SOC 2 - The Customer Security Questionnaire Killer


Last week, I had a conversation with the Founder and CTO of Tripwire, @RealGeneKim on Twitter.  Gene was lamenting the fact that each of his bank customers hands them a 300 question security survey to complete in order to prove that they are secure.  He said that they answered 1,000 of these in 2011 alone.  

I popped in on his timeline and said that a SOC 2 engagement, and the subsequent report, could help reduce or eliminate those surveys.  He said he loved it because, "300q surveys are like Distributed Denial of Service (DDoS) attacks on suppliers."

This is a widespread issue facing CISOs and CTOs.  In fact, a CEO (@ebellis), and Chief Security Architect (@mortman) at two well-known companies also joined in the conversation and confirmed the headaches and resource drain these surveys cause.

This is just one of the opportunities that SOC 2 reports present to service providers and service auditors.  The reason these surveys exist is that security professionals know that SAS70 and SSAE16 are unreliable indicators of an organization's security posture.  User organizations figured out a long time ago that if they want confirmation of how secure their suppliers are, they have to find out for themselves, because a sufficient third-party attestation did not exist.

This is also where the challenge for service auditors lies, though.  In order to replace customer security surveys and customers exercising their "right to audit", the SOC 2 engagement and resulting report needs to be at least as thorough as the customer surveys.  That's not all though...there's some disturbing news.

In dialoguing back and forth with @ebellis and @mortman, it became apparent to me that they would prefer a kick-the-tires level of audit like SAS70 or SSAE16, and live with the security surveys.  That's a huge problem for service auditors.  Why might this be the case?  We went back and forth about stricter audits not being the answer, and talked about the transparency CloudAudit provides, but here's my analysis.  Service auditors have a lot of work to do to earn the trust of security professionals.  To quote @mortman, "Why trust auditors more than vendors?"  This problem also manifested in a SOC 2 audit clause that I blogged about in my post titled, "Do You Trust Your Service Provider's Auditor?"

This is an extremely damning statement that should be taken seriously by service auditors.  How in the world did we get to the place where auditors are not trusted?  I can tell you how I think it could have happened.  Could it be that conflict of interest has established a foothold in the risk assurance industry?  Please see my posts on the topic titled: "Conflict of Interest is the Root of Cheap Risk Assurance" and "What is the Value Proposition of Knowing My Son's Password?"


All of that being said, I still firmly believe that SOC 2 presents an opportunity for service auditors to win the trust of security professionals and help them reduce or eliminate the workload that answering customer surveys places on their daily lives.  Hopefully we will help them increase their productivity, and contribute to increasing their bottom lines.

The formula for trust is when expertise intersects with intent.  If auditors do a good job of matching security expertise with the service organization's intent of answering their customers' security questions, we will establish trust.  Service auditors and security professionals will not get there, however, with a business-as-usual approach and a "we can do it all" mentality, as I discussed in my post titled, "Don't Worry, I've Got This."

Upload a security questionnaire from your customers, and if you already have a SOC 2 report through one of our CPA firm partners, we'll map it to your SOC 2 controls for you.  If you have not had a SOC 2 engagement, we will map it to the Trust Services Principles and Criteria for you.  Just leave your contact information in the comments field.

_____
    UPDATE from Gene Kim



7 comments:

  1. Good lord, yes. I did a talk on this last year at Source Seattle... how hard it is to build a decent security program when auditors and questionnaires are trying to pound you into some best practice monstrosity that has no relevant bearing on what you actually do. http://www.sourceconference.com/seattle/speakers_2011.asp#rpompon

  2. Thanks for your comment Ray. Please let me know how I can help.

  3. Part of the problem is also that there is a risk organisation at the customer that has a job to do. If that job becomes SOC 2 check they will become obsolete.

    And I have no idea how SOC 2 is set up, but how free are you to fill in the blanks?
    With ISO27001 you can, to a certain extent, cherry-pick the relevant controls.

    If that is the same with SOC 2, then they will need to check how good your SOC 2 design is, and they will have to do the work.

    With the way it's set up now, they are the customer, so they can demand! that you fill in their forms, and these forms then feed into a nicely crafted response validation engine (I assume I'm the one filling in the long lists ;)
    And this will spit out one or more measures/follow-up questions.

    One benefit of any system is that you have done your homework, so you can fill them in as you have stuff in place (where stuff varies enough between customers to keep you busy).

  4. Franc, thank you so much for your comment. I agree, we'll probably never get rid of all the questionnaires, so let's make their job easier for them and the service organization. I'm willing to map the questionnaire to the service organization's control environment for free. I'm also planning to develop a tool that will do it automatically.

  5. I read this article, The Customer Security Questionnaire Killer; it was very informative and interesting. Believe me, I have never ever read this type of article. I refer your blog to many of my friends as well.
    Thanks for sharing knowledge.
    Questionnaire Questions

  6. Has anyone known of SOC 2 - The Customer Security Questionnaire Killer?


    Awesome security service
