GRC Destroyer #2: What is Trust? Make SOC 2 public, you won't. & People I like!
Trust is really marketing + sales ops. Trust is an industry. Everyone loves Trust until it's time to do Trust. Trust needs to be done smarter.
It’s hilarious to me in 2023 that I still see Trust Centers that don’t make any sense. It’s a no-brainer to nail this section of the site for any SaaS company that’s trying to close deals. I’m going to explain in 4 minutes the following:
What the competent 2023 Trust Center should look like
Why IMO a SOC 2 report should be public-facing
Harsh realities and some costs
The Ideal Trust Center
Every industry is different, but I think there’s a logical baseline, shown below. Make it organized and logical for someone in third-party vendor risk. The layout needs to be sexy.
Other stuff I missed in that pic above ^^^
Bug Bounty Program
Link to SLAs: availability, uptime, real-time monitoring
FAQ section: good for GDPR and other nuanced compliance frameworks
Info on CISO??
Who to contact: “privacy@company.com”, “security@company.com”
Pen tests: only if findings are fully remediated, and these should be access-gated
The industry trend that I can get behind is to make these resources clickable but behind a gate for access. I wish they could all be in the open to show the utmost amount of transparency; however, the gate at least lets you track who accessed what. The biggest shortcoming in Trust is everyone gatekeeping their stuff. I understand there could be risks to oversharing, but a lot of this stuff is so high-level that it really doesn’t matter who gets their eyes on it. The hackers are still gonna hack, but the third-party risk pigeons need to do their due dilly. And this makes deals go down easier while showing the vetters you know what you’re doing.
SOC 2 should be public-facing. Don’t yell at me
In 2023 a SOC 2 is a dime a dozen. It’s really just a ticket to play ball. Let’s briefly look at the info in a SOC 2, and you try to rationalize why these reports are labeled “Restricted Use”.
DISCLAIMER* - This is an opinion piece, not official advice. There are dozens of situations where this doesn’t make sense. I’m speaking through the lens of a SaaS company with a clean SOC 2 Type 2 report.
In my honest opinion, none of this info seems to put the company at risk. In our crazy world I don’t care if someone puts this report under a magnifying glass… I’m gonna have to fill out a 100-question questionnaire anyway. I’d like to restate: the hackers are gonna hack. Just because an auditor verified you have MFA enabled isn’t going to give a bad actor an edge.
Feel free to disagree - drop me a comment. Teach me something.
The real risk is that the days or hours it takes to get this report to a customer add directly to the time it takes to close the deal.
Harsh Realities and Costs
Harsh Realities
Even if you nail the Trust Center, customers are still going to send you a security questionnaire.
Third-party risk teams are often too lazy to look at the documents and find the answers themselves.
No one reads a SOC 2 anymore; they just make sure you have one.
You need a multi-tiered strategy to get this info to customers quickly and win deals faster.
Costs
SOC 2 pricing has insane ranges depending on the audit firm. Everyone already knows: $20k to $75k+.
A Trust Center tool is ~$20k standalone. Many compliance vendors are starting to bundle this feature into their platforms.
A Security Questionnaire Automation tool is $30k-$50k.
People I Like!
Jake Bernardes - CISO of Whistic and a huge advocate for transparency in Trust
Ayoub Fandi - Great take on this topic
Val Dobrushkin - Amazing article on this topic
I'm with Jack on this, mostly because I sit in a marketing seat and cover Zero Trust. Trust is also perception-based, and for it to have more meaning, it needs some sort of standard metrics that remove ambiguity from what that means on paper.
COSTS: There are all-in-one tools like OSTENDIO that reduce this cost and eliminate redundancy in workloads to stay compliant on all standards. The efficiency gains in managing an organization's Security, Risk, and Compliance programs have been documented by customers for 10 years and have proven to provide 84% efficiency (time) gains in the management of the program. The industry continues to throw technologies at a problem when in reality it's a human time issue. SOC 2 has little to no value. But operationalizing a program to guarantee everyone is secure and compliant... now that's revolutionary. My education: stop thinking in the black-and-white TV world that GRC has lived in for decades now and start living in a colored TV world.