Explain SOC 2 to Me Like I’m a Child: with Marie Joseph, Senior Security Solutions Engineer at Trava
Jara Rowe: You're listening to episode 6 of The Tea on Cybersecurity. What is SOC 2? To be completely honest, "SOC 2" was a term that I had heard before I started at Trava. The very first tech company I worked for was in a frenzy to become SOC 2 certified in order for a customer to sign with us. It was a requirement of the customer for us to be SOC 2 certified, so I heard in meetings them trying to go through the different steps to be certified, but I never stopped to ask questions of what SOC 2 was. I just knew it was important to get that customer over the line. During this episode, that is all going to change. We are going to have a better understanding of what SOC 2 is and why it's important. The guest on this episode is Marie Joseph and she is going to talk to us like we're children about SOC 2. Hi, Marie.
Marie Joseph: Hello, Jara.
Jara Rowe: How's it going?
Marie Joseph: Going great. I can't wait to be here and talk about SOC 2.
Jara Rowe: And we're really excited about it. So go ahead and introduce yourself for our listeners.
Marie Joseph: I'm a security solutions engineer here at Trava. I originally started as a customer success analyst and then moved up to the security solutions engineer role. I help a lot with our baseline cyber risk assessments; but most importantly, I help with a lot of our compliance management projects, so I help get customers SOC 2 or ISO certified. We're here to talk about SOC 2. I do it every single day and I've helped several customers get through it. My background's in cybersecurity risk management. I got a master's degree in that at Indiana University. So all the different realms of cyber.
Jara Rowe: I'm excited. You're the girl for me for this episode. For sure. So before we jump straight into SOC 2, in your words, why do you think people find cybersecurity so intimidating?
Marie Joseph: I think the main reason is: a lot of the times when I tell people what I do, I say "cybersecurity" and people have absolutely no idea what that means. So I think that whole phrase, that's what scares people the most. But then, the people that do know what cybersecurity is after they get a better understanding too, you often hear people say, "This is what keeps me up at night." They worry that if they have some sort of security risk at their company, they could lose everything. It can be so damaging, whether money-wise or just reputation-wise, if you were to have some security breach, that it is pretty intimidating. And the whole cyber crime aspect is a little scary.
Jara Rowe: It is very scary and can ruin organizations for sure.
Marie Joseph: Yep.
Jara Rowe: So, "SOC." It's not like socks we put on our feet. I know that it's an acronym. Can you tell me what it stands for?
Marie Joseph: Yes. It's Service Organization Control 2, so "SOC 2." And basically, it kind of gives regulation and standards. A third party created it and it gives us standards, mainly for security, and then you can choose to add on different types of control areas, which are privacy, availability, processing integrity, and confidentiality. But most people just go for the security factor when they're starting off.
Jara Rowe: So you started going into what it is exactly, but I need you to dumb the language down just a little bit.
Marie Joseph: Got it.
Jara Rowe: Talk to me like you're talking to your niece. What does that mean?
Marie Joseph: Since security and compliance are different, so it just sets this standard of how an organization should be practicing security in order to not hit that cyber crime we talked about earlier. It isn't security, which I'm sure we'll probably talk about later, but I guess the best way to put it is that you're putting the pieces together to build some sort of program that will give other companies that satisfaction that you're doing something in regard to security. You're not doing everything, but you're doing something. And that's always reassuring when companies are coming and looking at your own security posture.
Jara Rowe: So why do other customers or companies care if someone is SOC 2 certified or not?
Marie Joseph: They mainly care because it gives them... One of the best things I always learn is: if you're taking in a company, whether it be for business or acquiring them, you take on their risks; so if they're not secure at all, you're taking on all of those open flaws that they have. So a lot of these certifications, it gives them that reassurance that they have something there and they're not taking on a completely vulnerable company and giving their data. Because when the data start crossing, that's your own customer's data, and that's a lot of liability for them and that's where a lot of cases people could lose a lot of money and damage their reputation.
Jara Rowe: Oh my gosh, so scary.
Marie Joseph: inaudible. It's a little scary.
Jara Rowe: It is. So you talked a little bit about security and compliance. Can you just go over the difference between those and then how they actually work together?
