In This Episode
Join us for Episode 29 of Mighty Finsights, where Rory Holland interviews Jack Macy, founder and COO of CSTMR, and Alex Bates with Dark Rock Cybersecurity about the journey CSTMR took to achieve SOC 2 compliance. They explore the importance of SOC 2 for building trust with clients, the challenges faced during the process, and the benefits of being a certified vendor in the financial services industry. The conversation also covers the selection of the right SOC 2 partner and offers advice for organizations considering pursuing SOC 2 compliance, including why it’s helpful to have an expert coach to guide you through the process.
Key Takeaways
- SOC 2 compliance is an excellent way to improve organizational health and build client trust.
- CSTMR’s proactive approach to SOC 2 is unusual for service-based businesses, especially agencies.
- The SOC 2 process helps formalize risk management practices and “harden” security protocols.
- Data breaches incur significant costs and reputational harm for organizations.
- Selecting the right SOC 2 partner will make a big difference in your experience and the quality of your results.
- Investing in compliance should be viewed as a long-term strategy.
- Training and educating the organization as a whole is key to successful implementation.
- SOC 2 is a report of compliance, not a “certification.”
Episode Introduction
Rory (00:02)
All right, hello and welcome to this special episode of Mighty Finsights. I’m Rory Holland, your host and founder and CEO at CSTMR. With me today, I have two special guests. First, my friend and co-founder of CSTMR, Jack Macy. And Jack and I have been building financial and fintech brands for more than 15 years now. So Jack, awesome to have you here.
Also with us today is Alex Bates, owner of Dark Rock Cybersecurity, a consultancy offering customized cybersecurity solutions for small businesses. Alex worked alongside us to help CSTMR with our SOC 2 process and we’re excited that he agreed to appear on Mighty Finsights.
So in today’s conversation, we’ll be discussing the process we recently went through here at CSTMR to achieve our SOC 2 compliance and what we learned along the way. Gentlemen, really, really grateful to have you guys here today. Thanks so much for coming on the show. Honestly, SOC 2 can feel intimidating, particularly when I think about when we decided to enter into it here at CSTMR.
And intimidating for a lot of folks in our industry, I suspect, as well. And I’m looking forward to sharing with you guys, and with those that are listening, the experience that we went through and hopefully make the topic more accessible and a little bit less daunting. And we’ll be covering some great questions, including how to decide if SOC 2 is right for you and your organization, why CSTMR decided to pursue SOC 2, and then some of the biggest challenges our team faced in the process.
And before we dive in, I’m just gonna read exactly what SOC 2 actually is, for those of you who might be wondering. And the reason why, part of the reason why we entered into it, is it helps organizations build trust with their customers and stakeholders by demonstrating that the organization has robust security practices in place to safeguard sensitive information. So with all that, I’m gonna jump right in. And Jack, I’d love to start with you.
Jack (01:58)
Yeah.
Why Did CSTMR Pursue SOC 2?
Rory (01:58)
Why did we as a marketing services agency feel SOC 2 was essential for our company’s health and our clients’ protection?
Jack (02:06)
Yeah, it was, like you said, a conversation we had for a while that really felt like the right choice once we got into it, but it felt a little daunting as we started to have that conversation. So we really recognized that there were two things that were the main reasons for us, and that it was an unusual step for a services-based agency to take. But we felt it was important enough for two main reasons. One was really to look after our own organizational and business health for CSTMR. So ensuring we have risk management practices and guidelines in place for the systems we use, the team that uses those systems, and for our clients. So on one hand it’s protective of CSTMR and protective of our clients. It’s also educational in the process, I think, for our team to really understand what’s expected of them as a vendor for our clients and what level is required in order to meet that expectation. So that was really great. The second main reason, I think, was really that we wanted to reinforce our commitment to financial services companies. We provide them with marketing services, with branding, with data services through marketing that… We want them to see us as a trusted vendor and understand that we take risk management seriously, that we can be trusted, and that we care deeply about our work with them. I think those two were really the driving factors for us. And this was really forward looking. We wanted to look into the future to see what we want CSTMR to be and what type of client services we want to provide well for years to come.
