This is a transcript. For the video, see: Improving Drupal CMS Performance with Gander: Real-World Wins and Lessons
[00:00:00] Michael Meyers: Hello and welcome to Tag1 TeamTalks, the podcast of Tag1 Consulting. I'm really proud that Tag1 has received its SOC 2 attestation. And in today's episode, we're going to talk through, uh, that whole process and the steps that we went through to achieve that. To do so, we've invited the experts who helped us get there to share their knowledge and insights along the way.
[00:00:25] Michael Meyers: So whether you're considering pursuing SOC 2 for your organization, uh, you're trying to help a client get theirs, or just curious as to what this entails in this episode, we're going to provide you with the information, uh, that you're going to need to understand what it is, how it works and what you need to do.
[00:00:41] Michael Meyers: Uh, and we're also going to share some of the difficult decisions that we struggled with along the way, like. We didn't want to monitor our employees computers and phone and install spyware. Uh, and how we address that, um, as well as some of the biggest benefits that we saw, uh, that we didn't necessarily anticipate, including automated compliant tests with [00:01:00] Vanta.
[00:01:01] Michael Meyers: I'm Michael Meyers. I'm the Managing Director at Tag1. Uh, at Tag1, we build large scale applications with Drupal, as well as many other technologies for leading organizations in every sector, including Google, Pfizer, The New York Times. Department of Energy and the ACLU, just to name a few. A lot of organizations hire us because of our major contributions to open source projects, including Drupal.
[00:01:24] Michael Meyers: For over 20 years, our team has been behind many of the innovation that have made Drupal the big success that it is today. It's become the number two, uh, used CMS on the Internet. Um, and it's that expertise that we have in building large scale systems that power millions of websites, uh, that our clients.
[00:01:41] Michael Meyers: Uh, bring us on board to help them with their mission critical projects, uh, and ensure their success. So if you need help with your project, uh, please email us at info@tag1.com, that's T-A-G, the number one, dot com. There's so much to talk about today. So we're just going to jump right in. Uh, my [00:02:00] guests, uh, Jeff Sheltren, one of the partners at Tag1 and our CIO who led our SOC 2 efforts.
[00:02:07] Michael Meyers: Welcome Jeff.
[00:02:08] Jeff Sheltren: Thank you. Hi.
[00:02:11] Michael Meyers: Uh, Drew Danner, who is the managing director at BD Emerson. Uh, we're going to talk a lot about this, but we knew we need partners, uh, to help us quickly and cost effectively get through the SOC 2 process. Uh, from our first call, uh, Drew and the BD Emerson team really impressed us.
[00:02:26] Michael Meyers: They exceeded our expectations, you know, throughout the entire process. Uh, and so we really appreciate your help getting here. Uh, and thank you for joining us as well.
[00:02:37] Drew Danner: Thanks for having me.
[00:02:39] Michael Meyers: Faisal Khan, who's a subject matter expert in security, privacy, governance, risk, and compliance at Vanta, is also here joining us today.
[00:02:48] Michael Meyers: Uh, Vanta is an amazing software package, and it was really key to how we approached this. Uh, our success in getting things done efficiently, um, and is also a big part of that monitoring, [00:03:00] uh, to ensure that we stay in compliance at all times. And I, I can't imagine going through, you know, the SOC 2 process or what it was like to do this, uh, before Vanta.
[00:03:09] Michael Meyers: So I'm really excited to get into more about what it is and how it works. Um, Faisal, thank you so much for joining us as well.
[00:03:16] Faisal Khan: Happy to be here looking forward to chatting.
[00:03:20] Michael Meyers: So before we dive into some of the details, um, about, you know, how it works and what we did, uh, Drew, can you just give a high level over folks, you know, what is SOC 2?
[00:03:32] Michael Meyers: And in particular, like I was shocked that it wasn't a certification, right? I would say, Oh, we're getting our SOC 2 certification. Like what, what is an attestation? Uh, and, and why is it called that?
[00:03:43] Drew Danner: So, uh, SOC, SOC actually stems from some tragedies that happened in the early 2000s with Enron, where we decided that instead of allowing, um, companies to go around and make claims, uh, we were going to require certain elements of certain businesses like public companies.
[00:03:59] Drew Danner: Uh, to [00:04:00] undergo controls over their financial reporting, which is where, uh, SOC 1 and, and Sarbanes Oxley stem. So Sarbanes and Oxley were senators, they passed an act, and, uh, the AICPA, the American Institute of Certified, um, Professional Accountants, they went and they developed a framework to audit companies for their controls.
[00:04:20] Drew Danner: That's privacy controls, governance controls, compliance, security, you have it. Stemming from that, there were sectors of business that didn't necessarily need controls tied to financial reporting, and they moved to a IT and security compliance check, which is your SOC 2. The reason SOC 2 isn't a certification is there isn't a standardized set of controls.
[00:04:43] Drew Danner: SOC 2 relies on what's called COSO principles. So auditors actually have this list of principles and auditors work with their customers to then set what controls the company is going to commit to and then will be audited against over a period of time. SOC [00:05:00] 2 controls, uh, typically stem from your regulatory requirements, your contractual requirements, security best practices, uh, and specific items that affect your business.
[00:05:11] Michael Meyers: Wouldn't it be somewhat like customized and tailored to, you know, for like our needs?
[00:05:17] Drew Danner: Exactly. Um, one of the very interesting things about SOC 2 that people don't realize is that most audit firms, even before these compliance automation tools came about, they had a standardized list of controls that they'd like customers to meet.
