Top 3 Takeaways
- Defensibility is the ultimate concept that everybody drives to—whether they say it out loud or not.
- In the security landscape we see today, there are many opportunities for improvement.
- Even when I employ all of my resources, even when I put my best foot forward out there, failures can occur in my ability to protect data.
- [00:47] Neil introduces Asureti.
- [01:23] What is SRCP?
- [02:45] Do organizations have solid strategy around GRC principles today?
- [04:50] The functions that need to be in place.
- [07:36] The concept of "Good enough can be the goal."
- [09:30] What should organizations be thinking about in terms of preparedness or potential consequences?
- [11:09] The cliché of "Nothing bad has ever happened before."
- [12:54] Neil's encouragement to everyone.
[Host Megan Phee]: All right, Neil. Thank you for joining us on today's podcast of GRC & Me. So let's first off tell me more about Asureti.
[Neil Watkins]: Sure. Asureti is a company focused on SRCP. In fact, we built Asureti because in the marketplace we couldn't find anybody who uniquely covered all of those concepts. We found many companies that proclaimed they could do GRC, which is just typical governance, risk, and compliance.
So we've developed a concept called managed assurance. We do it in an advisory role and an operational role, but we basically provide our services to those who either can't, don't want to, or can't afford to insource it, or who simply want the output from it.
[MP]: And in your introduction, you mentioned the acronym SRCP. So can you share what is that, and how does it differ from traditional concepts within GRC?
[NW]: Sure. For many years, GRC has simply been governance, risk, and compliance. We found through our practices that there were many missing components in that framework going forward.
Security, risk, compliance, and privacy are the four terms that make up SRCP. Security practices had long been isolated: overseen by compliance functions and feeding directly into risk, but still allowed to live in a silo and operate a little bit freely from that process. So we believe their inclusion in the acronym and in the practices was key.
And as we continue to move forward into the future, it has to be included at the forefront of thinking, and as a process that must be adopted by these organizations.
Think about a military concept, where they have what's called sectors of fire. In other words, each person has a unique landscape, but the landscapes also overlap at the same time. It's the same concept here, where everybody looks out into their landscape and covers their area of visibility, but no one concept covers them all.
Well, the SRCP concept creates that horizontal layer that allows the practices to operate efficiently, in concert with one another, both taking in the feeds and inputs and providing feedback from their own skillsets, and to operate in a much more effective way for organizations, if they employ them in that manner.
[MP]: And do you find that organizations have a solid strategy around the principles of GRC today?
[NW]: It's ironic that in both public and private companies, the answer to that wants to be yes. But in the landscape that we see out there today, there are many opportunities for improvement.
It all starts with the mandate of operational governance, and we find that many don't employ that in an effective manner, or sometimes not at all. So when it comes down to how a policy reads, or whether it is even a policy, we find companies sometimes don't even want to use the word policy, because it specifically has an organizational, cultural effect on their people: that they have to behave in a certain manner. They find it to be too restrictive in a business environment that has to be adaptive, free-thinking, fast, and growing at a rapid rate.
So policies in that framework seem restrictive. There seems to be a hesitance out there, even though it makes sense for them to exist, because that governance framework is what companies rely on for how they operate. Each individual looking at the horizon, operating independently, can come back to that common set of rules and say, "Am I doing my job effectively? Am I doing it within the guidelines provided?" Sometimes, "Am I doing it safely?" Some of those questions are answered by that governance structure.
But ironically, sometimes it still doesn't exist. Without that cornerstone and that mandate, the programs around data protection, or the security, risk, compliance, and privacy that I spoke about earlier, are ineffective or non-existent as a result. Even though individual departments will run around, trying in good faith to execute their skill craft on behalf of the organization, the lack of a mandate prevents some of its growth and effectiveness.
When it comes to things like this, the organization has to employ legal and regulatory oversight. Risk, compliance, privacy, operations, executive management, and the security team have to function together to provide adequate protection. Without governance establishing that requirement, it often doesn't get done.
[MP]: And so you talked a lot about the landscape that an organization should have. So, what are the functions, or organizational pieces that need to be in place in order to achieve this?
[NW]: Sure. When I talked about it a moment ago, I ran through them really quickly. You have the legal department. The legal department is key for understanding regulatory requirements, interpreting commercial effect, in other words the contracts you sign that say you have to do certain things, and understanding any kind of mandate the organization must meet.
The risk organization, whether formal or informal, is the process of identifying what risks to the strategy of an organization exist. And the reason we talk about all of these in a concerted fashion is that they all feed into an element of risk to the operation. It can be risk to revenue, risk to growth in a strategy, risk to strategic enablement, risk to the existence of an organization if absolutely done right.
The other one, the cornerstone of that, is a compliance function. I know compliance has kind of a mixed reputation within an organization as to what it is. But it really is the entity responsible for making sure that what we are supposed to do is being done, and being done at an acceptable level according to what we said we were going to do, or what a regulatory framework says you must do.
And of course, you have the privacy group, on the rise in organizations now, because individuals are becoming more aware of where their data lives and what's being done with it, and they want to make sure that there's an element of control and adequate protection.
