Have you ever wished you could run a marathon? I have run a few and I can tell you it is hard work and takes a lot of training just to complete it, let alone run a good time. The body is not naturally conditioned to run for that long, as it can only physically store so much energy. When your body runs out of energy (aka glycogen) everything wants to shut down and it becomes hard to function, let alone run. And while glycogen is like fuel, you need to think of it more like a battery pack than a gas engine. It takes a long time to recharge, and so you can’t just stop and top up. The only way to combat this is to train your body in advance to be able to store more of it and to become more efficient in how you consume it. And the more marathons you train for, the better you will hopefully get.
Of course, that doesn’t stop hundreds of companies from marketing products that claim to make running a marathon “easy”. Some say they can prepare you in just a few weeks, others offer equipment that makes it easier to run and some even sell “magical beans” they say will help you run faster and longer. But while there are many legitimate products that can help improve your running, you cannot defy science. Fundamentally, there is no substitute for preparation, hard work, and training.
Building a security program is a bit like running a marathon, with the major difference being there is no finishing line, only a never-ending series of staging posts (audits). Like running a marathon, building an effective security program requires a lot of preparation. Most security frameworks, including SOC 2, require an organization to build out and demonstrate compliance to hundreds of security controls. Some security frameworks, including SOC 2 Type 2, require a retrospective reporting period of a minimum of 3 months. And oftentimes, to meet a particular control requirement, additional investments might be necessary such as an incremental security system, a new vendor, or additional headcount, the implementation of which can also add time.
And so with all that said, it has been interesting to see so many ads on my social media feeds recently from security and audit platform companies claiming to “make security easy” and offering to help organizations pass a SOC2 in as little as a “two weeks”. I am always curious as to who falls for this type of overly simplistic advertising. Serious runners don’t fall for gimmicks, and neither do serious security professionals. But like the ‘magic bean’ brigade, the platform companies come with their own set of justifications. Most claim to offer countless system integrations giving the false impression that once set up these will automatically gather the evidence for your audit. Others offer slick high-level demos hoping no one notices it only covers a fraction of the controls required for the audit and that no one actually asks complex questions until after purchase. Others just rely on the desperation of inexperienced and overworked security managers who want to believe it is really that easy.
But this type of marketing is disingenuous at best, and downright irresponsible at worst. It promotes the idea that successfully navigating an audit is the sole objective and so the easier the process the better. But the purpose of an audit is to ensure an organization has implemented effective security and risk management controls, with the intent of making the organization more secure and reducing risk. It is not to simply get a certificate it can wave to the world. What is the value of an easily earned certificate, particularly if the organization is less secure as a result?
At Ostendio we will never claim to make the process of preparing and negotiating a security audit easy or simple, but we do promise to make it easier and simpler. Any experienced runner will extol the value of good equipment, a good diet, and an effective exercise plan. This combined with preparation and hard work will make them a more effective runner. And to answer the question of how long it will take? Our answer is simple - as long as necessary to meet your security and risk management objectives. For mature organizations (or experienced runners) that may be only a few weeks. For the rest of us, it will probably take a little longer. But then if it is worth doing, it is worth doing right.
So don’t fall for “easy button” marketing. It is not easy if you have to do it all over again.
Ostendio has experience helping companies prepare for and complete complex security audits. The Ostendio Professional Services team can also help customers as they implement their security programs. Engaging the Ostendio Professional Services team is the perfect solution to supplementing your organization’s compliance team when you are setting up your security program for the first time or preparing for an audit. When you are ready to learn more, speak to one of our experts who can answer any questions and provide a demo of how the Ostendio MyVCM platform could benefit your security program.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.
Complete guide to SOC 2 audits
Download your copy of this essential guide to SOC audits including 12 pages of strategies, tactics, and tips to help you understand everything you need to know about SOC 2 audits.