More than a buzzword, security transparency is a business imperative. At Tag1, we embraced that drive to achieve SOC 2 compliance in record time. Our new Trust Center lets anyone verify our security controls on demand.

In our latest Tag1 Team Talk, we share how modern tools, expert partnerships, and a commitment to excellence can dramatically accelerate your security certification journey. Learn how services and tools from Vanta and expert guidance from BD Emerson made this complex process efficient and manageable. Whether you're thinking about starting your own SOC 2 journey or simply want to understand its impact, this episode offers valuable insights and tips on security, compliance, and continuous improvement.

Hello and welcome to Tag1 TeamTalks, the podcast of Tag1 Consulting.

I'm really proud that Tag1 has received its SOC 2 attestation.

And in today's episode, we're going to talk through, uh, that whole process

and the steps that has been behind many of the innovation that have made

Drupal the big success that it is today.

It's become the number two, uh, used CMS on the Internet.

Um, and it's that expertise that we have in building large scale

systems that power millions of websites, uh, that our clients.

Uh, bring us on board to help them with their mission critical projects,

uh, and ensure their success.

So if you need help with your project, uh, please email us at info@tag1.com

that's TAG, the number one.

com.

There's so much to talk about today.

So we're just going to jump right in.

Uh, my guests, uh, Jeff Sheltren, one of the partners at Tag1 and

our CIO who led our SOC 2 efforts.

Welcome Jeff.

Thank you.

Hi.

Uh, Drew Danner, who is the managing director at BD Emerson.

Uh, we're going to talk a lot about this, but we knew we need partners, uh,

to help us quickly and cost effectively get through the SOC 2 process.

Uh, from our first call, uh, Drew and the BD Emerson team really impressed us.

They exceeded our expectations, you know, throughout the entire process.

Uh, and so we really appreciate your help getting here.

Uh, and thank you for joining us as well.

Thanks for having me.

Faisal Khan, who's a subject matter expert in security, privacy,

governance, risk, and compliance at Vanta, is also here joining us today.

Uh, Vanta is an amazing software package, and it was really

key to how we approached this.

Uh, our success in getting things done efficiently, um, and is also a big part

of that monitoring, uh, to ensure that we stay in compliance at all times.

And I, I can't imagine going through, you know, the SOC 2 process or what it

was like to do this, uh, before Vanta.

So I'm really excited to get into more about what it is and how it works.

Um, Faisal, thank you so much for joining us as well.

Happy to be here looking forward to chatting.

So before we dive into some of the details, um, about, you know, how

it works and what we did, uh, Drew, can you just give a high level over

folks, you know, what is SOC 2?

And in particular, like I was shocked that it wasn't a. Certification, right?

I would say, Oh, we're getting our SOC 2 certification.

Like what, what is an attestation?

Uh, and, and why is it called that?

So, uh, SOC, SOC actually stems from some tragedies that happened in the early

2000s with Enron, where we decided that instead of allowing, um, companies to

go around and make claims, uh, we were going to require certain elements of

certain businesses like public companies.

Uh, to undergo controls over their financial reporting, which is where,

uh, SOC 1 and, and Sarbanes Oxley stem.

So Sarbanes and Oxley were senators, they passed an act, and, uh, the AICPA,

the American Institute of Certified, um, Professional Accountants, They

went and they developed a framework to audit companies for their controls.

That's privacy controls, governance controls, compliance,

security, you have it.

Stemming from that, there were sectors of business that didn't necessarily need

controls tied to financial reporting, and they moved to a IT and security

compliance check, which is your SOC 2.

The reason SOC 2 isn't a certification is there isn't a

standardized set of controls.

SOC 2 relies on what's called COSO principles.

So auditors actually have this list of principles and auditors work with

their customers to then set what controls the company is going to

commit to and then will be audited against over a period of time.

SOC 2 controls, uh, typically stem from your regulatory requirements,

your contractual requirements, security best practices, uh, and specific

items that affect your business.

Wouldn't it somewhat like customized and tailored to, you know, for like our needs.

Exactly.

Um, one of the very interesting things about SOC 2 that people don't realize is

that most audit firms, even before these compliance automation tools came about,

they had a standardized list of controls that they'd like customers to meet.

We call them ITGCs, Information Technology General Controls.

These are things that we define as industry best practices or things that,

you know, throughout the course, we've seen, you know, this is what a good

security or compliance program looks like.

Now, you fast forward into, um, you know, what, 2017, 2018, and

along comes tools like, like Vanta.

Um, I say tools like Vanta, but, You know, we've used all the tools in the space

and I think Vanta is on a leg by its own.

What Vanta does is Vanta helps customers like yourself by giving

you a predefined list of controls that you're looking to commit to.

