Field Notes

SOC 2 as a vendor influence tool

A vendor’s SOC 2 report isn’t just a checkbox for your own audits; it can be a powerful influence tool. Most customers don’t leverage them to improve their vendors’ security. Do you?

Anecdotally, I’ve found that most people don’t read the actual report. They flip through it looking for exceptions and, absent any, it gets a rubber stamp.

I’m thrilled when someone cares enough to come back with questions about the report. It means I’m talking with someone who considered its contents and wants to clarify perceived or real gaps between our controls and their expectations.

It’s also the first step towards using the report as a vendor influence tool.

How can you leverage SOC 2 reports to improve vendor security?

🖥 Understand what data or systems the vendor will have access to.

📉 What’s the impact if they were to be compromised?

☠ What are the likely ways your data or systems could be compromised via this vendor?

🚧 Do the controls they’ve designed address the risks you’ve outlined above?

If they don’t, follow up, but with the vendor’s sales team, not directly with their security team.

Why that last part?

Because tying quality security controls to revenue is the best way to ensure they’re prioritized and funded.

Nothing drives visibility and resources for security like blocked revenue generation. It’s the reason they spent money to have someone poke around their systems and write a report in the first place.

Leverage is highest before the contract is signed, so this is your biggest opportunity to positively influence a vendor’s security program.

By ensuring the sales team knows there is an issue that can prevent or slow signing, it gets much higher internal visibility than if security teams hash it out directly. This visibility multiplies as more customers raise the same issue.

Even if it’s not deal-breaker levels of risk, you are absolutely within reason to ask for a contractual commitment to address a weak or missing control by the next audit cycle.

In fact, you’re doing their security team a favor by tying their work directly to revenue and the voice of the customer.

Don’t waste it.