A Journey in Security: From Zero to SOC 2 Type 2 in 601 Days

Late in 2018, I started talking with the wonderful folks at Lessonly about joining the team. One of the things we dreamed about together was achieving a clean SSAE 18 SOC 2 Type 2 report. 

My last few employers had promised me that there would be interest in and funding for such a project (or perhaps ISO 27001 or HITRUST), but in the end, no project was ever launched. Years ago, I was part of a team that got National Government Services’ Next Generation Desktop team to CMMI Level 3, but at this point, I had never been the overall lead for such a project. Long story short, leading the push for a SOC 2 Type 2 report was a dream opportunity for me.

What’s the ROI on great security?

I have always been of the opinion that security and compliance need to show a return on investment, just like any other work a company does. Obviously we’re not talking about the work itself making money, but that it either reduces risk or improves sales enough to pay for itself. In Lessonly’s case, we were primed for this. 

A number of high dollar deals had fallen through in 2018. One of the primary reasons why? Our lack of a program like SOC 2. The potential payback was obvious. If Lessonly could only sign one or two enterprise-level customers per year as a result of a) having the report, and b) the improved ability to tell the story of the security of the Lessonly system and business, then the ROI would be plain to see. 

The Start

After a number of conversations, I felt that the basic security of the Lessonly system was solid and that the company was highly motivated, but that there would be significant work to be done to document the controls required by SOC 2. I’m sure most of you have heard the compliance litany. 

  • Say what you do (i.e. write it down)
  • Do what you say (and keep records) 
  • Prove it (give auditors what they need to demonstrate your compliance)

I also knew that I really liked everyone I spoke with, that the company culture would be a good fit for me, and that there was top-down support for the program. When the offer came, it was pretty much a no-brainer to say yes.

Buckle up… here’s the process!

If you are familiar with SOC 2, you already know about the controls that have to be put in place to comply with AICPA’s requirements, so I won’t go into detail about that. But to give you an idea of what had to be accomplished before we could start our Type 2 gap assessment, here’s a list of the big items: 

  • Implement a third-party Security Operations Program for the Lessonly system (Rook Security, now Sophos, was selected before I started, and I enthusiastically supported their selection)
  • Move from 100% BYOD laptops to company-provided and managed devices, including selecting an Information Technology vendor
  • Plan for and find a vendor to support our new office network (i.e. one only used to gain access to the internet, so no customer data is managed on site)
  • Plan for and find a vendor to support access management for the new building
  • Evaluate and select a vendor to support our SOC 2 Type 2 project
  • Evaluate and select a vendor for our annual third party penetration testing
  • Evaluate and select a vendor for our own vulnerability scanning 
  • Select and implement a security training system 
  • Provide ongoing support to the sales organization around security, including completing security questionnaires and participating in prospect and customer calls

We received the results of our SOC 2 Readiness Review in September 2019, and our Type 1 report in early November. We began sharing our Type 1 right away, and communicated to prospects that we expected to have our Type 2 report in September 2020. 

The Result

I am pleased and proud to report that we received our Type 2 report on August 24th. And I’m extremely pleased to see that there are no exceptions noted.


I can’t say enough about the positivity and enthusiasm shown by everyone at Lessonly for this project. Most companies only see compliance programs as a burden that increases complexity and bureaucracy; however, the advantages they give to the sales process and to risk reduction are innumerable.

Everyone at Lessonly understood exactly what this work would accomplish if we were successful, and that we would see immediate benefits from improved communication with our prospects about the safety of their data. Everyone was less worried about the extra work than they were about getting it right. The entire project ran smoothly and according to plan, with no major delays or deviations, from day 1 to day 601. How often does anyone get to say that? 

I’m so very proud of what this team has accomplished, and my thanks go out to every Lessonly employee. I’m obviously biased, but it’s a wonderful organization, and I’m proud to be a part of it.  