It actually cuts out probably about 40 percent of the prep and planning that goes

into the control defining process that you used to do with your auditor right

now, you subscribe to tools and Faisal.

I know that Vanta has done a great job with their initial set that they

recommend, um, the goal of the product that was always to be really configurable

to meet all the customer's needs, right?

Yeah, absolutely.

Like, we come pre mapped to the list of controls, whether it's a security criteria

or the other for availability, processing integrity, confidentiality, privacy,

uh, but of course, like depending on the organization and their scope, what's

actually applicable, there's always that degree of customization that's possible.

So why does a company, uh, go about doing this?

You know, are they required to, is it something that they, you know, take on of

their own volition for a certain reason?

I'd say the most common reason is because someone told him to do it, right?

Um, that ends up being a revenue enabler for a lot of organizations.

But if we, if I think, put my security hat on as an InfoSec and

Compliance professional, I think it's a really good framework to establish

foundational controls for yourself.

When it comes down to how do you protect those sensitive, sensitive

data, uh, systems that handle those, that data, people, locations, and

really establishing that rigor for yourself downstream so that you can

further mature your program over time as the complex needs continue to grow.

And I, I think, I think more and more businesses do it

because of the ripple effect.

So, right, post 2002, we started requiring these large financial customers to do

audits over their security controls.

And as part of that, they all commit to do third party risk

management or vendor risk management.

And then you start working for those companies.

So now they require you to do it.

And then it goes downstream and downstream and downstream and, you know, we're 10

generations removed from the original requirement, but you're doing it that way.

We can sign a contract with a customer.

And like Faisal said, you're looking to enable revenue, but you're also,

you're looking to mitigate risk.

Right.

And business, you know, even, even in our business of compliance, the goal isn't

to do an infinite amount of security.

Right.

So my background, I was Army for 10 years and I worked in

the intelligence communities.

Uh, in the U. S. And I lived in a box.

I worked in what was called a skiff.

It's a secret compartmentalized information facility.

Everything we did stayed in a room.

Computers were built in a room that that's supposed to be right.

That's the top of what we think security to be.

Security is all about what's necessary.

What's there to enable your business?

Too much security hurts your business.

Not enough security opens you up for risk.

So what one of the things that we believe that the COSO framework from

SOC does is it establishes The right amount of controls to mitigate the

80, 80, 20 rule, 80 percent of your risks are going to stem from the

controls that you're implementing.

So let's get that out of the way.

Let's enable business and let's, let's protect your business.

And what you described, uh, you know, applies directly, uh, to us.

I mean, you know, Jeff, you can get a little, uh, shed a little

light on this, but like we were.

Basically, you know, it was like, if we wanted to capitalize on a

business opportunity, we needed to become, you know, SOC 2 compliant.

Yeah, I mean, it's, it's kind of funny that being around for 17 ish years

that, uh, none of our clients have ever required us to be a SOC 2 compliant.

Uh, I had actually walked through a couple of clients of ours, uh, helping

them get their SOC 2 attestations, but it's been a decade plus, uh, like pre

Vanta and all these automated tools.

And I gotta say this experience was so much better.

Like, um, Just having the automations, having the like, almost like cookie

cutter, like, here's what you need.

You can kind of customize it for your business.

Um, and, and save so much hours of work, uh, has been pretty impressive.

Um, but yeah, we, we finally were required to do this as part of becoming

a D seven Drupal seven extended support provider for the Drupal association.

Uh, and.

You know, we dragged our feet about it a little bit having gone through it so

many years ago and it was painful um Didn't see a ton of value saw some value.

Um, but definitely have come around and it's um We, we put a lot of work into it,

but I think like as a growing company, like Tag1, uh, going from a small number

of employees to like a hundred people or whatever we are now, it's, it's been

great to solidify some of these processes and policies that we're kind of like,

oh, we have that on a wiki somewhere, let me find you in a bookmark, and now it's

like, oh, we have a full set of published policies, uh, that actually anyone can go

view online if you go to our trust center.

Uh, because Vanta automates all that for us and collects that information.

And it was, it was the ripple effect that you mentioned, Drew, like the new CEO

of the Drupal Association came on board.

His background is in, you know, uh, you know, the Beltway, Washington, and

he came from a world where, you know, everybody did that and he was shocked.

He's like, what do you mean?

You're not SOC 2 compliant.

You're like, everybody's SOC 2 compliant, you know?

Um, and so, you know, we, we wanted to pursue this opportunity.

But yeah, we realized that there's no way we could do this on our own.

Certainly not in an efficient and cost effective manner.

Uh, this can be a very time consuming and, and costly endeavor,

depending upon how you approach it.

Um, and so we went through our network and we asked everybody, other agencies,

like, you know, have you done this?

You know, like, who did you work with?

