Hari Iyer | SyncEzy

CEO
5 Min Read
Aug 17, 2022
Why SOC2 Matters?

The team at SyncEzy has been working through the compliance steps needed to progress towards SOC2 status and beyond. I caught up with Hayden Kerr from SyncEzy to hear (the simplified version of) their work and why it matters.

Hayden: As we have customers who depend on the software and technology that we provide, they need assurance that SyncEzy’s business, finance, IT, security and other associated processes are correct and validated in how we manage our customers’ data. SOC2 is System and Organization Controls. It is a voluntary compliance framework focused on key criteria around security, that is audited by licensed CPAs. In layman’s terms, it states that we have processes in place such as peer code review, whether we have a support desk, how we hire new employees, etc. There are two stages of SOC2. First is the Type 1 report, which is a line in the sand. It shows that we have processes and documentation to state what we do. Type 2 continues this, but over an observation period to ensure that we are following, documenting and reviewing our processes, continually.

Hayden: A lot of the processes and procedures are similar between them both. In fact around 60% is the same. The main difference, when looking at a high-level view, is who completes the audit. As mentioned, we work with our audit partner, AssuranceLab, who are CPA certified, for our Type 1 and Type 2 audits. ISO certifications are from a recognised ISO-compliant auditor. But often enough, these audit and compliance businesses provide both services.

You're in the process of getting SOC2 certified, what made you want to start this journey?

Hayden: It is to give our customers confidence that we are following industry best practices. Not only do we state this as our intent and action, we have this verified by our audit partners. Customers in Australia and Europe tend to have stronger requirements for ISO-compliant businesses like ourselves, whereas SOC2 is stronger and more widespread in the United States. Our growth has been in the North American market and these customers have been asking for this.

What's been the hardest part of the certification path?

Hayden: Security and compliance implementations are not just documentation and process; they are a cultural change in the way that people and teams work. Every team member has to understand the reasons why we are tackling this. Getting the team, from the top down, to step back, review their processes and document steps and changes hasn’t been difficult, but it presents a new muscle that our business has had to build, and sometimes this can be a challenge. It can slow down releases, but in the end, allows for a better, more secure and structured product.

What type of company would you recommend to get SOC2 certified ASAP?

Hayden: In my opinion any business that develops software should attain SOC2. Compliance is not required for business by governments, yet, but wouldn’t it be better to be on the front foot and have it in play? Smaller businesses that are service based can gain a lot from attaining ISO 9001 accreditation, which outlines the Quality Management System framework. These help tighten up their project and service processes, as well as similar steps for the other business processes that can impact projects, such as finance, HR, etc.

A business should ensure that their cyber security practices and risk exposure are documented. Attacks and hacking on businesses are increasing ever more, especially during Covid, where remote work took hold. In Australia, the Australian Cyber Security Centre has documented the Essential Eight maturity model, as a suggested framework that outlines strategies to mitigate cyber security incidents. It is good for any business to align with. Essential Eight Maturity Model | Cyber.gov.au
There is a lot in there, but one of the best ways to get in check with the process is with an Australian company that focuses on small business and cyber security: Cynch.com.au. They have an excellent platform that allows you to self-check your business and get the latest updates and security alerts focussed on the local market.

What are your top tips for other companies going through the process?

Hayden: Know that it is going to take time, and understand that the journey is a circular movement every year. Having the managers and team members as part of the process really helps cement the requirements.

Do you have any additional tools that you found that helped you complete some of the steps?

Hayden: A good strong coffee. Always helps! To collate and ensure that all our policies are reviewed, checked and maintained, along with risk registers and other information security documents, we use the TugBoat Logic platform. To create our workflows and process maps, I use Miro. The collaborative documentation and review processes make it so easy. Plus I can link to a specific spot within a board. We use Curricula for our security awareness training; it makes security fun. The rest would be the standard suite of office productivity tools such as spreadsheets and word processing tools.

What's next?

Hayden: We have attained our SOC2 Type 1, and have an observation period over the next 9-12 months, where we log what we do. This is never ending, and as mentioned above, it is a business culture change that we have to make to ensure that we keep on this. As our markets grow in non-United States markets, such as Australia and Europe, we may start the process for ISO27001.

Author

Hari Iyer | SyncEzy
CEO

Hari Iyer is the Founder and CEO of SyncEzy, a pioneering company at the forefront of data integration and automation solutions. With a deep understanding of the power of technology and a passion for solving complex business challenges, Hari has emerged as a visionary leader in the industry. His relentless pursuit of excellence and commitment to delivering tangible results have earned SyncEzy a loyal global clientele.

He is not only a successful entrepreneur but also an active contributor to the technology community, sharing his insights through thought leadership articles, speaking engagements, and mentorship programs. Hari’s ability to navigate the complexities of remote work serves as an inspiration for leaders, highlighting the importance of flexibility, work-life balance, and a results-oriented approach in today’s evolving work landscape.

Under his guidance, SyncEzy has gained widespread recognition for its deep integration solutions that seamlessly connect software applications, eliminate data silos, and enhance operational efficiency.

When not working, Hari is trying to be a better father, reading tech news, playing FPS games, and not exercising as he should.