Rory (03:52)
Yeah, thanks Jack. Alex, welcome my friend.
Alex Bates (03:55)
Thanks, thanks for having me, Rory. This is awesome.
The Importance of SOC 2 for Professional Services
Rory (03:58)
All right, so from your perspective, maybe discuss a little bit about why SOC 2 matters for professional services organizations or other organizations for that matter.
Alex Bates (04:08)
Of course, and thanks again for having me on Mighty Finsights. I think this is gonna be exciting. Hitting on a few words that Jack said. We’re gonna keep using the word trust because it’s gonna be the buzzword of today’s meeting, but ultimately just boiling that down, business inherently is made because we don’t trust each other. That’s why we use a known currency. That’s why we ultimately do month-end reconciliations, transparency reports. Everything that we’ve created is ultimately, at the end of the day, to create visibility and to say, should I go with company A versus company B versus company C? And so diving in on that word trust, the reason why a SOC 2 was ultimately created, because it’s a little bit different. It’s not necessarily pulling on the financial statements. It’s not necessarily pulling on the ethics and board composition. It’s really diving into security and the availability and confidentiality of all that data that ultimately companies are handling. And so in CSTMR’s situation, ultimately, your goal when you’re working with some of your financial customers is to level up, is to basically say, you can trust me because of X, Y, Z. And in today’s current measure, the SOC 2 is very much that vehicle to help accomplish it. Diving into some of the other considerations for financial companies as well as the industry as a whole. As you know, finance runs on compliance. As I mentioned, some of those opportunities for reporting, for Schedule Ks, just everything that goes into the end of year getting ready, this is where we ultimately go through SOC 2s, SOC 1s as well, to see what are these reports that help our stakeholders as well as our customers understand how we can better make decisions to support our own investments down the road. And so I would say, just diving into it, it’s the biggest top A to Z to give your clients an understanding of what you do as well as understanding how you do it in a secure manner.
Rory (06:09)
Yeah, and then the financial services and fintech clients that we serve. Historically a lot of professional service agencies haven’t pursued this, and we talked a little bit about this, Alex. I’m curious, when you think about the industry that we serve, security is a requirement. It’s how they have to operate, but then they have third-party vendors, partners, others like professional services firms, whether that’s marketing like CSTMR or other types of services that might be provided. When you think about that, and that security is a requirement for them, what has been your experience working with professional services organizations, maybe like CSTMR or adjacent to us, when they think about pursuing SOC 2, and what is the process they go through? Because there’s probably so many different experiences you could share.
Challenges in Achieving SOC 2 Compliance
Alex Bates (06:55)
Of course. And just to kind of reiterate what you were saying there, Rory. CSTMR as a whole, there are no regulatory requirements driving you to do this. So I do have to just give you guys some major props here, because this was a proactive compliance adjustment which just positioned yourself completely differently in the market than some of your peers. So I do have to just say that is a fantastic opportunity that was very much taken advantage of by you and Jack. One of the things that is really important to understand when looking at, when understanding your third parties, when understanding your own clients, is ultimately you create your own ecosystem. And so, similar to a sports team, when you’re looking for that nice free agent pickup that would really help round out your offense or really give you that lockdown corner for defense. You want the same with your business partners as well. You want to make sure that they have the right pedigree, that they’ve done the right stuff, they’ve performed the due diligence and they’re also maintaining the due care. And so I think, just from the consideration of looking into a gold standard go-to-market compliance certification like SOC 2, I think that just shows it wasn’t just the foundational check-the-box activity. It was a let’s-make-sure-we’re-positioned in the market, in the race. So there’s basically nothing stopping CSTMR from being a trusted partner for their clients. But then kind of looking at your industry as a whole. I do have to say, and Jack and Rory, we’ve talked about this a little bit as well, you guys are mavericks in that sense. Just going back to that point, there was nothing driving you to do this, except, you know, being able to demonstrate trust, you know, and that transparency.