And, you know, most people hadn't done it.

And, and a few folks.

That had, you know, weren't able to refer us to anybody, you know, so, um, we went

on Google and we, you know, we, we, we called you up and, you know, it was a

great conversation, um, and, uh, you know, we decided to work together, um, can, you

know, um, can you give folks, you know, just, uh, you know, what is BD Emerson

do, you know, like, why do you need a partner, uh, to go through this process?

That's a, that's a great question.

Um, So the short of it, so BD Emerson is a, we're, we're a consulting firm,

a law firm and a CPA audit firm.

Right.

So we actually have a, um, kind of an umbrella of businesses.

Uh, Tag1 worked primarily with the consulting firm to implement the controls.

And then when it comes time for any additional work, right, we, we have

these other capabilities that we offer.

Uh, one of the things that we find ourselves most frequently doing, not just

in this space, But it's really helping people understand what what's next, right?

Um, typically where we have clients come is, um, like yourself, right?

Someone's gonna give you a requirement, but the requirements bland.

It's it's go get socked to.

And as we talked about, sock to doesn't really have a list of required controls

that that's for you to develop.

So one of the things we do is we help customers understand

what are their requirements.

So from the legal aspect.

We take a look at your contracts.

We go through and we see what commitments you have made that we

should add to your control list.

You know, you, you, you leverage a tool like Vanta or not, we want to make sure

that the things that you're committing to your customers, you're also going to

commit to being checked by an auditor.

Uh, we find that, I mean, that's, that's the core part of this.

One of, one of the things that, that you found us to help you do is not

just hold your hand, but help you build these processes and help you

implement these controls and help you.

You know, we, we work from the paper to the end of the stack.

So we have, we have team members that are going to analyze your requirements,

build processes and document.

We have engineers that are going to fix, you know, coding your product.

If you were, we were asked to, in this case, you know, your,

your stack was pretty clean.

You know, I don't know if, uh, if you tell people that, but,

uh, I'll say it on the call.

It was a very low risk environment.

You do a great job of managing risks and vulnerabilities.

Um, but typically BD Emerson does everything from the

left end to the right end.

We, we advise on security requirements and we make sure they get built

in your process and product.

Well, hey, now, now you, you can definitely tell people that

your stack is clean because you got a trust center that says it.

All right.

That's the, that's the whole idea of trust centers with Vanta, just being able to

surface that information and make that available for those that need to see it.

Yeah, I think, I think that's the biggest part of you know, I, I love, I love

people in the space that say compliance isn't security and the rights are right.

Compliance isn't security.

Um, good compliance makes you more secure and good security makes you better.

Um, when you do the little things right, you mitigate, again, the

80 20 rule, a lot of the risks.

Um, you're a services company.

You also have a product.

Where's the bulk of your risk today?

You said you have a hundred endpoints, right?

Well, we focus in security and hardening hardware and software.

It's always the meatware.

It's the people.

It's what's between our ears that's always falling to scams, to, you know,

easy, easy things that we can prevent easy things that understanding what

our process is, what our policies are, uh, being trained on what's what

to do and what not acceptable use.

Those are the elements of any good security program that there are certain

security professionals that say, well, that's, that's not security.

And you're coming from the government that that's 90 percent

of our security is processed.

It's, these are the phases, these are the steps, this is how we do it.

And, you know, that's typically the longest part and that was a part

that you guys executed very well.

I feel like Jeff is looking at me right now that I'm the bulk of the risk.

It's typically, it's typically the C suite.

It's typically finance, CEOs that are not technical, that

there's a, there's a lot of.

Um, what do they call it now?

There's a, like a spearfishing, right?

Isn't, isn't that the name we call it now?

It's, it's phising, but at the top levels of an organization, you're prone to move

quickly, you have a lot on your plate, you're a lot, you know, executives are

mobile more frequently than other people.

So you click on a link, you know, it's a Mamba 2FA attack.

It looks just like a regular sign in and you give them your credentials.

Now they have access to everything.

They dump everything.

Security is not a, if it's a, when, and when you build compliance, like a SOC

2, you've already built in a couple of those layers for if something happens,

how do you react when this happens?

What's our backup strategy.

What's our disaster recovery plan?

What's our incident response plan?

Those are elements that you went through with with Vanta's guidance with BD

Emerson's guidance and now you have a, if stuff happens this is how we move forward.

Yeah, coupled with things like training and education and you know we have

systems that send us those messages to see whether or not, you know,

we're dumb enough to click on them and, you know, call us out on it.

Um, so you said it's comprehensive.

Yeah.

And it's also a really good segue to continuous monitoring, right?

Um, now that you've done it once you're implementing those tests, those docs

areas, the things that you need, you know, you need to be doing having that

real time monitoring to your tech stack and being able to just know when things

are out and be notified of those things.

