GRC Uncensored
The Commoditization of Compliance and SOC 2

Season 1, Episode 1: Troy Fine and Elliot Volkman kick off the pilot for GRC Uncensored with special guest Kendra Cooley.

Catch this episode on YouTube, Apple or Spotify.

Welcome to the inaugural episode summary of GRC Uncensored, our pilot season that dives into the intricate world of governance, risk, and compliance, or GRC. Hosted by GRC Meme King, Troy Fine, and Elliot Volkman, the series aims to explore the realities and misconceptions surrounding GRC.

Joining them in this candid conversation is Kendra Cooley, a seasoned cybersecurity professional who shares her insights and experiences in navigating the compliance landscape. And with that, we walk right into the depths of GRC hell and discuss whether or not there is value in SOC 2 reports today. Spoiler alert - it depends.

We Need Your Feedback

Troy and Elliot have been plotting this series for a long time, and as we progress through our pilot season, your feedback will help us determine whether to continue. Hate it? Tell us why. Love it? That’s weird, but we’ll take the comments. Do you think we didn’t cover a topic adequately? Let us know so that we can ensure balanced perspectives.

Setting the Stage

In this first episode, the discussion starts by acknowledging the love-hate relationship many professionals have with GRC. Kendra Cooley, with over a decade of experience, opens the dialogue by highlighting its utility and challenges. While compliance frameworks like SOC 2 can facilitate organizational security direction, they often don't translate into best practices, leading to a strained relationship between security teams and compliance mandates. AKA people check the box and go on about their way, or worse, they feel they are now sufficiently secure.

The Commoditization of SOC 2

A focal point of the discussion is the commoditization of SOC 2 compliance. As Kendra and Troy explore, the market has seen a rise in 'SOC 2 in a box' services that promise rapid compliance at the expense of thoroughness. These services can paint a misleading picture of security, offering a checkbox solution that organizations lean on without fully understanding the underlying security implications. Kendra humorously notes how marketing often oversimplifies these complex processes, leading to unrealistic expectations from leadership about the speed and simplicity of audits.

Challenges with Auditor Quality and Assurance

The lack of standardization among auditors exacerbates the issue. Kendra shares her skepticism about reports from certain audit firms, which she describes as having a 'rubber stamp' approach, ultimately leading her to question their validity in risk assessments. This lack of trust in the quality of audits prompts a more vigilant approach to evaluating vendors, often necessitating additional layers of diligence that surpass mere compliance reports. This particular topic will also get an episode of its own.

Evolving Perspectives and Potentials for Change

The trio then discusses the evolving landscape of cybersecurity audits, with a noted shift from SOC 2 to ISO certifications in some cases. The conversation pivots to the broader implications for the industry, questioning how compliance frameworks contribute to or detract from actual security improvements. The commoditization trend is seen as potentially damaging, fostering a false sense of security among companies that leads to complacency.

Looking Towards Future Solutions

The team ends the episode by reflecting on possible paths forward, suggesting the need for collective industry standards that elevate quality assurance without imposing unmanageable burdens. Elliot suggests that a concept like Secure by Design could pave the way for more meaningful frameworks while acknowledging the challenges of implementing such changes without federal oversight.

As organizations increasingly rely on compliance attestations like SOC 2 for market credibility, there's a growing need for industry dialogue on how to recalibrate these systems to genuinely enhance security postures.

Stay tuned for the next episode, where the conversation will delve deeper into audit quality and the real impact of GRC frameworks on organizational security.

Show Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot Volkman: Hello, and welcome officially to episode one of our pilot for GRC Uncensored. I have with me our host, Mr. Troy Fine, or if you prefer our GRC Meme King, and a wonderful guest, who's going to be able to kick us off with a topic. Which should hopefully make it pretty clear of what we're going through for this series.

Now, just for a little bit of context before we kind of just jump right into it. In about two episodes, you will get a little bit of behind the scenes from Troy and I talking through why the hell we're doing any of this. We're not going to be just talking about controls and all of these. Absolutely lovely and horribly boring things that come along with GRC, but instead we're going to give you the uncensored version of GRC.

So to skip ahead of that, just wait a couple episodes. You'll get some of that behind the scenes. So we're just going to jump right into this and go from there. But first, maybe we should introduce our guests. So we have Kendra Cooley, who has been at least in our cybersecurity world for a decade, probably a little bit more than that.

And of course has quite a bit of exposure to the wonderful world of risk and compliance and governance and not exactly that order, but you get the hint. So, Kendra, anything that you would like to add upon that? What is your what's your general take on GRC? Is it a love hate thing? You're obviously not specifically in the GRC, but yeah, what's your take?

Kendra Cooley: It's definitely a bit of a love hate relationship. I would say, depending on the day, I think, you know, governance, risk and compliance is one of those things that's really helpful as a security professional to be able to point to especially when you're trying to influence the organization to move in a certain direction.