[00:05:34] Drew Danner: We call them ITGCs, Information Technology General Controls. These are things that we define as industry best practices or things that, you know, throughout the course, we've seen, you know, this is what a good security or compliance program looks like. Now, you fast forward into, um, you know, what, 2017, 2018, and along comes tools like, like Vanta.
[00:05:57] Drew Danner: Um, I say tools like Vanta, but, You know, we've [00:06:00] used all the tools in the space and I think Vanta is on a leg by its own. What Vanta does is Vanta helps customers like yourself by giving you a predefined list of controls that you're looking to commit to. It actually cuts out probably about 40 percent of the prep and planning that goes into the control defining process that you used to do with your auditor right now, you subscribe to tools and Faisal.
[00:06:25] Drew Danner: I know that Vanta has done a great job with their initial set that they recommend, um, the goal of the product that was always to be really configurable to meet all the customer's needs, right?
[00:06:38] Faisal Khan: Yeah, absolutely. Like, we come pre mapped to the list of controls, whether it's a security criteria or the other for availability, processing integrity, confidentiality, privacy, uh, but of course, like depending on the organization and their scope, what's actually applicable, there's always that degree of customization that's possible.
[00:06:58] Michael Meyers: So why does a company, [00:07:00] uh, go about doing this? You know, are they required to, is it something that they, you know, take on of their own volition for a certain reason?
[00:07:09] Faisal Khan: I'd say the most common reason is because someone told them to do it, right? Um, that ends up being a revenue enabler for a lot of organizations.
[00:07:19] Faisal Khan: But if we, if I think, put my security hat on as an InfoSec and Compliance professional, I think it's a really good framework to establish foundational controls for yourself. When it comes down to how do you protect those sensitive, sensitive data, uh, systems that handle those, that data, people, locations, and really establishing that rigor for yourself downstream so that you can further mature your program over time as the complex needs continue to grow.
[00:07:48] Drew Danner: And I, I think, I think more and more businesses do it because of the ripple effect. So, right, post 2002, we started requiring these large financial customers to do audits over their security [00:08:00] controls. And as part of that, they all commit to do third party risk management or vendor risk management. And then you start working for those companies.
[00:08:06] Drew Danner: So now they require you to do it. And then it goes downstream and downstream and downstream and, you know, we're 10 generations removed from the original requirement, but you're doing it that way. We can sign a contract with a customer. And like Faisal said, you're looking to enable revenue, but you're also, you're looking to mitigate risk.
[00:08:23] Drew Danner: Right. And business, you know, even, even in our business of compliance, the goal isn't to do an infinite amount of security. Right. So my background, I was Army for 10 years and I worked in the intelligence communities. Uh, in the U. S. And I lived in a box. I worked in what was called a SCIF. It's a secret compartmentalized information facility.
[00:08:43] Drew Danner: Everything we did stayed in a room. Computers were built in a room that that's supposed to be right. That's the top of what we think security to be. Security is all about what's necessary. What's there to enable your business? Too much security hurts your business. Not enough security opens you up for risk.
[00:08:59] Drew Danner: [00:09:00] So what one of the things that we believe that the COSO framework from SOC does is it establishes the right amount of controls to mitigate the 80/20 rule. 80 percent of your risks are going to stem from the controls that you're implementing. So let's get that out of the way. Let's enable business and let's, let's protect your business.
[00:09:21] Michael Meyers: And what you described, uh, you know, applies directly, uh, to us. I mean, you know, Jeff, you can get a little, uh, shed a little light on this, but like we were. Basically, you know, it was like, if we wanted to capitalize on a business opportunity, we needed to become, you know, SOC 2 compliant.
[00:09:41] Jeff Sheltren: Yeah, I mean, it's, it's kind of funny that being around for 17 ish years that, uh, none of our clients have ever required us to be a SOC 2 compliant.
[00:09:51] Jeff Sheltren: Uh, I had actually walked through a couple of clients of ours, uh, helping them get their SOC 2 attestations, but it's been a decade [00:10:00] plus, uh, like pre Vanta and all these automated tools. And I gotta say this experience was so much better. Like, um, Just having the automations, having the like, almost like cookie cutter, like, here's what you need.
[00:10:18] Jeff Sheltren: You can kind of customize it for your business. Um, and, and save so much hours of work, uh, has been pretty impressive. Um, but yeah, we, we finally were required to do this as part of becoming a D7, Drupal 7, extended support provider for the Drupal Association. Uh, and. You know, we dragged our feet about it a little bit having gone through it so many years ago and it was painful. Um, didn't see a ton of value, saw some value.
[00:10:53] Jeff Sheltren: Um, but definitely have come around and it's, um, we, we put a lot of work into it, but I [00:11:00] think like as a growing company, like Tag1, uh, going from a small number of employees to like a hundred people or whatever we are now, it's, it's been great to solidify some of these processes and policies that we're kind of like, oh, we have that on a wiki somewhere, let me find you in a bookmark, and now it's like, oh, we have a full set of published policies, uh, that actually anyone can go view online if you go to our trust center.
[00:11:27] Jeff Sheltren: Uh, because Vanta automates all that for us and collects that information.
[00:11:32] Michael Meyers: And it was, it was the ripple effect that you mentioned, Drew, like the new CEO of the Drupal Association came on board. His background is in, you know, uh, you know, the Beltway, Washington, and he came from a world where, you know, everybody did that and he was shocked.
