$50K is too high, unless you had a lot of actual process gaps to fill initially and are counting staff time in that. Also, expertise isn't really that important - honestly the auditors are often (not always) minimally trained and often don't have much experience in cloud. Having someone on staff who truly understands your unique system and processes and can articulate and document how it is (or is not) operating securely is a better use of money. Spend the $50K on actual security (training, code reviews, red team exercises, learning about TTPs and allocating time in the dev and QA cycles for these considerations).
As others have said above, the compliance part will be a by-product and will essentially fall in place modulo some extra documentation effort (which can be heavily borrowed from templates).
Vanta and StrikeGraph etc no doubt will make it more convenient to follow best practices and scaffold your continuous monitoring, but I see it as a nice to have, not a must have.
This is pretty much where I was coming from too, although better articulated. I do see value in the structure of responses, but if we have already done everything we need to, then we should be able to respond to the audit formulaically.
Though seeing the other comments that Vanta + audit is cheaper than audit alone is an interesting quality and may change the initial defensive rejection I have for receiving cold contact mail on non-public addresses (which means they also buy harvested data).
The policy docs are just filler. Auditors never look at them in any detail. They look for the last revised date and last review date. I bought a $150 bundle online and submitted it as-is without even replacing a single parameter, and the audit went fine.
But Vanta/Tugboat won't actually do the reviews and training and HR and executive reviews you need. Basically their deal is that they cut volume discounts with the audit firms and then take the rest. They have nice dashboards, don't get me wrong, but only their hand-picked auditors will accept them. Others will require you to manually package up the same evidence anyway and upload it to their IRL evidence system.
Vanta at least made me sign a separate contract with the auditor, so I’m not sure they’re making money on the difference. The policy docs indeed don’t seem very closely scrutinized, and I’d prioritize the service that can automate more for you. Vanta provided its own client monitoring application which exists alongside JAMF and seems to cover the same controls.
It's more that there is a market price for SOC2 that auditors can charge, and they are adding $20-25K to the price tag, so they need the auditors to subsidize that. At least when I talked to these firms, you could not bring your own audit firm. You had to go with theirs. Nothing wrong there, and kudos to them for innovating on the pricing/biz dev, but you can pocket those savings yourself by negotiating the same price drop directly with the audit firm, and using your own scripts or open source to collect evidence. Vanta and Tugboat have nice UIs, definitely. It's just the difference between buying a Honda vs. a Mercedes. Not everyone cares about paying the lowest amount for a solution. If your budget affords high-end convenience, go for it.
Christina, Vanta founder here. Can confirm we don’t make money on any difference, and no money changes hands between us and auditors. It’s just a lower price for customers.
Definitely paying too much at $40K/$30K. Audit firms will cut their costs - don't take their first offer, it's a negotiation. Renegotiated down every year... they will want to reduce churn. Also, there are open source versions of Vanta and similar, but those aren't really necessary - helpful - but not necessary. Same for pentests - I have had this conversation many times with SOC2 auditors, asking them to show me where it says you must have a pentest - many SOC2s later, never had to have one. That said, customer contracts may require it, and some even specify the firms or onerous requirements for the chosen firms. We often argue Red Teaming exercises are better and win with that. I'll post a list of cost saving ideas up if anyone is interested. As for ROI - SOC2 is really only a sales enablement tool, nothing more. So it's really how many enterprise deals you will lose without SOC2 vs. how many you will win, and at what revenue. You can also negotiate transparently with your customer - most will say they want SOC2, but then if you add in extra cost to cover it, they back off. Until you have a 100K+ recurring (3 year ideally) deal ready to walk away, push back hard and be transparent with them on the added costs for paperwork. Offer to have a call with their security team and walk through your real security processes instead. Most customers are reasonable once you get past the outsourced procurement team. It helps to have a business sponsor who can cut through the red tape.
OK, will do - I will also post an actual (sanitized) Type 2 IRL so we can dispel the mystery and the need for experts. It's all straightforward stuff. But give me 24 hours since my family is giving me cross looks at spending more time online than with them on a holiday weekend ;)
From what I see, and do, people just go there early AM, 5 min before it opens.
Avoids the folks who flock around the free handouts at lunchtime. Parking is easy. But you can’t wait even 1/2 hour past opening. Get in right as it opens.
Ditto for fish in Hawaii. We tried both a local “fresh off the boat” market and Costco on the same trip and Costco was definitely higher quality for local caught fish.
I dunno about majority internal vs shoplifting, but I saw a Kroger internal report once that ~2% of revenues were lost annually to "loss". It was not broken down by category, but it was the preface to a 4 hour presentation on employee loss prevention techniques, so I'm connecting dots...
Remembering my chats with loss prevention at Walmart while I worked there: by volume, customers are the worst overall, but employee theft is the worst per person. Thus catching one employee thief represents several thousand in losses. Meanwhile customer theft is dealt with in a more bulk-like fashion.
Left unchecked, employee theft can scale. Think of a cashier skimming cash, or a customer service person colluding with a friend to return junk. Both customer and employee theft require stoppage, but employees are tough because they are trusted by default.
Juice the limes; mince the onions in a Cuisinart. Freeze in 1-4 cup restaurant-style containers you can get at any restaurant supply store.
We also BBQ 3 racks of ribs, 4 whole chickens, two 3-packs of chicken breasts (about a dozen breasts), 3 packs of chicken legs, and 12 pork chops at once one day every 3-4 months. Use a big spice mix from Costco. Everything is usually organic (pork is often not organic though... the butcher told us there simply are not enough organic pork producers in the US).
We sometimes invite friends and split the finished goods. Drink Costco craft beers and premium wine during prep and BBQing. (It helps to have 2 large grills.)
Wrap dinner-sized portions for your family size in foil (also sold at Costco, of course), label with a Sharpie and freeze. Dinners ready for months!