Saturday, August 13, 2022

The SOC2 & ISO 27001 Certs - Are They Worth Getting?

 


In the world of IT and Cyber, there is one common denominator:  Certifications.  I have written about this before, and in fact, have even written a couple of whitepapers on this very topic for a couple of writing clients that I have. 

Back in the day of the .com craze, it was the Microsoft MCSE cert that ruled.  Btu now with everybody either going into the AWS or Azure, the plethora of certs have exploded even more.  In fact, just a few days ago, I was looking at all of the Cloud certs available, and my head just exploded.

This is an addition to the other certs that are offered through the other institutions as well, such as those of ICS(2) and CompTIA.  So its no wonder that when a person wants to get a Cyber cert, they are very often bewildered as to even where to start.  

But it is not just individuals.  The same holds true for companies as well.  Given how compliance  a lot of things are today, companies are pursuing their own type of cert that they think are relevant to them.

A lot of this relates to the data privacy laws, such as those of the GDPR, the CPPA, HIPAA, etc.  Also, many other states are now passing their own version of them, and even other countries around the as well.  Now imagine if you are a multinational company, what kind of certs do you need so that you can have the regulators and auditors stay off your backs?

This can be a difficult question to answer, as you will be subject to the data privacy laws of each country that you operate in, or at least conduct financial transactions.  In other words, at the present time at least, there does not exist a set of international standards that a company can follow. But here in the United States, the two most popular certs that companies go after tending to be the SOC2 and IOS27001. 

But now, here comes the tradeoff:  It can take up to 6 months to get one of these certs (it’s not the same as passing as a Cyber cert).  Because of this huge time commitment, it takes a drainage of employee resources, and worst yet, it can even make an impact on the bottom line, as this is considered to be a non-revenue generating activity.  So now the question comes is it really worth it?

It can actually be quite helpful from two different angles:

*By having one of these major certs, it proves to a regulating body of one these data privacy laws that you are taking compliance very seriously, and that there are very good chances the controls that you have implemented are up to snuff.  As a result, the chances that you will get audited and/or even face financial penalties are thus greatly lowered.

*Having these certs is actually a good thing to have when approaching sales prospects and new customers.  It shows to them also that you are taking Cyber and the protection of PII datasets seriously, and have a proactive mindset.

*You will have greater chances of getting quality third party vendors that you can outsource your business processes to, as they will also be required, to varying degrees to have this cert.

There are also the downsides of this as well:

*As mentioned, it is a huge expense and time commitment for a company to get one.  Perhaps it may be time to rethink if it is really worth the effort, when these resources can be diverted to other revenue generating projects.  Also, you have to keep in mind the industry that you are in.  Not all of them are subject to the guises of the data privacy laws previously described.

*Now, here is the catch 22.  Even though you have may the cert in hand, you can still become a victim of a Cyberattack.  There is no stopping that.  All the certs will do for you is have you engage in certain types of activities that will help reduce this risk from happening, such as by deploying the right set of controls and/or upgrading the existing set that you have.  Now if you are hit and have this cert, people are then going to ask you, “How did this happen?”  Unfortunately, this can be a very difficult situation to be put into.

*Even here in the United States, there is no set of best standards when it comes to the actual awarding of the certs.  As a result, the number of organizations that that put you in the ringers has increased by 4x.  So, how do you know who is for real and who is not in this regard?  This is where you have to practice your due diligence.  To make things worse, every training organization has their own methods of awarding one of these certs has their own set of guidelines in terms of rewarding it.  So how do know which one is better?

*After a company has received their cert, the chances are fairly high that they will let their guard down.  For example, being proactive is not just a one-time deal.  It has to happen on a daily basis, with each and every employee.  Obtaining the cert has taught you and your employees valuable skills to keep that mindset. But after achieving it, many companies let out a sigh of relief and forget all that they have been through.

My Thoughts On This:

So in the end, the fundamental question remains: Should your company get either one of these certs that have been examined in this blog?  Once again, it comes down to the market you are in.  If you are business that deals with a lot of data, then of course it makes sense to have one. 

But if you are not one, then it may make more sense to pursue a cert that is closely aligned to what you are actually doing. 

But keep in mind that if you decide to get this kind of cert, it is merely a starting point.  You still need to keep your guard up, by conducting routine drills, security awareness programs, and pen testing exercises (it is highly recommended that the last two be done on at least a quarterly basis). 

Also, make sure that you carefully vet out the testing agency who will be awarding your cert in the end.

 

No comments:

Post a Comment

How To Improve Your Code Signing Process: 6 Golden Tips

  With the advent of AI, one of the biggest issues that face all businesses and individuals alike is making sure that whatever receive is ac...