Learnings from the SOC 2 certification with Magnolia’s CISO

SOC 2 is a compliance standard for managing customer data. Based on the 5 pillars security, availability, processing integrity, confidentiality, and privacy, the SOC 2 certification process assesses whether an organization processes sensitive information on behalf of their customers securely.

As Chief Information Security Officer (CISO) at Magnolia, Jan Haderka is responsible for all things security, including ISO 27001, SOC 2, and any other security-related audits and certifications. Magnolia recently achieved the SOC 2 certification and in this interview, Jan shares his experience with the SOC 2 certification process pertaining to all areas of Magnolia’s business, from human resources, to software development, to the Magnolia DXP itself.

Sandra: Jan, our topic today is SOC 2. Can you say what SOC 2 is and why it matters?

Jan: SOC 2 is a certification that vendors can acquire to prove that they have adequate security operation controls in place, ensuring that the services they offer are secure.

Sandra: I’m talking about SOC 2 specifically with you. For the benefit of our readers, can you share what your role at Magnolia is and how it relates to SOC 2?

Jan: I’m the Chief Information Security Officer at Magnolia. As such, I'm responsible for all things security, including ISO 27001, SOC 2, and any other security-related audits and certifications we need to run the business and provide secure services to our clients.

Sandra: You mentioned ISO and other security audits, which we’ve done in the past. SOC 2 is something that you're actively working on at the moment. I would be interested in your experience during the certification process. Tell us more.

Jan: SOC 2 was completed a couple of weeks ago on an accelerated schedule. Initially, we had planned it for the end of 2023. However, the industry's increased awareness and emphasis on security over the past year prompted the team to start to prepare for the certification last September. By the end of the year, all controls were in place, and the audit began in January, and concluded a few weeks ago. The process lasted about two months and required collecting evidence, preparing for auditors, and presenting everything needed to prove that procedures and practices are in place, people are trained, and information is secure. All tests and checks were successfully passed to obtain the certification.

Sandra: Congratulations! Speaking of SOC 2, is there a SOC 1?

Jan: The naming of these certificates can be confusing. SOC 1 is primarily concerned with financial controls and certifies that a business is financially sound. However, since our Swiss-based company undergoes a Swiss financial audit every year, which is just as thorough, we did not require SOC 1.

SOC 2, on the other hand, focuses on information security, which is critical to our clients. The events of last year, such as the increase in cyberattacks, made security a top priority for many businesses. Consequently, most financial institutions in the US require all their suppliers to obtain SOC 2 certification. As this is an important segment for us, we had to comply with the requirement.

Nonetheless, we had planned to pursue SOC 2 regardless, as it is a significant milestone and demonstrates the maturity of our platform. We were able to expedite the process by preparing for the certification last September, implementing necessary controls by the end of the year, and starting the audit in January. The two-month process was intense, requiring us to present all evidence to the auditors and demonstrate that our procedures, practices, and people were all in place and trained to ensure the safety and security of information.

Sandra: What factors did the auditors look at and how did you prepare for the certification?

Jan: The work we are doing to obtain and maintain our SOC 2 certification is ongoing, rather than a one-time event that can be forgotten until the re-certification. SOC 2 requires that controls be in place over a certain time period, and auditors must verify that these controls were in place not only today, but also in the past. These controls cover all aspects of the business related to security, including employee onboarding, background checks, and training, as well as access control, data storage, disaster recovery, incident response, and software development.

We take data privacy seriously and ensure that even our employees cannot access information inappropriately. In summary, SOC 2 certification covers all aspects of the business related to security, from human resources to finance to development and operation of internal systems and the client platform.

Sandra: It sounds like this process has kept you very busy.

Jan: Yes, SOC 2 certification was quite a process. It required us to put various controls in place, and it's an ongoing effort to maintain those controls. While I played a coordinating and overseeing role, other departments in the company had to implement the policies and processes with all the necessary checks to ensure security. My role was to advise and assist them, oversee the implementation, and help resolve any conflicts or uncertainties. It was a team effort that impacted the entire business, with everyone contributing some piece of information. Despite the accelerated timeline and short notice, we were able to achieve the certification while continuing with our regular business operations. This demonstrates our readiness and I give kudos to all the people at Magnolia for their hard work and dedication.

Sandra: That's great to hear. Looking back at the last few months, what were some pitfalls you became aware of? And how did you overcome them?

Jan: One of the main pitfalls we faced during the SOC 2 certification process was the lack of awareness within the organization. It's one thing to inform people that we need to prepare and provide auditors with the necessary information, but it's another thing to execute it. For instance, when we asked people to provide logs or records of backup and restore tests, we needed them on short notice to verify our processes, but people were still questioning why we needed them. I had to explain the importance of providing timely evidence and that we could discuss any questions after the audit.

Another challenge was the vast amount of information that the auditors required from us. They had to go through all of it, verify it, and select random samples to dig deeper into. Even though I knew it would touch on all aspects of the company's work, I didn't expect the amount of data required to be this huge. The next time, I plan to collect or prepare some of the information upfront to be more ready and reduce the load during the audit period.

Sandra: You mentioned ‘controls’ previously. What are controls? And how do you implement them effectively?