Marie Joseph: Yep. So with compliance, what I was kind of saying earlier is it's just a set of standards and regulations, which are just rules that people have to follow. But the people creating these rules are just a third party, so there's a lot of different compliance frameworks and certifications out there. So they all look a little different, have different acronyms they use, but it basically just sets some sort of standard, and a lot of different ones are accepted for different reasons, depending on who you're talking to. I can't think of a better way to say it. But in some cases, that includes security within those frameworks. But it's important to know that compliant is not security, but they do intertwine in a way. So a lot of times, like the SOC 2 for example, it deals a lot with security. The control you have to put in place are the security controls. And I know I mentioned several other areas. There's four other areas you could add, too, but this one just starts at your operations and your mechanisms, different ways, whether it be technology or the way your procedures and how you operate, are kind of focused on security.
Jara Rowe: Okay. Can you give some examples of those security controls?
Marie Joseph: Yes. So some examples would be: one big one that I feel like everyone kind of knows is an antivirus software. So it's evaluating those different companies and which one's going to be the best fit for your company and putting in that type of control, like technology control. And then, another thing that's very important that you probably hear a lot are backups. So it's making sure you're routinely backing up all your data so you're not losing any of your customer's data. Because as a customer yourself, if you were to log into a software and they lost all the work you've done in that software, that would be pretty alarming and that company could lose a lot of money for doing that.
Jara Rowe: Oh yeah. That, again, sounds terrifying. Definitely don't want that.
Marie Joseph: Nope.
Jara Rowe: So you've mentioned some other compliance, like ISO and a bunch of numbers at the end. Can you just name some of the other compliance, I guess, platforms or... What's the right term-
Marie Joseph: The frameworks.
Jara Rowe: Frameworks.
Marie Joseph: Frameworks. Yeah.
Jara Rowe: Compliance frameworks.
Marie Joseph: Yes. "Frameworks" are the best way to put it. That's the typical term you hear. So besides SOC 2, you often hear about ISO 27001. And recently, there was an ISO 27002 that was released this year, about a month ago. And that one is also just a security framework. It's really focused on security. Then, there's other frameworks with compliance that are privacy related that you often will hear a lot. GDPR is probably one of the bigger ones. That's a European privacy framework. So that's making sure that the data is being kept private and with a whole bunch of different options to have your data expunged. And then, there's also CCPA, which is a California privacy one. And you will often hear a lot of states in the US currently putting in their own privacy frameworks, too.
Jara Rowe: Interesting.
Marie Joseph: So there are different states right now... I believe Colorado. Virginia. There's a few others that are looking at it, too. California's the bigger one, but a lot of states are doing it separately, so it leaves that big, open question: at what point is it going to be something federally regulated?
Jara Rowe: Interesting. Wow. So outside of the different state-regulated ones, what's the biggest difference between SOC 2 and one of the ISO ones? Which one should a company choose when, or is one better than the other? How does that work?
Marie Joseph: It's going to really depend. You pick it based on what your prospects are asking for. SOC inaudible easiest way to look at it is really: it's North American based, while ISO is international based. So if you're going to be just focusing on North American clients, then SOC 2 is the perfect way to go. It's the perfect way to start. But if you know you're going to eventually expand over to Europe and then anywhere else internationally, ISO is pretty common.
Jara Rowe: All right, so SOC 2: North American-based. ISO is international.
Marie Joseph: Yep.
Jara Rowe: Got it. So another thing I know with SOC 2 is that there are different types. What are the different types, and what's the difference between those two?
Marie Joseph: Yes. So there is a Type 1 and a Type 2. The best way to look at a Type 1 is it's putting all those controls and mechanisms I talked about earlier... It's just a screenshot in time, so it's like you just take a screenshot of your whole system and that's all the auditors are going to look at. And then, there's a Type 2 where they, instead of looking at just the screenshot, they look at it in a 3-month to 12-month interval; and that way, it's actually being tested and making sure those controls actually work. So that Type 1 is just looking at the snapshot point in time. It's everything kind of frozen in place. And then, it's like you press play for the Type 2, and then test each month separately, and take different tests out of every month.
Jara Rowe: Got it. All right. Okay.
Marie Joseph: Does that make sense?
Jara Rowe: It does make sense. So Type 1 is a screenshot of time.
Marie Joseph: Yep.
Jara Rowe: Type 2 is a little longer of that timeframe.
Marie Joseph: Yep. It's like you press pause in a movie. I'm going to press pause and look at what your security looks like right now. Nothing's going to be working, but everything's just frozen. And then, I press play, and then it's all going and you watch it for 3 to 12 months.
Jara Rowe: Perfect analogy. I greatly appreciate that for sure. So I feel like you've talked about this a little bit, but just to reiterate to make sure it's clear, when should a company think about SOC 2 or another compliance?
