March 10, 2025 35 mins

Are SOC audits just another compliance requirement, or do they provide real security value? In this episode of The Audit, we sit down with Adam Russell from Schellman to debunk common misconceptions about SOC audits and explore why they’re more than just a checkbox exercise—especially for startups. 

Adam joins the IT Audit Labs team for a deep dive into the often-misunderstood world of attestations, sharing expert insights on how organizations can effectively prepare for a SOC audit and determine which security assessments best fit their needs.  

In this episode we discuss: 

- The biggest mistakes startups make with SOC audits 

- Why SOC 2 is more flexible than you might think 

- The myth that big companies are always secure 

- How SOC assessments can strengthen security culture 

- Gamified training & newsletters for better compliance engagement 

- How external auditors can empower internal teams 

Whether you're preparing for your first SOC audit or navigating complex compliance requirements, this episode is packed with actionable insights to help you enhance security and compliance strategies. 

🔔 Subscribe for more cybersecurity insights! 

#Cybersecurity #SOCAudit #Compliance #StartupSecurity #TheAuditPodcast 


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Joshua Schmidt (00:04):
You're listening to The Audit, presented by IT Audit Labs. I'm your co-host and producer, Joshua Schmidt. You're joined by Eric Brown and Nick Mellem, as usual, from IT Audit Labs, and today our guest is Adam Russell from Schellman. He's a Minnesota native and we brought him on the show today to talk about SOC assessments and we'll see where the conversation goes. Thanks for joining us, Adam. How are you doing today? I'm doing well.

(00:24):
I'm actually not a Minnesota native, though. You're not. You live in Minnesota currently, though. Yeah, I do live in Minnesota.

Adam Russell (00:30):
Yes, but I'm actually originally from New York State, right south of Rochester, New York, so a similar name to a city here, and then I spent 10 years in Colorado before I moved to Minnesota in 2022.

Nick Mellem (00:41):
Are you a Bills fan, Adam?

Adam Russell (00:45):
No, and it's not because I don't like the Bills, I'm just not a big football guy. Oh gotcha, that was a heartbreak. The Bills Mafia is a real legitimate thing. I respect Mafia. Yes, they go hard. I've been to plenty of Bills games, but I usually just go to experience the festivities is what the word I'll use. That's awesome.

Joshua Schmidt (01:04):
Speaking of events and festivities, we usually start the show with an icebreaker and I wanted to ask you if you've been to any conferences lately or plan to go to any conferences this year, and talking about building community, what do you get out of conferences and what is your favorite one?

Adam Russell (01:20):
Yeah, I've been very lucky to speak at a couple of different conferences over my career. The most recent one I spoke at was the Great Audit Minds Conference, which is a collaborative effort between the Institute of Internal Auditors as well as ISACA. It was in, it must have been April of 2024. So actually it's about nine months ago at this point, but that was the most recent conference I spoke at, specifically about SOC 2 reporting.

(01:41):
Actually, I really like conferences just because it gives you the opportunity to connect with people in a way that you wouldn't. You really get a large subset of different industries. You get auditors, you get risk professionals, you get vendors that are just utilizing these products, so it's just a really good way to get a broad basis of information.

(02:02):
I spend all of my day talking to either my co-workers, who are all auditors or compliance professionals themselves, or my clients, and obviously we kind of just get into that loop where we're having the same conversations over and over again. But it's just nice to kind of broaden your perspective and also hear what other people are doing and kind of experiencing out there in the world. So I really enjoy them.

(02:23):
I think it's one of the best ways you can not only get a lot of exposure and experience but really the networking component you can't replace in any other way that I've so far experienced.

Joshua Schmidt (02:30):
Absolutely. Our last guest was Alith, who is a Black Badge winner at DEF CON, and we have a couple of Wild West Hackin' Fest enthusiasts here. Eric likes to fly in in his personal plane, and I think they have some plans to do some other conferences this year too.

Nick Mellem (02:43):
Correct, yeah. And the Wild West Mile High is next week. Are you going? I'm just doing the virtual one this time around. Oh nice, Wednesday through Friday.