[00:11:47] Michael Meyers: He's like, what do you mean? You're not SOC 2 compliant. You're like, everybody's SOC 2 compliant, you know? Um, and so, you know, we, we wanted to pursue this opportunity. But yeah, we realized that there's no way [00:12:00] we could do this on our own. Certainly not in an efficient and cost effective manner. Uh, this can be a very time consuming and, and costly endeavor, depending upon how you approach it.
[00:12:09] Michael Meyers: Um, and so we went through our network and we asked everybody, other agencies, like, you know, have you done this? You know, like, who did you work with? And, you know, most people hadn't done it. And, and a few folks. That had, you know, weren't able to refer us to anybody, you know, so, um, we went on Google and we, you know, we, we, we called you up and, you know, it was a great conversation, um, and, uh, you know, we decided to work together, um, can, you know, um, can you give folks, you know, just, uh, you know, what is BD Emerson do, you know, like, why do you need a partner, uh, to go through this process?
[00:12:47] Drew Danner: That's a, that's a great question. Um, So the short of it, so BD Emerson is a, we're, we're a consulting firm, a law firm and a CPA audit firm. Right. So we actually have [00:13:00] a, um, kind of an umbrella of businesses. Uh, Tag1 worked primarily with the consulting firm to implement the controls. And then when it comes time for any additional work, right, we, we have these other capabilities that we offer.
[00:13:13] Drew Danner: Uh, one of the things that we find ourselves most frequently doing, not just in this space, but it's really helping people understand what, what's next, right? Um, typically where we have clients come is, um, like yourself, right? Someone's gonna give you a requirement, but the requirement's bland. It's, it's go get SOC 2.
[00:13:32] Drew Danner: And as we talked about, SOC 2 doesn't really have a list of required controls, that's for you to develop. So one of the things we do is we help customers understand what are their requirements. So from the legal aspect, we take a look at your contracts. We go through and we see what commitments you have made that we should add to your control list.
[00:13:52] Drew Danner: You know, you, you, you leverage a tool like Vanta or not, we want to make sure that the things that you're committing to your customers, you're also going to commit to being checked by an [00:14:00] auditor. Uh, we find that, I mean, that's, that's the core part of this. One of, one of the things that, that you found us to help you do is not just hold your hand, but help you build these processes and help you implement these controls and help you.
[00:14:11] Drew Danner: You know, we, we work from the paper to the end of the stack. So we have, we have team members that are going to analyze your requirements, build processes and document. We have engineers that are going to fix, you know, coding your product. If you were, we were asked to, in this case, you know, your, your stack was pretty clean.
[00:14:28] Drew Danner: You know, I don't know if, uh, if you tell people that, but, uh, I'll say it on the call. It was a very low risk environment. You do a great job of managing risks and vulnerabilities. Um, but typically BD Emerson does everything from the left end to the right end. We, we advise on security requirements and we make sure they get built in your process and product.
[00:14:49] Faisal Khan: Well, hey, now, now you, you can definitely tell people that your stack is clean because you got a trust center that says it. All right. That's the, that's the whole idea of trust centers with Vanta, just [00:15:00] being able to surface that information and make that available for those that need to see it.
[00:15:05] Drew Danner: Yeah, I think, I think that's the biggest part of you know, I, I love, I love people in the space that say compliance isn't security and the rights are right.
[00:15:13] Drew Danner: Compliance isn't security. Um, good compliance makes you more secure and good security makes you better. Um, when you do the little things right, you mitigate, again, the 80/20 rule, a lot of the risks. Um, you're a services company. You also have a product. Where's the bulk of your risk today? You said you have a hundred endpoints, right?
[00:15:32] Drew Danner: Well, we focus in security and hardening hardware and software. It's always the meatware. It's the people. It's what's between our ears that's always falling to scams, to, you know, easy, easy things that we can prevent easy things that understanding what our process is, what our policies are, uh, being trained on what's what to do and what not acceptable use.
[00:15:54] Drew Danner: Those are the elements of any good security program that there are certain security professionals that [00:16:00] say, well, that's, that's not security. And you're coming from the government that that's 90 percent of our security is processed. It's, these are the phases, these are the steps, this is how we do it. And, you know, that's typically the longest part and that was a part that you guys executed very well.
[00:16:17] Michael Meyers: I feel like Jeff is looking at me right now that I'm the bulk of the risk.
[00:16:21] Drew Danner: It's typically, it's typically the C suite. It's typically finance, CEOs that are not technical, that there's a, there's a lot of. Um, what do they call it now? There's a, like a spear phishing, right? Isn't, isn't that the name we call it now?
[00:16:39] Drew Danner: It's, it's phishing, but at the top levels of an organization, you're prone to move quickly, you have a lot on your plate, you're a lot, you know, executives are mobile more frequently than other people. So you click on a link, you know, it's a Mamba 2FA attack. It looks just like a regular sign in and you give them your credentials.
[00:16:58] Drew Danner: Now they have access to [00:17:00] everything. They dump everything. Security is not an if, it's a when, and when you build compliance, like a SOC 2, you've already built in a couple of those layers for if something happens, how do you react when this happens? What's our backup strategy? What's our disaster recovery plan?
[00:17:19] Drew Danner: What's our incident response plan? Those are elements that you went through with with Vanta's guidance with BD Emerson's guidance and now you have a, if stuff happens this is how we move forward.