And so when looking at that, specifically with some of the crackdown that is coming down from regulatory bodies as well, you know, you have the SEC in the United States where they’re really starting to pop the lid over disclosures. You know, what happens when there’s a security incident?
Well, it’s really hard traditionally in the IT world to put a dollar amount on a data breach or to put a dollar amount on an IT incident because it doesn’t necessarily reflect in the financial statements, but it does reflect in the reputational value.
And so when you do apples to oranges there, it starts to really paint a bigger picture of, okay, is this a nice to have or is this us putting ourselves forward in our own investment, in our own strategy and roadmap? And so I think that’s ultimately the decisions that come into play. As people are starting to wake up as well, compliance very much has, I’d say, emerged into the executive boardroom where you guys are making decisions for your own business and if you don’t make the right steps it’s really easy to take two steps back as well and just in regards to a hiccup or something that wasn’t done just properly in that sense.
Real-World Security Failures
Rory (09:52)
Yeah, and you mentioned hiccup. Different forms of that, I suspect, when we think about some of the data breaches historically, or just talking about software failures as a whole. I think of, like, CrowdStrike and Microsoft, for those of us that were,
I’m sadly flying that day, getting hung up, and just the impact and ripple effects of that. Can you speak to maybe some of that in our industry too, Alex? And Jack, you might have some thoughts on this too. When we explored this as CSTMR and decided what we wanted to do, we certainly did our own research and investigating and know how important security is in protecting our customers’ data, in making sure that we’re not only doing it the right way, but we’re going above and beyond. And so can you speak to maybe some of those breaches?
Alex Bates (10:36)
Yeah, yeah, and not to go too heavy in the paint on CrowdStrike and Microsoft, but I think that was the highlight of the summer of 2024 for many folks. That was ultimately two trusted partners of, as we quickly realized, almost 70% of the global economy that was impacted by that. So that not only means there was an investment or a footprint there, but, you know, when you have CrowdStrike, a trusted vendor, interacting with Microsoft, which is also everywhere as well, it created ultimately a perfect storm for us. And so with a SOC 2, a lot of that ultimately does get fleshed out. You highlight and you identify some of those critical vendors. And we specifically did as well within the CSTMR SOC 2. These are people that we trust. We review their SOC 2 as well. And at the end of the day, everything that we put in place is actually a mitigation factor. So when that happened, basically 60% of all airline traffic over the European Union was shut down, people immediately went to something that we built for CSTMR as well, which was business continuity and disaster recovery plans. We pulled up the incident response plan. And these are areas that teams, when they have the right steps in place, it’s a break-glass moment and then you start to perform. It’s similar to when you are working with your family and ultimately they’re saying, hey, if there is a fire, this is what we do. And then you coach it, you train it, you enforce it. And then in many organizations that recovered correctly, that was what they did. And these are the requirements of the SOC 2 as well. And so just in regards to really talking about that, there’s, you know, for the bleeding edge technology, these are ways that companies are mitigating it.
Even going into the next example, Southwest. I’m not sure if it was covered too much in the CrowdStrike piece, but with CrowdStrike, Southwest wasn’t actually affected because they were using such an older version of their operating system that it didn’t even interact with CrowdStrike and the Microsoft updates at that point. And so there are two considerations. There’s insulating, what Southwest did, or there’s bleeding edge, which a lot of companies are doing. And you have to find that right medium in risk management, in your IT operations, and all that ultimately comes into effect when you start to really map out how you do things.