Joshua Schmidt (02:55):
Awesome. So, Adam, what's your background at Schellman? You work at Schellman here in Minnesota. Can you tell us a bit about your background? How you got to?

Adam Russell (03:05):
where you're at in your career at this point. Yeah, my title at Schellman is technical lead. It's kind of a unique title. They've recently developed kind of a dual pathway opportunity for individuals that aren't interested in people management. In the traditional CPA or just kind of consulting firm, there's generally kind of this linear pathway where you start as an associate or analyst, it kind of depends on the organization, you then move up to senior, manager, all the way up to either partner or principal, depending on the specific titles.

(03:28):
But I've never really had a lot of aspirations to be a people manager. It's just not something that I've been interested in doing for a number of different reasons. I really just enjoy the actual work of doing auditing. It's a pain in the ass, yeah. Basically that has a lot to do with it, I'll be honest, but also it's just. It takes you away kind of more of the stuff that I actually enjoy about my job, which is interacting with clients, doing the actual assessments, having some opportunities to kind of delve deep into these topics.

(03:50):
And if you are doing people management, you usually kind of start to transition away from doing that actual work. No, it's a whole different skill set and everything as well. That, you know, just has never been my aspiration.

(04:11):
But I'm very lucky because Schellman recognizes that and knows that a lot of people that are individual contributors might not want that. On the org chart I basically would sit at a manager level. So I still get involved in a lot of initiatives and I obviously take on more complex engagements and deal with just more challenging topics, but ultimately I still am an individual contributor.

(04:33):
But I've been with Schellman about two, and actually over two and a half years at this point, but have been in the audit space in some form for a little over seven years. I started my career in a very traditional kind of CPA firm route where I started as a financial statement auditor as an intern, got hired as an associate and then stayed there until I was a senior.

(04:53):
I then transitioned out of public accounting or consulting, however you want to define it, and then went to a credit union doing internal audit, which was great. I actually really, really enjoyed it because you got a ton of variety. It was probably the best thing I did as far as my growth potential that I could have done at that point in my career, because instead of just doing kind of the same thing over and over again, I got a broad exposure to a variety of different topics, including some IT auditing.

(05:14):
And that's kind of where I got my first exposure to it, and then from there I was actually recruited to Schellman as a senior associate about two and a half years ago and I've been there ever since and really, really enjoy it.

Eric Brown (05:25):
I remember my first. I started in management early on in my career because I thought I could do more good by advocating for the people in the department and growing the department that way than actually being a good hands-on keyboard person. So early on I must have been 24 or something.

(05:50):
I was working at a startup in New Jersey. The company did internet marketing and it was in like 2000, no 98, something like that, and we were hiring a, or we hired an Exchange admin as we were kind of growing out our Exchange mind. This is a real small company, like a hundred people.

(06:14):
We got a guy whose resume looked good, he interviewed really good and his first two weeks on the job he was awesome. He was just banging a workout and then it took a turn and, um, he was drinking like a pot of coffee a day and no problem drinking the coffee, I drink a lot of coffee too, but um.

(06:36):
He would go, he'd go and take these long naps over lunch in his car and they started out, you know, it's like an hour, then it was two hours and then he was taking naps at various times during the day and working about two or three hours.

(06:57):
So, long story short, that was the first person that we had to terminate and I was so green, you know, at the time, but it turned out that he had like some other night job or something that he was doing and he was drinking all that coffee to stay up. But you know, you could just imagine now that's probably relatively not uncommon with the remote workforce.

(07:19):
This was all in person, where you know you never know what people are up to in their personal lives and where that crosses over into the professional area.

Nick Mellem (07:30):
Doesn't Google have nap time at their offices? He should have went to work for Google, right? Yeah?

Adam Russell (07:40):
I think that's what they used to promote.

Joshua Schmidt (07:43):
That's what they used to promote. Right, you can take a nap time. I have a night job, so I like coffee and I like naps. I feel slightly attacked right now.

Adam Russell (07:54):
Well, I don't have a night job and I like coffee and naps.

