Threat Stack is proud to announce that we have successfully completed a Type 2 SOC 2 examination for the Security and Availability principles with Schellman & Co for our intrusion detection platform and Oversight Managed Service.
This accomplishment is especially exciting for the Threat Stack team because we were able to pass our first SOC 2 examination with zero exceptions — without having taken the organization through any similar experiences before — underscoring our commitment to maintaining rigorous security standards in our company’s technology, processes, and personnel along with the highest level of security and privacy for our customers.
In this post, we want to share highlights of Threat Stack’s SOC 2 journey — why we chose this standard, the process we followed, and our commitment to our customers. In upcoming posts we’ll provide more detailed specifics as our customers go through similar journeys.
Type 1 or 2?
When companies consider SOC 2, they can choose between Type 1 and Type 2. Type 1 is a snapshot, reporting that a company had appropriate policies and controls in place at a specific point in time. While there is an assumption that the organization will continue to use the processes it presented on that date, a Type 1 report offers no proof of continuous adherence. A Type 2 report, by contrast, covers an examination period and requires evidence of continuous adherence throughout it. Achieving Type 1 is a much less rigorous process, and it does not prove the same degree of commitment and ongoing capability that Type 2 does.
That’s why our CSO, Sam Bisbee, and the management team chose “to go through short-term pain for the long-term value” that Type 2 affords. “By choosing Type 2, we send the market a much stronger signal that we are able to uphold our own claims of ‘continuous compliance’ by operating with that policy internally.”
Getting Ready For SOC 2
The short-term pain Sam referred to was definitely worth it but required commitment and effort throughout the company.
Organization-Wide Commitment: To begin, organization-wide agreement to undertake Type 2 was essential given the level of cooperation and commitment the project demanded over an extended period, especially since we were “skipping” Type 1. Everyone, from new sales hires up to Threat Stack’s Board Members, needed to agree to the plan and to support the changes that would result. Understanding and agreement were especially required between Engineering, Product Management, Support, and Operations, the teams whose day-to-day work would change the most. Also, since the evaluation covered Threat Stack’s Oversight Managed Service as well as our intrusion detection platform, the Customer Success Managers and Security Engineers providing that service had to commit as well.
With everyone clear on what was required and onboard to do it, the SOC 2 project got off to a strong start and yielded highly successful outcomes.
Optimized DevSecOps Practices and Platform Innovations: Because we’re a security company with rigorous standards and a top-of-the-line product, we took the SOC 2 project as an opportunity to bring our Engineering, Operations, and Security teams even closer together and to take an in-depth look at our intrusion detection platform at the same time. The project challenged us to find ways of further strengthening the Threat Stack platform as well as explicit commitments like our SLAs, and implicit commitments including our claims of “continuous compliance and security.”
This meant evaluating our platform and services to identify their strengths and understand where the gaps in their capabilities were. We concluded that our platform provides the necessary security, including the controls, monitoring, and auditability needed to maintain both continuous security and compliance with SOC 2, but we also identified a few process gaps, which led us to improve our change management processes. For SaaS companies this is often the most difficult aspect of SOC 2: balancing velocity, and the ability to push code to production multiple times per day, against the expected controls, especially if the goal is to gain benefits beyond a successful SOC 2 examination, such as actually improving your processes.
The most successful change management processes are typically tailored to the organization’s internal operational workflows. John Baublitz, one of our infrastructure engineers, volunteered to create tooling to embed the SOC 2 expectations into our automated processes to ensure that necessary checks were built in as part of our development process rather than as a roadblock at the end. While this has the benefit of decreasing errors and improving quality over time, those living the change management process got the added benefit of not having to think about SOC 2 or worry about “messing up our audit.”
In line with our decision to go for “short-term pain for long-term benefit,” John built sockembot, which runs checks to provide referential integrity between production, build, source code management, and JIRA. Some of our team have described sockembot as a real-time “Clippy”. If you’d like more information, check out this detailed write-up on sockembot.
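To make the idea of a referential-integrity check concrete, here is an added illustration in Python; it is not sockembot's code (the post does not show any) and it is not Threat Stack's. It walks the chain the post describes, production deploy to build to source commit to change ticket, over constructed sample records and reports every broken link. The record shapes, the ticket-key pattern, the approved ticket states, and all sample IDs are assumptions made for the example.

```python
"""
Referential-integrity check over a deployment chain (illustrative, hypothetical).

Each production deploy must resolve to a build, each build to a commit in SCM,
each commit must reference exactly one change ticket, and that ticket must be
in an approved state.  Any link that fails to resolve is reported as a finding,
so the check can run in CI/CD before a deploy is allowed, not as an audit
reconstruction afterwards.
"""
import re
from dataclasses import dataclass

# Assumed ticket workflow states that permit a change to reach production.
APPROVED_STATES = {"Approved", "Done"}
# Assumed ticket-key convention (e.g. "TS-101") looked up in commit messages.
TICKET_RE = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")


@dataclass(frozen=True)
class Ticket:
    key: str
    status: str


@dataclass(frozen=True)
class Commit:
    sha: str
    message: str  # ticket key is expected to appear in the message


@dataclass(frozen=True)
class Build:
    build_id: str
    commit_sha: str  # recorded by the build system from SCM


@dataclass(frozen=True)
class Deploy:
    deploy_id: str
    build_id: str  # recorded by the deploy tooling from the build artifact


def check_deploy(deploy, builds, commits, tickets):
    """Return a list of findings for one deploy; an empty list means the chain is intact."""
    build = builds.get(deploy.build_id)
    if build is None:
        return [f"{deploy.deploy_id}: build {deploy.build_id} not found in build system"]

    commit = commits.get(build.commit_sha)
    if commit is None:
        return [f"{deploy.deploy_id}: build {build.build_id} references commit "
                f"{build.commit_sha} not present in SCM"]

    keys = sorted(set(TICKET_RE.findall(commit.message)))
    if len(keys) != 1:
        return [f"{deploy.deploy_id}: commit {commit.sha} references {len(keys)} "
                f"tickets, expected exactly one"]

    ticket = tickets.get(keys[0])
    if ticket is None:
        return [f"{deploy.deploy_id}: commit {commit.sha} references ticket {keys[0]} "
                f"not found in tracker"]

    if ticket.status not in APPROVED_STATES:
        return [f"{deploy.deploy_id}: ticket {ticket.key} is '{ticket.status}', "
                f"not approved for production"]
    return []


def audit(deploys, builds, commits, tickets):
    """Run the check over every deploy; returns {deploy_id: [findings]}."""
    return {d.deploy_id: check_deploy(d, builds, commits, tickets) for d in deploys}


# --- constructed sample data (not real systems or identifiers) -------------
SAMPLE_TICKETS = {t.key: t for t in [
    Ticket("TS-101", "Done"),
    Ticket("TS-102", "In Progress"),
]}
SAMPLE_COMMITS = {c.sha: c for c in [
    Commit("a1b2c3", "TS-101 tighten agent config validation"),
    Commit("d4e5f6", "TS-102 add new alert rule"),
    Commit("777777", "TS-999 hotfix"),                 # ticket does not exist
    Commit("888888", "quick fix, no ticket"),          # no ticket referenced
]}
SAMPLE_BUILDS = {b.build_id: b for b in [
    Build("b-1", "a1b2c3"),
    Build("b-2", "d4e5f6"),
    Build("b-3", "777777"),
    Build("b-4", "888888"),
    Build("b-5", "000000"),                            # commit missing from SCM
]}
SAMPLE_DEPLOYS = [
    Deploy("dep-1", "b-1"),   # intact chain
    Deploy("dep-2", "b-2"),   # ticket not approved
    Deploy("dep-3", "b-3"),   # ticket missing
    Deploy("dep-4", "b-4"),   # no ticket in commit message
    Deploy("dep-5", "b-5"),   # commit missing
    Deploy("dep-6", "b-9"),   # build missing
]

if __name__ == "__main__":
    for deploy_id, findings in audit(SAMPLE_DEPLOYS, SAMPLE_BUILDS,
                                     SAMPLE_COMMITS, SAMPLE_TICKETS).items():
        print(deploy_id, "OK" if not findings else findings)
```

The check stops at the first broken link for each deploy, since a missing build makes the rest of the chain unverifiable; a real pipeline would gate the deploy on an empty findings list and keep the result as audit evidence for the examination period.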
In total this was a 14-month journey, impacting nearly every team member, IT system, and process during that time. Such projects are rarely worth it if all you’re looking for is a piece of paper, albeit an important piece of paper. Thanks to the company-wide commitment we had throughout this process, Threat Stack not only passed its Type 2 SOC 2 examination on the first try with zero exceptions, it also squeezed as much value out of the process as possible, coming out the other side stronger and better.
At a recent company-wide meeting, Sam Bisbee expressed this sentiment:
“Now we can walk the walk and talk the talk. We made SOC 2 work for us rather than the other way around as a single team across the entire company to pass with zero exceptions, showing the market we’re a serious contender with undeniable staying power.” This process is all about building trust, both internally among teams responsible for all the cross-functional processes that a SaaS company like Threat Stack has in place, and externally where we can show the market that by choosing to go through the extra effort to undertake Type 2 SOC 2, we are fully committed to practicing what we preach.
By achieving SOC 2 compliance in the way we did, Threat Stack is letting everyone know that the platform, the people behind it, and the processes in place can be trusted to continuously adhere to strenuous compliance standards. If you’re a rapidly growing company like Threat Stack, you too need to build that trust with your users and the market as a whole in order to succeed.
If you would like to see how Threat Stack can help you attain this, sign up for a demo of our intrusion detection platform today.