Note: This is the final part in a series of blog posts Alliant will publish on its experiences achieving SOC 2 certification. You can download the entire series here.
Compliance with standards must be documented and must withstand annual audits. Changes to the network must be evaluated and tested. New bugs and vulnerabilities in software must be fixed. New requirements must be accommodated, indefinitely. All of this requires ongoing effort and material investment.
Ultimately, though, this is the right choice — if your organization intends to retain the privilege of accessing and maintaining consumer data. At Alliant, we consider our security spending to be a foundational investment in being a trusted link in the secure data supply chain.
There’s no way around it: obtaining a qualified third-party auditor is difficult, and not cheap. Beware auditors that merely “align” with ISO standards, or auditors that will only “review” your policies and procedures. You need to find auditors that are certified to assess against the specific standard you are seeking. If you want to become SOC 2 certified, for example, you need an accounting firm to audit you.
Companies that can document their security posture are well positioned in the current marketplace to meet evolving client requirements. Since data owners can be held liable for vendor negligence in handling confidential data, entrusting PII to a third party that lacks data protection measures can embroil them in regulatory action and lawsuits. For this reason, many organizations now require that companies handling their data demonstrate objective proof of reasonable cybersecurity measures.
Consumers and lawmakers are also, rightfully, concerned about mismanagement of personal information. There will likely be more lawsuits and more laws in 2019 related to privacy, information disclosure, and breaches than in any prior year. Companies that audit their data flows will substantially reduce their chances of a breach, and will be able to provide evidence of reasonable security practices. These companies will also gain a head-start on new compliance regulations, as compared to companies that are waiting for regulators to define minimum legal standards.
It is clear that enough companies are taking privacy and data security seriously that we are going to see a “new normal” in 2019. Companies that take cybersecurity seriously will band together and keep data within secure infrastructure, while companies that are not continually improving will find themselves shut out and left in the cold. Sharing information with organizations that cannot reasonably safeguard it will increasingly be seen as unreasonable, on par with failing to lock the building doors at night.
As companies that can trust each other band together, highly secure information sharing and security practices will increasingly become the norm. If your organization wants to be a part of this 21st century transformation, you’ll need to prove you can play. In the digital age, leaky pipes can affect the entire pipeline. And those that won’t shape up will be cut off.
This is my perspective, from having shepherded the organization I work with through an audit. It was a rewarding experience, both professionally and personally, to ensure that the information we keep on behalf of our clients is objectively secure. We may not be required to reach these standards, but the people I work with were happy to push themselves to reach them. We all take our responsibility to the data seriously. If you feel the same way, or have questions about the process, please contact me. I’d be happy to answer any questions you have about the process or the results.
*This post is provided for informational purposes only and is not legal advice. Each organization should work with qualified counsel to understand its obligations and opportunities for improved data quality and approved certifications.
What is SOC 2?
SOC 2 is an auditing procedure that verifies a service provider securely manages data to protect its clients. For security-conscious businesses, SOC 2 compliance is a mandatory requirement when selecting a service provider. The SOC 2 standard is based on the criteria outlined in the Description Criteria authored by the AICPA, the American Institute of Certified Public Accountants.