Making secure decisions
Without guidance, it can be difficult at times for a business to know the next steps in their cybersecurity journey. There are numerous options and choices to be made. However, in some cases the decision is very clear. One example of this is a SOC (Service Organization Control) 2® report. For certain organizations a SOC 2® report is an expectation when working with third-party vendors. As cybersecurity becomes a more common expectation in business agreements, the demand for compliance reports like SOC 2® is growing. The goal of a SOC 2® report is to obtain an independent confirmation that commitments to security are being met.
Staying competitive with SOC 2®
For data marketing firm B2E Data, the need to stay competitive in the market they serve led them to seek out what is known as a SOC 2® examination. Specific opportunities in the B2E pipeline were requiring a SOC 2® report, and current customers were starting to ask for one, so it was an obvious next step for the business. There was also a growing investment required to complete each customer’s and prospect’s security due diligence process. Having a SOC 2® report allows B2E to bypass customer forms and questionnaires because all of the needed information is clearly organized in one location, with assurance provided by an external party that security controls are in place.
When B2E first decided to pursue a SOC 2® report, they didn’t know where to start. Once they connected with their accountant, LWBJ, they found the needed resources. The team at LWBJ laid out the process in detail to help B2E understand what it would require and identified the need for a cybersecurity consultant.
“Our competition is a lot bigger than us. A SOC 2® allows us to stay competitive. We’re a pretty small data marketing company, but having the SOC 2® makes us more legitimate in the eyes of potential clients,” said Keith Snow, President of B2E Data.
The path to receiving a SOC 2® report is different for everyone. For some, it starts with seeking out a cybersecurity firm to help prepare them for the audit process. For B2E, a partnership was already formed with well-respected CPA firm LWBJ. After discussing the need for a SOC 2® audit and learning about the process involved, B2E leadership realized they may need some assistance with preparation. Thankfully, LWBJ had an existing partnership with Pratum.
Finding a cybersecurity partner
LWBJ and Pratum have been working in conjunction on SOC 2® examinations for a few years now. The connection and cooperation between the two not only allows organizations a seamless transition between preparation and examination time, it also gives companies like B2E experts on both sides of the process. Many CPA firms choose to perform both the readiness and the examination, but LWBJ understands the benefit of utilizing a third-party consultant that can provide additional strategic support without compromising the firm’s independence as the examiner.
“Working with two companies that are both experts in their specialties provides us an advantage. The partnership between LWBJ and Pratum is seamless.”
Keith Snow, President - B2E
Pratum’s role starts at the beginning of the SOC 2® process with a Readiness Assessment. As cybersecurity experts, Pratum’s consultants can guide business leadership teams through the preparation phase. During this time, consultants go over the security measures already in place, what controls are missing, and whether everything is being documented within the organization. There is a significant investment in documenting security policies and analyzing the risks of the system, which is one reason it's beneficial to utilize a consultant for the process so B2E doesn't have to lose focus on its customers and employees.
“I think the biggest thing is that we may think we’re secure, but until you start documenting it, you don’t really know for certain. That’s a requirement and that’s the proof you need,” said Snow.
Next, Pratum’s consultants make recommendations to help prepare B2E for the SOC 2® examination.
Working together for compliance
During the Readiness Assessment, LWBJ provides expertise on the guidance set forth by the AICPA for SOC 2®. They’re there to make sure the controls Pratum develops with the client will be satisfactory during the examination, which eliminates surprises, and to build their understanding of B2E's operations concurrently with Pratum. Pratum also works to find any potential security risks for clients like B2E.
“For a while we actually had all three companies working together in one office. As Pratum was creating the assessments, LWBJ was documenting them; it all worked well together,” said Snow.
This integration of the two services helped B2E successfully complete their SOC 2® requirements, which they now use as a selling point to new clients. B2E was also in a good place from the beginning, putting cybersecurity as a top priority in their company. This made the SOC 2® process smoother than many.
“We were probably a lot better prepared than most companies our size, given that our core service is data marketing. We had many policies and practices already in place. We just needed more thorough documentation in a centralized location,” said Snow.
Staying cyber secure
Even though B2E has a SOC 2® report right now, they will work with LWBJ on an annual basis to keep that standing. This will keep the B2E team accountable to the policies and procedures that have been set, and LWBJ's testing approach is focused on the risk areas that are most concerning to Keith and his customers. The SOC 2® is not the only way B2E is working on improving their security posture. After completing the SOC 2® report, B2E decided to extend the working relationship with Pratum to include SIEM log monitoring services.
Pratum's Managed SIEM (Security Information and Event Management) provides security expertise and a holistic view into network activity. A team of security analysts and consultants notifies businesses of security incidents and guides them in making appropriate security decisions throughout the response process. This now allows B2E leadership to breathe a little easier knowing their business is in safe hands.
“SIEM monitoring has been huge. If we get a security ticket opened from Pratum, letting us know something suspicious is going on, we can do something about it. It’s nice just being aware of things like that we would have never known about otherwise. It definitely gives you more comfort knowing that monitoring is going on behind the scenes.”
Keith Snow, President - B2E
Many organizations are now requiring stricter security controls, and that means being able to prove your organization’s cybersecurity is a top priority. Instead of having to repeatedly fill out questionnaires from potential clients or business partners, having a SOC 2® report is a great way to show the world your attention to security detail.