The Direct Impact on a Brand
Jack (12:57)
We work a lot with, a lot of the companies we work with, we deal with developing brands for them and strengthening those brands and figuring out the best way to express those brands to help them grow and thrive as an organization. And if you’re, you know, a large enterprise organization like the ones we’ve mentioned, you know, if you have a good plan for disaster recovery, likely you have the resources to weather the storm. But if you’re a mid-sized company or, forbid, maybe even a startup, that’s going to be a massive blow. And it’s going to be much harder to come off of that from a reputation perspective. The financial, the technical work you might have to do, the remediation you might have to do, is one thing. The brand perception out there can hurt you dramatically when you don’t have as big of a foothold in your industry. And so that’s another consideration, where we’re kind of looking at it as an agency from both sides. One is we’re helping you to create a great brand that’s really strong. And we’re also doing this for ourselves as part of the protection as being a vendor for you, to make sure that brand stays viable for a long time.
Rory (14:08)
Yeah, I mean, that’s, go ahead, Alex.
Alex Bates (14:11)
No, I was just going to say, I mean, it’s totally right. It’s the reason why we ultimately build policies, layer those controls in. It’s all the stuff behind the scenes, it’s to be able to provide better assurances to your clients.
Jack (14:26)
Yeah.
The Prevalence of SOC 2 in the Marketing Space
Rory (14:27)
And Alex, you’ve been doing this for a long time with your organization and you’ve worked with, I’m certain, other agencies, professional services firms, other third parties that chose to go this route too. When you think about it from the perspective of whether it’s financial services or technology, do you see any other marketing agencies pursuing this?
Alex Bates (14:48)
No, no, and that was, I think, one of our first conversations with you guys was really understanding the purpose. And I think in many ways, it’s a reactive consideration. I’m gonna lose a contract. I need to get this. I need to get this fast. I need to get this yesterday. You guys actually came onto the scene and did it in a completely different way, where you were saying, this is what we are seeing out there. How do we get to this level of standard?
And I think that’s fascinating to think about because, as other organizations watch CSTMR and see the efforts that you and Jack put into implementing these processes, I think the biggest question in self-realization is, what’s to stop us as a small business from doing that same step? And so Rory, to answer your question, I mean, it’s rare in that nature.
Jack (15:39)
Yeah, across services organizations really. I mean, I imagine you mostly work with technology-based organizations or organizations with their own infrastructure or that have significant dealings or data movement or things like that and far less of any kinds of services organizations.
Alex Bates (15:58)
Exactly, and I think that’s the cool part, and Jack, I think you and I saw this. SOC 2 can be tailored in many ways. It’s more like going and getting your clubs fitted for you. Not everything fits right out of the box, everyone has their own swing. Everyone has their own style. And so I think that when your clients have the opportunity to read the CSTMR SOC 2, it is really built well because it handles everything that you do and it gets away from asking aspirational-level work, which I believe a lot of people in marketing, specifically with the introduction of AI as well. Everyone loves being aspirational or best in class, but it’s not real. That’s why a SOC 2 is so important, because ultimately, in order to get it published, you have to have a CPA come and put their brand, their identity on there. I think that just is a completely different tone at the top than a lot of people with a lot of material out there.
Benefits to CSTMR’s Clients
Rory (16:56)
Yeah, and Jack, I wanted to just pose a question here. When you think about all of the Fintech and financial companies we serve, from your perspective, what do you think is some of the benefits or maybe value that our clients get knowing that they’re working with a vendor that has a SOC 2?
Jack (17:12)
I mean, like we have talked about, the biggest benefit that we see, but I think also that hopefully a prospective client would see, is the reduced risk for our clients, and then, you know, for us after that it’s our own risk. But really, first and foremost, this is how can we be a vendor and a service provider in a market in an authentic and trustworthy way so that, you know, you’re in good hands working with us. And I think that’s probably the biggest piece of it. I mean, there were definitely some challenges along the way with setting it up, some interesting unexpected benefits too as we went through the process with Alex. And Alex was a fantastic guide through the process, as there were many pieces of it that we didn’t even know what they meant or what they were referring to. And he kind of laid out the structure and took us through that process.
