The Audit - Cybersecurity Podcast

SOC Audits Decoded: What Your Business Needs to Know Now!

IT Audit Labs Season 1 Episode 60

Are SOC audits just another compliance requirement, or do they provide real security value? In this episode of The Audit, we sit down with Adam Russell from Schellman to debunk common misconceptions about SOC audits and explore why they’re more than just a checkbox exercise—especially for startups. 

Adam joins the IT Audit Labs team for a deep dive into the often-misunderstood world of attestations, sharing expert insights on how organizations can effectively prepare for a SOC audit and determine which security assessments best fit their needs.  

In this episode we discuss: 

- The biggest mistakes startups make with SOC audits 

- Why SOC 2 is more flexible than you might think 

- The myth that big companies are always secure 

- How SOC assessments can strengthen security culture 

- Gamified training & newsletters for better compliance engagement 

- How external auditors can empower internal teams 

Whether you're preparing for your first SOC audit or navigating complex compliance requirements, this episode is packed with actionable insights to help you enhance security and compliance strategies. 


Speaker 1:

You're listening to The Audit, presented by IT Audit Labs. I'm your co-host and producer, Joshua Schmidt. You're joined by Eric Brown and Nick Mellom, as usual, from IT Audit Labs, and today our guest is Adam Russell from Schellman. He's a Minnesota native and we brought him on the show today to talk about SOC assessments, and we'll see where the conversation goes. Thanks for joining us, Adam. How are you doing today? I'm doing well. I'm actually not a Minnesota native, though. You're not? You live in Minnesota currently, though. Yeah, I do live in Minnesota.

Speaker 2:

Yes, but I'm actually originally from New York State, right south of Rochester, New York, so a similar name to a city here, and then I spent 10 years in Colorado before I moved to Minnesota in 2022.

Speaker 3:

Are you a Bills fan Adam?

Speaker 2:

No, and it's not because I don't like the Bills, I'm just not a big football guy. Oh gotcha, that was a heartbreak. The Bills Mafia is a real, legitimate thing. I respect the Mafia. Yes, they go hard. I've been to plenty of Bills games, but I usually just go to experience the festivities, is the word I'll use. That's awesome.

Speaker 1:

Speaking of events and festivities, we usually start the show with an icebreaker and I wanted to ask you if you've been to any conferences lately or plan to go to any conferences this year and talking about building community, and what do you get out of conferences and what is your favorite one.

Speaker 2:

Yeah, I've been very lucky to speak at a couple of different conferences over my career. The most recent one I spoke at was the Great Audit Minds Conference, which is a collaborative effort between the Institute of Internal Auditors as well as ISACA. It was in, it must have been, April of 2024. So actually it's about nine months ago at this point, but that was the most recent conference I spoke at, specifically about SOC 2 reporting.

Speaker 2:

Actually, I really like conferences just because it gives you the opportunity to connect with people in a way that you wouldn't otherwise. You really get a large subset of different industries. You get auditors, you get risk professionals, you get vendors that are just utilizing these products, so it's just a really good way to get a broad basis of information. I spend all of my day talking to either my co-workers, who are all auditors or compliance professionals themselves, or my clients, and obviously we kind of just get into that loop where we're having the same conversations over and over again.

Speaker 2:

But it's just nice to kind of broaden your perspective and also hear what other people are doing and kind of experiencing out there in the world. So I really enjoy them. I think it's one of the best ways you can not only get a lot of exposure and experience but really the networking component you can't replace in any other way that I've so far experienced.

Speaker 1:

Absolutely. Our last guest was Alith, who is a Black Badge winner at DEF CON, and we have a couple of Wild West Hackin' Fest enthusiasts here. Eric likes to fly in in his personal plane, and I think they have some plans to do some other conferences this year too.

Speaker 3:

Correct, yeah, and the Wild West Mile High is next week. Are you going? I'm just doing the virtual one this time around. Oh nice, Wednesday through Friday.

Speaker 1:

Awesome. So, Adam, what's your background at Schellman? You work at Schellman here in Minnesota. Can you tell us a bit about your background, how you got to where you're at in your career at this point?

Speaker 2:

Yeah, my title at Schellman is technical lead. It's kind of a unique title. They've recently developed kind of a dual pathway opportunity for individuals that aren't interested in people management. In the traditional CPA or just kind of consulting firm, there's generally kind of this linear pathway where you start as an associate or analyst, it kind of depends on the organization, you then move up to senior, manager, all the way up to either partner or principal, depending on the specific titles. But I've never really had a lot of aspirations to be a people manager. It's just not something that I've been interested in doing for a number of different reasons.

Speaker 2:

I really just enjoy the actual work of doing auditing. It's a pain in the ass, yeah. Basically that has a lot to do with it, I'll be honest, but also it's just, it takes you away from kind of more of the stuff that I actually enjoy about my job, which is interacting with clients, doing the actual assessments, having some opportunities to kind of delve deep into these topics. And if you are doing people management, you usually kind of start to transition away from doing that actual work.

Speaker 2:

No, it's a whole different skill set and everything as well that, you know, just has never been my aspiration. But I'm very lucky because Schellman recognizes that and knows that a lot of people that are individual contributors might not want that. On the org chart I basically would sit at a manager level. So I still get involved in a lot of initiatives and I obviously take on more complex engagements and deal with just more challenging topics, but ultimately I still am an individual contributor.