[00:17:32] Michael Meyers: Yeah, coupled with things like training and education and you know we have systems that send us those messages to see whether or not, you know, we're dumb enough to click on them and, you know, call us out on it.
[00:17:43] Michael Meyers: Um, so you said it's comprehensive.
[00:17:46] Faisal Khan: Yeah. And it's also a really good segue to continuous monitoring, right? Um, now that you've done it once you're implementing those tests, those docs areas, the things that you need, you know, you need to be doing having that real time monitoring to your tech stack and [00:18:00] being able to just know when things are out and be notified of those things.
[00:18:03] Faisal Khan: It's really crucial because now you have process and really a broader program, as Drew was emphasizing earlier.
[00:18:10] Michael Meyers: And that's one of the best things that came out of this for us, I think, you know, in talking with you, Jeff, you know, and, and like the trust center on our website, but like, um, you know, that the, the process, the automation, having constant insight into this is one of the biggest benefits, right?
[00:18:27] Jeff Sheltren: Yeah. It's been amazing. I, I can't explain how happy I am with it. Uh, I'll give an example, like, uh, should we spin up a new service on AWS? We have Vanta integrated there. Uh, and it's going through all our, all the controls that we defined and doing all these tests to match the controls. If, if for example, someone goes in and sets up a new database and they forget to tick the box to like encrypt data at rest.
[00:18:57] Jeff Sheltren: Uh, in the past, that would have gone [00:19:00] unseen for a while until someone went in and reviewed it. Uh, and now Vanta is like sending me an email and a Slack notification like, Hey, you have a failing test. What's going on? Uh, same for like when we onboard new employees or off board employees. It's like, Oh, did you go through your onboarding checklist?
[00:19:19] Jeff Sheltren: Uh, Did, or the offboarding checklist. Did you remove their access to this? And this it'll even be like, Oh, you remove their Google account, but they still have a Slack account. What's up with that? Um, and that's been just amazing. And eyeopening, very helpful.
[00:19:35] Michael Meyers: I wanted, I mean, I called BS. I, you know, like we looked at Vanta and I'm like, there's no way this can do like what is claiming.
[00:19:43] Michael Meyers: And I'm like, you know, it is
[00:19:44] Faisal Khan: Michael. Let's see how it is.
[00:19:47] Michael Meyers: No, I mean, I still don't understand how it could possibly do it. And, and, and it's, and it works and it, and like it plugs into all these things. And it like, um, it's, it's, we build software. I know a lot [00:20:00] about software and, and Vanta blows my mind. As to like how it integrates and ties into all those different things and give us that insight.
[00:20:08] Michael Meyers: I, I didn't think it would be, uh, possible to deliver on that. And it, and it does.
[00:20:14] Drew Danner: I think one of the other things that people overlook that, you know, Jeff, Jeff and my team have spent a great deal of time on and Jeff's probably annoyed is how do we document our risks? Um, there are tools on the market that can go monitor a control, right?
[00:20:29] Drew Danner: We can, we can get a hook into an API and do a read and see if a, if a control that we've documented, you know, is not yes, right? If something is marked, no, you know, we get a zero back and we flag it. We say, Hey, we need to go fix this. But what about the process? Um, you build software, all software has vulnerabilities.
[00:20:49] Drew Danner: All software, right? We leverage third party packages to complete tasks, right? This isn't, this isn't the 80s. We don't build everything by ourselves anymore. We use what's on the market. So when we do that, we open up [00:21:00] ourselves to all of this third party risk. So how do you identify those risks and how do you mitigate those risks?
[00:21:05] Drew Danner: And one of the things that you're leveraging is the, the integration with Vanta and the Dependabot in GitHub, right? So you're, you're getting all those third party packages, their dependencies. Any, any patching, any outdated software that you're using as part of your stack. You're learning about it. That way we can build those mitigation plans where in the past, even if you were doing pen testing or scanning, you know, once a year, what are you going to do with that?
[00:21:30] Drew Danner: You just generated a backlog for next year. I guess we'll get to it. Right? But now in real time, every time you push a build, right, you're learning what we've introduced into the product. You're doing static code analysis. You're doing static testing. You're learning. We've just introduced a new critical vulnerability.
[00:21:48] Drew Danner: It makes smart people come to the table. It makes Jeff go talk to engineers and say, Is it critical? What are the dependencies tied? How do we decouple? Is there a patch available? Is there an update? That's going to [00:22:00] keep your customers safe in your app. That's going to keep your business safe from, you know, would be attackers.
[00:22:05] Drew Danner: And that's because of, like you said, right, there's some magic to it. There's they thought of, let's build this integration. Let's make this partnership with this company that people regularly use so we can pull in this telemetry and we can service the customer.
[00:22:19] Faisal Khan: Yeah, it's a continual improvement almost, right?
[00:18:22] Faisal Khan: If we think about just vulnerabilities continuing to be assessed, maybe it's resources not being encrypted constantly. You kind of have to take a step back and go. Well, why, like, why does this keep happening, and give yourselves that opportunity to go back in, update process, whether it's a configuration standard that you need to go update.
[00:22:41] Faisal Khan: Maybe it's a YAML file for the pipeline that's deploying the code, set those things up, make sure it doesn't happen again. And it really encourages that forward thinking and a bit more proactive approach to security world.
[00:22:54] Michael Meyers: Yeah, it's amazing how it integrates into so many aspects of our business from the process to the, [00:23:00] you know, the software that we're building.