But at the end of the day, you know, there are certain things I think we can all agree that, you know, just because a compliance control says that you should do something doesn't necessarily make it a security best practice. Right? So it's love, hate,

Elliot Volkman: Love it. That is a

Troy Fine: more like a love hate with the frameworks more than GRC. That's what that sounded like to me.

Kendra Cooley: fair, fair. I would tend to agree.

Elliot Volkman: All right, that is our great pivot point. So, Mr. Fine, if you would like to tee up what we're going to be discussing this episode, then go from there.

Troy Fine: I think we're going to be talking love hate relationships with GRC. I think that's a perfect segue into the topic today. But really we just wanted to talk with Kendra or myself, right? I might add my own opinion here and there. I tend to do that if you follow me on LinkedIn.

But you know, just talking about compliance, GRC, how it might be becoming a little bit more commoditized, how it might be losing its value and what its intended purpose is really supposed to be, we might touch on some other topics such as other cyber security realms that aren't necessarily compliance focused, but really getting down to maybe what's causing this, how do we solve this problem potentially?

And what's really going on here and how do small businesses or medium sized businesses, how do they convince their leadership that this really is important. And it's not just a check the box exercise to show, Hey, we're, we have, we are SOC 2 certified. That was a joke. People

Elliot Volkman: There's a lot of

Kendra Cooley: going to say, I can't believe you just said that word

Troy Fine: It's amazing how you can build a brand around SOC 2 certification when you don't even mean to, I'll just put it that way.

Elliot Volkman: That's going to be our promo clip. I'm just going to put that out there. So that, that was a lot of information. So maybe we'll start with 1 question to kick it off. And then just for a little bit of a caveat, we will have a separate episode to specifically talk about. Do you need a tool or technology to go through the GRC process? I don't know, maybe touch on that a little bit, but let's zoom out and focus on that big picture. I think the starting question that we can look at is are things like SOC 2 becoming SOC 2 in a box where organizations are for their first time going through an audit, being asked for this thing, don't really know how to go through it, they've never gone through the motion I don't know, what's your hot take, Kendra, what is the state of these like entry level, you know, compliant and entry points?

Yeah,

Kendra Cooley: To go through the SOC 2 process. And I think a lot of that has to do with the fact that the SaaS companies see that as their golden ticket in the door to even start having conversations with, especially, you know, the medium or larger size businesses.

And so a few months ago, I think obviously this is where this conversation was kind of born out of. I made a post on LinkedIn about how I feel that, you know, SOC 2 has lost its value in a way, largely due to kind of these SOC in a box type platforms that are just helping organizations get through it so painlessly, you know, what is it, SOC 2 Type 2 in four minutes, I think is the tagline for some of these companies.

And as someone who's taken multiple companies through this process, on several occasions, I can't help but see those taglines and just laugh and be like, what a joke. It doesn't work like that.

Elliot Volkman: That would be a little painful. I will say, at least having worked in that marketing seat. A lot of that was phased out. I think fortunately from exact feedback that you're providing, but maybe I'm wrong. Troy, you still seeing some of that floating out there as our auditor, who you I don't know.

Are they knocking on the doors like, Yeah, this will only take 10 minutes, right?

Troy Fine: You know, I don't see that as much probably because I was the one that brought it up when I saw SOC 2 in two weeks, I think when I initially I made a post about that and that kind of got things moving. I think it actually translated to the auditor side as well, right? So we'll have companies come to us and just expect us to be able to do this in two days or Hey, we do this.

We have all these controls in place. We do this. Like, why does it cost so much money? I'm getting this quote for 5,000 and they can do it in a week and be done and give us a SOC 2 report next week. It's I can't even do planning in a week if I want to do this the right way or scope this the right way.

So it is translating into you know, now that I'm doing the audit side again, when we talk to prospects and it's, they don't know necessarily what they're doing. They're just being told what to do and they're seeing the market go a certain way. Sometimes I like to say it's the blind leading the blind, right?

That unfortunately that's kind of what's going on with the smaller companies. When you get the bigger companies that people have, like somebody like Kendra working for them who've been through this before, they kind of, they can kind of see through it a little bit, but yeah, we are still seeing it from here's this silver bullet auditor.

Like what, why is this taking you so long and why does it cost so much?

Kendra Cooley: Yeah. And I mean, just to kind of add to that, I mean, again, I've had multiple experiences now walking into organizations where they're like, all right, how fast can we get this done? We feel like we're in a really good place. And I have to take a step back with them and be like, all right, well, you know, you think you're in a good position.

Let me just, you know, get the lay of the land, see where you are. And I start poking around, and I'm like, Y'all don't even have MDMs under your machines. You don't have 2FA enabled anywhere. This is, it's not a good situation to be in, especially if you're telling me you want to kick off your SOC 2 audit in, you know, two weeks, SOC 2 Type 2 at that.

