recently said that he readjusts his company’s risk status down 30% every year. This keeps the entire company thinking of security as a process of continuous improvement. However, he has a large staff to help make this possible.
At a small startup recently, with fewer than 30 employees, their largest customer insisted they be SOC 2 compliant by the end of the calendar year. Since I had a compliance background, I agreed to spearhead the project even though it was my first SOC 2 certification. My previous experience was in banking.
I wasn’t up to speed on the continuous compliance automation class of tools which were on the rise, but a former employee had already purchased one, so I moved forward using the new tool.
Things that happily surprised me:
- Policy Draft/Templates – policies are one of the first points of conversation when preparing to collect data. How do we want to control devices? What do we think is a reasonable minimum timeout? Do we want/need employees working on their mobile phone? Having templates for every possible policy was a real plus!
- They provided information security training. I didn’t have to search for a vendor and didn’t have the extra cost.
- It automatically added new employees to the onboarding process, and the platform tracked their acceptance of policy, registration of new devices, security training attendance, etc. It also helped organize other onboarding tasks, such as background checks and annual reviews, as we did not yet have anyone dedicated to human resources.
- The included assessment helped organize how I collected data about what controls we had covered already and which we had to work on. It also had workflows so that I could assign tasks to other team members.
- It included a majority of the tools we were already using as automations on the platform. All I had to do was hook them up, or assign the application owner to add them. Voila! I had data regarding a vast number of checks that would have required manual collection in the past. Cloud storage and deployment settings, two-factor authentication settings, outstanding patches, etc. were all at my fingertips.
- One giant red/green completion dial was available on the dashboard that tracked our progress and made it easy to report out our progress. This kept the project top of mind for everyone. It became a genuine team effort.
- Vendor tracking was included, so our third-party risk became part of the centralized solution as well. I found the automatic risk rating helpful because I was sometimes on the fence between critical vs. high vs. medium ratings for vendors. This module also forced us to track down all the tools we were using and sometimes triggered consolidation. This reduced costs and our overall security exposure.
- Automation helped reinforce new habits. Synchronization with the tools happened every 24 hours, so when someone “went rogue,” we could catch it quickly, tighten process controls and reinforce new behaviors while things were still fresh.
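The daily sync-and-compare loop described in the last two bullets (pull control evidence from the connected tools, evaluate it against policy, flag what changed since yesterday) is straightforward to model. The following is an added example written for this retrospective; it is not the compliance platform's code or any script the company used. The snapshot shape, the field names, the 15-minute screen-lock threshold and the sample employee records are all constructed assumptions. Missing evidence is treated as a failing control, so a new hire who has not yet been onboarded shows up immediately rather than silently passing.

```python
"""Continuous control-monitoring check (added example, not the platform's code).

Assumes the compliance platform's daily sync can be exported as a list of
per-employee records with the fields below; the shape, field names and
policy threshold are constructed for illustration.
"""

MAX_SCREEN_LOCK_MIN = 15  # assumed policy value: screen lock within 15 minutes

# Constructed sample snapshots: yesterday's sync and today's sync.
YESTERDAY = [
    {"user": "alice", "mfa": True, "disk_encrypted": True, "screen_lock_min": 10, "training_done": True},
    {"user": "bob", "mfa": True, "disk_encrypted": True, "screen_lock_min": 15, "training_done": True},
    {"user": "carol", "mfa": True, "disk_encrypted": False, "screen_lock_min": 5, "training_done": False},
]
TODAY = [
    # alice turned MFA off: a regression the 24-hour sync should surface.
    {"user": "alice", "mfa": False, "disk_encrypted": True, "screen_lock_min": 10, "training_done": True},
    {"user": "bob", "mfa": True, "disk_encrypted": True, "screen_lock_min": 15, "training_done": True},
    # carol finished onboarding: both of yesterday's failures are resolved.
    {"user": "carol", "mfa": True, "disk_encrypted": True, "screen_lock_min": 5, "training_done": True},
    # dave is a new hire; some evidence has not been collected yet (missing keys).
    {"user": "dave", "mfa": False, "training_done": False},
]

# Each control maps to a predicate over one record. Absent evidence fails:
# rec.get(..., False) / None checks make "no data" equivalent to "not compliant".
CONTROLS = {
    "mfa_enabled": lambda r: r.get("mfa", False) is True,
    "disk_encrypted": lambda r: r.get("disk_encrypted", False) is True,
    "screen_lock_within_policy": lambda r: (
        r.get("screen_lock_min") is not None and r["screen_lock_min"] <= MAX_SCREEN_LOCK_MIN
    ),
    "security_training_complete": lambda r: r.get("training_done", False) is True,
}


def evaluate(snapshot):
    """Return the set of (user, control) pairs that fail in one snapshot."""
    failures = set()
    for rec in snapshot:
        for name, check in CONTROLS.items():
            if not check(rec):
                failures.add((rec["user"], name))
    return failures


def drift(previous, current):
    """Compare two daily evaluations.

    regressions: checks that passed yesterday (or did not exist) and fail today
    resolved:    checks that failed yesterday and pass (or were removed) today
    open:        checks failing on both days
    """
    prev_f = evaluate(previous)
    cur_f = evaluate(current)
    return {
        "regressions": sorted(cur_f - prev_f),
        "resolved": sorted(prev_f - cur_f),
        "open": sorted(cur_f & prev_f),
    }


def coverage(snapshot):
    """Percentage of (user, control) checks passing: the dashboard dial."""
    total = len(snapshot) * len(CONTROLS)
    if total == 0:
        return 100.0
    return 100.0 * (total - len(evaluate(snapshot))) / total


if __name__ == "__main__":
    report = drift(YESTERDAY, TODAY)
    print(f"coverage: {coverage(YESTERDAY):.1f}% -> {coverage(TODAY):.1f}%")
    for bucket, items in report.items():
        print(bucket)
        for user, control in items:
            print(f"  {user}: {control}")
```

Running it prints the two coverage figures and three buckets; the "regressions" bucket is the one worth routing to whoever reinforces the habit, since it names exactly who drifted and on which control, while the "open" bucket is the running backlog for the completion dial.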
The Human Touch
So with all this beautiful automation, my job was done, right? No way! Given our tight timeline, some key items might otherwise have been rushed, but because of the automations, we could devote time to some other key areas:
- High-quality process and procedure docs. I might have produced incomplete, untested, or lower-quality process documents just to make the deadline. As it was, I could give those internal conversations, and the resulting documents, the attention to detail they deserved.
- Evaluation time for new tools. To bolster our posture and pass certain controls, we needed to purchase some additional tooling. We could fully vet these tools for our immediate needs and our expected growth. Had I been more rushed, I would have picked the easiest/cheapest just to get something in place.
- Internal tool development. In a few cases, we knew what technology we eventually wanted but weren’t in a position, financially or in terms of maturity, to implement the tools. Rather than putting temporary tooling in place, we were able to script up solutions that met all the compliance requirements without our needing to rush forward with the wrong tool or the too-expensive tool.
There are several great compliance automation tools on the market. Read my blog post on choosing a tool for more information.
vCISO Contributions
In closing, I’d like to highlight where I feel my knowledge of governance, risk and compliance added value, and sped up the process. It was a lucky break that I had this background and I don’t think we would have been able to execute as quickly, and with as high quality, were it not for my CISSP credentials and experience.
- Policy review and editing. Policy writing is its own art form. You want it to be sufficiently clear without being too prescriptive. This allows the security program to grow and improve without having to change policy often.
- Process and procedures. Compliance and good security don’t necessarily go hand-in-hand. My strong security background allowed me to push for the right controls rather than the right-now controls. This set the organization up for more streamlined security maturity in the future and a better night’s sleep now.
- Tabletop testing. It’s not enough to have plans in place. If you haven’t walked through them, you will absolutely find holes when an actual event occurs. Challenging the team to think through permutations was enhanced by my years of experience dealing with both operational and security incidents.
The biggest benefit: Overall risk assessment. Building security posture, vendor ratings, mitigations, and outstanding improvements into risk conversation takes experience. Establishing an overall company risk appetite, documenting, rating, and tracking risks takes a knowledgeable hand. It is virtually impossible to fix everything. I was glad I could confidently say, “No, we don’t need to do that,” when appropriate. Sometimes it was because of our setup, company type, data strategy, etc. Sometimes it was just a matter of numbers: there are more CVEs, and more ways to find them, than ever before! Common sense, and experience, allowed me to logically and reasonably say, “the likelihood and impact of this risk makes it outside our remediation goals.”
It was this experience that ultimately led me to start Viridis Security. I believe it was the combination of an automated tool and my risk and compliance experience that produced a compliance effort which made the company more secure, set it up for future success, and left it with something easy to maintain going forward.