It's really crucial because now you have process and really a broader

program as drew was emphasizing earlier.

And that's one of the best things that came out of this for us, I think, you

know, in talking with you, Jeff, you know, and, and like the trust center

on our website, but like, um, you know, that the, the process, the automation,

having constant insight into this is one of the biggest benefits, right?

Yeah.

It's been amazing.

I, I can't explain how happy I am with it.

Uh, I'll give an example, like, uh, should we spin up a new service on AWS?

We have Vanta integrated there.

Uh, and it's going through all our, all the controls that we defined and doing

all these tests to match the controls.

If, if for example, someone goes in and sets up a new database and they forget to

tick the box to like encrypt data at rest.

Uh, in the past, that would have gone unseen for a while until

someone went in and reviewed it.

Uh, and now Vanta is like sending me an email and a Slack notification

like, Hey, you have a failing test.

What's going on?

Uh, same for like when we onboard new employees or off board employees.

It's like, Oh, did you go through your onboarding checklist?

Uh, Did, or the offboarding checklist.

Did you remove their access to this?

And this it'll even be like, Oh, you remove their Google account,

but they still have a Slack account.

What's up with that?

Um, and that's been just amazing.

And eyeopening, very helpful.

I wanted, I mean, I called BS.

I, you know, like we looked at Vanta and I'm like, there's no way

this can do like what is claiming.

And I'm like,

I see how it is

Michael.

I see how it is.

No, I mean, I still don't understand how it could possibly do it.

And, and, and it's, and it works and it, and like it plugs into all these things.

And it like, um, it's, it's, we build software.

I know a lot about software and, and Vanta blows my mind.

As to like how it integrates and ties into all those different

things and give us that insight.

I, I didn't think it would be, uh, possible to deliver on that.

And it, and it does.

I think one of the other things that people overlook that, you know, Jeff,

Jeff and my team have spent a great deal of time on and Jeff's probably

annoyed is how do we document our risks?

Um, there are tools on the market that can go monitor a control, right?

We can, we can get a hook into an API and do a read and see if a, if

a control that we've documented, you know, is not yes, right?

If something is marked, no, you know, we get a zero back and we flag it.

We say, Hey, we need to go fix this.

But what about the process?

Um, you build software, all software has vulnerabilities.

All software, right?

We leverage third party packages to complete tasks, right?

This isn't, this isn't the 80s.

We don't build everything by ourselves anymore.

We use what's on the market.

So when we do that, we open up ourselves to all of this third party risk.

So how do you identify those risks and how do you mitigate those risks?

And one of the things that you're leveraging is the, the integration with

Vanta and the Dependabot in GitHub, right?

So you're, you're getting all those third party packages, their dependencies.

Any, any patching, any outdated software that you're using as part of your stack.

You're learning about it.

That way we can build those mitigation plans where in the past, even

if you were doing pin testing or scanning, you know, once a year,

what are you going to do with that?

You just generated a backlog for next year.

I guess we'll get to it.

Right?

But now in real time, every time you push a build, right, you're learning

what we've introduced into the product.

You're doing static code analysis.

You're doing static testing.

You're learning.

We've just introduced a new critical vulnerability.

It makes smart people come to the table.

It makes Jeff go talk to engineers and say, Is it critical?

What are the dependencies tied?

How do we decouple?

Is there a patch available?

Is there an update?

That's going to keep your customers safe in your app.

That's going to keep your business safe from, you know, would be attackers.

And that's because of, like you said, right, there's some magic to it.

There's they thought of, let's build this integration.

Let's make this partnership with this company that people regularly

use so we can pull in this telemetry and we can service the customer.

Yeah, it's a continual improvement almost, right?

If we think about just vulnerabilities continuing to be assessed, maybe it's

resources not being encrypted constantly.

You kind of have to take a step back and go.

Well, why, like, why is this keep happening and give yourselves that

opportunity to go back in update process, whether it's a configuration

standard that you need to go update.

Maybe it's a YAML file for the pipeline that's deploying the

code, set those things up, make sure it doesn't happen again.

And it really encourages that forward thinking and a bit more

proactive approach to security world.

Yeah, it's amazing how it integrates into so many aspects of our business

from the process to the, you know, the software that we're building.

Um, now I know that there's, there's SOC 2, type 1, SOC 2, type 2.

Um, you know, just at a high level, could you give us a sense of the process here?

You know, we talked about defining, you know, the aspects that you

know, we think apply to us, you know, where do you go from there?

And

So it's a great question.

So, um, SOC 2, SOC in general audits in general.

So a type one audit, a type one audit is an audit of the design of your controls.