[00:23:02] Michael Meyers: Um, now I know that there's, there's SOC 2 Type 1, SOC 2 Type 2. Um, you know, just at a high level, could you give us a sense of the process here? You know, we talked about defining, you know, the aspects that you know, we think apply to us, you know, where do you go from there? And
[00:23:24] Drew Danner: So it's a great question.
[00:23:25] Drew Danner: So, um, SOC 2, SOC in general, audits in general. So a Type 1 audit, a Type 1 audit is an audit of the design of your controls. Um, what the auditor is looking to do is make sure that, uh, you have a control that is related to the COSO principle that is important to your business, right? So, you know, maybe we, we sell software, right?
[00:23:48] Drew Danner: Then we almost have to meet all the criteria from management to personnel, to systems, to hardware. Now, how do we tie that control in? And is the control effective? Not the [00:24:00] test of the control in theory. So think of the blueprint of the house. Uh, we built a square box. We didn't put any doors in it. Okay, so let's put a door in it.
[00:24:08] Drew Danner: Does the, does the door have a lock? We're going to plan for a lock. Does it, does it have some windows? Do they open and close? The design of your, your system, right? So in an ISO world, we call it your ISMS, your information security management system. In your management system for your SOC, did we design processes correctly?
[00:24:28] Drew Danner: Did we design the controls in a way that's suitable? The auditor is going to check a point in time to make sure that occurred. And once it did, auditors issue a SOC 2 Type 1, which you've achieved. A Type 2 is the test of control effectiveness. You made this commitment to encrypt your, your devices, right?
[00:24:48] Drew Danner: Their, their hard disks are encrypted. Now, to your point, um, you opted to give your employees some privacy. You have European employees. You didn't want to go through the process of fully [00:25:00] automating this, which is not uncommon, but you understood the goal of the commitment. So what we did was you worked and you built a manual process and you leveraged technology to read and make sure individual users are enforcing the controls on their own machines.
[00:25:16] Drew Danner: And you use smart people to do this instead of technology. That's, that's the test now that the auditor during the Type 2 is going to go test. They're going to say over this monitoring window, which your monitoring window to start is 90 days. Very common for most companies to start with a 90 day monitoring window. Over those 90 days, did all of those devices keep their hard disk encrypted?
[00:25:39] Drew Danner: Did all of those devices have antivirus on them? Um, did your cloud infrastructure always require MFA for console access? Did we rotate our keys? Those controls that you committed to, the auditor is now going to test those. So they're going to do some population requests. They're going to gather evidence that is going to come from Vanta.
[00:25:58] Drew Danner: You know, if you have [00:26:00] systems and processes that aren't integrated, they're going to come from outside of Vanta. And then you're going to substantiate. You're going to show them this is what happened during the window, and they're going to test. I think one of the struggles for auditors, customers typically feel like, you know, insulted when there's findings, but, and that's not what this is for, right?
[00:26:20] Drew Danner: The auditor's job is to be tough. If the auditor isn't tough, then you didn't gain anything. It's a pencil, you know, you wasted your time, you wasted your money. Tough audits, audits that look to find things. That's going to make your business better, to what Faisal said, it's all about continuous maturity.
[00:26:38] Drew Danner: Say we had a process where we onboarded someone on a Friday, we didn't integrate their systems and set up their controls until the following Wednesday, but we had an SLA documented that we're going to, you know, commit to this service level agreement SLA. We're going to make sure that all of our devices meet all of the requirements within 24 hours, what have you.[00:27:00]
[00:27:00] Drew Danner: There are these exceptions, so the auditor documents the exception, and then the goal is. Right. We have a management response. We tell them, listen, we understand this is what happened. This is why we're, this is how we're going to get better next time. And then they're going to, they're going to double down on your next audit.
[00:27:13] Drew Danner: They're going to make sure that you did what you said you did. And, and that's, that's the goal of audit, right? That's the goal of the SOC 2 Type 2.
[00:27:21] Michael Meyers: I think one of the things I love the most about the outcome of this is that third party validation, right? Because, you know, in our world, agencies go around like, Oh, we're the number one contributor to Drupal.
[00:27:31] Michael Meyers: Everybody says that, you know, like everybody makes all of these claims. Um, and, and it's hard to, you know, uh, differentiate. And so, you know, to, to, you know, have something you can point to and say, this has been thoroughly audited, you know, this has, you know, serious controls in place, um, I think is, you know, a differentiator for us that sets us apart from, you know, almost every other agency, uh, you know, using the technologies we [00:28:00] do, because I, you know, I haven't seen any of them talk about SOC 2, I don't see any of them, you know, have this in place.
[00:28:05] Michael Meyers: And so for, for me, that's a big benefit. Um, Jeff, coming out of this, you know, what is one of the biggest benefits that you see?
[00:28:15] Jeff Sheltren: Uh, you know, I think for me, it's kind of formalizing a lot of our, what used to be very informal processes or policies. Um, you know, I kind of mentioned we would toss some, write something up on a wiki real quick and just point new hires there and be like, there's your, your onboarding documentation.
[00:28:36] Jeff Sheltren: Uh, and now, you know, we have a full set of like, of policies that have been reviewed, uh, you can see who wrote the policy, who approved the policy, when it happens, we track that new employees have accepted the policies. It's not just kind of a wink and a nod sort of deal. Uh, that's been huge, um, and definitely [00:29:00] like back to the Vanta integrations, um, being able to just.