But it included things like establishing best practices for our internal processes around risk management, accountability, communication, even ethical conduct. Some of the things that are kind of externally, you know, shared and expected in SOC 2 type reporting. And then worked with us to update and implement our policies and documents and define and guide our mitigation of risk over time. He worked with us to set up, what does your evaluation look like ongoing, your ongoing monitoring of your processes? Like a lot of agencies nowadays, particularly ones since we’re fully remote and our work is mostly based in the cloud, he also helped us evaluate our cloud-based systems and work those into the SOC 2 report as well. A services agency is often very different from the ones we mentioned before in that we do have more capability to work in the cloud and we don’t have to own our own technology systems. And so it was really important to go through all of those as part of this SOC 2 process with Alex guiding us and leverage those technology systems such as Google Workspace, which is where our email and our document storage and our calendaring and other things live.
And that’s a benefit because they’re already certified at the highest levels of security and risk management. And that benefit passes on through us. And Alex helped us organize all that in a way that helped us understand where we were on good footing and where we needed to shore things up. So it was really a very thorough and excellent process.
Selecting the Right SOC 2 Partner
Rory (19:48)
And now Alex wanted to come back to you and thinking about selecting a vendor. When you think about the industry that you’re in, the number of options that people have, whether those are like the big accounting firms, the big four, or other individual and smaller organizations, can you tell us a little bit about your thoughts on how to best select a SOC 2 partner?
Alex Bates (20:10)
Yeah, yeah. And I think it’s a great question, Rory. To really start that and identify the right partner for you is similar to when CSTMR is approaching some financial clients as well. In many ways, you want a partner that can scale with you. You also want a client, a partner that can, from a brand reputation, support you. You know, if at the end of the day, you’re asking yourself, why am I doing this? And if it’s a check-the-box activity,
Traditionally, we’ve seen clients tend to find budget-friendly solutions for their. There are budget-friendly CPAs, as everyone knows when picking their tax preparer, in many ways, but it also comes with that reputation on the back end.
The great part about SOC 2 and the CPA and the AICPA as well is there’s peer evaluation. So anyone that’s actually putting a badge on their report from a CPA with the SOC 2 logo, that means that CPA has been evaluated and that they are meeting market standards. So it’s really not an easy bumper sticker to get at that point. But again, it also goes back to that point. Is this, in crew terms, is this an amateur-hour purchase, or is this, am I going in and going to Neiman Marcus to ultimately buy something off the shelf? As you progress with different styles, different types of firms, you’ll see different levels of reputational review there. And so, you know, selfishly, from my own background, I’m coming from the Big Four. And so the Big Four is PricewaterhouseCoopers, Ernst & Young, Deloitte and KPMG. I had the opportunity to see some of the companies, you know, the Fortune 50s, 100s, 500s, that needed that, because these were brands that supported their stakeholders as well as their transparency and their values there. But I will say, for the small to medium-sized business, that some of these brands price themselves out of the market for them. And that doesn’t necessarily mean that it wouldn’t be a great logo for them to have. But I will say there are fantastic quality firms of individuals who were trained by those big firms that have really been popping up.
What to Look for in a SOC 2 Vendor
And so I think when finding the right organization, it’s, one, finding an individual who can help walk you through the requirements of a SOC 2 before the evaluation. So, you know, similar to what we talked about with pioneering, finding that right guide, right? And so really making sure we’re handling that. And then being able to digest some of the complexities of a SOC 2 into terms that make sense for your business. I think, Jack and Rory, one of the things that we understood when we were talking about some of the vulnerability scans and some of the tech solutions as a whole, we were heavily pointing to some of your vendors, because again, with CSTMR’s tech stack as a whole, that wasn’t us. And so we wanted to make sure that we made that clear and concise as well, because ultimately, if someone presented penetration test results to you, Rory, and you, Jack, I think it would be a little bit of a how-do-we-interpret-this on the first go, but then obviously knowing that we do this as part of our annual review, then it goes to that next level. And so I do think, when firms are interested, it’s, one, find someone that you can trust, you know, again going back to trust, it’s someone who can break down something complex into simplistic, you know, business-oriented purposes. And then using them to help kind of leverage you and introduce yourself into different firms. It’s all about, you know, getting to know the firm, how their methodology works. And also, I’m a big believer in doing that audit once and applying it multiple ways. And so, for example, if you’re doing a SOC 2, but all of a sudden you also have another regulation that comes into your ecosystem, hey, how can we do this?