Speaker 2:

But I've been with Schellman about two, actually over two and a half years at this point, but have been in the audit space in some form for a little over seven years.

Speaker 2:

I started my career in a very traditional kind of CPA firm route, where I started as a financial statement auditor as an intern, got hired as an associate and then stayed there until I was a senior. I then transitioned out of public accounting, or consulting, however you want to define it, and then went to a credit union doing internal audit, which was great. I actually really, really enjoyed it because you got a ton of variety. It was probably the best thing I did as far as my growth potential that I could have done at that point in my career, because instead of just doing kind of the same thing over and over again, I got a broad exposure to a variety of different topics, including some IT auditing, and that's kind of where I got my first exposure to it. And then from there I was actually recruited to Schellman as a senior associate about two and a half years ago, and I've been there ever since and really, really enjoy it.

Speaker 4:

I remember my first. I started in management early on in my career because I thought I could do more good by advocating for the people in the department and growing the department that way than actually being a good hands-on-keyboard person. So early on, I must have been 24 or something, I was working at a startup in New Jersey. The company did internet marketing, and it was in like 2000, no, 98, something like that, and we were hiring a, or we hired an Exchange admin as we were kind of growing out our Exchange. This is a real small company, like a hundred people.

Speaker 4:

We got a guy whose resume looked good, he interviewed really well, and his first two weeks on the job he was awesome.

Speaker 4:

He was just banging a workout and then it took a turn and he was drinking like a pot of coffee a day. No problem drinking the coffee, I drink a lot of coffee too, but he would go and take these long naps over lunch in his car, and they started out, you know, it's like an hour, then it was two hours, and then he was taking naps at various times during the day and working about two or three hours. So, long story short, that was the first person that we had to terminate, and I was so green, you know, at the time, but it turned out that he had like some other night job or something that he was doing, and he was drinking all that coffee to stay up. But you know, you could just imagine now that's probably relatively not uncommon with the remote workforce. This was all in person, where you know you never know what people are up to in their personal lives and where that crosses over into the professional area.

Speaker 3:

Doesn't Google have nap time at their offices? He should have gone to work for Google, right? Yeah?

Speaker 2:

I think that's what they use to promote.

Speaker 1:

That's what they use to promote. Right, you can take a nap time. I have a night job, so I like coffee and I like naps. I feel slightly attacked right now.

Speaker 2:

Well, I don't have a night job and I like coffee and naps.

Speaker 3:

So really it's just kind of universal. I'm with Adam.

Speaker 1:

Yeah. Well, Adam, we wanted to get into SOC assessments today. That's kind of your passion and, doing a pre-production, it seemed like you had kind of a fire to educate people, and probably your clients, and probably even beyond. I'd love to hear what you think about SOC assessments in general, but also why they're so important for organizations to consider as a part of their security makeup.

Speaker 2:

Yeah, so SOC is great. I'm obviously not going to say anything other than that because I do SOC audits, but it truly is a great assessment framework. I just think there's a lot of misconceptions and misunderstandings about it, which is kind of interesting to me because they've actually been around for a long time. SOC audits as we know them today, they really kind of came about about 15 years ago at this point; 2010 is when they turned into what they were. But there's a history going back even to the early 90s. There was an old auditing standard called SAS 70, which was essentially the framework that SOC as we know it today was built off of.

Speaker 2:

So it's been around for close to 30 years, or actually more than 30 years at this point. I think because it's not as prescriptive of a framework as something like ISO 27001, people just don't necessarily always understand it. And also, I think, with the just huge growth we've seen in the startup space around SaaS applications, especially over the last 10 years, there's just been a lot of organizations that all of a sudden knew they needed to get this thing called SOC. But it was especially a bunch of startup people. They didn't really understand what it is, but they just had, you know, their customers kept bringing it up about whether or not they have a SOC audit, and so it's just kind of one of those things that is very important and has a lot of impact on the industry. But like a lot of things, it's actually quite complex, because it isn't always clear as to how you're actually going to accomplish your goals with it. So ultimately, a SOC audit is intended to validate the security program that's in place at an organization. The problem is it's not super prescriptive.

Speaker 2:

As I said earlier, it's based around the COSO framework. So there's essentially just these criteria that are very broad. So one of them, for example, is just like, how do you promote ethics within your organization? You can do that in all sorts of different ways. You can do it through training, you can do it through policies, you can do it through all sorts of different things, but it doesn't give you an actual, like, you must do A, B and C, whereas some of the other information security frameworks out there, like ISO 27001, or there's all sorts of numbers, they actually do have prescriptive controls that an organization has to comply with, and it's a little bit more spelled out as to how you can actually get to that end solution. That's not to say that one is better than the other, but there's just a lot more squishiness to it, I think. And I also think there's been a couple of factors that have happened, especially in the last several years, which is there's been a lot of really great governance, risk and compliance applications that have come out.