[00:29:05] Jeff Sheltren: Get, get a ping in Slack from Vanta when it's like, Oh, there's a new Dependabot alert or, or, Oh, there's, you know, a new server came online and it, it has this port open. What's up with that? Uh, so it's, it's almost like giving this extra set of eyes. Uh, that we never had previously. Um, that's been great.
[00:29:27] Faisal Khan: And Jeff, just to add on, I think that it also adds a bit of implicit accountability to stuff that you've already done as part of your audit for SOC 2, right?
[00:29:36] Faisal Khan: Mm hmm. These policies, procedures, these processes that you've established, the things that you're doing to keep them secure. Now, it's not just this three month observation period. Going forward, like for the full year, right? You have to do SOC 2 type 2 audits, at least annually to keep them intact.
[00:29:52] Faisal Khan: You're now on, on the hook to continue to manage that program and continually improve, as we mentioned earlier, your [00:30:00] posture over time.
[00:30:01] Drew Danner: I think, I think it also sets up, right. The world has changed pretty rapidly in the last five years. And as more and more U. S. businesses are doing business globally, uh, you see a lot of European companies and countries really, really care about security because they put privacy first.
[00:30:19] Drew Danner: Um, we look at, you know, the GDPR articles one through 99 are pretty explicit when it comes to privacy controls and what needs to happen from a user data perspective, but not necessarily from security controls, right? They, they say that, you know, you're going to use industry best practices. We, again, we'll go back to ITGCs.
[00:30:40] Drew Danner: Information technology, general controls. These are the same controls from a security perspective that, that you just committed to doing annually. Many European companies and European countries are actually moving. They, they prefer sometimes a SOC 2 to an ISO because an ISO audit is a point in time audit.
[00:30:55] Drew Danner: Now I'm not saying one is better than the other. I actually prefer ISO. Uh, for [00:31:00] certain elements, especially when it, when it comes to governance and, and management oversight and strategy, I think that the controls that you have to put in to achieve a 27001 make the leadership team a little more accountable to the full governance process.
[00:31:17] Drew Danner: Where SOC 2 is, you know, it's, it's, it is very unified and it's standard, but it's, can we, can we meet our controls? There are companies that aren't going to make the same control commitments that you did. Uh, but your partners, your, your prospects, your, your clients, they can see those controls and they can map them and say, you know, do these standards meet our minimum requirement as they do their vendor risk management process?
[00:31:41] Drew Danner: And that's when you point them and say, not only do we have these things committed to be tested by our auditor, we're also reporting on their status in real time. If you want to go to our trust center and you want to see how we are encrypting our databases, how we're, you know, tunneling traffic to gain access into a bastion host [00:32:00] or however we're drawing those lines of segmentation between people, process and technology, you're very transparent, and that's what that's what leads to good security, right?
[00:32:08] Drew Danner: Accountability. You can't have accountability without transparency. Again, full circle trust center, Vanta.
[00:32:18] Michael Meyers: What are some of the biggest challenges that companies face? I mean, when we were hesitant to do it, it was costly. It was, you know, time consuming. We couldn't do it on our own, you know, you know, the, the, the basic things aside, like once you get into the process, you know, what do you see as, as the, you know, the big stumbling blocks?
[00:32:39] Drew Danner: I'll turn that to Faisal first, actually, because I assume that Faisal answers this, this question at least once a day.
[00:32:45] Faisal Khan: Yup. Yeah, a hundred percent. I actually think, I think one of, one of the core ones is that top level buy in, uh, and engagement. We think about just the, all those reasons that you were just mentioned, right?
[00:32:58] Faisal Khan: It's costly. It's going to take a [00:33:00] lot of time. It might add some, maybe, slowness to how operations run, where you can't just be running and gunning. And now you have to follow process and do things. And there's a lot of concern around that oftentimes at the top layer and saying, Hey, is this going to slow us down?
[00:33:17] Faisal Khan: And the reality is, it's not going to, it's less about slowing down. It's more about Like formalizing the, that guardrail and that process so that you can go faster over time, right?
[00:33:29] Drew Danner: This is when I get the Army, though, right? So slow is smooth and smooth is fast. Sometimes we, we run everywhere all at once, but we don't get anywhere.
[00:33:38] Drew Danner: Uh, when you, when you organize, you go slow, you move steady, right? Now we've traversed the field and look at when did you start this process? You started this process six months ago at most. There are a lot of companies and you can go speak to your cohorts. You're, you know, even people that leverage technology like Vanta.
[00:33:56] Drew Danner: I mean, it takes, I think, on average, probably 12 to [00:34:00] 15 months to ever sit for your first audit. So, to me, I agree with Faisal, but, you know, I, I, shameless plug, right? Like, I, I was an idiot. Um, I used to tell my soldiers when I was in the Army, education's free, go get it. Uh, so, I had a soldier one day who was like, you don't have a doctorate.
[00:34:17] Drew Danner: What are you, what are you doing? So, I went back to school to get a, a business, a doctorate degree in business. Um, my, you know, undergrad and masters are in technology, uh, math and computer science. And I didn't know anything about change management. To me, change management was like, like, how do we deploy our software change management?
[00:34:34] Drew Danner: I never thought about the people side. To me, one of the biggest challenges we always see is making people change. Like, how do you, how do you drag people along for change? Change is hard. Change is hard. John Kotter wrote a book in the 70s called Leading Change. And today it's still one of the best books of like, how do we undergo digital transformation?
