SOC-in-a-box is the idea of receiving a SOC2 report by performing tick-the-box exercises that do not lend themselves to genuine, continuous security compliance. This phenomenon has led to the commoditization of SOC2 reports, with an expedited “achievement” of a “clean” report possible within less than a month when “leveraging” an auditor prescribed GRC automation tool. The use of quotation marks aims to be indicative of my skepticism - but if you are not skeptical of this, if you are not concerned by this, what does that say about you as a GRC practitioner?
If you are a security compliance professional, what are your two key priorities? I suspect most will be in agreement here, although not necessarily regarding the order:
- Enable business operations by ensuring Compliance obligations are met (/ensure compliance does not impede business)
- Ensure data is secure and effective controls have been established and implemented.
Assuming you agree that those are your two priorities, and the order is not important (for the sake of this discussion), here is another consideration: one should not come at the expense of the other!
The SOC-in-a-box phenomenon requires you to sacrifice true security compliance, in order to prioritize “business enablement”. If you embrace this approach, what you are saying is that you are willing to cut off a limb to save the body…but it’s a needless act. The cost of the sacrifice is immense, so much so that it goes against the essence of our GRC being - risk management.
Everything a security compliance professional does is some form of risk management. When undergoing an external audit, there is a two-fold benefit - firstly, a report/certificate as an outcome reduces the risk that noncompliance will become a business blocker, and secondly, third-party endorsement that controls are effectively implemented give validation to existing risk management practices. So, what is lost when a SOC-in-a-box audit is performed?
It’s a bit of a chicken-egg question, I am not sure which comes first. Either a lack of effective control implementation leads to the contracting of third-party control validation that lacks depth and quality, or the contracting of a SOC-in-a-box audit firm leads to lax control implementations. Either way, risk exposure increases. So, in performing an act that’s very essence should aim to reduce risk, the opposite in fact occurs.
At risk of sounding like both an idealist and a crying baby,I will concede that for many organizations, sales motion > security motion. At the beginning of an organization's journey, this is almost always the case. However, as an organization’s customer base grows and, in turn, the need for customer trust, the balance tips back into equilibrium. My real concern is, has this equilibrium been forgotten about?
{{banner-image}}