Um, what the auditor is looking to do is make sure that, uh, you have a control

that is related to the COSO principle that is important to your business, right?

So, you know, maybe we, we sell software, right?

Then we almost have to meet all the criteria from management to

personnel, to systems, to hardware.

Now, how do we tie that control in?

And is the control effective?

Not the test of the control in theory.

So think of the blueprint of the house.

Uh, we built a square box.

We didn't put any doors in it.

Okay, so let's put a door in it.

Does the, does the door have a lock?

We're going to plan for a lock.

Does it, does it have some windows?

Do they open and close?

The design of your, your system, right?

So in an ISO world, we call it your ISMS, your information

security management system.

In your management system for your SOC, Did we design processes correctly?

Did we design the controls in a way that's suitable?

The auditor is going to check a point in time to make sure that occurred.

And once it did, auditors issue a SOC 2 Type 1, which you've achieved.

A Type 2 is the test of control effectiveness.

You made this commitment to encrypt your, your devices, right?

Their, their hard disks are encrypted.

Now, to your point, um, you opted to give your employees some privacy.

You have European employees.

You didn't want to go through the process of fully automating this,

which is not uncommon, but you understood the goal of the commitment.

So what we did was you worked and you built a manual process and you

leverage technology to read and make sure individual users are enforcing

the controls on their own machines.

And you use smart people to do this instead of technology.

That's, that's the test now that the auditor during the

type two is going to go test.

They're going to say over this monitoring window.

Which your monitoring window to start is 90 days.

Very common for most companies to start with a 90 day monitoring window

over those 90 days, did all of those devices keep their hard disk encrypted?

Did all of those devices have antivirus on them?

Um, did your cloud infrastructure always require NFA for console access?

Did we rotate our keys?

Those controls that you committed to, the auditor is now going to test those.

So they're going to do some population requests.

They're going to gather evidence that is going to come from Vanta.

You know, if you have systems and processes that aren't integrated, they're

going to come from outside of Vanta.

And then you're going to substantiate.

You're going to show them this is what happened during the

window, and they're going to test.

I think one of the struggles for auditors, customers typically feel like, you know,

insulted when there's findings, but, and that's not what this is for, right?

The auditor's job is to be tough.

If the auditor isn't tough, then you didn't gain anything.

It's a pencil, you know, you wasted your time, you wasted your money.

Tough audits, audits that look to find things.

That's going to make your business better, to what Faisal said, it's

all about continuous maturity.

Say we had a process where we onboarded someone on a Friday, we didn't

integrate their systems and set up their controls until the following

Wednesday, but we had an SLA documented that we're going to, you know, commit

to this service level agreement SLA.

We're going to make sure that all of our devices meet all of the requirements

within 24 hours, what have you.

There are these exceptions, so the auditor documents the

exception, and then the goal is.

Right.

We have a management response.

We tell them, listen, we understand this is what happened.

This is why we're, this is how we're going to get better next time.

And then they're going to, they're going to double down on your next audit.

They're going to make sure that you did what you said you did.

And, and that's, that's the goal of audit, right?

That's the goal of the SOC two type two.

I think one of the things I love the most about the outcome of this is

that third party validation, right?

Because, you know, in our world, agencies go around like, Oh, we're

the number one contributor to Drupal.

Everybody says that, you know, like everybody makes all of these claims.

Um, and, and it's hard to, you know, uh, differentiate.

And so, you know, to, to, you know, have something you can point to and say, this

has been thoroughly audited, you know, this has, you know, serious controls

in place, um, I think is, you know, a differentiator for us that sets us apart

from, you know, almost every other agency, uh, you know, using the technologies we

do, because I, you know, I haven't seen any of them talk about SOC 2, I don't see

any of them, you know, have this in place.

And so for, for me, that's a big benefit.

Um, Jeff, coming out of this, you know, what is one of the

biggest benefits that you see?

Uh, you know, I think for me, it's kind of formalizing a lot of our, what used to

be very informal processes or policies.

Um, you know, I kind of mentioned we would toss some, write something up

on a wiki real quick and just point new hires there and be like, there's

your, your onboarding documentation.

Uh, and now, you know, we have a full set of like, Of policies that have been

reviewed, uh, you can see who wrote the policy, who approved the policy,

when it happens, we track that new employees have accepted the policies.

It's not just kind of a wink and a nod sort of deal.

Uh, that's been huge, um, and definitely like back to the Vanta

integrations, um, being able to just.

Get, get a ping in slack from Vanta when it's like, Oh, there's a new

dependabot alert or, or, Oh, there's, you know, a new server came online

and it, it has this port open.

What's up with that?

Uh, so it's, it's almost like giving this extra set of eyes.

Uh, that we never had previously.

Um, that's been great.

