At Strike Graph we know the challenges faced by smaller companies and startups when they embark on their SOC 2 journey. We experienced the sticker shock: “Is it really going to cost upwards of $40k to get my company of 5 people to the point where the auditors can even audit?” We have haggled with the auditors about our security posture: “Why should we have “Fortune 100, Best Practice” security processes set up? We are less than a year old and have less than 10 employees! What gives?!”
No shame in a non-existent security program
So, yep, we get it. Our team has operated startups where we have stood up security compliance (and data privacy!) functions. We know that our customers are on a compliance journey that is uniquely their own.
Many of our customers start from ground zero and are taking the first step in the SOC 2 journey by simply establishing a foundational security program in preparation for an eventual audit. If this is you, no need to apologize for not having a program started! We get it, we have been there!
Annual risk assessment to drive security maturity
We know that for all of our customers, year over year, their security landscape will grow and mature. We built our platform to grow with you. For example, many of our customers use the risk assessment results as a roadmap for getting their company’s security program to the next level. We offer the Strike Graph Risk Assessment as a means to annually assess your risk landscape (Hey! An annual risk assessment is a great SOC 2 control!). The goal of any emerging security program is to land on Good Practice, not necessarily Best Practice, which may be costly and overkill. There is value in this journey - you will be establishing the foundations for an effective ongoing security program.
If you are starting your SOC 2 journey at a crawl, there are assets that Strike Graph provides that can help you win early deals. For example, a potential customer may be impressed by your controls or even a pre-audited draft of your System Description (also referred to as a Section 3). Then when you have your security program in place and an audit is scheduled, you can show your potential customers you are walking the walk with an auditor issued “comfort letter”. And finally, when your report is issued you can run full steam ahead with a well earned SOC 2 report.
“Are we ready for the audit?"
Whether you are crawling, walking or running towards that SOC 2 certification finish line, we have your back. If your audit is a year away, in 6 months or in 6 weeks, Strike Graph can help you self assess your ‘readiness’ for the audit and will be to get you over the finish line. Our SOC 2 Dashboard shows where control coverage may be light or where evidence of a control may be missing so that you can take action. When you are ready to take the Big Step of engaging an auditor or even if the audit is scheduled to start in 1 month or 1 day, you will have the peace of mind knowing that you are prepared and have all elements covered.
Value of a SOC 2 beyond the audit
All of the processes and procedures that you implemented and maintained to gain the SOC 2 certification don’t get shelved after the auditor issues their report. Maintaining compliance is and should be a day to day activity - operationalize these good practices! Strike Graph allows you to efficiently maintain compliance by flexing while you grow. Our library of controls cover all stages of process maturity.
There is value beyond the certification. After the audit, our customers find that deals close more quickly, security questionnaires are completed with more understanding, IT Security appendices of contracts make more sense, and they have a leg up on their competition. Crawl, walk or run, Strike Graph is your partner on the SOC 2 journey.