I have now been asked for a SOC2 Type 2 report by a potential customer. I have a vague idea of what it is. Reading about the auditing process feels quite strange when I am the only one in the company. Do you have any ideas on how to proceed? I do not even know where to start.
Thanks
Sometimes that makes sense. Other times it doesn't. If you're a one person shop and the new market segment is generally served by multi-employee firms, then it is probable that your business structure is unsuitable for the new market segment. If for no other reason than that preparing a SOC2 is an additional marketing expense for you and not baked into your previous cost structure.
On the other hand, maybe it is a market segment that you want to enter. However, odds are that the market is relatively efficient and there is a reasonable alignment between market size and the number of people providing services to meet its unique requirements. It is also probable that the customers in that market have existing business relationships with existing providers.
Or to put it another way, entering an established market segment is typically a long-term process and requires a meaningful commitment of resources before profits are likely. Often, small shops are used for price comparison and beating down the company that was always going to get the contract. It's worth being cautious when a prospect educates you about your own business because it means the prospect might not have a high opinion of your KSAs in regard to their needs. Good luck.
I have been in your shoes where I ran a small company and got an opportunity (eventual deal) with a large Fortune 500 firm and they were asking me for SOC and ISO type reports early on. I was up front with them and said I was happy to share all the details of why I felt we were meeting those requirements, but I couldn't justify the tens of thousands of dollars to assemble and have audited these standards and reports at the time. Essentially they had their typical vendor checklist they were looking at and just asked because it was on the checklist. Once I went through the details, they were pretty understanding and helped me get them the information they needed to demonstrate compliance without us having to go through the insanity for a small company that some of these standards require.
https://www.digitalocean.com/community/questions/is-digitalo...
> Our NYC2 facility is SSAE16 SOC-2 Type II certified.
> Our NYC3 facility is SSAE16 SOC-2 and SOC-3 compliant.
Instead, tell them that if the SOC2 is required to sign a deal with them, you want to resolve all other due diligence first, and sign a preliminary contract stating that if you then perform a successful audit, they will become a customer. At that point, you aren't putting the money into a sales lead, you are taking on a large step to on-board a new large customer.
I noticed in your post you mention that your clients are really big companies. Which leads me to wonder how you haven’t seen a SOC2 request yet as it’s fairly prevalent among larger clientele.
The real answer here lies in what you're offering and who your target client is. If they're large clients, going through a SOC2 audit and compliance cert is more than worthwhile, as you've likely been lucky so far in not needing it. You're going to need it once you've hit that stage where you aren't just selling demos to team leads anymore and are actually negotiating contracts with legal departments.
I have 2 buddies that have built SaaS type solutions for enterprise (both ex enterprise engineers building solutions for the same jobs they left) that are solo and have gone through SOC2 because the clients they're selling to require it.
The real answer to this is more about who you're building for and selling to.
At the end of the day, it'll be an annoying process, but not overly complicated for a 1-person company to go through. It's largely documentation based, most of which is easily copy-pasted from a template all the overpriced consultants use. I don't mean to downplay the integrity of the cert; it's that the experience for just you isn't going to be the compliance nightmare that it is for large teams of people that need to worry about door access control or group policy defaults.
As long as all of the underlying tools and platforms you use are also compliant, your audit will be easier. Just plan to have to spend a TON of time in MS Word.
We've looked into companies that help with this stuff, and usually it's around 50k to get setup, and a minimum of 20-30k annually to get "re-certified" with a SOC2 report.
There's a newer SaaS company that claims to help with this sort of stuff called Vanta. Haven't looked into them, but I've been meaning to. https://www.vanta.com/
Please understand that it's almost irrelevant whether your cloud provider has a SOC2 report. SOC2 reports are centered around your internal processes, your organizational procedures, how you store and protect data, etc.
- Take a look at replicated.com, enterpriseready.io and https://github.com/enterpriseready/enterpriseready.
We do this for our SaaS business whenever we are asked by larger prospects, but we don't deal with very sensitive data.
First, some wrong answers:
1. "Here is the AWS SOC2 report". Your cloud provider is just a vendor, and sending your vendors' boilerplate is unrelated to your security posture. Saying this will signal that you don't know what SOC2 is, or what they are asking for, and everything you say after this will fall on deaf ears.
2. "We don't have this as we focus on innovation and speed". For infosec people, this is the same as an aspiring F1 racer saying they never got a driving license for those reasons.
3. "We are small, and we don't need this for our operations". This is also a signal: there is no documented knowledge, repeatable processes, backups, worker redundancy, risk management, or any operational planning. "Now, can we have your data?"
If you accept SOC2 as a necessary evil in your new life, you'll need to set aside ~$30k and 100 hours over the next six months to get a Type 2 (there is no "certificate" for SOC2, that's not a thing). The absolute minimum would be four months, and for first-timers, it might take 8-10 months.
But we're talking about a signal here - to show that you take security seriously. One right answer could be something like this - "At StartupCo, we are deeply committed to information security. Our customers trust us with sensitive data because we designed our ISMS based on the industry's best practices and recommendations from CIS and NIST. Our infrastructure is designed around the principle of least privilege at every level - firewall rules, network permissions, server configuration (based on CIS Level 2 benchmarks), IT user accounts, and even our internal Wi-Fi routers. We encrypt all data at rest with AES-128, and in motion with TLS. All data access, including admin access, is logged off-site, and our IDS/IPS systems automatically report any unexpected activity. Next on our ISMS priority list is to engage external auditors to obtain 3rd party attestations, starting with SOC2. In our current schedule, we plan to receive the Type 1 report in Q1, followed by Type 2 in Q3".
Assuming your operations are sound and everything you claim is true, this will give the big company a clear signal that you understand security. You are committed to this. You have a clear pathway to external validation, and they have plausible deniability.
As much as startups boast about scaling, Enterprises do things "at scale" by default. The only way that works is if you have clear rules, and your people follow those rules. "Require SOC2" is one of those rules. It's not a bug; it's a feature that discloses which players understand the game. Play by their rules, get paid.