And Jeff, just to add on, I think that it also adds a bit of implicit accountability

to stuff that you've already done as part of your audit for SOC 2, right?

Mm hmm.

These policies, procedures, these processes that you've

established, the things that you're doing to keep them secure.

Now, it's not just this three month observation period.

Going forward, like for the full year, right?

You have to do SOC 2 type 2 audits, at least annually to keep them intact.

You're now on, on the hook to continue to manage that program and

continually improve, as we mentioned earlier, your posture over time.

I think, I think it also sets up, right.

The world has changed pretty rapidly in the last five years.

And as more and more U. S. businesses are doing business globally, uh, you

see a lot of European companies and countries really, really care about

security because they put privacy first.

Um, we look at, you know, the GDPR articles one through 99 are pretty

explicit when it comes to privacy controls and what needs to happen

from a user data perspective, but not necessarily from security controls, right?

They, they say that, you know, you're going to use industry best practices.

We, again, we'll go back to ITGCs.

Information technology, general controls.

These are the same controls from a security perspective that, that you

just committed to doing annually.

Many European companies and European countries are actually moving.

They, they prefer sometimes a SOC 2 to an ISO because an ISO

audit is a point in time audit.

Now I'm not saying one is better than the other.

I actually prefer ISO.

Uh, for certain elements, especially when it, when it comes to governance and,

and management oversight and strategy, I think that the controls that you have

to put in to achieve a 27, 001 make the leadership team a little more accountable

to the full governance process.

Where SOC 2 is, you know, it's, it's, it is very unified and it's standard, but

it's, can we, can we meet our controls?

There are companies that aren't going to make the same control

commitments that you did.

Uh, but your partners, your, your prospects, your, your clients, they can

see those controls and they can map them and say, you know, do these standards

meet our minimum requirement as they do their vendor risk management process?

And that's when you point them and say, not only do we have these things committed

to be tested by our auditor, we're also reporting on their status in real time.

If you want to go to our trust center and you want to see how we are encrypting

our databases, how we're, you know, tunneling traffic to gain access into

a bastion host or however we're drawing those lines of segmentation between

people, process and technology, you're very transparent, and that's what that's

what leads to good security, right?

Accountability.

You can't have accountability without transparency.

Again, full circle trust center, Vanta.

What are some of the biggest challenges that companies face?

I mean, when we were hesitant to do it, it was costly.

It was, you know, time consuming.

We couldn't do it on our own, you know, you know, the, the, the basic things

aside, like once you get into the process, you know, what do you see as, as the,

you know, the big stumbling blocks?

I'll turn that to Faisal first, actually, because I assume that.

Faisal answer this, this question at least once a day.

Yup.

Yeah, a hundred percent.

I actually think, I think one of, one of the core ones is that top

level buy in, uh, and engagement.

We think about just the, all those reasons that you were just mentioned, right?

It's costly.

It's going to take a lot of time.

It might add.

It might add some maybe slowness to how operations run where you

can't just be running and gunning.

And now you have to follow process and do things.

And there's a lot of concern around that often times at the top layer and saying,

Hey, is this going to slow us down?

And the reality is, it's not going to, it's less about slowing down.

It's more about Like formalizing the, that guardrail and that process so that

you can go faster over time, right?

This is when I get the army though, right?

So slow is smooth and smooth is fast.

Sometimes we, we run everywhere all at once, but we don't get anywhere.

Uh, when you, when you organize, you go slow, you move steady, right?

Now we've traversed the field and look at when did you start this process?

You started this process six months ago at most.

There are a lot of companies and you can go speak to your cohorts.

You're, you know, even people that leverage technology like Vanta.

I mean, it takes, I think, on average, probably 12 to 15 months

to ever sit for your first audit.

So, to me, I agree with Faisal, but, you know, I, I, shameless plug, right?

Like, I, I was an idiot.

Um, I used to tell my soldiers when I was in the Army, education's free, go get it.

Uh, so, I had a soldier one day who was like, you don't have a doctorate.

What are you, what are you doing?

So, I went back to school to get a, a business, a doctorate degree in business.

Um, my, you know, undergrad and masters are in technology,

uh, math and computer science.

And I didn't know anything about change management.

To me, change management was like, like, how do we deploy

our software change management?

I never thought about the people side.

To me, one of the biggest challenges we always see is making people change.

Like, how do you, how do you drag people along for change?

Change is hard.

Change is hard.

John Cotter wrote a book in the 70s.

called Leading Change.

And today it's still one of the best books of like, how do we

undergo digital transformation?

How do we go change?

Uh, some people look at compliance like you put a tool in, you, you, you know,

you put in security tooling, you've made some changes, you underwent a

digital transformation right now you have this centralized spot in your

stack to go monitor everything from the people to the processes to the

software to your vendors to your third party, like, who do we do business with?

