Every profession has its own language to distinguish itself from other professions and to establish an official code that governs its practices. The Compliance and Information Security team at a typical Fortune 500 company relies on vendor assessment documents with acronyms like SIG, SIG Lite, VAF, VQA, SQR, SoW, VDD, MSA, etc. It's essentially a set of documents or a massive multi-tab Excel spreadsheet (sometimes with a cool pivot table or a glossary of approved response codes! Exciting!) that is trying to answer one key question:
“Is your product or service going to put our network, business or client data at risk?” - That’s it.
The very fact that the SIG or VQA the InfoSec team sent you has literally hundreds of questions is a testament to the real starting position they are taking, which is: “From a security and compliance perspective, we don’t actually want your solution in our network, but the line of business is telling us we have to look at you”.
The vendor due diligence process that security and compliance is putting you through boils down to three key questions that you must address successfully as a prospective vendor. (I’ve placed in parentheses what InfoSec’s real agenda is.)
Let’s break each of these steps down.
The cost of a SOC-2 Type 1 certification will average somewhere between $30,000 USD and $60,000 USD depending on the size of your organization, the complexity of your products/services and the scope of the audit. A SOC-2 certification consists of two parts: the gap assessment and the audit. An audit firm will allocate anywhere from $15,000 to $30,000 for each part of the process depending on your scope. With Tugboat Logic, we help reduce the overall cost of SOC-2 by empowering you to do the gap assessment and readiness yourself, thereby reducing the cost of the overall audit because you’ll be jumpstarting the process.

Further, you can re-use the work you did in preparing for SOC-2 and apply that readiness to other certifications like ISO 27001 or SOC-2 HITRUST. Since your SOC-2 certification must be renewed annually, you’ll need an evergreen system of record like Tugboat Logic’s Virtual CISO Platform to track all of your control implementations, evidentiary documentation, gap analysis and procedures for re-use each year. By using Tugboat Logic’s Virtual CISO Platform, you can reduce the prep and readiness time by 30%, and reduce the cost of the entire certification process by up to 20%.
What if you don’t have 3-5 months to get a SOC-2 audit completed? What if you’re already in the miles-of-broken-glass hell that is your customer’s procurement department? You can take control of the procurement process, prove compliance and do it yourself. Tugboat Logic’s RFP/Audit Response solution can help you organize your response by gathering your proof of compliance in one hub, and create key reporting documents like Tugboat Logic’s Security Assurance Report and Information Security Policy Document. These pre-formatted docs not only let your company communicate your InfoSec program to prospects, but also enable you to tell the entire story of your company’s security and compliance posture, with additional data about your company, solution architecture and privacy compliance (like GDPR readiness) that will support your sales proposals and help close deals faster. Even if you don’t have a SOC-2 audit completed yet, providing your clients with proof that you do have a security program in place and that you’re preparing for a SOC-2 audit within a defined time frame can sometimes be enough to get you past the procurement hurdle.
Remember - your customer is just trying to shift as much risk and liability as possible onto you, so your champion doesn’t get fired should things go awry.
Security requirements management does not need to be painful. With Tugboat Logic, you can prepare yourself to answer the toughest client questions in minutes, not months, making you a hero to your sales team.