Speaker 2:

They have kind of built out a lot of promises, I think, to a lot of their organizations, as you know, oh, you can get SOC ready in two weeks. They also sometimes are just, frankly, incorrect. Actually, some of the questions you'd sent over prior, you would use the term SOC certification, and I actually see this all the time. SOC is not a certification. I'll see organizations promoting themselves on social media or even in marketing materials that say, like, oh, we just achieved our SOC certification, and it always kind of, A, makes me a little bit sad, but I'm also like, well, that's not really a thing. So I'm not quite sure what you're trying to promote there. So there's just a lot of misconceptions around it because it is so squishy. There's basically five different principles and criteria that can apply to a SOC audit. Security is the only one that's required, but there's four others that you basically can scope in depending on the needs of the organization, and they're processing integrity, confidentiality, privacy and, I'm forgetting, oh, availability, excuse me, are the total five you could have in there.

Speaker 2:

So that's also the misconception I think that comes in, is like people think that it's a security assessment, which it is, but then they'll also be hearing about, like, oh well, this applies to a privacy program as well, and so I think sometimes people just get confused and wrapped up in some of the nuance.

Speaker 4:

So, Adam, wouldn't you say that just a high-level, kind of layman's way of describing it is, it's a way for an organization to have attestation of their controls?

Speaker 2:

Yes, that's exactly what it is, and so when you really boil it down to that simple terminology, it can make sense. But even, like, I have discussions with people that they don't even necessarily, like, what does attestation mean? Some of these words, for people that aren't in this industry especially, you know, like I said, going up, especially to startups, really you'll have a bunch of people that are in sales, but they keep hearing this term and so they know they need to get this thing, and so then they hear these words like attestation or certification or whatever it is, and they get confused as to what it all means.

Speaker 4:

Adam, we have to use it's in the manual. We have to use those because then we can charge more for the services, right?

Speaker 2:

We gotta use big words, that is, yes. Big words always make it better.

Speaker 1:

There's a whole vocabulary and lingo to your guys' industry that I've had to really brush up on. I did have to look up attestation as well in preparing for this. But yeah, I would like to hear a little bit, round out the conversation and kind of maybe kick it to Nick and Eric and see what kind of, you know, experience have you had with SOC assessments and maybe education around that?

Speaker 3:

Yeah, I think for me, when we're dealing with SOC audits, I was thinking similar to Adam, that one thing, a lot of questions that come to us, is a lot of it's up to interpretation.

Speaker 3:

Right, you interpret what they're meaning and what they're saying, versus another subset, even something like PCI or PHI, abiding by these, CJIS, even abiding by these subsets, they have rules and regulations that are pretty clearly spelled out. And then you come to SOC and you might read a specific question, and it's really up to the organization to interpret how they're going to secure that or perform those duties. A lot of organizations, they get this and then they just think they're good, right? Like it's not an ongoing thing, that now they're just, like, secure for life, somehow they've unlocked some secret and then they're good. But it's really an ongoing battle to continue to stay compliant, but then continue to ride the flow of compliance, right? Things are changing all the time. We could give a recommendation to an organization and three to six months later we have to maybe double back or change something because an auditing organization has changed or flipped because of, maybe, the threat landscape. But I'd say those are two of the big ones for me.

Speaker 4:

The other day, and this doesn't happen very often, but I was actually struck dumb by something that I had heard in an account we were working with. They were bringing on a new vendor, that multi-million dollar software as a service that was going to be involved in their PCI environment. And when I asked them, I said, well, you know, do you have a SOC 2 that we can take a look at? No, we don't provide those. But if you want us to do one, then we can do it, but you have to pay for it.

Speaker 4:

And they actually phrased it in a way that they started out, I thought it was on a game show, where they're like, well, do you know how much a SOC 2 costs? And I was like, okay, this is going in a different direction. And then they launched into how they don't do them, but if a customer wanted them, then the customer would pay for it. So I had never heard that before, and I must have had a look on my face like Steve Harvey in Family Feud. Have you run into something like that before, Adam? Have you heard of that?

Speaker 2:

We have actually We've had a couple of clients that have come to us and it's really they're doing it because they have one specific strategic account that's requiring it.

Speaker 2:

I will say I don't exactly know what the true payment terms ended up being in that specific scenario, but yeah, that's actually not the first time that I've heard it.

Speaker 2:

But kind of to Nick's point, and to your point as well, that's the thing. Remaining compliant with any sort of framework, whether it be information security, health care, whatever it might be, it takes a lot of work, and that's why organizations struggle with them, I think, is because they don't necessarily always give them the resources that they really need in order to support these programs. But they are very important. And so there's this constant struggle between, you know, compliance versus reality, which is compliance is always trying to catch up with whatever the threat landscape is. And you have a lot of organizations that are kind of filtering in and out and they aren't necessarily, you know, they don't want to put the resources in there to kind of get what they need to, but at the end of the day, a lot of times they usually can't secure this key account if they don't have these things in place. So it's kind of like, what's driving the cart really.

Speaker 4:

With a SOC. An organization can have their own security controls and some of them may not adhere to a framework, but you're essentially just going in and testing their controls to see if they're adhering to them. Have you run across anything where you're like, oh, that's interesting. Or, on the other side, have you been surprised with something that was really cool?

