Richard Stiennon is Chief Research Analyst of IT-Harvest, where he focuses on data-driven cybersecurity industry analysis. Richard is also a former Gartner Vice President of Research and security auditor for PricewaterhouseCoopers (now PwC). The 2022 edition of his popular and widely read Security Yearbook, which tracks more than 2,800 cybersecurity vendors, became available on May 25, 2022.

In a wide-ranging and informative conversation with Trustero Vice President of Marketing and Business Development Kimberly Rose, Richard describes how the pursuit of SOC 2 compliance can improve cybersecurity. He also offers views on some of the cybersecurity challenges facing SMBs. Below is an edited summary of highlights from that conversation.

SOC 2 has some pretty rigorous cybersecurity requirements. Can the pursuit of SOC 2 compliance help improve cybersecurity for a business?

Yes, for sure. Depending on the business, the requirement to be SOC 2 compliant introduces them to the need to be secure. For example, a lot of SaaS [Software as a Service] companies just want to get their product out there, get people using it, and get their first customers. But then, the more mature customers will ask them for assurances that they’re following basic security procedures.

Those customers want to see measures in place such as strong password authentication, two-factor authentication, monitoring and alerting, and some sort of proper data governance. They want to know that you’re not going to leak data accidentally or allow their data to be exposed to other users of their SaaS platform. All these things and more are embodied in SOC 2 compliance requirements. You may have nothing, and then suddenly, you have to become SOC 2 compliant. Going through that process, you have to invest in security processes, tools, and technology. And, of course, that means hiring people as well. You end up with a better overall cybersecurity ecosystem when companies strive to become SOC 2 compliant.

The need for effective cybersecurity implies SaaS companies need to go beyond the “check the boxes” approach some have been known to take to SOC 2 compliance.

Security professionals always harp on people to build security in from the beginning. You might discover that there are things you have to change in your product or delivery or infrastructure to make them easier to secure and manage afterwards. But going forward, as you grow or add features, you don’t want to have things drift. That’s when you start thinking about, “Hey, how is this going to impact our SOC 2 compliance requirements? And what new things will we have to do if we launch a feature that collects all this data on people, for instance?”

How is the cybersecurity marketplace evolving and how should SMBs pursuing SOC 2 compliance respond to those changes?

There are two drivers in the industry. The primary driver is the evolution of the threat actors. They’re evolving new methodologies to monetize access to people’s systems. So they’re constantly evolving and going broader and deeper into organizations. That’s where ransomware came from. So you must do something to counter that. SOC 2 compliance has a lot of features that will help you counter ransomware attacks.

The other driver is regulatory requirements. Regulations are changing the way the security industry operates. And to comply fully with all relevant regulations and laws, the SMB has to do everything that Bank of America does. They just don’t have a half-billion-dollar budget or 2,000 people to do it with. But they must find ways to become and remain compliant to secure their operations. This often involves using third parties – either having consultants come in or outsourcing to an MSP [managed service provider].

To see and hear more about SOC 2 compliance and cybersecurity from Richard, see his complete Everything Compliance interview with Kimberly here. And to learn more about IT-Harvest or purchase the 2022 Security Yearbook, visit and use the promotional code “trustero1” for a 20% discount.