What is our supply chain risk?

Oh, we do business with it.

T Mobile and T Mobile just had their 34th breach this year.

So maybe we should consider doing a, sorry, T Mobile.

Uh, maybe we should consider moving to Verizon, right?

There are items that inform your stack.

Uh, the more you do them, the better it gets.

But when you look at that base set of challenges, there's no

value in that to people today.

Um, one of the things that I love about Vanta and shameless plug to Vanta.

They invested in a whole team to do analytics, not analytics on

customers, you know, like use case, it's specifically analytics for what's

the business case to do compliance.

You wanted to win a contract.

Is it a one time contract?

Is this going to help you sell up market?

Compliance has a cost and compliance should have a benefit.

And one of the things that Vanta does for their customers is make

sure that you understand like, this is what it's costing you.

This is what consulting costs is, what audit costs.

But based on what science and logic and reason tell us in the

field, these are the benefits.

And while you did it for this initial set, you, you mentioned that you've

already seen some other benefits.

You've had some customers other than that initial ask for this.

Is that right?

Yeah.

I mean, we've had multiple leads come in to our trust center.

And since we keep talking about it, I'm just going to say it's

like trust.tag1consulting.com.

You can go there.

It's the Vanta Trust Center.

And it literally is real time.

Here's our controls.

And there's going to be a green check mark or presumably a red thing.

If, if we weren't meeting those controls, uh, thankfully we're meeting them so far.

But yeah, I mean, yeah, no, uh, anyone can go there.

Uh, you do a little click wrap NDA and you can see.

Like in depth details of all our controls and tests.

And yeah, we've had multiple potential customers.

Like that's kind of one of their first landing spots is like, Oh,

can I actually trust you guys?

In your space, I mean, our space too, that's, that's how we settle.

What differentiates you from your competitor?

It's the product's great, sure.

Can we, can we trust you to keep our data safe?

Can we trust you not to be the, the reason that we've lost time,

energy, money, and customers?

I see this as a lot of, uh, maturing our business, right?

Like it's, it's so, it's, you know, so much of what we've talked about

resonates so strongly with like how we got here, why we did it.

Um, you know, my background is in startups.

I want to move fast.

You know, I want to make mistakes and just keep going.

Um, you know, but we're at a size and point in our life

cycle where we need to be.

You know, more mature, you know, we're onboarding people a lot more frequently,

you know, like we have more people, because we're, we're bigger, you know, so

it's like having these controls in place, um, really, it doesn't slow us down.

It just gives us that, like, you know, maturity.

And level of operation and our entire business for 17 years has been built

exclusively on people coming to us for our reputation and expertise.

And we're at the point where, you know, we're going out and we're trying

to, you know, grow our business.

Um, and, and having this in place is like, I, I'm, I'm hoping, and I think

will be a key part of that, right?

So people who don't know us, who aren't seeking us out, this gives

us that, that validation to say, we do know what we're talking about.

And here, you don't have to, you know, listen to our words, you know, you can,

you can see it in, in, in real time and, uh, you know, and so I, I think it's,

you know, uh, hopefully going to be a big part of our success moving forward.

Um, I really appreciate you guys joining us.

There's so much more I'd like to cover and get into, uh, but we're,

uh, we're at time and need to wrap up, um, parting words, uh.

You know, uh, Faisal, like, having gone through this with many organizations, you

know, uh, you know, besides use Vanta, um, you know, uh, what would be your,

your recommendations for folks there?

Yeah, I'd say when thinking, when you think about establishing, um, guard,

guardrails for yourself or really formalizing process internally, You want

to take, as Drew was mentioning, sort of a risk based approach to things, right?

Uh, consider the scope of where your sensitive data and systems live, the

risk of people, their operations.

And, um, take those into account when making the decisions of what framework

and what, what, uh, standard you're trying to adhere to at the end of the day.

Or even a framework at all.

Maybe it's just a attestation to a standard.

Um.

The CSF is a common example from a self attestation perspective.

Um, but think about what is the risk to you and from there continue onward.

Also, you know, of course, adding, just slowly adding in the, the Vanta bit.

If we think about just the implicit benefits of as we've talked through,

there's also that implicit benefit of.

the network that you guys have established now.

You have Vanta as the partner.

You have BD Emerson's team as the partner.

Heck, they're so good at their, the security and compliance

space and operating things.

One of our strongest partners.

You have this network of professionals that now you've helped establish

a program and continue to, can continue to scale with you.

And, and that's the beauty of what you've established here today.

I think, I think what I would tell people is actually be more in your shoes, right?

Move, move fast.

Um, huge, huge fan of speed, right?

Um, I, I tell my team, I, we, we say SVM, speed, violence, and momentum, right?

