Why SOC2 Matters (Interview with Hayden Kerr)

The team at SyncEzy has been working through the compliance steps needed to progress towards SOC2 status and beyond. I caught up with Hayden Kerr from SyncEzy to hear (the simplified version) of their work and why it matters.

Hayden: As we have customers who depend on the software and technology that we provide, they need assurance that SyncEzy’s business, finance, IT, security and other associated processes are correct and validated in how we manage our customers’ data. SOC2 is System and Organization Controls. It is a voluntary compliance framework focused on key criteria around security, that is audited by licensed CPA’s. In layman’s; It states that we have processes in place such as peer code review, do we have a support desk, how do we hire new employees, etc.  There are two stages of SOC2. First is the Type 1 report, that is a line in the sand. It shows that we have processes and documentation to state what we do. Type 2 continues this, but over an observation period to ensure that we are following, documenting and reviewing our processes, continually.

Hayden: A lot of the processes and procedures are similar between them both. In fact around 60% is the same. The main difference, when looking at a high level view, is who completes the audit. As mentioned, we work with our audit partner, AssuranceLab for our Type 1 and Type 2 audits who are CPA certified. ISO certifications are from a recognised ISO compliant auditor. But often enough, these audit and compliance businesses provide both services.

Hayden: It is to give our customers confidence that we are following industry best practices. Not only do we state this as our intent and action, we have this verified by our audit partners. Customers in Australia and Europe tend to have stronger requirements for ISO-compliant business like ourselves, whereas SOC2 is stronger and more widespread in the United States. Our growth has been in the North American market and these customers have been asking for this.

Hayden: Security and compliance implementations are not just documentation and process; they are a cultural change in the way that people and teams work.  Every team member has to understand the reasons why we are tackling this. Getting the team from the top down, to step back, review their processes and document steps and changes hasn’t been difficult, but it presents a new muscle that our business has had to build, and sometimes this can be a challenge. It can slow down releases, but in the end, allows for a better, more secure and structured product.

Hayden: In my opinion any business that develops software should attain SOC2. Compliance is not required for business by governments, yet, but wouldn’t it be better to be on the front foot and have it in play? Smaller businesses that are service based can gain a lot from attaining ISO 9001 accreditation which outlines the Quality Management System framework. These help tighten up their project and service processes, as well as similar steps for the other business processes that can impact projects, such as finance, HR, etc.

A business should ensure that their cyber security practices and risk exposure are documented. Attacks and hacking on business is increasing evermore, especially during Covid, where remote work took hold. In Australia, as part of the Australian Cyber Security Center, they have documented the Essential Eight maturity model, as a suggested framework that outlines strategies to mitigate cyber security incidents. Good for any business to align with. Essential Eight Maturity Model | Cyber.gov.au
There is a lot in there, but one of the best ways to get in-check with the process is with an Australian company that focuses on small business and cyber security. Cynch.com.au. They have an excellent platform, that allows you to self check your business and get the latest updates and security alerts focussed to the local market.

Hayden: Know that it is going to take time, and understand that the journey is a circular movement every year. Having the managers and team members as part of the process really helps cement the requirements.

Hayden: A good strong coffee. Always helps! To collate and ensure that all our policies are reviewed, checked and maintained along with risk registers, and other information security documents  we use TugBoat Logic platform. To create our workflows and processes maps, I use Miro. The collaborative documentation and review processes makes it so easy. Plus I can link to a specific spot within a board. Curricula for our security awareness training; it makes security fun. The rest would be the standard suite of office productivity tools such as spreadsheets and word processing tools.

Hayden: We have attained our SOC2 Type 1, and have an observation period over the next 9-12 months, where we log what we do. This is never ending, and as mentioned above, it is a business culture change that we have to make to ensure that we keep on this. As our markets grow in non-United States markets, such as Australia and Europe, we may start the process for ISO27001.