Fast and Furious: A Wrong Turn for SOC 2 Compliance

October 4, 2021


Dom Toretto’s personal philosophy in The Fast and the Furious is “I live my life a quarter-mile at a time.” Sure, Dom has guts, but he also has a 10-second car that can carry his mighty muscles all 1,320 feet.

If you are looking for SOC 2 compliance, you have likely heard that “Company Who Shan't Be Named” can magically make your business compliant in a ‘Fast and Furious’ fashion. But unfortunately, information security is not drag racing. If you move too fast, your efforts are likely to backfire.

To put this into context, if you just say these 9 words “we have wholesale adopted the VGS Security Controls and policies.” — that's about all it takes to “get SOC 2 compliant.” The average English speaker can recite around 2.5 words per second. So, in theory, with VGS Control that means you can get SOC 2 compliant in as little as 4 seconds! Right?

Wrong.

That’s because “getting SOC 2 compliant” isn’t actually hard. What’s hard is building a meaningful security program from scratch and then layering on a SOC 2 report that actually covers all of your compliance needs. At the end of the day, getting SOC 2 compliant fast means not wasting any time, not that you did it in the shortest amount of time possible.

SOC 2 At a Glance

A SOC 2 Type 1 report is relatively easy to obtain, because it merely consists of an auditor reviewing your organization’s policies and procedures. In fact, simply by adopting VGS automated policies and security controls, and by leveraging our built-in automation integrations, you can pull the required data for SOC 2 evidence within seconds. However, a “check the box” approach is not recommended, because organizations are unique, and what makes your organization unique should be highlighted in your approach to security and compliance, and in your SOC 2 report.

For a SOC 2 Type 2 report, there is no such thing as a Fast and Furious approach. An auditor will not only review your Type 1 controls, but will actually verify that everything has been enforced over a “lookback period” of 3-12 months during your Type 2. Here’s a pro tip from Jonathan Cordeau, Head of Product at VGS: “Nobody — not your customers, your partners, nor regulators — will take your security program seriously if you've just simply ‘checked the box.’”

If you really want a meaningful SOC 2 report, focus less on speed. Due to the critical importance of security and compliance in today’s marketplace, your sole focus should be on quality. If your efforts to “move fast” result in a weak report, you are likely to regret it. The reason is that in today’s regulated and litigious world, you can be sure that a real compliance expert is going to read your SOC 2 report — from cover to cover, and know exactly where you cut corners.


The Modern Approach to SOC 2

At Very Good Security, we only focus on one aspect of SOC 2 compliance: Quality. We’ve helped more than 1,800 companies develop and foster a “security-first” mentality. We help clients who have an architecture based on “security-by-design.” Why? Because these are the same companies who want a meaningful SOC 2 report.

Even if speed is a secondary concern, the quality-first approach of VGS pays huge dividends in terms of efficiency. VGS Control simplifies the compliance process by providing detailed control descriptions, prescriptive tasks that are engineer-friendly, and dynamic policy templates that map and scale to a wide variety of frameworks.

We’ve put a tremendous amount of work into streamlining the SOC 2 process, so that our customers can implement a security-first approach, and obtain a high-quality report efficiently. We have eliminated many traditional detours and roadblocks.


By design, VGS Control accomplishes three key compliance goals. First, Control determines exactly what evidence your organization needs. Second, Control pulls that evidence onto our platform automatically. Third, Control gives your auditor direct access to everything they need to see, and nothing they don’t.

At VGS, we eliminate bureaucracy and superfluous work. This means that your compliance journey will only last as long as it should -- and not a second more. VGS Control tailors the entire SOC 2 process to meet your organization’s precise needs.

To sum up, when going for your SOC 2, you never want to just “check the box” because that’s not what SOC 2 was intended for, and certainly not what your customers expect of you; data security is too important to the long-term health and competitiveness of your organization. What you really want is to have the best SOC 2 report possible, achieved in the most efficient way possible, without sacrificing security — and partnering with VGS is the best way to accomplish that.

Ready to Get SOC 2 Compliant?

Eliminate your compliance burden and accelerate your go-to-market with:

  • Most Automated Evidence Collection
  • Best-in-Class Active Monitoring
  • Prescriptive Tasks
  • Dynamic Policy Builder & Library
  • Real-time Auditor Collaboration

Discover how VGS Control automates the entire SOC 2 process, by booking a personalized demo from a VGS compliance expert.

Stefan Slattery

Product Marketing Lead
