Does MJD offer SOC 2 readiness assessments?
A “readiness assessment” is a common exercise for your auditor to perform before a first-time SOC 2 project. Basically, you bring in the auditor and ask them to find “gaps” in your controls so you can fix them before the exam. It’s a perfectly normal and accepted procedure to complete for planning, but it’s a service we very rarely offer in the traditional sense.
I’ll explain why, but before I lose you, let me say we help all of our clients prepare and plan for the engagement. It’s basically a requirement for working with MJD; we just don’t call it a readiness or gap assessment because it is built into our process. Getting aligned with our clients and in front of surprises is one of the concepts the firm was built on. Our process achieves the same objective, so this may all feel like semantics, but I think it’s important.
The problem with “gap” assessments
If you are hiring someone with the objective of finding “gaps,” that’s exactly what they’re going to do. I have heard it in my career, “we can’t show value if we don’t find something,” which creates waste.
There’s also a bias problem in this scenario. SOC 2 inherently has no prescribed requirements, which leads to lots of decisions about the resources and spending needed to meet an objective. The auditor doesn’t have to spend that money or deal with the internal consequences but is exposed to risk if you have a problem with your security, which leads me to believe the auditor (including myself) would be the last person you would want making those decisions.
This all leads to misaligned incentives and bad decision-making. We’d rather consult and guide you than present a spreadsheet with a bunch of red marks you have to sort through.
Your auditor is not you
“The best I can be is Jamaican. And I’m telling you as a friend, if we look Jamaican, walk Jamaican, talk Jamaican, and is Jamaican… then we sure as hell better bobsled Jamaican.”
-Sanka, Cool Runnings
Cool Runnings is one of my favorite movies. It is a criminally underrated John Candy performance and reminds me of this very scenario. Stay with me; this metaphor is going to work well.
The movie's hero (Derice) has spent the whole film trying to copy the world-class Swiss bobsled team. The Swiss are the best - who can blame him - but he has damaged the team's culture as a result. And that is what can happen far too often with SOC 2 when it’s the auditor calling all the shots. It can change who you are.
We immerse ourselves in our clients’ businesses and understand them at a level that allows us to provide world-class service - but we aren’t you. We don’t stay up late at night thinking about new product features, fundraising, or how to keep the team motivated after you need to RIF 15% of your staff. So why in the world would you ask us to make intimate decisions like requiring background checks and performance reviews for you?
What you need is someone to present the information in a way that you understand and can execute. The second you receive a report from an auditor that says “gap analysis” on the title page and lists a bunch of findings - even if they’re labeled potential gaps or suggestions - it’s going to be interpreted as a set of requirements that you’ll anchor to and correct, which is the perfectly natural thing to do.
Flip the power dynamic
So, what do we do instead? Basically the same thing, but we flip the power dynamic.
Most of our clients work in cloud software and are using a compliance automation product (or we suggest one), which allows the technology to simplify the process. Those tools are designed by really smart people, we work with them a lot, and they get you most of the way there.
However, the challenge with compliance products is they weren’t designed specifically for you. Like any other SaaS product, they’re designed for a mass audience, and not everything will be relevant to you - so if you do it all, you probably have done too much.
So we ask that you get to a point where you know what you need to do, what you don’t want to do, and what you don’t understand, which is when we join the team. We encourage questions, but our involvement doesn’t make sense until the fundamentals are in place. At that stage, you’re ready, you’ve done your push start, and really just need some help guiding the sled across the finish line.
The movie Cool Runnings closes with (spoiler alert): the Jamaican team crashing their sled. It would be an easy joke to make to dispute the story here.
But here’s the thing. That team was flying down the mountain in a crappy old toboggan, and that is what let them down in the end - not the culture or the skills that got them there. That is exactly what used to happen with SOC 2. Clients are no longer constrained by a “rickety old sled” - there are really great tools to help get this done now - so the processes and systems of the past (i.e., like five years ago) may not get you across the finish line intact.
Thank you for reading. Peace be the journey.