If, if you have someone who can funnel that, right, we have a, there's a guy

on our team that Jeff knows well, his name is Jose and he's our funneler.

Jose keeps everyone organized.

And if you have someone internally, who's like that, it's

not really a project manager.

It's more of a, can we wrangle the group and make them make decisions?

Uh, decision paralysis is what really slows this down.

Again, we talked about your hardest challenges.

Your initial challenge was the decision to do it.

And once you did it, I think the rest of those decisions were rapid.

You, you asked, to Faisal's point, you took a risk based approach.

What's the risk of us not doing this?

Or what's the risk of us adding this?

And then, you know, we, we moved quick.

You bounced ideas off of experts and you came to a decision.

And then you stood firm and you said, okay, that's our decision.

Let's get audited to it.

What I would tell anyone who's going to go through this process is move quick,

make decisions quickly, be informed, and when you need help, raise your hand.

Um, I can tell you 15 other BD Emersons that I trust to do this work.

They're all part of Vanta's network.

Uh, in our space, we don't really have competitors, right?

I will refer work to our biggest competitor, because I know that

they're going to do a phenomenal job.

Um, everyone that Vanta went and hand picked and said, Hey, we

want you to take part in this.

I mean, this whole network is incredible.

Um, if you need help, go ask for help.

There's different flavors of help.

If you're going to do it by yourself, you can.

Move quick.

Make decisions quick.

Be a group.

Don't assign a task and let it sit.

Group thinking, right?

Like everyone come together, make decisions and move that.

That's, that's what I have.

Jeff, what would you tell, uh, our peers, you know, having been through this and

led it for our organization, you know, run for the hills, you know, uh, uh, you

know, what have you taken out of this?

Oh, man.

I mean, certainly I can see chasing after a SOC 2 accreditation

could be super time consuming.

Uh, in our case, it was not.

I put a lot of time in for a handful of months.

Uh, like Drew mentioned, like, this could take years if you aren't

being guided the right way or you're not quite sure what you're doing.

Uh, so for us, like, the, having BD Emerson support us and, and

kind of give us that guidance.

Tell us, you know, When we're kind of going off the rails or tell

us, yeah, that's totally fine.

You just have to, you know, change, change this.

And that can work for you.

Uh, it was huge because yeah, we're, we're small, we're kind of different.

We like to do our own thing.

Uh, and we like to respect our employees and their privacy and that

like inform some of our decisions.

Um, And having someone expert in the field like BD Emerson kind of support us through

that and, and guide us in what we kind of can and can't do, like, where's the gray

lines, where's the, where are the really solid lines, uh, has Just this definitely

would have taken us over a year.

I'm just pulling that number out of him out of there, but it would have taken

us a very long time to complete this.

Uh, and I question how our audit would have looked at the end.

Um, and now going through this with BD Emerson, like I know we're, we're just

finishing up our type two audit right now.

Uh, We're all our tests are getting a hundred percent on Vanta.

So I know we're in great shape.

Uh, I, I have no concerns that we're going to have a very nice audit report.

Um, and yeah, just leveraging the tools like Vanta.

To make this kind of automated and ongoing, like, we know we're

just, we're going to do this again next year, go through an audit.

Um, and now Vanta, we're in the habit of just checking this stuff, um, day to

day, we're probably going to set like a monthly meeting going forward internally.

Like what's our.

What do we need to deal with, uh, for SOC two compliance this month?

Uh, is there anything that Vanta's flagging for us?

Yes or no.

And, uh, just keep moving forward.

Um, so yeah, I guess the, uh, the longest run of it is like, hire these guys.

It's going to save you so, so much time and energy.

And, uh, it's been absolutely great to work with.

Well, yeah, thank you guys.

Sorry.

I didn't want to cut you off.

I think.

You know, good consultants are one thing, but you guys are a

great company and not everyone.

We can't say that about every, you know, every engagement, uh,

change is hard for some people.

You guys have rapidly matured.

You took it serious.

And that, I mean, we have a great relationship, so I appreciate both of you.

Thank you all so much.

Uh, we couldn't have done it without you and, uh, and really appreciate you

joining us here today to, to share this.

Um, hopefully more agencies will, will take this on.

Uh, we'll put a bunch of links in the show notes, uh, to, you know, the

various different, uh, software Vanta, uh, and, um, you know, our Trust Center.

Um, if you liked this talk, uh, please, uh, share it out.

Uh, people need to know more about SOC 2, the benefits of why you should do it.

If you want to see more of our team talks, check out tag1.

com slash TTT.

That's three T's for Tag1 Team Talks.

Uh, and as always, we'd really appreciate your feedback,

suggestions on future shows.

You can write to us at ttt@tag1.com.

Thanks.

See you next time.