You know, instead of a bootstrapped, you know, duct tape approach. Let’s do this holistically, let’s build it correctly, and then ultimately it becomes way less effort on the back end.
How Playing Competitive Sports Informs Alex’s Work
Rory (24:13)
Yeah, so Alex, we’ve talked a little bit about your background in athletics and you’ve played competitive lacrosse. I’m curious what your experience in growing up playing competitive sports and then the latter part of your career as an athlete in lacrosse applies to some of the work that you do today.
Alex Bates (24:31)
Yeah, you know, it’s funny, I read a lot of sports psychology books, I read a lot talking about ambition, talking about the drive. I think the one thing that competitive sports has really driven out of me was, maybe I’m not the most talented, maybe I’m not the smartest in this immediate moment, but what it does do is it allows you to really challenge yourself. You’re really only able to demonstrate, achieve those milestones if you’ve put in the time, if you’ve done the reps, if you’ve ultimately pushed yourself beyond. I remember growing up not really knowing much, but watching old movies like Rudy, watching old movies where, you know, all of a sudden I’m 10 years old and I have a garbage bag over my body with a sweatsuit, just running, you know, just to try to put in that extra time. That translates into professional services so heavily because a lot of it is, have I done this before? That muscle memory, you know, but to that next level, do I have enough in the tank to make it across the finish line? I think it’s just an important qualification because Rory, you and Jack, being founders of a company, you guys have put in the late nights. You’ve put in the all-nighters, you know, and it’s not necessarily, can I do this? Am I sacrificing myself to do this? It’s more, I need to do this in order to achieve what I’m looking for. And so in many ways, it’s, if you’re a basketball fan, really bringing in that Mamba mentality, you know, of Kobe Bryant, to say, I need to put my time into the practice in order for me to excel in the limelight. And I think that’s what a lot of folks sometimes miss. Specifically from your own training, but into your professional world. When you eventually hang up the cleats, when you say, I’m no longer a, even though we are still athletes in our minds, I am any other title, I’m a father, I’m a professional, I’m a friend. You know, in many ways, it’s knowing how to prepare, knowing how to show up and knowing how to execute.
And I think that in many ways is the biggest thing that I would love to teach my kids. It’s not about achieving. It’s actually, it’s more about learning to fail and being able to recover and learning how to not do that same thing in the same piece. And so, you know, the iterations, all that repetition, that’s where I found most of the value in, you know, drawing from sports. And of course, as you guys will see, you know, I always look like Adam Schefter on a lot of our meetings because it’s something that ties me into those experiences and memories so closely.
Jack (27:14)
Thanks.
Rory (27:15)
Yeah, that’s great. And Jack, for you, also a competitive athlete still today. I’m always, I love to see Jack’s videos after his weekends of competing and running. Jack, when you think about our decision at CSTMR to pursue SOC 2, part of it was we wanted to be better. We wanted to be leading edge. We wanted to win, not only for our clients, but for ourselves, but do it with having the SOC 2 in place. Like, when you think about your competitive mindset, and I know you’re traveling right now for a competitive race, how does that play into your thinking when we pursued SOC 2?