So a lot of, you know, what I've had to do, especially in my career is like step into these positions and get leadership to understand that, okay, I understand that you've been sold this, you know, either product or pipe dream of Hey, you can get through the SOC 2 in less than a month, but that's really not the reality of the situation, especially if you want to go about this the right way.

And sure there are opportunities for shortcuts when it comes to completing some of these audits, but I've got a little bit of integrity, and I like to make sure that things are done the right way. So it's an education especially for the founders and the leaders as, as well as helping to mature the organization.

But also getting them to understand that compliance is not equal security. And I think we can all agree that likely, you know, SOC 2 as, as helpful as it can be to get, you know, your foot in the door with some of these larger organizations especially as a SaaS company, but we know what goes into these audits and it doesn't make you secure.

So

Elliot Volkman: bit

Troy Fine: Yeah, well, you know, sticking to that topic, when you're working with a bigger company, are they devaluing SOC 2 when you give them a SOC 2 report? Are they just checking their bias? They don't care who the audit firm is? Are they looking at it closely more? Or have you seen any changes from that perspective when you're talking to these bigger companies and looking at your SOC 2 report?

Kendra Cooley: Know for me personally, when I'm doing my due diligence on a company, there are certain auditors that if I see their name on a SOC 2 report, I pretty much throw it in the trash. Because it's basically a rubber stamp audit and I, I don't hold any value to anything that's in it. And at that point I transitioned to more of a questionnaire and asking for like actual evidence on myself.

I kind of turned into the auditor a little bit. But I guess on the other side of that, you know, from a customer perspective for the last several companies that I've worked for, I haven't had an experience where a customer has been like, you know, like SOC 2 isn't necessarily good enough. There have been situations where certain companies that I worked with, just given the industry that they're in, they don't really understand what a SOC 2 is.

So it's been interesting to see, you know, like law enforcement agencies and things like that. When we say here's our SOC 2 report, they're like, what the hell is that? And so, you know, so, so that's been interesting, but I've also seen a lot more requests for ISO certifications in the last, I would say like 12 months or so.

So that's been definitely a transition. It

Troy Fine: we did is not sitting in there.

Kendra Cooley: surely isn't.

Troy Fine: But yeah, no, that's interesting. I never really considered to that. Some companies might not even know what a SOC 2 is. And if that's your like security package, part of your security package to get them home on your security and they don't know what it is, then it's okay, well, what's plan B here?

What do they ask for then? Are they just sending you this thousand page questionnaire or are they, I mean, I guess it depends how sophisticated their risk management team

Kendra Cooley: Yeah, well, and that definitely is interesting, right? It does transition, I would say, from industry to industry. So again, the organization that I was working for previously that worked with a lot of law enforcement agencies again they didn't really know what the SOC 2 was. And honestly from a due diligence perspective, they didn't really have a, you know, large list of things that they wanted to see.

And I think a lot of that was just because of the fact that they just simply weren't used to having to ask for that information from vendors. And so as part of our sales process, we wanted to get as much information in front of them as possible and explain our security posture. And they just kind of were overwhelmed.

Like what is this? You know, so it then becomes a little bit of a, an education back to them as well, which I enjoy doing.

Troy Fine: Yeah. Yeah. I have another interesting question too. Are you seeing in your circles, your GRCs, your professional circles bashing SOC 2 at all in those circles? Bashing might be the wrong word, but talking about the commoditization of SOC 2, any other compliance framework and really not placing the value on it.

In terms of when they're evaluating a vendor, SOC 2, yeah, we have to check the box because our internal auditors say, yeah, we need to get this, but we're really going to do all these other things now because we really just don't believe in SOC 2. It's

Kendra Cooley: A hundred percent. A hundred percent. A lot of the conversations that I have are definitely, you know, more behind the scenes with, you know, fellow security practitioners and things like that, but you know, when you've, been through enough of these audits and you've seen how different auditors will audit them.

It also kind of takes away, I think like the seriousness or like how much you can actually count on what they're looking at for some of these audits. And that's also why I tend to stay away from certain audit firms that I know are just doing more of a rubber stamp. If you don't have an auditor, that's like particularly tech savvy, or really knows how to dive into the controls and get to what the heart of them are looking for.

It's so easy to be like, Hey, look over here. We don't actually have this really where it should be. But if you look over here, you know, it's you can kind of dazzle them with compensating controls that are almost like.

Elliot Volkman: more

Troy Fine: Fluff.

Kendra Cooley: Irrelevant. Yeah. And so, yeah, definitely there. I've had many conversations with, you know, fellow practitioners that are just like, yeah, whatever.

Like another SOC audit coming down the pipeline another report to look at, you know, it's gotten to the point where a lot of them are just kind of like skimming through these reports as like a check the box exercise, which is unfortunate because for those of us who are spending the time getting organizations ready to go through these.

Through these audits and actually spending the time with the auditors and the thousands of dollars that it takes to get to the point of producing that report. It's like, all right, well, what's the point of this and how long are we going to stay on this train before something else comes up?