Speaker 2:

Oh yeah, no, tons of times. I think a lot of times people think that the size of the organization can sometimes make it more secure, better than smaller organizations, and I've seen some really robust, really great information security programs at very small organizations and, conversely, I've seen some huge organizations that frankly don't have a very robust or effective information security program. So I think that's sometimes a misconception, especially with larger entities, because they've got so many things going on. They again, depending on the resources, and then, like a small organization, they might only need to support one or two different frameworks, whereas, Nick, you had mentioned earlier PCI, HIPAA, SOC 2, ISO 27001, NIST.

Speaker 2:

There's all these different frameworks out there and sometimes they think that oh well, we're good in one, so we're good in all, and that doesn't apply. So the nice thing about SOC, as I mentioned earlier, is it is a little bit more flexible as to how you can actually arrive at something. But yeah, a lot of times people try and put things in there that doesn't necessarily make sense. I mentioned the five different criteria you could have in there and sometimes organizations will try and kind of I don't want to say double dip, but they'll want to bring in certain controls or things to make them look better, but they don't necessarily apply to the criteria they're in.

Speaker 3:

I think, you know, I was working with an organization, and I do often, and one of the roles is, you know, vetting vendors that are coming in to the organization. And a lot of times the people that I work with in this group, they see SOC 2 and they automatically think, oh, we can just bypass all of our controls because they are SOC 2, so we should be good, good to go. And we always echo back to them, we still need to do our process, have them fill out these questionnaires so we can better understand what their controls are, just because we always want to make sure everybody knows, because they have met SOC 2 at one point, right, they're continuing up with it, you know, we need to make sure we continue to vet them. And what I'm saying here also branches into a question, you know, Adam, is, you know, does SOC 2 to you mean something different if it's a financial organization versus maybe a Fortune 500 IT company? Is there different meaning to how SOC might go to those organizations?

Speaker 2:

Yeah, I think really the nice part with those different criteria is they can apply really nicely depending on the type of organization that you're dealing with. So, for example, as I mentioned earlier, security is required for all of it. If you want to get a SOC 2 report or a SOC 2 audit, you have to have security in scope. But we'll have a lot of organizations, like, for example, health care. In that case, that's where, you know, confidentiality and privacy is going to be a lot higher scrutiny and consideration that they may want to consider in scope, whereas, like, a financial institution, yeah, of course those are still going to be relevant, but maybe something like the processing integrity criteria is going to be more applicable because, especially, like, a payroll processor is probably the easiest one to use in this example.

Speaker 2:

If they're processing payroll, you want to make sure that all of the inputs match what the outputs are, particularly in that case you could make that argument for any sort of data processing. But there are certain industries where certain things are just higher risk than others, and so, yeah, that's kind of. Again, the nice thing is it is so flexible. You can apply it in a lot of different ways. But that also comes with its own challenges, because that's the thing People get confused about how this can actually apply to their organization.

Speaker 4:

So, Adam, a couple of questions for you. I've just been thinking, as you've been talking through these, of some applications. So let's say you're on the consulting side and you're going in to help an organization, and the organization is going to onboard a new SaaS solution, for example, and the company says, well, we don't have a current SOC 2, but we do have an ISO 27001. Where would you see that a 27001 would be an okay substitution for a SOC 2?

Speaker 2:

So I don't want to say they're comparable, but they serve different purposes. But ultimately they're both information security frameworks and assessments. We have a lot of clients that will either do one or the other or both. And I've seen in tons of vendor questionnaires, particularly when we're analyzing this particular part of an organization, where they'll say, like, on their security questionnaire, they'll kind of give an either/or. They'll say, like, do you have a SOC 2 or an ISO 27001? But there is validity to both of them.

Speaker 2:

To be clear, I work with our ISO team but it's not something I'm an expert in, so I wouldn't want to speak to like why it's better or not. But they kind of serve different purposes. And again this goes back to ISO is a lot more prescriptive. It has its listing of controls that an organization has to comply with, with the exception of course they can scope certain ones out if it just doesn't actually apply to them for any number of reasons. But it's just a lot more strict in the way that you actually have to get to your end point, whereas with SOC you have a lot more flexibility in the way you can actually get to that.

Speaker 2:

But they both have their pros and cons. One's not necessarily better than the other. They just kind of serve different purposes, and some organizations, they're really dead set on one or the other. I've also seen that, where they're like, you know, we only accept an ISO certification, we only accept SOC. And I've had that conversation with them to try and understand, like, what's the reasoning. And some of it is because they've been burned by something in the past, where they're like, oh, we got this really terrible SOC report that really didn't make sense, or it was for an application that we thought it applied to and it didn't even apply to it. So that's kind of where you need to make sure that you're having those relevant conversations with people, making sure that they are understanding what they are getting from the third party that they're getting this from, whether it be a SOC report or an ISO cert.

Speaker 4:

And where would you see that it would be okay to just get the summary of the SOC report instead of actually seeing the SOC 2, where a company might say, well, we're not comfortable giving you this because it does have some of the things that might be more sensitive to our organization, but, you know, here's the SOC 3?

