SOC 2: The Customer Security Questionnaire Killer

Monday, May 07, 2012

Jon Long


Last week, I had a conversation with the Founder and CTO of Tripwire, @RealGeneKim on Twitter.  

Gene was lamenting the fact that each of his bank customers hands them a 300 question security survey to complete in order to prove that they are secure.  He said that they answered 1,000 of these in 2011 alone.    

I popped in on his timeline and said that a SOC 2 engagement, and the subsequent report, could help reduce or eliminate those surveys. He said he loved it because "300q surveys are like Distributed Denial of Service (DDoS) attacks on suppliers." This is a widespread issue facing CISOs and CTOs.

In fact, a CEO (@ebellis) and a Chief Security Architect (@mortman) at two well-known companies also joined in the conversation and confirmed the headaches and resource drain these surveys cause.

This is just one of the opportunities that SOC 2 reports present to service providers and service auditors.  

The reason these surveys exist is that security professionals know that SAS70 and SSAE16 are unreliable indicators of an organization's security posture.

User organizations figured out a long time ago that if they want confirmation of how secure their suppliers are, they have to find out for themselves, because a sufficient third-party attestation did not exist.

This is also where the challenge to service auditors lies. In order to replace customer security surveys and customers exercising their "right to audit", the SOC 2 engagement and resulting report need to be at least as thorough as the customer surveys they replace.

That's not all though... there's some disturbing news. In dialoguing back and forth with @ebellis and @mortman, it became apparent to me that they would prefer a kick-the-tires level of audit like SAS70 or SSAE16, and live with the security surveys. That's a huge problem for service auditors.

Why might this be the case? We went back and forth about stricter audits not being the answer, and talked about the transparency CloudAudit provides, but here's my analysis: service auditors have a lot of work to do to earn the trust of security professionals.

To quote @mortman, "Why trust auditors more than vendors?" This problem also manifested in a SOC 2 audit clause that I blogged about in my post titled "Do You Trust Your Service Provider's Auditor?"

This is an extremely damning statement that should be taken seriously by service auditors. How in the world did we get to the place where auditors are not trusted? I can tell you how I think it could have happened.

Could it be that conflict of interest has established a foothold in the risk assurance industry? Please see my posts on the topic titled "Conflict of Interest is the Root of Cheap Risk Assurance" and "What is the Value Proposition of Knowing My Son's Password?"

All of that being said, I still firmly believe that SOC 2 presents an opportunity for service auditors to win the trust of security professionals and help them reduce or eliminate the workload that answering customer surveys places on their daily lives.

Hopefully we will help them increase their productivity and contribute to increasing their bottom lines.

The formula for trust is expertise intersecting with intent. If auditors do a good job of matching security expertise with the service organization's intent of answering its customers' security questions, we will establish trust.

Service auditors and security professionals will not get there, however, with a business-as-usual approach and a "we can do it all" mentality, as I discussed in my post titled "Don't Worry, I've Got This."

Jon Long, CISA, QSA is a Senior Manager and Practice Builder at CompliancePoint and is currently championing an audit approach that allows organizations to combine multiple compliance requirements into a single SOC 2 engagement. Upload a security questionnaire here, and we'll map it to the Trust Services Principles and Criteria.

Cross-posted from The Risk Assurance Guy