Troy Fine: You're my favorite GRC person. This is an amazing first episode. I love it. This is great. I don't

Kendra Cooley: Just, I just try to, you know, say what I feel.

Troy Fine: no, this is good. I mean, that's what we need. That's what we need. That's why we're doing this. I mean, this is authentic and I already knew a lot of the answers you were going to say, right? Because I feel it too on my side. And it is unfortunate. But I'm hoping we can change that somehow.

Bringing it, you know, making people aware or, you know, hoping that it doesn't just blow up in her face one day.

Kendra Cooley: Yeah, exactly. And I mean, I think that's the benefit as well of going with like more of an ISO certification is they are a little bit more prescriptive. So, you know, when you get that sort of like report or certification, you're looking at something that's been more thoroughly audited and they're meeting particular controls.

But, I'm sure, you know. Those of us on this call understand that, you know, SOC 2 is a little bit more hand wavy and you can kind of get away with a little bit more. So you've got to actually take the time to read those reports and see what the controls are that they have in place. And that's kind of a pain.

Troy Fine: I get it.

Elliot Volkman: All right, we're going to throw out a question here. So if we hit our time machine. And you go back to the first exposure that you've had to compliance, maybe the SOC 2 or some other framework. Hopefully, it wasn't something more important like HIPAA. But back in that period of time, when you were kind of alien to all of this, how did you navigate that situation?

And do you sort of take that approach to the organizations that you enter and try to guide them through the same journey, so to speak, in a much abbreviated fashion?

Kendra Cooley: Yeah, so actually I think SOC 2 probably is the one that sticks out the most for me earlier in my career. This would have been like back in my Duo Security days. Joining that team while they were going through their SOC 2 audit phase and just having absolutely no idea what any of this actually meant.

And learning. I mean, I had such an incredible team there learning kind of the ins and outs of what all the controls meant and why they were important and how they benefited the security organization. So I would say that, yes, I definitely try and take a lot of those learnings forward with me and to all of the other organizations that I'm working with to kind of give that like educational aspect of what this actually means but also being realistic about it.

I mean, I've had several situations where I've gone through, you know, SOC 2 audits with organizations and then, you know, there's an incident, nothing like terribly serious, but an incident occurs and they're like, yeah, but we have SOC 2. Like, how did this happen? And I'm like, all right, y'all. So, uh, yeah, yeah, exactly.

So it's very much like an educational aspect that or approach that I take with these organizations, just trying to help level set. And, you know, we just, the company that I'm working with now, we just recently went through our first SOC 2 audit for Type 1. And I loved the approach that the auditor took because he was like, you know, this is a marketing tool.

At the end of the day, we want to make sure that this report, speaks to what you all are doing internally with your organization and really highlights, you know, the good that you're doing from a security perspective. And I was like, you know, actually, I like that you took that approach of calling it a marketing tool, because at the end of the day I've been through this so many times and I know that, yeah, you can end up with a SOC 2 Type 2 that's clean as hell, but that doesn't mean that you're, you know, exempt from hackers or, you know, breaches or things of that nature.

So I thought that was an interesting way of putting it from an auditor.

Elliot Volkman: curious to build upon that. So back, you know, when you first started to do that, the technology that is available today isn't quite the same back then. You had a little bit heavier sets. You also had a lot of spreadsheets and all that. But do you feel like there was a little bit more trust and value in those compliance frameworks back then versus where they are today?

And if so, do you feel like there's some root causes there that hopefully will not get Troy and I in trouble?

Troy Fine: Get us in trouble. That's

Kendra Cooley: So that's that's a little bit of where my post was honestly, in, in the devaluing of the SOC 2, because back when I started my career and I first started, you know, having to assist with companies going through the SOC 2 process and all that, like you felt the weight, the lift of getting an organization through that and the pressure that it put on the organization as a whole, like everyone kind of understood that they had a part to play, you know, whether it be engineering and HR and security and IT, like all of these portions of the organization really had to play together in order to make this happen, the SOC in a box, I think has been very transitional for how

organizations view and approach the SOC 2. And I think in a lot of ways it has. The responsibility for something that really should be impactful across the organization to either one individual or one team, oftentimes like security or IT, or, you know, just the poor person that's been saddled with taking a company through SOC 2 who has zero security experience.

And so based on that transition of, you know, having this like SOC in a box approach that we're seeing so often now I do think that it's devalued SOC 2, because in my mind, like it's taking away from the heart of what you're trying to accomplish there, which is ultimately mature, the security of your organization.

And if you're just putting all that on one person or one portion of the company's responsibility like how impactful could it really be?

Troy Fine: Yeah.

Kendra Cooley: That was a lot of words. I

Troy Fine: No, that was good. I mean, it kind of touches on something I always think about, and I've been really wanting that for a long time. I've wanted to post something about it, but I haven't because I haven't found the right words. So we're just going to discuss it right here a little bit, but

Kendra Cooley: Sure.