Marie Joseph: Start thinking about it right now if you haven't been thinking about it yet, in my opinion. You can do a "certification readiness," and you can just constantly be ready to be SOC 2 or whatever certification you want. Just be ready for it. Because a lot of the times, you'll have a big prospect come in and ask you, "Where's your certification for this?" And in some cases, there's people that say, "We haven't even been thinking about it," and that looks bad, typically. But if you were to say you have readiness for SOC 2 or ISO, those people will find it more impressive. And then, you can also give them the confirmation that you can get a certification almost right now or go into the process of the certification because you are ready. So the sooner you start in implementing the controls the better. And then, also typically price-wise, slowly implementing those controls usually tends to look prettier, as well.
Jara Rowe: Okay. Awesome. Yeah. So start now, friends.
Marie Joseph: Yeah, start now. It's never too early.
Jara Rowe: It's never too early. I think that's true for all cybersecurity, right? So one of my final questions is: is there an end to compliance? Do you ever reach or cap out at a compliance framework, or is this something that's always changing, evolving; it's something you always have to work towards?
Marie Joseph: Oh yeah. It's always changing in a way. It's not changing exactly, but it has to be continuous. There's this thing called "continuous monitoring." So once you get that certification, you can have your little party, be so excited that you passed and got that expensive paper. But then, after that, you have to renew it. And typically certifications have about a one- to three-year renewal cycle, so the auditors will come in from time to time to check before you renew. So it never really ends. The standards might change, but not too much. They might change some names on the controls or say, "You need to do a little more for this next one," if the third party for the compliance framework decides to change it. But it really never ends.
Jara Rowe: Yeah. Never ends.
Marie Joseph: Yeah.
Jara Rowe: Well, there you go. There you have it. All right, Marie, it's been great. I definitely feel like I understand SOC 2 and our other compliance frameworks a little more. Look, I already got that term right, "frameworks," so I'm moving on up.
Marie Joseph: Love it.
Jara Rowe: Is there anything else you would like to share with our listeners about SOC 2 or cybersecurity in general?
Marie Joseph: Yeah. It's typical, like in all ways of security and in life, if you want to be better and more secure, you might as well just start now. Because the little pieces you do will add as you climb up that ladder.
Jara Rowe: Now that we've spilled the tea on SOC 2, it's time to go over the receipts. One of the big takeaways I have is that compliance and security are different, but compliance is just a set of rules of how you should be practicing security. SOC 2 is important for companies to have, because when you start working with other people, their companies, all of the data and everything intertwine, and then your risks become their risks and you want to make sure that everything is lined up and that everyone is secure from all sides. The biggest difference between our common compliance frameworks, SOC 2 and ISO: ISO is international-based and SOC 2 is North American-based. So if your clients are typically more in the realm of the States, it's probably okay for you just to go ahead and become SOC 2 certified. Our final episode will be episode 7, where Trava's CEO and co-founder Jim Goldman will be joining me again to talk about 2023 cybersecurity predictions. Thanks for tuning in to The Tea on Cybersecurity. If you like what you listen to, I'd be greatly appreciative if you could leave me a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.
Marie Joseph knows a thing or two about security compliance. As a Senior Security Solutions Engineer at Trava Security, Marie helps clients through the process of becoming SOC 2 certified… but what is SOC 2?
In this episode, Marie helps us get to the bottom of what SOC 2 certification is and why it's important for companies to attain. Listen in for the 101 on SOC 2, ISO 27001 and GDPR (that's a lot of numbers and letters).
In this episode, you will learn the following:
- What is SOC 2 and why is it important for companies to be certified?
- How does compliance relate to security and what are the different compliance frameworks?
- What is the difference between SOC 2 and ISO, and which one should a company choose?
Things to listen for:
[03:00] What is SOC 2 and why is it important?
[05:22] The difference between security and compliance
[06:52] Security controls that SOC 2 certification focuses on
[09:18] How to choose which framework works best for your company
[10:15] The different types of SOC 2 certifications
[11:50] When and how to start certification
[14:16] Final thoughts from Marie
[14:47] Jara’s receipts
Connect with the Guest:
Marie's LinkedIn - https://www.linkedin.com/in/marie-joseph-a81394143/
Connect with the Host:
Jara Rowe’s LinkedIn - https://www.linkedin.com/in/jararowe/
Connect with Trava:
Website - https://www.travasecurity.com/
Instagram - https://www.instagram.com/travasecurity/
Twitter - https://twitter.com/travasecurity
Facebook - https://www.facebook.com/travaHQ