3 reasons why SOC2 is the baseline and not the goal

Shahar Ben-Hador
Cyber Security
3 min read · May 31, 2022

While SOC2 is great in helping companies build strong security practices, it should be just the baseline for your security program. In the last few years, my teams certified 3 organizations for certain compliance standards and have continued pushing forward to secure our environments, as they should have. In 2 of the 3 cases, I challenged my teams to get certified even before the service was launched, and these investments paid off for these amazing companies I had an opportunity to be a part of. To practice what I preach, BlastRadius, my company, is already SOC2 compliant.

SOC2 is important because it helps build trust between organizations. It’s a part of the threshold for doing business in the modern SaaS world. However, too many organizations see SOC2 as a checkbox project, leading to it being the ultimate goal for where they make security investments. This approach leaves their organization exposed to threats to their unique environments that general security standards can’t cover. I hope you find this post helpful in educating your team and business about the importance of good security practices alongside the continuous evolution of your security program to address risks to your company.

Below are 3 reasons why SOC2 should be your baseline, not your goal:

Compliance Standards Can’t Keep Up with Cyber Threats:

  • Cyber threats evolve at the speed of light, as we all know, and standards can’t get updated at the same speed.
  • New technologies and stacks mean new attacks. If your company uses a modern tech stack and practices, your formal program may not cover these effectively in the next 5 years.

“Compliance Gymnastics” is everywhere:

  • You know what I mean, right? How often do you see products and vendors that are compliant, but deep inside you know it can’t be because they have great security practices?
  • Ask anyone who was involved with a compliance program and they can point out an area where they have seen “Compliance Gymnastics”. One common area is security alerts: teams are required to review every important alert, so they flex the definition of “important” to face the reality that they practically can’t review every alert.

Your Business is Your Business:

  • No one knows your business processes, tech environment, properties, and weaknesses better than you!
  • This could be your unique software architecture, how your trucks deliver goods, how your students learn new topics, or how you help customers take care of their pets.
  • Be open about your risks and weaknesses and leverage the good baseline SOC2 creates to focus your resources in these areas.

So you’re working hard to be compliant and unlock business opportunities for your company. Great, you’re doing exactly what you’ve been hired for!

SOC2 is great as a baseline, it really is. It ensures good practices, a hygienic IT environment, and sound operations while maturing technology adoption. Building on this baseline will allow you to enable business opportunities for your company while further securing your business against fast-changing threats. Focus on the threats that are relevant to your business to get stakeholder support and the resources to implement.

So now go finish your SOC2 and get back to (hard) work to stop the bad guys, like we all love doing!

Ex-security and IT leader | Entrepreneur | Co-founder and CEO of BlastRadius | Helping security teams to focus on what matters most