Nick Mellem (07:57):
So really it's just kind of universal. I'm with Adam.

Joshua Schmidt (08:01):
Yeah. Well, Adam, we wanted to get into SOC assessments today. That's kind of your passion and, doing a pre-production, it seemed like you had a kind of a fire to educate people and probably your clients and probably even beyond.

(08:21):
I'd love to hear what you think about SOC assessments in general, but also why they're so important for organizations to consider as a part of their security makeup.

Adam Russell (08:25):
Yeah, so SOC is great, I'm obviously not going to say anything other than that because I do SOC audits, but it truly is a great assessment framework. I just think there's a lot of misconceptions and misunderstandings about it, which is kind of interesting to me because they've actually been around for a long time. SOC audits as we know them today, they really kind of came about about 15 years ago.

(08:46):
About this point, 2010, is when they turned into what they were. But there's a history going back even to the early 90s. There was an old auditing standard called SAS 70, which was essentially the framework that SOC as we know it today was built off of. So it's been around for close to 30 years, or actually more than 30 years at this point.

(09:07):
I think because it's not as prescriptive of a framework as something like ISO 27001, people just don't necessarily always understand it. And also, I think, with the just huge growth we've seen in the startup space around SaaS applications, especially over the last 10 years especially, there's just been a lot of organizations that all of a sudden knew they needed to get this thing called SOC.

(09:28):
But it was especially a bunch of startup people. They didn't really understand what it is, but they just had, you know, their customers kept bringing it up about whether or not they have a SOC audit, and so it's just kind of one of those things that is very important and has a lot of impact on the industry.

(09:52):
But like a lot of things, it's actually quite complex because it isn't always clear as to how you're actually going to accomplish your goals with it. So ultimately, a SOC audit is intended to validate the security program that's in place at an organization. The problem is it's not super prescriptive. As I said earlier, it's based around the COSO framework. So there's essentially just these criteria that are very broad. So one of them, for example, is just like how do you promote ethics within your organization?

(10:12):
You can do that in all sorts of different ways. You can do it through training, you can do it through policies, you can do it through all sorts of different things, but it doesn't give you an actual like, you must do A, B and C, whereas some of the other information security frameworks out there, like ISO 27001, or there's all sorts of numbers, they actually do have prescriptive controls that an organization has to comply with, and it's a little bit more spelled out as to how you can actually get to that end solution.

(10:33):
That's not to say that one is better than the other, but there's just a lot more squishiness to it, I think, and I also think there's been a couple of factors that haven't happened, especially in the last several years, which is there's been a lot of really great governance, risk and compliance applications that have come out.

(10:54):
They have kind of built out a lot of promises, I think, to a lot of their organizations, as you know, oh, you can get SOC ready in two weeks. They also sometimes are just frankly incorrect. Actually, some of the questions you'd sent over prior, you would use the term SOC certification, and I actually see this all the time. SOC is not a certification.

(11:16):
I'll see organizations promoting themselves on social media or even in marketing materials would say like, oh, we just achieved our SOC certification, and it always kind of, A, makes me a little bit sad, but I'm also like, well, that's not really a thing. So I'm not quite sure what you're trying to promote there. So there's just a lot of misconceptions around it because it is so squishy. There's basically five different principles and criteria that can apply to a SOC audit.

(11:37):
Security is the only one that's required, but there's four others that you basically can scope in depending on the needs of the organization, and they're processing integrity, confidentiality, privacy and I'm forgetting, oh, availability, excuse me, are the total five you could have in there.

(11:57):
So that's also the misconception I think that comes in is like people think that it's a security assessment, which it is, but then they'll also be hearing about like, oh well, this applies to a privacy program as well, and so I think sometimes people just get confused and wrapped up in some of the nuance.

Eric Brown (12:08):
So, Adam, wouldn't you say that just a high level, kind of layman's way of describing it is, it's a way for an organization to have attestation of their controls?