[00:34:56] Drew Danner: How do we go change? Uh, some people look at compliance like you put a [00:35:00] tool in, you, you, you know, you put in security tooling, you've made some changes, you underwent a digital transformation right now you have this centralized spot in your stack to go monitor everything from the people to the processes to the software to your vendors to your third party, like, who do we do business with?
[00:35:19] Drew Danner: What is our supply chain risk? Oh, we do business with T-Mobile, and T-Mobile just had their 34th breach this year. So maybe we should consider doing a, sorry, T-Mobile. Uh, maybe we should consider moving to Verizon, right? There are items that inform your stack. Uh, the more you do them, the better it gets.
[00:35:41] Drew Danner: But when you look at that base set of challenges, there's no value in that to people today. Um, one of the things that I love about Vanta and shameless plug to Vanta. They invested in a whole team to do analytics, not analytics on customers, you know, like use case, it's specifically [00:36:00] analytics for what's the business case to do compliance.
[00:36:04] Drew Danner: You wanted to win a contract. Is it a one time contract? Is this going to help you sell up market? Compliance has a cost and compliance should have a benefit.
[00:36:14] Drew Danner: And one of the things that Vanta does for their customers is make sure that you understand like, this is what it's costing you. This is what consulting costs is, what audit costs. But based on what science and logic and reason tell us in the field, these are the benefits. And while you did it for this initial set, you, you mentioned that you've already seen some other benefits.
[00:36:31] Drew Danner: You've had some customers other than that initial ask for this. Is that right?
[00:36:36] Jeff Sheltren: Yeah. I mean, we've had multiple leads come in to our trust center. And since we keep talking about it, I'm just going to say it's like trust.tag1consulting.com. You can go there. It's the Vanta Trust Center. And it literally is real time. Here's our controls. And there's going to be a green check mark or presumably a red thing.
[00:36:55] Jeff Sheltren: If, if we weren't meeting those controls, uh, thankfully we're meeting them so [00:37:00] far. But yeah, I mean, yeah, no, uh, anyone can go there. Uh, you do a little click wrap NDA and you can see. Like in depth details of all our controls and tests. And yeah, we've had multiple potential customers. Like that's kind of one of their first landing spots is like, Oh, can I actually trust you guys?
[00:37:22] Drew Danner: In your space, I mean, our space too, that's, that's how we settle. What differentiates you from your competitor? It's the product's great, sure. Can we, can we trust you to keep our data safe? Can we trust you not to be the, the reason that we've lost time, energy, money, and customers?
[00:37:40] Michael Meyers: I see this as a lot of, uh, maturing our business, right?
[00:37:44] Michael Meyers: Like it's, it's so, it's, you know, so much of what we've talked about resonates so strongly with like how we got here, why we did it. Um, you know, my background is in startups. I want to move fast. You know, I want to make mistakes and just keep going. Um, you know, but we're [00:38:00] at a size and point in our life cycle where we need to be.
[00:38:02] Michael Meyers: You know, more mature, you know, we're onboarding people a lot more frequently, you know, like we have more people, because we're, we're bigger, you know, so it's like having these controls in place, um, really, it doesn't slow us down. It just gives us that, like, you know, maturity.
[00:38:18] Michael Meyers: And level of operation and our entire business for 17 years has been built exclusively on people coming to us for our reputation and expertise. And we're at the point where, you know, we're going out and we're trying to, you know, grow our business. Um, and, and having this in place is like, I, I'm, I'm hoping, and I think will be a key part of that, right?
[00:38:39] Michael Meyers: So people who don't know us, who aren't seeking us out, this gives us that, that validation to say, we do know what we're talking about. And here, you don't have to, you know, listen to our words, you know, you can, you can see it in, in, in real time and, uh, you know, and so I, I think it's, you know, uh, hopefully going to be a big part of our success [00:39:00] moving forward.
[00:39:01] Michael Meyers: Um, I really appreciate you guys joining us. There's so much more I'd like to cover and get into, uh, but we're, uh, we're at time and need to wrap up, um, parting words, uh. You know, uh, Faisal, like, having gone through this with many organizations, you know, uh, you know, besides use Vanta, um, you know, uh, what would be your, your recommendations for folks there?
[00:39:25] Faisal Khan: Yeah, I'd say when thinking, when you think about establishing, um, guard, guardrails for yourself or really formalizing process internally, You want to take, as Drew was mentioning, sort of a risk based approach to things, right? Uh, consider the scope of where your sensitive data and systems live, the risk of people, their operations.
[00:39:47] Faisal Khan: And, um, take those into account when making the decisions of what framework and what, what, uh, standard you're trying to adhere to at the end of the day. Or even a framework at all. Maybe it's just an [00:40:00] attestation to a standard. Um. The CSF is a common example from a self-attestation perspective. Um, but think about what is the risk to you and from there continue onward.
[00:40:12] Faisal Khan: Also, you know, of course, adding, just slowly adding in the, the Vanta bit. If we think about just the implicit benefits of as we've talked through, there's also that implicit benefit of. the network that you guys have established now. You have Vanta as the partner. You have BD Emerson's team as the partner.
[00:40:30] Faisal Khan: Heck, they're so good at their, the security and compliance space and operating things. One of our strongest partners. You have this network of professionals that now you've helped establish a program and continue to, can continue to scale with you. And, and that's the beauty of what you've established here today.