Jack (27:54)
Yeah, good question to reflect on. The thing that comes to mind for me most is the notion of having a very thoughtful and informed training plan to get to the goal you want to achieve. And that training plan is typically based on experience of what works. And you attempt to follow it in order to meet your goal. Well, I think there’s a similar piece here. Alex was essentially our coach, our trainer, you know, and he came in with a plan and a pathway to meet our goal. And, you know, that’s critical if you really want to achieve that high level of excellence and performance, whether it’s in your sports or in your life or in your business. And I think that piece was really foundational, having somebody come in and, you know, we knew where we wanted to get to and we knew we had the capacity to do good things as an agency for financial services companies, but we wanted to get this one piece in place, and having somebody coach you to get you there and follow a tried and true method to get there was critical. And it’s the same with running. If you don’t put in the long hours and the time, it’s much harder to get the result you’re looking for.
How to Know If SOC 2 Is Right for Your Organization
Rory (29:20)
Yeah, when you think about the types of organizations that may be thinking about SOC 2, what is some advice or guidance you could provide to those folks that are listening that might be thinking about pursuing a SOC 2 to know whether it’s right for them and their organization?
Alex Bates (29:36)
Yeah, I think the business driver needs to be there at the end of the day. Because as you and Jack saw, Rory, it is an investment of internal resources, of external resources, to see what we need to do. We had to build a learning management system for you guys, so training your own employees, understanding that this is now a value that we ultimately need to attain to.
And I think looking at the, you know, if you’re a big believer of game theory, the game theory always presents two strategies. We can win now or we can win in the long term, which is surviving. And so I think the companies that are investing for the future, investing for best practice instead of consistently being reactive, those are the companies that survive and make it to the, you know, exit or whatever their goals are within the company.
How CSTMR Tackled the Challenges of Passing SOC 2
Rory (30:28)
Yeah, and Jack, I was going to pose something for you. When you think about what we experienced coming through it, what were maybe recounting some of the challenges we faced, whether that was operationally, mentally.
Jack (30:39)
Yeah, I think it’s interesting as I listen to Alex, because for us, because we didn’t have this huge technology infrastructure that we had to thoroughly go through, probably our biggest challenges were more on the people side. People, permissions. Best practices and guidelines for the team. So, a lot of the people that work for us have worked much of their lives in service-oriented companies, not all of them, but some. And so it’s different than what you might typically experience in a larger, more tech-driven organization. Most agencies, I’ve worked at a few in my life, don’t have clear policies for managing risk and are used to kind of flying by the seat of their pants to get things done and delivered, and security and risk management is often an afterthought. We didn’t want to live with that type of risk. And so the biggest challenge there is, I think, after Alex walked us through and we got certified, bringing the team along in that journey and helping to make sure that they’re educated, that they do the training that we had as part of it, but that we also continue to educate them over time and really create a little bit of a mind shift in our organization. Because we work with financial services organizations that really value that trust in a vendor, the team needs to understand that, and here are the processes and practices you need to do on a daily, weekly, monthly basis in order to ensure that. I would say for us that was probably the biggest one, kind of bringing the team along.
Alex Bates (32:27)
And just to add to that as well, Jack, I think the whole SOC 2 exercise is important because it’s not necessarily saying we don’t do that. I think within CSTMR, Rory, you and Jack have talked about things that affect your business, external, regulatory, financial changes, all that is discussed. But I think what a SOC 2 actually forces you to do is formalize it, how do we actually demonstrate we have done that? We did walk the walk. We did the reps before the test type of thing. And I think that is where a lot of organizations, even going through this exercise as a, you know, an achievement just to do the exercise is so important because you can say, hey, out of all the, you know, the one through nine common criteria, I think this is, you know, an important thing to realize. Where’s our gap assessment as well? You know, and really as well, when people talk about SOC 2, you know, it’s not necessarily a certification. I hope that it’s more like when you go to the grocery store and you’re putting fruits and vegetables onto the scale and all of a sudden it hits, you know, what you’re trying to achieve. It’s a report of compliance, you know, to that point. So you built something that was basically ready for, in your mind it was ready for the industry, it was ready for business, but then when you bring in a third party to evaluate it, it’s their opinion in many ways to say, is this ready for operation? And I think that’s an important thing because SOC 2 gets thrown in the mix of, we’re certified, we’re certified, no, we’re compliant and here’s our report to demonstrate our level of compliance as well.