Speaker 2:

I personally have not run into this very often. I do know that some organizations, they do hold their SOC 2 report pretty close to the chest, which I think is kind of interesting because it isn't intended to be just fully publicly available. You mentioned SOC 3, and that's the entire intent of a SOC 3, is it is supposed to be publicly facing. It basically strips out a lot of the more, just, you know, we'll call it sensitive information, a lot of the detail behind it. But usually if someone's really being hesitant to share their SOC 2, it would kind of make me wonder what's in it a little bit more. Is there a bunch of testing exceptions? Is there something in there that maybe they're not necessarily happy with how something went? Or maybe they just know that there's a particular area that their customers keep asking about and they just either haven't built out that part of the program or, like I said, there was some sort of testing exception that, I don't say they're trying to hide, but potentially they're trying to hide.

Speaker 2:

So, like I said, I haven't run into this super frequently, but if someone was being super hesitant, especially during either some sort of reassessment where they've previously provided it to you, or you're trying to establish a new relationship with some new SaaS provider and they're just being really cagey about it, that would give me a little bit of pause and I would want to understand kind of why, and it could be for any number of reasons. Like I said, they could either be proud of it, it could be that they're not done with it yet.

Speaker 2:

That could also be something where they're kind of just trying to hold up the process because they don't have one yet and they're still going through their assessment, or they did get one and it didn't go super well, and so they're now like, well, I have this, but basically it doesn't give me a lot of credence because it doesn't have a lot of good information, and it's because there was a testing exception, so it was a full-on qualified report where there were enough issues that we actually had to qualify the opinion, whatever it might be.

Speaker 1:

I'm curious to know if Eric has any tricks on getting organizations prepared for an audit or a SOC assessment. I know, Eric, you work with a lot of different types of folks. I'd love to hear what's in your bag of tricks and how you kind of take an overview of an organization so they're prepared for something like this.

Speaker 4:

I think one of the first things that we want to understand is what business are they in, what sort of data do they have that they need to protect. And then, what have they done in the past? And who is the audience of this? Is there some sort of regulatory work that they're doing? Do they have customers that are asking for something? And then, as you get more granular, well, what controls do they already have in place? What are their information security policies? What do those look like? What sort of standards do they have? So all of that will inform how much work actually has to be done before you could even assess the organization, either using a framework that has criteria around what you're going to assess, or, going back to the attestation piece, if they have those controls in place or if they need to write those controls so that you know what it is you're going to measure.

Speaker 1:

It sounds like communicating is a huge part of your job, and just educating, which we've already established. Have you seen any kind of innovative ways, other than just talking over a Zoom meeting or sitting down for a cup of coffee at a conference table? Have you gotten any kind of creative input on maybe coming up with videos or any other way to educate internally?

Speaker 2:

Yeah, I mean, there's tons of different ways. So Schellman actually does a really good job of promoting a lot of external-facing learning content. We have a whole learning center where people create content around all sorts of things, SOC obviously being one of the big ones. But we have a whole ISO team. We have PCI. They put out a lot of content out there kind of explaining some of the nuances of that. So I kind of echo a lot of things that Eric said. One of the best things you can do as an organization who's considering going down the SOC path is really getting a good understanding of what it is, and I think this is where people, then, I alluded to this earlier, they just do a quick Google of it and they sometimes get these organizations that will literally promote and say, like, we can get you SOC ready in two weeks.

Speaker 1:

Eric's smiling.

Speaker 2:

They don't. There's a lot of issues with that, and it's exactly that. For those that are not familiar, there's two different types of, well, there's multiple different types of SOC reports, but there's two different types of assessments you can go through. There's a Type 1 assessment and a Type 2 assessment, provided some control language.

Speaker 2:

When an independent auditor comes in, we essentially just look to say like, okay, you've said you have this in place. And we'll look and say like, yes, that is true, whatever that might be, whether it be a policy or monitoring tools or whatever it is. But we don't really dig much deeper than that. We don't say like, okay, are you actually using these? We're not testing to say whether or not the organization's really compliant with it. A type two assessment assesses the operating effectiveness of your controls and that's where it's actually looking over a period of time. And let's say they're saying like, okay, we had an infrastructure monitoring tool in place that generates alerts based on predefined criteria of some sort of control language like that.

Speaker 2:

That's when we, as the auditors, will come in and say like okay, basically prove that this was in place for this entire period. And that's where then sometimes we're like oh yeah, well, we actually turned it on like a month ago and like the alerting capabilities we didn't really get fully honed in. And that's when you kind of get into that nuance of like, okay, you can't really say that that is really an operating control if you only turned it on two weeks ago and you're trying to say like, oh yeah, for the last year we've been good. So that's where some of the difficulty comes in, because, yeah, there's a lot of pre-work and there's a lot of ways that you kind of need to set yourself up for success, and really getting a good understanding of the framework beyond just a simple Google is obviously the best way. But then, yeah, if you already are kind of compliant with some other assessment framework, that obviously makes it easier.

Speaker 1:

But if you're really just kind of building a program from scratch, you kind of need to do a holistic internal review of like what do we really have in place and what are people actually doing? I know that brings up policies and procedures, which is Nick's main focuses. And, nick, how does a SOC assessment kind of tie into, like what Adam was talking about, with policies and procedures and communicating that within an organization?

Speaker 3:

It's probably one of the biggest portions for me, at least. It's one of the areas I think organizations I've worked with are probably the most junior in: they don't continue to either update or create new policies and procedures that, you know, can guide employees and their technical people. You know, how do we keep them within the bumpers to either stay SOC compliant or become SOC compliant? So things that I've worked with organizations on is like outreach. You could gamify training, for example, right? Incentivize employees, right, you know, on training, right? Teach them how to do things, teaching them you're creating these policies and procedures and you're keeping the two in tow with each other.