[00:40:47] Drew Danner: I think, I think what I would tell people is actually be more in your shoes, right? Move, move fast. Um, huge, huge fan of speed, right? Um, I, I tell my team, I, we, [00:41:00] we say SVM, speed, violence, and momentum, right? If, if you have someone who can funnel that, right, we have a, there's a guy on our team that Jeff knows well, his name is Jose and he's our funneler.
[00:41:10] Drew Danner: Jose keeps everyone organized. And if you have someone internally, who's like that, it's not really a project manager. It's more of a, can we wrangle the group and make them make decisions? Uh, decision paralysis is what really slows this down. Again, we talked about your hardest challenges. Your initial challenge was the decision to do it.
[00:41:29] Drew Danner: And once you did it, I think the rest of those decisions were rapid. You, you asked, to Faisal's point, you took a risk based approach. What's the risk of us not doing this? Or what's the risk of us adding this? And then, you know, we, we moved quick. You bounced ideas off of experts and you came to a decision.
[00:41:47] Drew Danner: And then you stood firm and you said, okay, that's our decision. Let's get audited to it. What I would tell anyone who's going to go through this process is move quick, make decisions quickly, be informed, and when you need help, raise your hand. Um, I can [00:42:00] tell you 15 other BD Emersons that I trust to do this work.
[00:42:03] Drew Danner: They're all part of Vanta's network. Uh, in our space, we don't really have competitors, right? I will refer work to our biggest competitor, because I know that they're going to do a phenomenal job. Um, everyone that Vanta went and hand picked and said, Hey, we want you to take part in this. I mean, this whole network is incredible.
[00:42:20] Drew Danner: Um, if you need help, go ask for help. There's different flavors of help. If you're going to do it by yourself, you can. Move quick. Make decisions quick. Be a group. Don't assign a task and let it sit. Group thinking, right? Like everyone come together, make decisions and move that. That's, that's what I have.
[00:42:40] Michael Meyers: Jeff, what would you tell, uh, our peers, you know, having been through this and led it for our organization, you know, run for the hills, you know, uh, uh, you know, what have you taken out of this?
[00:42:54] Jeff Sheltren: Oh, man. I mean, certainly I can see chasing after a SOC 2 [00:43:00] accreditation could be super time consuming. Uh, in our case, it was not.
[00:43:06] Jeff Sheltren: I put a lot of time in for a handful of months. Uh, like Drew mentioned, like, this could take years if you aren't being guided the right way or you're not quite sure what you're doing. Uh, so for us, like, the, having BD Emerson support us and, and kind of give us that guidance. Tell us, you know, When we're kind of going off the rails or tell us, yeah, that's totally fine.
[00:43:31] Jeff Sheltren: You just have to, you know, change, change this. And that can work for you. Uh, it was huge because yeah, we're, we're small, we're kind of different. We like to do our own thing. Uh, and we like to respect our employees and their privacy and that like inform some of our decisions. Um, And having someone expert in the field like BD Emerson kind of support us through that and, and guide us in what we kind of can and can't do, like, where's the gray lines, [00:44:00] where's the, where are the really solid lines, uh, has Just this definitely would have taken us over a year.
[00:44:08] Jeff Sheltren: I'm just pulling that number out of him out of there, but it would have taken us a very long time to complete this. Uh, and I question how our audit would have looked at the end. Um, and now going through this with BD Emerson, like I know we're, we're just finishing up our type two audit right now. Uh, We're all our tests are getting a hundred percent on Vanta.
[00:44:30] Jeff Sheltren: So I know we're in great shape. Uh, I, I have no concerns that we're going to have a very nice audit report. Um, and yeah, just leveraging the tools like Vanta. To make this kind of automated and ongoing, like, we know we're just, we're going to do this again next year, go through an audit. Um, and now Vanta, we're in the habit of just checking this stuff, um, day to day, we're probably going to set like a monthly meeting going forward internally.
[00:44:58] Jeff Sheltren: Like what's our. [00:45:00] What do we need to deal with, uh, for SOC 2 compliance this month? Uh, is there anything that Vanta's flagging for us? Yes or no. And, uh, just keep moving forward. Um, so yeah, I guess the, uh, the longest run of it is like, hire these guys. It's going to save you so, so much time and energy.
[00:45:19] Jeff Sheltren: And, uh, it's been absolutely great to work with.
[00:45:24] Michael Meyers: Well, yeah, thank you guys.
[00:45:26] Drew Danner: Sorry. I didn't want to cut you off. I think. You know, good consultants are one thing, but you guys are a great company and not everyone. We can't say that about every, you know, every engagement, uh, change is hard for some people. You guys have rapidly matured.
[00:45:40] Drew Danner: You took it serious. And that, I mean, we have a great relationship, so I appreciate both of you.
[00:45:46] Michael Meyers: Thank you all so much. Uh, we couldn't have done it without you and, uh, and really appreciate you joining us here today to, to share this. Um, hopefully more agencies will, will take this on. Uh, we'll put a bunch of links in the show notes, uh, to, you know, the [00:46:00] various different, uh, software Vanta, uh, and, um, you know, our Trust Center.
[00:46:04] Michael Meyers: Um, if you liked this talk, uh, please, uh, share it out. Uh, people need to know more about SOC 2, the benefits of why you should do it. If you want to see more of our Team Talks, check out tag1.com/TTT. That's three T's for Tag1 Team Talks. Uh, and as always, we'd really appreciate your feedback, suggestions on future shows.
[00:46:25] Michael Meyers: You can write to us at ttt@tag1.com. Thanks. See you next time.