Troy Fine: You kind of touched on it before, but I've always felt that because of all this, that's going on in compliance world, SOC 2 being center stage, just cause probably cause we're in the United States and all these companies are doing SOC 2, but the, with SOC in a box approach, we're creating this false sense of security, right?

For companies, like you said before, like leadership doesn't understand, Hey, we're SOC 2 certified how to begin an incident, right? And I always thought that like this causes we're trying to ensure as by creating these frameworks that you're more mature and more secure, but by commoditizing it, we've actually made it worse potentially because somebody thinks they're secure, whatever, however we want to define secure with the SOC 2 report, and then they become complacent, oh, we don't need to do any more, we don't need to improve, which is like the total opposite of what these frameworks are trying to get at, but that's what it's become.

So I'm curious if you feel that there is this false sense of security in the world because of compliance. And did we actually make things worse potentially by forcing people to do these?

Kendra Cooley: Okay.

the ticket in the door for a lot of these, especially, you know, smaller startup SaaS companies. They understand that in order for them to even be able to get a conversation with some of these larger enterprises, they have to check that box.

So that's, you know, that's where we're drawing the baseline. But what has that caused? Right. That has caused all of these organizations to say, okay, how quickly can I get through this? How little money can I spend? And therefore we're going towards that, like SOC in a box. Hey, you can get this done in two weeks.

Oh, and by the way, we have all of these auditors that we already work with. That, you know, may or may not be getting a cut from working with us or something like that. And they're going to finish that audit for you in about four minutes. And you're going to get that rubber stamp report. So yeah, it's.

In my opinion, it has really damaged the reputation of SOC 2, the value of SOC 2 and you know, and a lot of the comments that I was getting on my, on that post were like, well, did SOC 2 ever really have value? And I think it did. I think personally I think, yes, maybe I was young, naive in my career, but it did feel like it, it held a little bit more weight than it does now.

Now I get a SOC 2 and I'm like, All right, cool. Where's your penetration test that goes along with this? Like where are all the other artifacts that I can check to see that you're doing what you should be from a security perspective. And that brings up a whole other issue, which is the crap penetration testing that we've got out there now.

Troy Fine: Yeah no. That's, I think that's interesting concept as well. Cause I see that a lot with pen tests. Hey, this is just a vulnerability scan. I mean, you could have ran your automated tool and. Here's a thousand, and none of them are even, they're all false positives, right? It's not even providing any value anyway.

And then they hand it off as a pen test report, right? So,

Kendra Cooley: Don't

Troy Fine: think it does go into other parts of cyber security. It's not just compliance, I think that's an important idea. I don't know enough about other areas of cyber security, but I can imagine that compliance is not the only part where this is potentially happening.

Kendra Cooley: Oh, 100%. I think, and I think we're going to continue to see that grow. I mean, like people are really starting to understand that there's money to be made in security. And unfortunately, there are not enough people that hold positions in organizations that know anything about security. So they're falling for the snake oil and, Hey, like this vendor is offering me something that, you know, this other vendor was charging me 20 K for.

I can get it for 5,000 here. Like, why don't I go that route? Well, cheap is expensive and you get what you pay for. Oh,

Elliot Volkman: to go on a soapbox and rant? Sure. But

Troy Fine: Zero trust is a perfect example. Zero trust. I mean, you hear all the buzzwords. AI is going to be next, right? Hey, every

Elliot Volkman: Oh, no. AI has definitely been here. It's quantum is next.

Kendra Cooley: geez.

Elliot Volkman: Yeah.

Troy Fine: Right. I mean, it's, how do you know what to believe? I mean, it's kind of scary, especially if you don't understand security and cyber and compliance and all these new things, it evolves so fast. So how do you stay on top of it? I guess, how do you stay on top of it as a security professional?

Kendra Cooley: You know, I look to my network a lot. I, there's this crazy guy on LinkedIn named Troy that I follow. Who's always posting little tidbits

Troy Fine: just post memes. I don't know if it's really helping people. I just make people laugh. That's my

Kendra Cooley: Honestly, it is. I look for them all the time and I always crack up. I think it's great. The

Troy Fine: And that's it. That's all I want. Just

Kendra Cooley: Well, you've, yeah, you've definitely built that brand for yourself, but no, I mean, I think, you know, from, for me personally, it's a lot of just like looking to my network and trying to continue to learn and grow by going to conferences or just talking to other practitioners and just trying to expand my own knowledge and mindset, but I'm also like a fairly opinionated person.

And I, I'm okay with making my opinions known. So,

Troy Fine: then people will tell you their opinion.

Kendra Cooley: sometimes,

Troy Fine: Sometimes.

Elliot Volkman: More so behind closed doors, which is maybe one of the reasons why we're elevating these conversations to the limelight. So,

Troy Fine: Yes. Yes. For sure.

