Sign In


Security Theater:  Not another policy!

It’s such a common theme. You need to establish a cyber security program so that you can get your SOC 2 certification and the first thing that an ‘expert’ recommends is writing policies. A quick search of the web reveals hundreds of types of policies, thousands of templates and a ton of pseudo legal jargon. Where to even start? Is this all necessary? Is this really required for an audit? How does this help me earn money? 100% of our customers wrote a policy that was irrelevant to their organization before joining Strike Graph.

Determine Which Policies are Relevant

Strike Graph helps eliminate the security theater by eliminating low-value activities. This is especially true of unnecessary policies.  We find that there are only a few policies that are common when formalizing a security program and others come as the security program matures or as an outcome of a comprehensive security risk assessment.  Go ahead - create a Physical/Logical Access Control Policy, a Change Management Policy and an overarching Information Security Policy. These policies are essential to your program and will often be required to be shared with some customers as part of their vendor management program. Any additional policies and procedures will emerge from the results of the Strike Graph Risk Assessment. roadmap for additional policies or procedures that are truly relevant to your organization. Remove the guesswork! The results of the Risk Assessment will establish your roadmap for the additional policies or procedures that are truly relevant to your organization.

System Description - Always Relevant

With Strike Graph you can also create a document that can have more relevance to a wider group than policies and is especially useful in the seed round for start-ups. This document can help win deals pre-audit, impress investors, and is required to pass an audit when you're ready. A Win-Win-Win! Let’s create a “System Description”.

System Description to win Deals!

The System Description is prepared by management and is a required element of a SOC 2 report. According to the AICPA, in a SOC 2 report, a System Description is designed to enable customers, partners, and other intended users to understand the service organization’s system. In other words, this document needs to clearly and accurately describe the service your customers will be using and also provides a narrative of your organizational maturity and the security activities related to your organization and to your product or service. It is ultimately meant to create trust with your customers as part of a SOC 2 certification, but some organizations find that a version of the system description has been useful in gaining customer trust prior to the SOC 2 certification. Sharing a preliminary draft of this document with potential customers prior to receiving the SOC 2 certification can help them understand that your company is carefully analyzing security and developing important habits that will keep their business and data safe.

Tackle it Early!

Strike Graph helps eliminate the security theater by eliminating low-value activities.  This is especially true of unnecessary policies.  With Strike Graph you can create something better than any policy.  A document that can help win deals pre-audit and is required to pass an audit when you're ready.  Let’s create a “System Description”.

The System Description is a critical part of a SOC 2 report and writing it early can be incredibly helpful.  Having this document written before wading into an audit can help clarify to the auditor understand the scope of the audit, meaning it outlines exactly what you want them to assess and may help to limit any "gotchas" during the audit assessment. Typically consultants will charge up to $15k - $20k to help draft a System Description for your SOC 2. The Strike Graph approach eliminates the need for consultants while ensuring you meet important requirements.

Visit our Blog often for articles to help you navigate this important document.  We will be covering critical topics such as:

Our customers are publishing a System Description to get deals closed before passing an audit.  With Strike Graph you create early trust with customers.  With Strike Graph you’ll also have the added benefit of accomplishing 30% of the work required to pass an audit.  Join us as we dive deeper into how to author a great System Description.


Want to dive deeper on your own? The AICPA has published specific recommendations on the structure of a SOC 2 System Description at AICPA Illustrative Type 2 SOC 2 Report.

Justin Beals
Justin is the Co-Founder & CEO of Strike Graph, a security compliance company, which he incubated at Madrona Venture Labs in early 2020. As a serial entrepreneur with expertise in AI, cybersecurity and governance, he started Strike Graph to eliminate the confusion related to cybersecurity audit and certification processes. He likes making arcane cybersecurity standards plain and simple to achieve. As the CEO, Justin organizes strategic innovations at the crossroads of cybersecurity and compliance and focuses on helping customers get outsized value from Strike Graph. He also sets a foundational culture of employee growth. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics. Justin is a board member for the Ada Developers Academy. He is the creator of the Training, Tracking & Placement System US Patent and the author of “Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets,” which was published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA in English and Theater from Fort Lewis College.

Learn how you can leverage Strike Graph for your cybersecurity needs