An Inside Look at the Evolution of Threat Stack’s SOC 2 Processes

Year 1: Building the Foundation

In Year 1 (2017), we chose SOC 2 because we’re a security company that helps customers with SOC 2 compliance, and we believe it’s important to lead by example by completing the examination ourselves. We chose Type 2 over Type 1 since it demonstrates a much more rigorous process as well as proof of continuous adherence. As Sam Bisbee, Threat Stack’s CSO, stated: “By choosing Type 2, we sent the market a much stronger signal that we are able to uphold our own claims of ‘continuous compliance’ by operating with that policy internally.”

Once we committed to pursuing Type 2 SOC 2, we used the period before the examination to build a strong foundation of controls, processes, and governance. Specifically, we implemented new policies and technologies to fortify our infrastructure and instill security in every phase of product development. In addition, we took the opportunity to better integrate our Security team within our DevOps practices. Finally, we created tooling to embed SOC 2 expectations in our automated processes to ensure that necessary checks were built into our development process rather than added on as a roadblock at the end. 

The results: By passing the examination with no exceptions, we demonstrated that the Threat Stack Cloud Security Platform®, the people behind it, and the processes in place could be trusted to continuously adhere to strenuous compliance standards. 

Year 2: Establishing a Dedicated GRC Function & Optimizing Processes 

While Year 1 was highly successful, it became clear that we could achieve the same or better results in an even more rigorous and efficient manner moving forward. With that in mind, we used Year 2 to:

• Create a distributed, company-wide approach to supporting audits by building a dedicated governance, risk, and compliance (GRC) function inside our Security team, leveraging the Engineering, Operations, and Platform Security teams.
• Design and execute a rigorous internal audit before the formal, onsite SOC 2 evaluation to evaluate and improve the end-to-end effectiveness of our controls, policies, and processes, and to determine which tools we could build or leverage to achieve greater accuracy and efficiency. 

The payoff was significant. Not only did we strengthen our governance and underlying foundation, but we also continued to improve our internal processes before the official examination. While our internal examination took approximately one month to complete, the official examination only required auditors to be present onsite for three days. (We actually reduced the time the auditors needed to be onsite because the internal audit had prepared us to quickly identify and pull evidence that the auditors required.)

The results: Streamlined processes, a shortened onsite visit, and a successful examination with no exceptions!

Year 3: Expanding Our Scope & Incorporating New Controls

Year 3 was both interesting and challenging. One might assume that two successful, exception-free examinations would make it easy to achieve a third. But given the constant change that characterizes the cybersecurity industry generally, and the change and growth we’ve experienced at Threat Stack, this was definitely not the case. To address the challenges brought on by changes in scope and the introduction of new controls, we focused our efforts on three areas:

• Validating Existing Monitoring and Controls: Although we had built and enhanced a solid foundation of policies, procedures, and controls in our first two years, that by itself, does not ensure continuous compliance (and hence there is a requirement for an annual re-examination). Anticipating this, we ensured that we had built in internal checks and audits that would enable us to validate the effectiveness of our existing processes and also let us easily demonstrate compliance to the examiners. In short, we took a proactive approach that allowed us to test our systems prior to the examination, thus ensuring end-to-end effectiveness and compliance. By integrating these processes into standard operations, we were able to ensure that maintaining continuous compliance was a work enabler, not a time-consuming add-on at the end.
• Expanding the Scope of Our Governance to Include New Functionality: Whenever the scope of functionality changes in an organization, it’s essential to ensure that the new functionality is abiding by the same policies and procedures that govern the remainder of the organization. In our case, Threat Stack deployed a new unified application security monitoring solution mid-way through 2019, as an integral part of the Threat Stack Cloud Security Platform. In consequence, it was essential to ensure that this was being appropriately monitored and controlled and that we could demonstrate this to the examiners and provide appropriate evidence to support our demonstration. Therefore, we proactively included the application security functionality within the scope of our SOC 2 governance activities to ensure that the team responsible for appsec was addressing all of our policies and procedures, including our Change Management Process.
• Providing Evidence of Compliance With Additional Controls: As part of our 2019 examination, we were informed that we would have to provide evidence of compliance with a number of additional controls. Key among these was the ability to “Assess and Manage Risk Related to Vendors and Business Partners.”
  
  Organizations are increasingly outsourcing to qualified vendors. Responsibility for these vendors, of course, is not outsourced. Responsibility remains within your organization, and it’s essential that you include vendors within your vendor management program and govern them with the same policies, procedures, and controls that you use throughout the rest of your company. Again, because Threat Stack had taken a proactive approach to third-party vendor management, we were able to demonstrate that we already had an appropriate vendor management policy in place. Essentially, our GRC system ensured that we had anticipated this eventuality and taken vendor management requirements into account.

Building a solid framework for governing SOC 2 compliance while remaining flexible has allowed Threat Stack to adapt positively to changes in the nature and scope of its operations, and to ensure that continuous compliance has been a rewarding challenge. As we continue to validate our foundation and adapt to change, we are continually reinforcing our security posture while optimizing our operating policies and procedures. As such, compliance has become a net business enhancer and enabler that allows us to benefit internally while passing value to our customers through the Threat Stack Cloud Security Platform as well as through the learnings we share with them.

In addition to its own Type 2 SOC 2 examination, Threat Stack helps its customers simplify cloud compliance management with full stack cloud security observability, continuous monitoring, alerting, investigation, and verification of cloud infrastructure through our Cloud Security Platform.