Operations of an organization, in its generic form, are the ones out there trying to execute the strategy, tactically employing these things, moving information along. They are a cornerstone to this as well, because it's not unheard of for them to move at the speed of business and sometimes forgo their requirements for adequate protection or compliance and everything else, because the cornerstone of their job is to enable the speed of the business and the growth of whatever their strategy is.
And of course, technology and security teams, which are the last part of that. Technology drives how the mission is done in most companies, so they are strategic to that, and the security team is the one who wakes up every day in a vigilant fashion, to find ways to use technology to make sure that what we said we were going to do, what we need to do, and of course, at its cornerstone, what they feel compelled must happen, gets done in a unique way.
So those cornerstones are legal, risk, compliance, privacy, operations, executive management, technology, and security teams. Listen to the complexity and number of participants in a simple design of adequate data protection.
[NW]: Sure. Good enough is the concept I use to describe what we should aspire to do. There are many people out there who believe it's all a nuisance and a drag on operational expense to an organization: I will do this with the minimum amount of effort and spend necessary, because I must focus on driving my company's strategy, profitability, or non-profitability if that is the case.
Others out there think, in a lot of ways, that they must do it to the best of their ability at all times, every day. And that is what you want to employ culturally, but the reality of all that is, if you do everything with the most expensive, most time-consuming, most focused approach, it will be an effective program until somebody simply undermines a common principle. We see this happen all the time in the headlines, where somebody will spend millions of dollars on a security function, and yet they're breached, and people are wondering how that happened. Well, that just shows you the adversary's willfulness, their discipline of approach, and everything else in some of those cases.
So here you are, the operational leader of the organization, saying, "I spent millions of dollars and it still happened." How does that occur? Well, it occurs because perfection was never the goal. To understand where the threats may be, to prepare adequately for that, to look at it and understand the risks, and to continuously prepare to harden that response really is the goal from that perspective, and that leads to the good enough principle.
And in the end, it is the combination of an organization's risk appetite, risk understanding, landscape, financial wherewithal, and operational constraints that will create good enough.
[MP]: All right. Thanks for sharing that. And you, you've also mentioned in discussions kind of this concept of defensibility. So can you share, what does that mean for organizations in practice? And what should they be thinking about, whether it's in terms of preparedness or potential consequences to their organization?
[NW]: Sure. Defensibility is kind of the ultimate concept that everybody drives to, whether they say it out loud or not. You have to think about how you're going to defend the decisions that you made. That is the root of defensibility. Did we do it, did we do it right, and did we do it adequately will always be the question, either as an assessment factor, or as the after-effect of something unfortunate happening: a business disruption, a loss of data or key information.
Again, it doesn't take much to grab a headline out there and see massive amounts of data lost in the most simplistic of ways. And then the organization tries to go back, like we do so many times, and recreate why it happened, and they find that it's a simple failure of things. In a world of this complexity, where I talked about all these things working in a concerted fashion, something like that is always bound to happen. It doesn't make it excusable, but it makes for a realistic approach to all of that.
So defensibility is the idea around some key components that I'm going to spell out, that prepare an organization, should it go through this, to say these key things: even when I employ all of my resources, even when I put my best foot forward out there, failures can occur in my ability to protect data. The speed of business drives it, change and evolution drive it, all kinds of things. But if I'm looking at it as a core component, I have the governance in place, I have the right assignments, and I have the right team engaged, that's the first pillar of all of that.
But when you asked about the landscape out there, I would argue that companies still struggle with that, because they don't understand the importance of it. And you hear the cliché of, well, nothing bad has ever happened before. Well, nothing bad happens until it does, and this kind of opportunity and this kind of approach prepares you for that moment, should it ever occur. And quite frankly, even if it doesn't, there are some things out there that say you really must do this.
It's ironic that the Department of Justice recently released some documentation on these things, and it's really ironic that they talk about the effects of a disciplined operating compliance program. I'll read the three things they talk about. It says, "Is the program well designed? Is it applied effectively? And does it work in practice?"
The concept of defensibility covers all of those. With good governance and strategy around these programs, overlaid with a horizontal function that allows them to be seen uniquely, and then the steps of defensibility I laid out a moment ago, you would uniquely answer all of those questions as part of normal operations.
[MP]: That's wonderful. Well, thank you. So Neil. You shared with us some really great concepts there, around SRCP, the landscape organizations should be mindful of, the concepts of defensibility. Anything else that you'd like to share with our listeners?
[NW]: Yep. The last part is, all of this seems very daunting, large, and effective. And as a result, most people don't even start. They use that as the barrier to their success, or the fear of their success in that regard. My encouragement is: find technology enablers, like LogicGate out there, that are quick and effective to market, to help you create that horizontal overlay and visibility into what's happening, and to monitor and engage at a very cultural level the willingness to do it, the importance of it, and the training to do so. And of course, the continuous assessment of, are we doing it well?
Because again, these things constantly change, but I hear more often than not that the barrier to this is either culture, speed of business, or the right technology enablers. Because it is so broad, those things can cause people not to start. Don't let that be the problem in all of this. One person, one department can make a significant impact on all of these requirements if they simply take it in a very pragmatic, risk-based, stepped approach.
[MP]: Fantastic. Well thank you Neil, for sharing your insights and your thoughts with us today. We appreciate it, and stay tuned for another episode of GRC & Me.