Speaker 3:

Newsletters are a big one that, you know, we've worked with organizations on to train their staff, but we've spent a considerable amount of time, you know, tailoring, and I think that's the conversation that we've been having today. You can tailor these SOC audits and we know when we're doing these assessments with organizations. I think one of the big pieces that we're tailoring is those policies and procedures to kind of whip them into shape so they do follow the prescription that we're giving for SOC, right? How do we get them ready? And you know, going all the way back, talking about being SOC ready in X amount of days, I want to know two things: what's their success rate, and what do you get if they don't get you ready in two weeks? Because anytime we've done SOC, right, it's much longer than that. Obviously, it would depend on the maturity of the organization. But, yeah, policies and procedures, tech for me, you know.

Speaker 4:

As you've said, josh, we spend a lot of time there, so we'll get Adam just a couple of stories here, because sometimes they're funny, but we'll get pulled into organizations to help them.

Speaker 4:

Usually there's an inflection point. They need some help, so we'll come in and give them some strategic help. And then sometimes we'll end up leading in a vCISO type of role or vCIO or what have you, and then we have staff members from those companies reporting into us, right, so giving direction at the organization level. And I've come across two things recently that I've just, it's. One of them was around browser extensions, where there were I think 1700 browser extensions that were enabled, when the access control standard clearly says browser extensions are denied and the company has an allow list that wasn't being managed, and users could just install whatever browser extension. So I mean there were crypto miners, there were games, um, you know, you name it, it was in there. I was gonna say, in 1700 you'd have to have a broad, uh, variety there. Yeah, like some things I never even heard of before, right, um.

Speaker 4:

But so then, you know, we turn that off and then it's like whack-a-mole. Then they go over to a different browser and then they're installing the extension there. So it was staying on top of, in front of that. And then, you know, we're the bad people for enforcing the policy that the organization had.

Speaker 4:

And I heard feedback. Well, you know, I didn't know what the policy was. It's like well, if you go to a foreign country and you rent a car and you're driving down the road at 90 kilometers or whatever it is that you're doing, and you get pulled over, is it that country's law enforcement officer's responsibility to say oh, I'm sorry, you didn't know that. You know there was a speed limit. I'm going to sit down, I'm going to read these to you, then I'll quiz you on them and we'll make sure that you understand, and maybe we eat cookies too. Or is it your responsibility, before you get in the car, get on the road and drive in that country, that you fully know the laws of that country? And it's the same thing.

Speaker 4:

Local admin, right? I mean, it's just a battle of removing these things that are against the standard and against the policy, but yet somehow they were allowed to persist in the organization, and then, certainly when you take something away, there's that perception that people are losing the ability to do their job. But I certainly don't want to be in the news and under the bright lights, and I mean, how embarrassing would that be if, oh, a nation state or whatever took advantage of this organization and there was data theft? Well, how'd that happen? Oh well, they had local admin. Like, okay, why didn't you turn that off? Well, they didn't feel like it.

Speaker 2:

Yeah, we didn't want to. People complained.

Speaker 1:

It sounds like it can be. You know, once again, education and educating people that aren't maybe even aware of what the risks are when these things aren't addressed. And then how do we communicate that to people in a way that they're going to internalize it right and carry it forward into their day-to-day activities and into the culture of an organization?

Speaker 2:

Yeah, I love this topic, just about policies, procedures, organizational, just kind of culture, I think, is kind of what we're speaking to, just kind of overarching. I think this probably goes back more to my internal auditing days. But it always shocks me how much time I spend. I will actually read all the different policies that an organization will give me. I actually do read them. I know that can seem shocking to them, but it kind of surprises me how frequently I will bring something up from somebody's policy or I'll reference something and sometimes, especially less mature organizations, but even very large, robust ones, because usually they have so many of them, they'll push back on me and say, like, what are you talking about? Where did you get this language? And I'll just be like, it's the third sentence in your information security policy.

Speaker 2:

I didn't just fabricate this idea out of nowhere. Like, I don't know. Like, and so this is always kind of a topic that I like to spend time on, especially with my kind of less mature organizations. It's like, a policy truly is, it's a real thing. Like, you can't just say, oh, we have a policy, and then it gets filed on your intranet and then you never think about it. Like, if you just do that, then you don't actually have a policy. You have some random PDF that's saved on your intranet, but if you're not actually driving some sort of organizational culture with it, then it really doesn't matter. And yeah, of course nobody.

Speaker 2:

I've spent my entire professional career in audit, and especially when I was at my internal audit role. You know, whenever I would show up at people's desks, there were, like, depending on who they were, some people were nice and others, but usually they knew it's like I was rarely there just for fun. I would try and make that part of my job. I actually would go around and just say hi to people. So they weren't always, you know, like, what are you doing here? Yeah.

Speaker 3:

Like a big bad wolf all the time.