Adam Russell (12:21):
Yes, that's exactly what it is, and so when you really boil it down to that simple terminology, it can make sense. But even like I have discussions with people that they don't even necessarily, like, what does attestation mean? That some of these words for people that aren't in this industry especially, you know, like I said, going up, especially to startups, really you'll have a bunch of people that are in sales but they keep hearing this term and so they know they need to get this thing.

(12:42):
And so then they hear these words like attestation or certification or whatever it is, and they get confused as to what it all means. Adam, we have to use.

Eric Brown (12:49):
It's in the manual. We have to use those because then we can charge more for the services, right?

Adam Russell (12:56):
We gotta use big words, that is, yes, big words always make it better.

Joshua Schmidt (13:01):
There's a whole vocabulary and lingo to your guys's, uh, industry that I've had to really brush up on. I did have to look up attestation as well, uh, in preparing for this. But yeah, I would like to hear a little bit, round out the conversation and, and kind of maybe kick it to Nick and, uh, and Eric and see what kind of, you know, experience have you had with SOC assessments and maybe education around that?

Nick Mellem (13:25):
Yeah, I, I think for me, when we're dealing with SOC audits, I was thinking similar to Adam, that one thing that a lot of questions we get to us is a lot of it's up to interpretation. Right, you interpret what they're meeting and what they're saying versus another subset, even something like PCI or PHI, abiding to these CEGIS, even abiding to these subsets of, they have rules and regulations that are pretty clearly spelled out.

(13:49):
And then you come to SOC and you might read a specific question and it's really up for the organization to interpret how they're going to secure that or perform those duties. A lot of organizations, they get this and then they just think they're good, right, like it's not an ongoing, that now they're just like secure for life, somehow they've unlocked some secret and then they're good.

(14:10):
But it's really an ongoing battle to continue to stay compliant but then continue to ride the flow of compliance. Right, things are changing all the time. We could give a recommendation to an organization and three to six months later we have to maybe double back or change something because an auditing organization has changed or

(14:33):
flipped because of, maybe, the threat landscape.

Eric Brown (14:35):
But I'd say those are two of the big ones for me. The other day, and this doesn't happen very often, but I was actually struck dumb by something that I had heard in an account we were working with. They were bringing on a new vendor, that multi-million dollar software as a service that was going to be involved in their PCI environment.

(14:56):
And when I asked them, I said, well, you know, do you have a SOC 2 that we can take a look at? No, we don't provide those.

(15:16):
But if you want us to do one, then we can do it, but you have to pay for it. And they actually phrased it in a way that they started out, I thought it was on a game show where they're like, well, do you know how much a SOC 2 costs? And I was like, okay, this is, this is going in a different direction.

(15:37):
And then they launched into how they don't do them. But if a customer wanted them, then the customer would pay for it. So I had never heard that before and I must have had a look on my face like Steve Harvey in Family Feud. Have you run into something like that before, Adam?

(16:00):
Have you heard of that?

Adam Russell (16:02):
We have actually. We've had a couple of clients that have come to us and it's really, they're doing it because they have one specific strategic account that's requiring it. I will say I don't exactly know what the true payment terms ended up being in that specific scenario, but yeah, that's actually not the first time that I've heard it.

(16:22):
But kind of to Nick's point and to your point as well, that's the thing. Remaining compliant with any sort of framework, whether it be information security, health care, whatever it might be, it takes a lot of work and that's why organizations struggle with them, I think, is because they don't necessarily always give them the resources that they really need in order to support these programs. But they are very important.

(16:43):
And so there's this constant struggle between, you know, compliance versus reality, which is compliance is always trying to catch up with whatever the threat landscape is. And you have a lot of organizations that are kind of filtering in and out and they aren't necessarily, know, they don't want to put the resources in there to kind of get what they need to, but at the end of the day, a lot of times they usually can't secure this key account if they don't have these things in place.

(17:05):
So it's kind of like what's driving the cart really.

Eric Brown (17:12):
With a SOC, an organization can have their own security controls and some of them may not adhere to a framework, but you're essentially just going in and testing their controls to see if they're adhering to them. Have you run across anything where you're like, oh, that's interesting? Or, on the other side, have you been surprised with something that was really cool?

