How to Simplify Your SOC2 Journey - Episode 209

On this episode, unlock the secrets to making SOC 2 compliance a strategic advantage with host Todd Coshow and expert Adam Goslin. Learn how to streamline your process, leverage existing frameworks, and implement continuous compliance strategies. This episode is perfect for security leaders and tech founders looking to simplify SOC 2 and enhance client trust. Tune in to transform compliance from a burden into a superpower.


Episode Transcript:


We're gonna be talking about the journey, Adam. That's right, this SOC 2 journey and, most importantly, how to simplify your SOC 2 journey. So as we jump in, maybe you can let the folks know why SOC 2 feels so gosh darn hard.

Well, the major difference is just, you know, structurally in general, you know, compliance is an arena that can get messy. It's got a lot of manual engagement in it. It's overwhelming at times.


You know, SOC 2 adds complexity because it's not a checklist style of, you know, of a compliance standard. There's not some checklist that we go down, you know, check these boxes and hopefully, you know, hopefully get there. You know, at the end of the day, you know, folks are looking to make the process a little bit easier and, you know, we're here to help.


Sure, I appreciate that. Now for the novices out there, myself included, what is SOC 2, actually?


It's kind of a directional framework where there are criteria that, you know, criteria that need to be met. And so, you know, the kind of the job, if you will, the assessor's job is to kind of look at that directional framework, you know, of these criteria or objectives that need to be met.


And then they need to evaluate the kind of controls that the organization has put in place and the testing steps for those controls to validate, you know, has the organization fundamentally met the, you know, met the objective of the criteria of that particular section, you know, that, you know, the focus that is that aspect of the control set. So it's more of a directional framework and not nearly as prescriptive.


That's interesting. Speaking of prescriptive search, for the listeners of this show, they're more familiar with, say, PCI.


As you're looking at SOC 2 versus PCI, there's got to be a mindset shift, right? What's the difference, really?

Well, in the PCI world, and I mean, honestly, for a long time, the very first standard that I had to go up against was PCI. And in many ways, it's easier. If I want to go handle access control, then I do these 35 things, and I can be compliant. So PCI is far more prescriptive, and it's been that way for a long time.


Where other standards, you know, like we're talking about SOC 2 today, but HIPAA falls into a similar boat, you know, where it's more meet this objective. How do you go about meeting that objective? Well, you got to prove out that, you know, the things that you're doing for your organization are, you know, are in alignment with the criteria. So it's a different style of an approach to how to go about meeting the requirements of the standard.


Well, why does SOC 2 get so complicated?


Well, I mean, because when they've got, you know, where they need you to meet this criteria, right? Well, I mean, that'd be like me, you know, whatever. You're in California. I'm in Michigan, right?


Um, you know, I want you to lay out the route that one would take to get from California to Michigan. Well, I mean, shit, I mean, I go up the west coast, cut across by Canada. Uh, you know, like I go through Canada, I could, you know, cut the closest diagonal, I could decide to go on an East coast road trip, all of them are going to get me there, right? Um, you know, there's a million ways that you can go about doing these and, uh, you know, what I've seen on the SOC 2 engagements
