Threat Stack is now F5 Distributed Cloud App Infrastructure Protection (AIP). Start using Distributed Cloud AIP with your team today.
For the Third Straight Year, the Threat Stack Cloud Security Platform Meets Security and Availability Standards Set by the American Institute of Certified Public Accountants (AICPA) With Zero Exceptions
For the third consecutive year, Threat Stack has achieved Type 2 SOC 2 compliance in Security and Availability with zero exceptions. This year’s examination (by Schellman & Company) was our most rigorous and comprehensive to date, and once again underscored our commitment and ability to maintain strong security standards across our company’s technology, processes, and personnel, along with a high level of security and privacy for our customers.
Does this year’s achievement mean that we simply repeated what we did last year and the year before? Emphatically No! Given the ever-changing nature of cybersecurity challenges and technologies, being able to adapt is essential. At Threat Stack, we take pride in our ability to continuously learn and improve, and that’s exactly what we did to achieve this year’s results. To learn more about how Threat Stack has consistently improved its SOC 2 examination processes and expanded its scope to include new controls and functionality, let’s jump into the story of SOC 2 at Threat Stack.
In Year 1 (2017), we chose SOC 2 because we’re a security company that helps customers with SOC 2 compliance, and we believe it’s important to lead by example by completing the examination ourselves. We chose Type 2 over Type 1 since it demonstrates a much more rigorous process as well as proof of continuous adherence. As Sam Bisbee, Threat Stack’s CSO, stated: “By choosing Type 2, we sent the market a much stronger signal that we are able to uphold our own claims of ‘continuous compliance’ by operating with that policy internally.”
Once we committed to pursuing Type 2 SOC 2, we used the period before the examination to build a strong foundation of controls, processes, and governance. Specifically, we implemented new policies and technologies to fortify our infrastructure and instill security in every phase of product development. In addition, we took the opportunity to better integrate our Security team within our DevOps practices. Finally, we created tooling to embed SOC 2 expectations in our automated processes to ensure that necessary checks were built into our development process rather than added on as a roadblock at the end.
The results: By passing the examination with no exceptions, we demonstrated that the Threat Stack Cloud Security Platform®, the people behind it, and the processes in place could be trusted to continuously adhere to strenuous compliance standards.
While Year 1 was highly successful, it became clear that we could achieve the same or better results in an even more rigorous and efficient manner moving forward. With that in mind, we used Year 2 to:
The payoff was significant. Not only did we strengthen our governance and underlying foundation, but we also continued to improve our internal processes before the official examination. Our internal audit took approximately one month to complete, but it prepared us to quickly identify and pull the evidence the auditors required, so the official examination required the auditors to be onsite for only three days.
The results: Streamlined processes, a shortened onsite visit, and a successful examination with no exceptions!
Year 3 was both interesting and challenging. One might assume that two successful, exception-free examinations would make it easy to achieve a third. But given the constant change that characterizes the cybersecurity industry generally, and the change and growth we’ve experienced at Threat Stack, this was definitely not the case. To address the challenges brought on by changes in scope and the introduction of new controls, we focused our efforts on three areas:
Building a solid framework for governing SOC 2 compliance while remaining flexible has allowed Threat Stack to adapt positively to changes in the nature and scope of its operations, and to ensure that continuous compliance has been a rewarding challenge. As we continue to validate our foundation and adapt to change, we are continually reinforcing our security posture while optimizing our operating policies and procedures. As such, compliance has become a net business enhancer and enabler that allows us to benefit internally while passing value to our customers through the Threat Stack Cloud Security Platform as well as through the learnings we share with them.
In addition to its own Type 2 SOC 2 examination, Threat Stack helps its customers simplify cloud compliance management with full stack cloud security observability, continuous monitoring, alerting, investigation, and verification of cloud infrastructure through our Cloud Security Platform.