Kendra Cooley: yeah. And I think you know, to the, to that point You know, in terms of like, how do we fix this? Like, how do we, you know, kind of start to, you know, To maybe add value back into SOC 2 or even just see like a positive change in the security industry itself. I think you know, individuals who know better have to be willing and able to stand up and say Hey, this is not acceptable.

I know for me personally, like I've gotten many. Especially penetration test reports from potential vendors. And I've sent it back to them and I've been like, this doesn't count. This is a vulnerability assessment. This is not a penetration test and they just don't know better. So like I've spent a lot of time with vendors, like sharing penetration testing firms that I like that you know, I know produce good work and yeah, they're going to cost a lot more than this piece of crap that you just handed me, but at the same time, you're going to actually have value from it.

And honestly, like it's just really sad and disgusting to me that people are paying even a thousand dollars for a Burp Suite scan. You can buy a pro license of Burp Suite for 500 bucks and run your own damn scan. Stop scamming people. It's bull.

Troy Fine: Yeah. Yeah. No. No. This is Everything you're saying is correct. And I think it takes people like you to stand up and speak up and let people know. And taking that back to compliance a little bit, it's the same idea, right? You said we need to check your trash can, right? Because it's not providing any value if it's a certain, you know, you've developed a certain optics with certain firms, right?

So to speak. Wherever that came from, you, you've, you know, and everyone has their own opinions on audit firms. But I do think it. It takes that in order to change, right? I always say the only way it's going to change is if AWS or a bigger company will say Hey, we're not going to accept this SOC 2 report and we don't want to work with you anymore.

If somebody started doing that, then I think we would have like major changes and it'd be a change, but I'm not sure that's happening. It's happening in little places here and there. Cause I hear it sometimes, people like you, you know, or they'll post on LinkedIn like we don't accept reports from certain firms, but I've never actually experienced it.

I've never heard of, I've never seen somebody like, when I do audits, because we always do vendor management, I've never had a client tell us like, oh, we didn't accept that client's been, that audit report because they were using a certain firm. So I've never seen it personally, but maybe people just aren't telling me.

I don't

Kendra Cooley: It very well could be that. And I mean, to be fair, I've never had a situation where it has been a vendor that would be like scoped into a SOC 2 audit, meaning like they're a subprocessor of ours or you know, a crucial part of our infrastructure that I've had to push back on and be like, this is crap.

It's usually just the smaller vendors, or, you know, the ones that are newer in the space that are, you know, performing some like kind of niche functionality or activity for us that I've really had to push back on, but I 1000 percent agree. If AWS starts pushing back and saying no, we're not going to accept this particular, either audit firm or even SOC 2 anymore, like it's just not good enough for us anymore.

That's going to be a huge shift and a huge change in the security industry. But what's next? What do we follow that up

Troy Fine: ISO. Yeah.

Kendra Cooley: I mean, sure.

Troy Fine: Maybe that's the reason they haven't done it is because what they don't know what to do next. Maybe they are thinking that, but they have to check their own boxes from a risk management perspective, right? Because if something happens, they got to be able to show their people.

We did all of our due diligence and look, it's not on us, but they got a SOC 2, go talk to, if it's a bad SOC 2, that's not my problem. Go talk to whoever governs them. Right.

Kendra Cooley: Yeah, absolutely. Well, okay. Let me turn the tables now and ask a question back to you all. Do you think that kind of the lack of laws, regulations, things like that, that we have in the U.S. around security are allowing us to stay very stagnant in what's acceptable, what's required for organizations in order to handle PII or, you know, sensitive data.

Elliot Volkman: Well, Troy, you and I just had this conversation on the other podcast. I'm going to leave that to you. You had very neutral and logical, I think, take on that one. I am more of a ranter but I let Neil do most of that for me. So yeah, let's start with you.

Troy Fine: Well, well, yeah, that's a tough question. The problem is, I think government, I think we'd have the same issue even if government got involved, to be honest. If there were laws that said I mean, I guess I'll take a step back. Because they do have laws around FedRAMP, right? So government does say if you're an agency and you're using a cloud service provider, you have to do FedRAMP.

And FedRAMP's a beast, right? Depending on the level you have to do. Right. So in that case, I probably made it a little bit worse because there's a lot of money being spent on it. And people don't understand like, is FedRAMP really helping me? We almost have the opposite with FedRAMP, right? They make you do all these things and it becomes like so expensive that it's did this little control like really matter for us?

And we went through all this blah, blah, blah, blah. So in that case, I think government kind of went too far. That's what government does. But if we're saying government overseeing the private sector and requiring it, I think then we just get the same commodity, right? Because the government doesn't have the scalability to enforce or care.

I mean, if there's, if you think about government, they'd have to set up a whole new agency to be like we got to review these SOC 2 reports and make sure they're quality and do all this. It's taken six years for the DOD to even get CMMC through the door and get those rules finalized.

So I don't think that it would change much if they were trying to govern the private sector, at least in my opinion, because I just don't think they have, they don't have the scalability to do it. In my opinion, I think privacy might be a different story. I think obviously privacy requires regular regulation because people just don't know what to do and they're going to take advantage of people's data without it.

