Security: A Fable
Account Manager: Thanks everyone, for making time for this call. There are some security questions we need to clear up and then we should be able to get things finalized.
Prospective User: Our IT Director sent over our security forms for you to fill out, but we got back your SOC2 report in response so we thought a quick call could get things going. I’ll let him take the lead today.
Customer IT Director: Thanks, I reviewed your SOC2 report but it lacks the detail we need to satisfy our process, so we just need you to complete our forms. Do you have any questions about them?
AM: I’ll let our CISO address that.
CISO: Hi. No, I don’t have any questions about the forms themselves. They are pretty detailed and are basically requesting the same level of evidence that we had to submit for our SOC2 audit, so I think the SOC2 report should cover the bases here.
IT Director: Sure, but I need to see all the evidence in order to satisfy our process. The report is basically a summary that lacks the necessary detail.
CISO: Yes and no. The report specifies the Trust Services Criteria we were audited against and those are all documented on the AICPA site, so the report is really quite structured and detailed.
IT Director: I don’t really have time to trace through all of that, so I really just need you to fill out our forms.
CISO: Okay, but I’ll need to review your SOC2 report or ISO 27001 certification before I can turn any of that over.
IT Director: What? Why?
CISO: The evidence you’re requesting is basically a roadmap to exploit our platform. I have the data of hundreds of other customers to protect, so before I release the information you’re asking for, I need to understand exactly how you are going to protect our information. It’s not 100% of what someone would need to break into our systems, but it would be a really good head start for someone who knew what they were doing. I need to make sure it’s not going to end up in a folder on an old Windows server or something.
Prospective User: Well, that makes sense.
IT Director: Well, we don’t have SOC2 or ISO 27001.
CISO: Oh, that’s unfortunate.
AM: There’s got to be a way forward. What can we do here?
CISO: I can email all the forms you sent to me back to you so you can fill them out. I’ll then review them and, if I’m satisfied, I’ll fill them out and send our information to you.
IT Director: Then how will I know how you’ll protect all of that information if I give it to you?
CISO: That’s in our SOC2 report.
IT Director: Never mind, I’ll use your SOC2 and sign off on the purchase.
AM: Great! I’ll get the contract over to you.
Prospective User: Fantastic!
The moral of this story is that people who choose to ignore industry-standard audits and accreditations in favor of their own bespoke paperwork are not serious about security and are actually increasing risk for themselves, their users, and their vendors. You don’t have to play along.