As a cloud infra company, trust is absolutely fundamental, so it was relatively clear early on that some level of SOC2 compliance would be crucial and necessary. Before we got started, we only had a cursory understanding of what this entailed; mostly we thought it would be about hardening the security of our systems, but anyone who’s gone through the process knows and understands that it is much more than that. At the end of it, here’s the shiny badge we got:
Now, I won’t sugar-coat it: getting compliance has meant spending a significant number of hours going through the process (and yes, we used tools to help reduce this time as much as possible). Before starting, I had asked for some estimates, and, since we were a relatively young company, I was told that it would take in the order of 40-50 hours. One week of full-time work I thought – that’s not too bad, but could that be true? Now, I didn’t keep track of all the hours that went into this from everyone, but if you feel that 40-50 hours was on the low side of things, you’d be right: my guesstimate would be probably double that.
But SOC2 compliance has been much more than just counting the hours to get there. It’s been a journey about company maturity, and emerging out of the process as not only a much more secure company in terms of the services we provide, but also a much more ripened one.
More concretely, the audit forced us to finally put a lot of implicit policies and practices down in writing, and to formalize ownership and responsibilities. During the process we also put a much stronger and more reliable monitoring and incident response system in place – being pushed in these directions is something we’re definitely grateful for. We also put branch protections and a number of other mechanisms in place in our repos, and lots and lots of CI/CD-based automated testing (we already had parts of this in place, but the audit pushed us to accelerate and mature our systems).
Beyond that, we also ensured that MFA was enabled for pretty much everything we use and that MDM was deployed on employee equipment – our staff, as you can expect, loved these measures, but took it all in stride and with lots of humor. Further, we had to make sure that any vendors we use are themselves SOC2 compliant, and then more generally take lots and lots of screenshots of all of these measures as proof (I suspect the screenshot shortcut on my laptop is the one I used the most during the months it took to get compliance 🙂).
The good news is that, as a result of setting up a continuous monitoring system and complying with hundreds of controls, we’re now well on our way towards other certifications such as SOC2 Type 2, as well as GDPR, HIPAA, and others.
Bottom line: if SOC2 compliance is relevant to your business and you’re on the fence about it, I’d recommend going for it: we’re now a much better and more mature company for it.