We see that all the time, but the government's trying to do too much with that, right? I think they need to start off really small and be like, okay, we're going to have a GDPR in the U.S. or similar law. It's going to have three things. Right to be forgotten. You have to tell them like where their data is going.

And you have to have a privacy policy that they can opt out of all these different things that they want to, all their data subject rights. And we're trying to make it political, right? So because they're making it political, they're never getting anything through, and then we don't have a GDPR-like law.

So we're trying to, with privacy, we're trying to run before we even walk. And that's why we're seeing the states do all their things. And so now there's going to be 52 states, 100,000 countries with their own privacy laws, and people like Kendra are going to have to figure out how to comply with all of them,

Kendra Cooley: Yeah. I'm gonna have so many spreadsheets that I gotta track.

Troy Fine: That's right, that's what's happening. And then we're back to the discussion, did we actually help anything? Like when there's so much to try to figure out, it's like in your mind, you're like, okay, right to be forgotten. That's probably in every single law. We better make sure we have a good right to be forgotten process and all this other stuff over here.

I can't worry about that in California and Utah and Virginia. What are the common things among all of them that we can do and make sense for us? And that's a challenge.

Kendra Cooley: Yeah. Yeah. And you, I mean, you've got like CCPA, that's kind of like setting the tone for a lot of those you know, conversations and the development of those laws and regulations. But yeah, if each individual state starts coming up with their own little individual versions of that, I mean, I think we've even seen with FedRAMP, like TX-RAMP and all of the other states that have individualized, you know, the ramp process and the difficulties that kind of come along with that.

So it makes

Troy Fine: And then people say compliance isn't security. That's where all this comes from, right? Because I have to spend six months trying to figure out what all this means while my company is, you know, while nation states are knocking on my company's door, I'm trying to figure out how do I comply with TX-RAMP?

What is TX-RAMP? What is StateRAMP? How does that meet FedRAMP? And meanwhile, the actual security kind of gets forgotten about

Kendra Cooley: by the wayside, right? Yeah, and then kind of back to the initial thing that you said at the beginning, which was, once we achieve that SOC 2 or whatever that compliance framework is, like companies just kind of think, okay, cool. Like we're good. We don't have to further invest in, in actual security now.

Cause we've got this really cute little seal on our website, which makes my job definitely as a security practitioner, a lot more difficult of having to go back and say, no, I need more money,

Troy Fine: that.

Elliot Volkman: Any more stickers is what

Kendra Cooley: Yeah, exactly. Exactly.

Troy Fine: Kendra on again for another episode. I know there's lots of talking,

Kendra Cooley: Happy to.

Elliot Volkman: We'll see if she approves all the edits and whatnot we get through there. Yeah, but I try. I generally agree. I think at the federal level, privacy would be a great starting point. And I don't see there being like a world where it would try to govern the private sector for something like SOC 2 plus if we're, I mean, looking at a comparative stance, they have introduced some stuff for publicly traded companies where there's the disclosure rules and all that.

But, you know, it's still a little bit early to tell, but anytime that we've seen stuff like that, organizations of that magnitude and of that revenue, basically just treat it as like a piece of doing business. So if it is just enforcement through fines, like they don't give a shit. Don't people start going to jail or there's direct action that's taken that has, you know, larger dire consequences, I don't think that there's going to be much done out of it.

So on the flip side, and this is more wishy washy fluffiness, but we have things like secure by design, which are sort of like these collaborative industry adopted guidelines that, you know, they don't have consequences. They're just industry best practices. And if you do these things that adds and reintroduces trust and credibility into it.

I would love to see maybe ISAC is already doing something like that, but like an organization like them to build something across many different GRC professionals to develop something like that, to increase those higher standards. Now, I know AICPA and all them are creating harder stances on some of the, what they see root causes for that situation, but it would be ideal for a more neutral organization that is representative of all the professionals to kind of chip in only because as much as I would love to see regulation move something forward, like the carrot and stick thing, it's usually more of a stick and the money just, you know, they don't care. They just pay the fine.

Troy Fine: even with secure by design that they're requiring federal agencies, several cloud service providers, they have to do this. S I forgot. Anyways, it's what's secure by design, but it is attestation for secure development framework. I think SDF, it's really just an attestation letter that you have to send in.

Now, I mean, you don't want a lot of the federal government, right. But like, you're being forced to sign an attestation. I mean, I guess that's good. All that tells me is if something goes wrong, they now have the ability to say you signed this attestation and now we can sue you and regain all this money back that we lost because of this breach.

That's what it felt like to me. It felt like more of a liability thing than an actual like we want to improve security type of thing. But

Kendra Cooley: that's more of a slap on the wrist than anything, if that.

Troy Fine: yeah, so that's where we're at.