Adam Russell (17:35):
Oh yeah, no, tons of times. I think a lot of times people think that the size of the organization can sometimes make it more secure, better than smaller organizations, and I've seen some really robust, really great information security programs at very small organizations and, conversely, I've seen some huge organizations that frankly don't have a very robust or effective information security program.

(17:57):
So I think that's sometimes a misconception, is especially with larger entities, because they've got so many things, um, going on. They again, depending on the resource, and then, like a small organization, they might only need to support one or two different frameworks, whereas, Nick, you had mentioned earlier PCI, HIPAA, SOC 2, ISO 27001, NIST.

(18:20):
There's all these different frameworks out there and sometimes they think that, oh well, we're good in one, so we're good in all, and that doesn't apply. So the nice thing about SOC, as I mentioned earlier, is it is a little bit more flexible as to how you can actually arrive at something. But yeah, a lot of times people try and put things in there that doesn't necessarily make sense.

(18:41):
I mentioned the five different criteria you could have in there, and sometimes organizations will try and kind of, I don't want to say double dip, but they'll want to bring in certain controls or things to make them look better, but they don't necessarily apply to the criteria they're in.

Nick Mellem (18:53):
I think, you know, I was working with an organization, and I do often, and one of the roles is, you know, vetting vendors that are coming in to the organization. And a lot of times the people that I work with in this group, they see SOC 2 and they automatically think, oh, we can just bypass all of our controls because they are SOC 2.

(19:14):
So we should be good, good to go, and we always echo back to them, we still need to do our process, have them fill out these questionnaires so we can better understand what their controls are, just because we always want to make sure everybody knows, because they have met SOC 2 at one point. Right, they're continuing up with it. You know, we need to make sure we continue to vet them.

(19:35):
But, and what I'm saying here also branches into a question, you know, Adam, is, you know, does SOC 2 to you mean something different if it's a financial organization versus maybe a Fortune 500 IT company? Is there different meanings to how SOC might go to those organizations?

Adam Russell (19:55):
Yeah, I think really the nice part with those different criteria is they can apply really nicely depending on the type of organization that you're dealing with. So, for example, as I mentioned earlier, security is required for all of it. If you want to get a SOC 2 report or a SOC 2 audit, you have to have security in scope. But we'll have a lot of organizations like, for example, health care. In that case.

(20:22):
That's where, you know, confidentiality and privacy is going to be a lot higher scrutiny and consideration that they may want to consider in scope, whereas, like a financial institution, yeah, of course those are still going to be relevant, but maybe something like the processing integrity criteria is going to be more applicable because, especially like a payroll processor is probably the easiest one to use in this example. If they're processing payroll, you want to make sure that all of the inputs match what the outputs are, particularly in that case.

(20:43):
You could make that argument for any sort of data processing. But there are certain industries where certain things are just higher risk than others, and so, yeah, that's kind of. Again, the nice thing is it is so flexible. You can apply it in a lot of different ways. But that also comes with its own challenges, because that's the thing. People get confused about how this can actually apply to their organization.

Eric Brown (21:03):
So, Adam, a couple of questions for you. I've just been thinking, as you've been talking through these, of some applications. So let's say you're on the consulting side and you're going in to help an organization and the organization is going to onboard a new SaaS solution, for example, and the company says, well, we don't have a current SOC 2, but we do have an ISO 27001.

(21:25):
Where would you see that a 27001 would be an okay substitution for a SOC 2?

Adam Russell (21:42):
So I don't want to say they're comparable, but they serve different purposes. But ultimately they're both information security frameworks and assessments. We have a lot of clients that will either do one or the other or both. And I've seen in tons of vendor questionnaires, particularly when we're analyzing this particular part of an organization, where they'll say, like, on their security questionnaire, they'll kind of give an either.