Unpacking the Gap Analysis
Jack (34:07)
There’s one point I want to jump on real quick because I think this, you just reminded me that this was really a major piece on our minds as we went into this process, which was the gap analysis you mentioned. It’s that sense of, we’re generally, I think, doing things right, but I don’t want to assume. And I want to make sure there are no major holes or flaws, or that we’re doing something that really is not validated by external measures that most people use. And I bet that’s on the mind of a lot of people who are contemplating doing a SOC 2 type certification, particularly if they’re a services company, is I don’t know what I don’t know and that kind of scares me. So I think that gap analysis was a big motivator for us as well as really making sure that we’re plugging any leaks and doing things well.
Alex Bates (34:59)
Exactly. And you know, I think just from, you know, soup to nuts in many ways, when we started that process, Jack, I think I remember presenting the controls to you and Rory and it immediately is one of those areas where you go, no, how do we do this? And I go, no, no, no, step by step. Let’s see, because you’ll see things map in different areas. You know, we build one policy, it flies into, you know, five different requirements. And so it was one of those things where as you go, it’s that iterative process of just saying, no, no, this is exactly what we do and this is how we do it. Maybe not the way that that’s written, but let’s make sure that we really make that ours in one way as well. And again, I think that’s the way that the report is designed.
Trust Services Criteria
And I mentioned some of those categories, one through nine, before. That’s what are called, those requirements are called the trust services criteria in many ways. And so the trust services criteria from one through nine are supposed to take you on that journey. And I think I remember showing you guys the heat map that I built on it. A couple are really based off entity-level controls, which is tone at the top. How do you and Rory run the organization? You know, the ethics, the values, the communication, the details of job descriptions, background checks, who you let into your ecosystem is so important, you know, and basically how you maintain that. Then on the back end those trust services criteria are really focused on the access, how you handle change, how you handle operations and some of those security controls, as well as continuity. Again, at the end of the day, if we wanna ensure and provide trust to our clients, we have to make sure that we’re here today. And so the SOC 2 gets us there. But with some of the exercises, it also ensures that we’re here tomorrow. So that we’re able to support their own goals, their own measures, and we’ll be there along the way. And so, again, just kind of props to you guys. It was a fun exercise, I will say. And you guys took everything in stride, and it’s exciting to see where you guys are going to continue to take it.
Jack (37:06)
Yeah, I mean, you providing that roadmap from where we started to certified was massive. I think anybody thinking about this, it’s not something you can easily do on your own, even if you’ve maybe done one at another company. It’s pretty much a requisite to use somebody like you who knows the background of these types of certification processes, but also has that roadmap ready to go and then customizes it to fit your organization, how best to manage risk in your specific context. And I think that was incredibly valuable, to have that and you guiding us through it along the way.
Alex Bates (37:48)
Of course it was a pleasure, it was a pleasure Jack and Rory.
Rory (37:52)
Well, this has been great, guys, for any other companies that are listening. If you want to talk to Jack or myself, we’d be happy to share more details about our experiences going through this process and can make recommendations. Of course you can connect with Alex Bates, Dark Rock Cybersecurity, on LinkedIn. You can find his website. Alex, we’ll put a link to your website and your LinkedIn in the show notes, so folks can find you.
At this point, gentlemen, really appreciate you guys making the time this morning. Good to see you, guys. Really interesting topic. Hopefully it was helpful to everyone.
Jack (38:29)
Thanks Alex.
Alex Bates (38:30)
Thank you, Rory. Thank you, Jack. And again, just for this, you guys really knocked it out of the park. So this was a fun one.
Jack (38:39)
Team effort, team effort, sure.
***End of Transcript***