Elliot Volkman: I

Troy Fine: that's it. That's it. This is how do we solve all this. That'll be in the next 10 episodes. We talked about earlier. Yeah,

Kendra Cooley: episodes because I think there's definitely a lot of room for improvement like here. I know for me again you know, being the person who oftentimes has to review these vendors and make the decision as to whether or not you know, we can use them like, you know, is the risk too high?

You know, have they provided the right documentation? It's just, the answers to those questions is becoming so much harder to find because of how convoluted the market has become with rubber stamp auditors and, you know, the folks that are doing the testing on these applications to make sure that they're secure, like just not actually doing what they're supposed to be doing.

So the artifacts that I have access to, how much can I trust them? And so a lot of times it just becomes like gut reactions and, you know, you can send a billion questionnaires, but at the end of the day, it's that's no different than signing an attestation. You know, I can send you a 50 question questionnaire.

You can answer that however you want. I don't have any way of proving that you're doing what you actually say that you're doing. So it's, it would be nice to get to a point where I felt like, hey, I had this piece of paper that gave me all the answers and gave me that yeah, that comfort deep down inside that I'm not signing the business up for too much risk, but we probably won't get there, but that's okay.

Troy Fine: no, but that is a

Kendra Cooley: security.

Troy Fine: Elliot. I didn't think about that one, but the pressure that people leading GRC teams might feel not having that comfort. I think that's an interesting discussion topic, right? Because ultimately if something goes wrong, they might have the finger pointed at them, unfortunately, if they're in the wrong type of organization.

Kendra Cooley: Yeah. Yeah. And it's becoming, I will say like more and more difficult for me. If you use kind of like a, you know, red, yellow, green type of assessment for vendor reviews, it's becoming more and more difficult to give any sort of like green light. Yeah. Let's move forward on a vendor, especially if they have any access whatsoever to data that you deem sensitive or, you know, are connected to business systems internally or, you know, things of that nature, it's becoming more and more difficult to say.

Yeah. Double thumbs up, like move on ahead. I'm giving a lot of yellow, like warning.

Troy Fine: yeah. Yeah, no, that, that's a very valid point. Like how could you ever be a hundred percent? How could you ever be okay giving that? That green, knowing that it's nearly impossible to,

Kendra Cooley: It is. Yeah, it's really difficult. I think, you know, like from my side, a lot of what I try to do is just highlight the potential risk to the business. And at the end of the day, you know, as a, as a person who's leading a security program, like it's my job to outline the risk to the organization. It's not my job to say whether or not we move forward with something like the business gets to make that decision.

I just have to make sure that I've documented very well, what the potential risks are. And, you know, there's a lot of times where I have to say I'm not able to verify, you know, one way or the other, if this is actual factual information that they're doing this. But here's the risk of, if they're not doing what they're saying, now go with your gut, is that something that you're willing to accept?

And if it is, cool, I'm adding this to my risk register.

Troy Fine: that's the way it should be done. Right.

Troy Fine: This is all really good stuff.

I mean, and that all comes back to commoditization, right? Because you're looking at a SOC 2 report. You're like, I don't trust this. This is a risk. It's going on our risk register. So

Kendra Cooley: It's true. Yeah, so we'll just wait for the next company to build a platform or something there that can help solve that issue and sell

Troy Fine: sure there's a ton out there if you want me to go Google it right now. They probably have really good AI too that can just guarantee no cyber attack ever. So

Kendra Cooley: A hundred percent.

Elliot Volkman: Always silver bullets. All right that takes us to the end of the episode. So I'm going to close us out here, but if 44 something minutes and minus editing, we would Troy and I would love your feedback to help us determine if we're going to move beyond the pilot of this mini series, season, whatever.

So, throw it our way, if you see Troy post about this, rant, rave, give him some feedback, throw some topic suggestions, we'll go from there. But Kendra, thank you so much for being here, being open, having an uncensored conversation with us about GRC.

Kendra Cooley: Yeah, not a problem. It was a pleasure to be the first official guest. Thanks.

Troy Fine: fun. Good conversation. We might need to have part one and part two, Elliot. I don't know.

Elliot Volkman: We can always expand,

Troy Fine: We might be able to break this one up.

Elliot Volkman: Yeah, no worries. People listen. It was, it's good chat. For those of you continue on our next episode will be the actual technically part two actually of this, which Kendra already alluded to, which is about the quality of audits. So we're going to focus on the product and the output of these things.

We'll dig into something that may or may not end up in a trash can in Kendra's office. All right, we will see you next time.

Imogen: Thank you for listening to GRC Uncensored. Your hosts have been Troy Fine and Elliot Volkman. To learn more about GRC, go to GRC Uncensored.com, subscribe to our newsletter on Substack, or join our GRC community on Reddit. Viewpoints expressed during the show do not reflect the brands, employers, or companies of our hosts, guests, or sponsors.

GRC Uncensored is an experimental podcast designed to elevate real conversations with GRC professionals, auditors, regulators, and those building programs around it. Your hosts are Troy Fine and Elliot Volkman.