(22:03):
Or they'll say like, do you have a SOC 2 or an ISO 27001? But there is validity to both of them. To be clear, I work with our ISO team but it's not something I'm an expert in, so I wouldn't want to speak to like why it's better or not. But they kind of serve different purposes. And again, this goes back to, ISO is a lot more prescriptive. It has its listing of controls that an organization has to comply with, with the exception, of course, they can scope certain ones out if it just doesn't actually apply to them for any number of reasons.

(22:25):
But it's just a lot more strict in the way that you actually have to get to your end point, whereas with SOC you have a lot more flexibility in the way you can actually get to that.

(22:45):
But they both have their pros and cons. One's not necessarily better than the other. They just kind of serve different purposes and some organizations, they're really dead set on one or the other. I've also seen that where they're like, you know, we only accept an ISO certification, we only accept SOC. And I've had that conversation with them to try and understand, like, what's the reasoning. And some of it is because they've been burned by something in the past where they're like, oh, we got this really terrible SOC report that really didn't make sense or it was for an application that we thought it applied to and it didn't even apply to it.

(23:05):
So that's kind of where you need to make sure that you're having those relevant conversations with people, making sure that they are understanding what they are getting from the third party that they're getting this from, whether it be a SOC report or an ISO cert.

Eric Brown (23:23):
And where would you see that it would be okay to just get the summary of the SOC report instead of actually seeing the SOC 2, where a company might say, well, we're not comfortable giving you this because it does have some of the things that might be more sensitive to our organization.

(23:44):
But, you know, here's the SOC 3.

Adam Russell (23:47):
I personally have not run into this very often. I do know that some organizations, they do hold their SOC 2 report pretty close to the chest, which I think is kind of interesting because it isn't intended to be just fully publicly available. You mentioned SOC 3, and that's the entire intent of a SOC 3, is it is supposed to be publicly facing. It basically strips out a lot of the more, just, you know, we'll call it sensitive information, a lot of the detail behind it.

(24:08):
But usually if someone's really being hesitant to share their SOC 2, it would kind of make me wonder what's in it a little bit more. Is there a bunch of testing exceptions? Is there something in there that maybe they're not necessarily happy with how something went?

(24:29):
Or maybe they just know that there's a particular area that their customers keep asking about and they just either haven't built out that part of the program or, like I said, there was some sort of testing exception that, I don't say they're trying to hide, but potentially they're trying to hide.

(24:50):
So if I, like I said, I haven't run into this super frequently, but if someone was being super hesitant, especially during either some sort of reassessment where they've previously provided it to you, or you're trying to establish a new relationship with some new SaaS provider and they're just being really cagey about it, that would give me a little bit of pause and I would want to understand kind of why, and it could be for any number of reasons.

(25:12):
Like I said, they could either be proud of it, it could be that they're not done with it yet. That could also be something where they're kind of just trying to hold up the process because they don't have one yet, and they're still going through their assessment, or they did get one and it didn't go super well and so they're now like, well, I have this, but basically it doesn't give me a lot of credence because it doesn't have a lot of good information, and it's because there was a testing exception, so it was a full-on qualified report where there was enough issues where we actually had to qualify the opinion, whatever it might be.

Joshua Schmidt (25:33):
I'm curious to know if Eric has any tricks on getting organizations prepared for an audit or a SOC assessment. I know, Eric, you work with a lot of different types of folks. I'd love to hear what's in your bag of tricks and how you kind of take an overview of an organization so they're prepared for something like this.

Eric Brown (25:53):
I think one of the first things that we want to understand is what business are they in, what sort of data they have that they need to protect. And then, what have they done in the past? And who is the audience of this? Is there some sort of regulatory work that they're doing? Do they have customers that are asking for something?

(26:15):
And then, as you get more granular, well, what controls do they already have in place? What's their information security policies? What do those look like? What sort of standards do they have?

(26:36):
So all of that will inform how much work actually has to be done before you could even assess the organization, either using a framework that has criteria around what you're going to assess, or, going back to the attestation piece, if they have those controls in place or if they need to write those controls so that you know what it is you're going to measure.

