What it isn’t, what it is and why it matters
SOC for cybersecurity suffers from a serious misperception. To clarify, Andres Castañeda, Grant Thornton principal in Risk Advisory Services, said, “Too many organizations think SOC for cybersecurity is a certification that we will give them an opinion ensuring they are safe from a cybersecurity perspective.”
Vincent Concialdi, Grant Thornton partner in Risk Advisory Services, put it even more directly: “They believe it’s an opinion that they won’t get a breach.” SOC for cybersecurity is not a security framework either; it works alongside multiple security frameworks, including COBIT, NIST CSF, NIST SP 800-53, CCS, HITRUST CSF and ISO 27001.
What SOC for cybersecurity isn’t: A promise of no breaches
Castañeda explained that the idea there will be no breaches is wrong. “One of the concepts integral to the process of developing the SOC for cybersecurity framework was the understanding that a cyberattack was likely to happen. The question is when, not if. What you do after it's occurred is what’s important.” Breaches are to be expected, and if you don’t expect them, you may be caught unprepared. Of course, you want to act aggressively to prevent breaches. But assuming you can prevent them is a crucial mistake that could have serious ramifications for your business.
Instead of guaranteeing prevention, SOC for cybersecurity indicates preparedness. This means rapid detection, prompt response and effective mitigation.
“You need to put a net over it as soon as possible,” Concialdi warned. This requires robust planning. “If you haven’t got a plan in place, and a breach occurs, it will be a disaster.”
What SOC for cybersecurity is: An evaluation of preparedness
If SOC for cybersecurity isn’t a guarantee, what is it? Castañeda described the process as “a standardized, demonstrated and disciplined approach for evaluating efforts.” Issued in 2017, the framework comprises the cybersecurity guide, the description criteria, and the trust services criteria for security, availability and confidentiality. He contrasted SOC for cybersecurity with the reviews conducted by technology consultants, including Grant Thornton: “Those engagements can be very good, but they tend to be technology focused, and each provider is going to follow the approach and cover the scope based on their own cyber methodologies.”
SOC for cybersecurity provides a standardized reporting framework with the highest level of testing and documentation. It is a way of communicating the effectiveness of a cybersecurity risk management program to stakeholders, and it provides evidence of due diligence and due care. Provided the examination is performed annually, that standardization is what reassures stakeholders — CEOs and board members — that the company can detect, respond to and mitigate attacks when they do occur, and it is what makes SOC for cybersecurity so useful: a standardized reporting framework gives a consistent approach and consistent evaluations, so cybersecurity programs can be compared across organizations.
SOC for cybersecurity evaluates and predicts response. Castañeda returned to the earlier point that attacks are inevitable. “What the market looks at is how you respond to it.”