Jan: Controls are measures we put in place to ensure that we have a grip on various aspects of our business. They can range from protecting employee personal data by encrypting and limiting access to it, to managing our code by storing it securely, ensuring its functionality, and having the ability to roll it back if necessary. Every single security aspect that the auditors review is considered a control, whether it pertains to information or processes.

Sandra: You've been able to provide satisfactory information to the auditors, so that we've recently received our SOC 2 certification. Congratulations.

How do you plan to stay up to date with any changes to SOC 2?

Jan: It's important to be proactive and continuously educate ourselves and our team to ensure that we are implementing the latest, most secure practices. You have to stay up with the latest news in the industry to learn about, let’s say, a new type of phishing or cyber attack.

There are three things you could do:

One way to stay up-to-date on the latest security practices is to subscribe to mailing lists and keep an eye on the conversations within the security community. This allows you to stay informed about emerging trends, updates, and changes in the field, as well as understand the overall direction in which the industry is heading.

The second is continuous education by reading blogs, watching presentations, and attending conferences, as is the case with any discipline.

The third involves conducting additional security audits and tests besides SOC 2, for example, penetration testing, which we perform on all our systems to identify any vulnerabilities or weak controls, allowing us to improve and strengthen them.

Implementing tools such as cloud-based security monitoring is not only a necessary condition for passing the audit, but also helps us learn of any new recommendations or policies that need to be implemented.

Overall, it's important to stay vigilant and proactive in our approach to security to ensure that we are always staying ahead of potential threats.

Sandra: Once the auditors have reviewed all information, do they award grades or simply a pass?

Jan: You either get a pass or a fail, but auditors will also bring nonconformances to your attention or share observations. There are different levels of nonconformances, including major ones that require immediate action. If major nonconformances are identified, you typically have only 30 days to rectify them and demonstrate compliance. Failure to do so will result in a loss of certification.

Minor nonconformances don't risk the certification but still require action within a specific timeframe before the next audit.

Lastly, there are observations, which are feedback and suggestions from the auditors on how to improve your controls and processes. For instance, they might recommend more frequent testing or the written documentation of verbal controls. The audit process can be a valuable learning experience, providing insights on how to improve and maintain compliance.

Sandra: Can you say more about your learnings?

Jan: The whole audit process was a learning experience for us. We had been undergoing ISO 27001 audits for several years and while there are similarities, SOC 2 is more practical in nature. ISO focuses on information management and that you are following through with what you say you are doing.

Initially, I had thought that having gone through the ISO audit, we were 70-80% prepared for SOC 2. However, it turned out that we were only about 50% ready as there were a lot of additional requirements. The SOC2 audit process delves much deeper into the details. Overall, we learned a lot from the process.

Sandra: Speaking of learnings, do the auditors give praise and if so, did we receive any in a specific area?

Jan: Although we did not receive any specific feedback during the SOC 2 audit, we simultaneously underwent the ENS certification process for the National Security Framework in Spain and got very positive feedback from the auditors saying we are in an exceptionally good place.

The ENS audit shared about 80% of the evidence with the SOC 2 audit, which made it easier for us to provide all the information required by the auditors quickly. They were pleasantly surprised by how effortlessly we were able to meet their requirements, and I believe this should be the standard for all audits.

I will be taking steps to organize certain information, such as logs and statements, that I know will be needed for future audits. This will make it easier for me to obtain the necessary information without constantly bothering other team members. Ideally, the information will be delivered to me automatically or I will have access to it through a centralized system.

Sandra: That sounds like really good advice to yourself and anybody who's reading the blog post. Do you have any more advice for others preparing for the SOC 2 audit?

Jan: Automate as much as possible, not just for the audit itself but also for responding to customer and prospect information security questionnaires. While the questions may not be identical, they are often very similar, making conversational AI tools and modules highly effective for providing efficient and accurate answers. By feeding questions and answers into these tools, companies can streamline their response process and provide the necessary information quickly and easily.

Sandra: This sounds very sensical from a vendor perspective. Let’s take a look from a user perspective. When should companies look for an ISO, SOC 2, or ENS certification from a vendor?

Jan: As a business, you want to know that your vendors develop products securely. This becomes even more important when you opt for a vendor-based cloud, whether it's PaaS, SaaS, or any other kind of service. Handing your data to a cloud vendor means you must be diligent about the vendor's ability to protect it. This is where certifications come in.

These systems are incredibly complex, and as a client, you may not have the necessary resources or knowledge to conduct a proper audit. So, certifications act as an independent third-party assurance that the vendor's system, processes, and security are sound and safe. This way, you can have peace of mind that the vendor is ready to restore the system if anything goes wrong, and they have done their due diligence to keep the system secure.

Sandra: We spoke about SOC 2, ISO, and the ENS certification. Do they replace or complement each other? Do you need one or all?

Jan: SOC 2 and ISO certifications are complementary and focus on different aspects of information security. While ISO focuses on information management systems and processes, SOC2 looks at practical aspects such as readiness to respond to incidents and the safeguards and procedures in place for recovery.

Governmental certifications, on the other hand, are usually specific to certain countries and serve as approval stamps for use by government-owned agencies. While they may have similarities with ISO and SOC 2, they are not interchangeable.

Sandra: Thank you, Jan.