Joshua Schmidt (26:51):
It sounds like communicating is a huge part of your job and just educating, which we've already established. Have you seen any kind of innovative ways other than just talking over a Zoom meeting or sitting down for a cup of coffee at a conference table? Have you gotten any kind of creative input on maybe coming up with videos or any other way to educate internally?

(27:13):
Yeah, I mean there's tons of different ways.

Adam Russell (27:14):
So Schellman actually does a really good job of promoting a lot of external-facing learning content. We have a whole learning center where people create content around all sorts of things, SOC obviously being one of the big ones. But we have a whole ISO team. We have PCI. They put out a lot of content out there kind of explaining some of the nuances of that. So I kind of echo a lot of things that Eric said.

(27:35):
One of the best things you can do as an organization who's considering going down the SOC path is really getting a good understanding of what it is, and I think this is where people, then, I alluded to this earlier, they just do a quick Google of it and they sometimes get these organizations that will literally promote and say, like, we can get you SOC ready in two weeks.

Joshua Schmidt (27:53):
Eric's smiling.

Adam Russell (27:57):
They don't. There's a lot of issues with that and it's exactly that there's. For those that are not familiar, there's two different types of well. There's multiple different types of SOC reports, but there's two different types of assessments you can go through. There's a type one assessment and a type two assessment,

(28:21):
provided some control language. When an independent auditor comes in, we essentially just look to say like, okay, you've said you have this in place. And we'll look and say like, yes, that is true, whatever that might be, whether it be a policy or monitoring tools or whatever it is. But we don't really dig much deeper than that. We don't say like, okay, are you actually using these? We're not testing to say whether or not the organization's really compliant with it. A type two assessment assesses the operating effectiveness of your controls and that's where it's actually looking over a

(28:42):
period of time. And let's say they're saying like, okay, we had an infrastructure monitoring tool in place that generates alerts based on predefined criteria of some sort of control language like that. That's when we, as the auditors, will come in and say like okay, basically prove that this was in place for this entire period. And that's where then sometimes we're like oh yeah, well, we actually turned it on like a month ago and like the alerting

(29:03):
capabilities we didn't really get fully honed in. And that's when you kind of get into that nuance of like, okay, you can't really say that that is really an operating control if you only turned it on two weeks ago and you're trying to say like, oh yeah, for the last year we've been good. So that's where some of the difficulty comes in, because, yeah, there's a lot of pre-work and there's a lot of ways that you kind of need to set yourself up for success, and really

(29:26):
getting a good understanding of the framework beyond just a simple Google is obviously the best way. But then, yeah, if you already are kind of compliant with some other assessment framework, that obviously makes it easier.

Joshua Schmidt (29:44):
But if you're really just kind of building a program from scratch, you kind of need to do a holistic internal review of like what do we really have in place and what are people actually doing? I know that brings up policies and procedures, which is Nick's main focuses. And, Nick, how does a SOC assessment kind of tie into, like what Adam was talking about, with policies and procedures and communicating that within an organization?

Nick Mellem (30:01):
It's probably one of the biggest portions for me at least it's. It's one of the areas I think organizations are probably the most junior in that I've worked with is they don't continually continue to either update or create new policies and procedures that you know can guide. You know employees and their technical people. You know how do we keep them within the bumpers to either

(30:23):
stay SOC compliant or become SOC compliant. So things that I've worked with organizations on is like outreach you could gamify training, for example right, incentivize employees, right, you know. On training, right, teach them how to do things, teaching them you're creating these policies and procedures and you're keeping the two in tow with each other.

(30:44):
Newsletters is a big one that you know we've worked with organizations on to train their staff, but we've spent a considerable amount of time. You know tailoring and I think that's the conversation that we've been having today. You can tailor these SOC audits and we know when we're doing these assessments with organizations. I think one of the big pieces that we're tailoring is those

(31:07):
policies and procedures to kind of whip them into shape so they do follow the prescription that we're giving for SOC, right, how do we get them ready? And you know, going all the way back, talking about being SOC ready in X amount of days. I want to know two things is what's their success rate and what do you get if they're not, if they don't get you ready in

(31:27):
two weeks, because anytime we've done SOC right, it's much longer than that. Obviously, it would depend on the maturity of the organization. But, yeah, policies and procedures, tech for me, you know.