Speaker 2:

Yeah, not all the time. Like, we would do all sorts of stuff. We would, like, literally, like on Easter, we would walk around with a basket and hand out candy and all sorts of crazy stuff, but, um, hey, it helped people like us a little bit better, and also they're like, I was like, but also I do need to talk to you. So here's some chocolate and I have some bad news. But, um, this is an area where, yeah, it really just kind of, like, this goes back to even just our topic. Like, you can have a SOC audit, but we're only assessing what organizations put in there, and really, at the end of the day, it has to go down to organizational culture.

Speaker 2:

And yeah, you're always going to get pushback from certain people who are like, well, I need this ability in order to do my job. Maybe that's true, maybe it's not true, maybe it's not, but you need to be able to explain to them what the risk is by you know, oh, if we give everybody local admin access on their laptop so that they can be installing whatever they want.

Speaker 2:

That could be very bad, and here's why and sometimes people still don't care. But then that's where you really need to rely on just kind of like okay, well, it's still going to be the way that it is. At the end of the day, you need to remove that access from them. And so this kind of goes back to just all sorts of different concepts within information security, which is like okay, if everybody just did what they were supposed to from the get-go, I wouldn't have a job. Probably none of us here would have a job. So I try to always rely on like okay, I don't want to say like, obviously I'm never happy about any of this stuff, but and by that I mean like data breaches and stuff but there is a reason that people have to comply with certain things. But I think that's where it has to go back to. You have to explain the why. And if people lack context, if they lack that kind of insight as to why something's important, they're not going to take it seriously. And that's applicable to anything in life.

Speaker 4:

One of the most rewarding things I have found, and you've probably seen this too, when you go into an organization, usually the senior leadership on the security side loves it when an external auditor comes in, and I've had them just feeding me, like, this is, you know, we don't do this good, we don't do this good, we don't do this good, and it's just like all of these things. Like, well, I haven't even looked at it yet. No, we don't do this good. Because they want that third party attestation to be able to then come back, write it up, and then they'll be able to actually get money and maybe some clout to actually fix some of the problems.

Speaker 2:

Yep. Drive organizational change in a different way. And I actually have that conversation with my clients not infrequently when they will bring things up like that themselves. Because this also goes back to just kind of a point I wanted to make earlier. Compliance in any form, whether it be information security, whatever it might be, it can't just live in one particular subset of the organization.

Speaker 2:

It can't just be the security team's issue. It really is everybody's issue. But I'll have people bring that up specifically and I'll say, like frankly, use us then. Great, like, give me whatever detail and information you need to know so that I have the evidence that I can kind of say like, you're right, even if they've brought up the same issue 50 times within their own organization.

Speaker 2:

It is interesting when a third party is the one that's like hey, you really do have an issue here, that all of a sudden it does get, all of a sudden, those resources and scrutiny that it should internally. So I will often tell my clients that I'm like I know I'm annoying. I'm constantly asking you to do a bunch of work and pull a bunch of stuff for me. My little joke that I like to say is that I'm a professional nuisance because going through an audit it's a lot of work. It is like people and I try and like explain this sometimes to people I'm like I respect and understand that your job is well beyond pulling 400 different pieces of evidence for me. Like you don't spend all year just sitting around twiddling your thumbs waiting for Adam to roll up.

Speaker 4:

Like, if you are, like, I want that job. So, Adam, one of the things that I found, I don't want to say enjoyable, but where I'm helping a company who's going through an audit, right, so we're essentially there to work on behalf of that company, and then the auditor comes in and they want to pay for you, right? Like, oh, let me see this, let me see that, let me see this. And then it's like, okay, well, here it is. Understand that they need the information to do their job. And then there's usually around two where it's like, well, okay, you provided this, but we still need more, provide more. And this is typically what I've seen with the big four firms, where they're coming in and I think they get paid by the hour, I don't know.

Speaker 4:

But then, you know, it just seems to be this ongoing thing, and I'll go through two rounds, but on the third round I just say, oh, I'm not able to provide that. Just, you know, we'll take it as a finding, go ahead and write it up. And I've gotten the deer-in-the-headlights look a couple of times, because I don't think they're used to that, but that is a way to just shut it down, like when you've had enough, when you're over-audited. If you just say, write it up as a finding, then that's all they can do is write it up as a finding, and you know you're going to get the finding, but you know you're also not stuck 40 hours providing the same information eight times.

Speaker 2:

Oh yeah, now I mean, over-auditing is absolutely a thing. That's why reasonable assurance, that's why it says that in the opinion letter, like, reasonable assurance. There definitely are auditors that get kind of like, they just really get on something and they want to keep digging and keep digging and keep digging, especially with some of my, well, just less experienced, um, people I've worked with over my career. Sometimes I'd be like, okay, let's say this is wrong, what's the actual risk? Everything should always be tied back to risk, and sometimes people will get really wrapped around the axle on something in particular and then it's like, okay, well, let's say all of this is wrong or there is some sort of control bust here. So, so what? That kind of is, like, ultimately what the conversation should be around. And I actually had this exact same experience at my old organization. In internal audit, we actually managed a lot of our external assessments and I had to have that exact conversation with an auditor, and it kind of helped that we were speaking the same language.

Speaker 1:

That makes a heck of a lot of sense. So, for less mature organizations, what would you guys recommend for them to do to get prepared for a SOC assessment, specifically? If we're just getting started, you know, maybe we have a few years under our belt, but we're kind of green to this whole scenario, what would you say would be kind of the quick checklist of let's have these things in place before heading down this path?

Speaker 2:

I mean, frankly, if you're an organization that has other SOC audits, you've probably gotten them from your vendors. Start reading them and start seeing if you have controls in place that match up with what they already have and seeing where they fit within the report. That would be a great place to start, just to understand the language of how things are laid out. And it's like, oh yeah, there are certain things that, just frankly, every organization, if you read every SOC report, 30% of the controls are going to be very, very similar. And it's just because, like, at the end of the day, to meet certain criteria, they're not going to be word for word, but especially in certain kind of, I don't want to say generic criteria, but like the first section of every SOC report, it's CC1 of the security criteria. It's really around, like, HR, onboarding, governance of the organization as a whole. There's really only so many ways that you can really meet those criteria. So you can kind of say, like, okay, yeah, of course we have a handbook in place, we require employees to go through security training, we do background checks, it can be any number of things, and you can kind of do that. So kind of start building out your actual control library and seeing how they fit within other SOC reports you have out there. I would then also encourage you, if you have the kind of bandwidth and the resources, you can go through a readiness assessment.

Speaker 2:

As an auditor, we can't ever breach independence. We can't tell you exactly what to do, but that kind of gives you the opportunity to kind of have kind of some of these more not informal conversations but conversations with auditors where it's like, hey, here's the framework we have in place, here's some of the stuff, is this going to work? And we can kind of give you more of just like a yes or no answer it's like, yeah, that makes sense, I think that would work.

Speaker 2:

Or it's like, yeah, that's a little shaky. Here's how maybe, you know, other organizations do it. Maybe here's how you should, like, consider thinking about expanding in this particular area, just because you don't really have enough there to meet the criteria. And again, we can't tell you exactly what to do, but it gives us the opportunity to kind of just give you, like, an overarching, like, finger to the wind, like, how are we doing here? And then from there you can then move into a type one and then into a type two. Really kind of, I think, from, I'm going back through on the side of the implementation of the controls, and one of the things that I'm currently wrestling with in an account is the implementation of those controls.

Speaker 4:

And now, because we're making certain moves relatively quickly without a lot of communication, now I'm the asshole. These are regulated industries and it's a fine line between communication and, if there are nation state actors or threat actors in the environment, do we want to give them a heads up that two weeks from now we are going to be making these changes and limiting this access, or do we want to limit the access and then just say, oh, by the way, we've limited the access? You know, it's kind of a fine line. I'm erring on the side of taking the action and then communicating afterwards, because it's a calculated risk of over-communicating when there's a potential that you do have, especially in the political climate that we're in now, nation-state actors, um, that might be adversarial to us and taking advantage of us. Excellent.

Speaker 1:

And, nick, do you have any final thoughts today? Uh, as we wrap things up there, there's so much to grab onto.

Speaker 3:

I think for us, when we're jumping into an organization, you know, a lot of times we want to push for them to take these pre-assessments right away. Let's just see where we're at first off, right off the bat. And you know, something that we like to talk about too is like delete, delete, delete. If we don't need to work on this right now, let's focus on something else. And on the other side, if we're helping an organization, maybe go through an audit.

Speaker 3:

I think there's a lot of times and Adam talked about this where they get hung up on maybe one control for far too long where we can tie these back to something else.

Speaker 3:

For example, I was recently having an issue with an organization going through a CJIS audit, or they're trying to become CJIS compliant with the BCA. The new regulations talk about commingling of data, and so you can't commingle CJIS data with non-CJIS data. Well, the workaround a lot of times could be as simple as a retention policy. Do you have a retention policy that purges data?

Speaker 3:

Let's say from Teams, if you need to use Teams in that environment. So I think, you know, what I would say to a lot of organizations is, you know, maybe take a step back and look at controls you already have that probably could just be tied to a problem that you're having in an audit. So try to take a step back and look at it from a different angle.

Speaker 4:

Adam, you're in Minnesota. Are you in the Minneapolis area?

Speaker 2:

Yes, I live in the northeast neighborhood of Minneapolis.

Speaker 4:

Oh nice, okay cool. Well, come on down to game night. We do game night the first Wednesday of every month, 5 o'clock. Different board games and usually about 15 or 20 people or so. It's just a fun time to meet other people in the industry.

Speaker 2:

Okay, perfect. Yeah, that'd be great.

Speaker 1:

I'll make sure you get an official invitation, Adam. We'll follow this up afterwards, but I'll talk us out and we can do a little debrief. You've been listening to the Audit presented by IT Audit Labs. My name is Joshua Schmidt, your co-host and producer. You've been joined by Eric Brown and Nick Mellum of IT Audit Labs and we've been talking today with Adam Russell of Schellman. Thanks so much, Adam, for your time. It's been a great conversation and we hope to stay in touch.

Speaker 2:

Thank you very much for having me.

Speaker 1:

Yeah, absolutely. Please like, share and subscribe, and stream us wherever you source your podcast content.

Speaker 4:

We're on Spotify now with video and we have episodes every other week, so hope to see you soon. You have been listening to the Audit presented by IT Audit Labs. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact. Or our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J. Schmidt, and our audio video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials and subscribing to this podcast on Apple, Spotify or wherever you source your security content.