Eric Brown (31:39):
As you've said, Josh, we spend a lot of time there, so we'll get Adam just a couple of stories here, because sometimes they're funny, but we'll get pulled into organizations to help them. Usually there's an inflection point they need some help, so we'll come in and give them some strategic help, some help, so

(32:03):
we'll come in and give them some strategic help. And then sometimes we'll end up leading in a vCISO type of role or vCIO or what have you, and then we have staff members from those companies reporting into us, right, so giving direction at the organization level. And I've come across two things recently that I've just it's. One of them was around browser extensions, where there were I

(32:26):
think 1700 browser extensions that were enabled, when the access control standard clearly says browser extensions are denied and the company has an allow list, that that wasn't being managed and users could just install whatever browser extension. So I mean there were crypto miners, there were games um, you

(32:50):
know, you name it, it was in there I was gonna say in 1700 you'd have to have a broad uh variety there yeah, like some things I never even heard of before, right, um. But so then you know we, we turn that off and then it's like whack-a-mole. Then they that now they're. Then they go over to a different browser and then

(33:11):
they're extent installing the extension. So it was, it was staying on top of, in in front of that. And then you know we're, we're the bad people for enforcing the policy that the organization had. And I heard feedback. Well, you know, I didn't know what the policy was. It's like well, if you go to a foreign country and you rent a

(33:35):
car and you're driving down the road at 90 kilometers or whatever it is that you're doing, and you get pulled over, is it that country's law enforcement officer's responsibility to say oh, I'm sorry, you didn't know that. You know there was a speed limit.

(33:56):
I'm going to sit down, I'm going to read these to you, then I'll quiz you on them and we'll make sure that you understand, and maybe we eat cookies too. Or is it your responsibility, before you get in the car, get on the road and drive in that country, that you fully know the laws of that country? And it's the same thing.

(34:17):
Local admin, right? I mean, it's just a battle of removing these things that are against the standard and against the policy, but yet somehow they were allowed to persist in the organization and then, certainly when you take something away, there's that perception that people are losing the ability to do their

(34:38):
job. But I certainly don't want to be in the news and under the bright lights and I mean, how embarrassing would that be if, oh, nation state or whatever took advantage of this organization and there was data theft? Well, how'd that happen? Oh well, they had local admin. Like okay, why didn't you turn that off? Well, they didn't feel like it.

Adam Russell (34:54):
Yeah, we didn't want to.
People complained.

Joshua Schmidt (34:57):
It sounds like it can be. You know, once again, education and educating people that aren't maybe even aware of what the risks are when these things aren't addressed. And then how do we communicate that to people in a way that they're going to internalize it right and carry it forward into their day-to-day activities and into the culture of an organization?

Adam Russell (35:21):
Yeah, I love this topic, just about policies, procedures, organizational, just kind of culture, I think, is kind of what we're speaking to, just kind of overarching. I think this probably goes back more to my internal auditing days. But it always shocks me when how much time I spent I will actually read all the different policies that an organization will give me. I actually do read them. I know that can seem shocking to them, but it kind of surprises me how frequently I will bring something up from

(35:42):
somebody's policy or I'll reference something and sometimes, especially less mature organizations, but even very large, robust ones, because usually they have so many of them. They'll push back on me and say like what are you talking about? Where did you get this language? And I'll just be like it's the third sentence in your information security policy. I didn't just fabricate this idea out of no, like, I don't

(36:04):
know Like, and so this is always kind of a topic that I like to spend, especially with my kind of less mature organizations. It's like a policy truly is. It's a real thing. Like you can't just say like, oh, we have a policy and then it gets filed on your intranet and then you never think about it. Like, if you just do that, then you don't actually have a policy. You have some random PDF that's saved on your intranet, but if

(36:31):
you're not actually driving some sort of organizational culture with it, then it really doesn't matter. And yeah, of course nobody. I've spent my entire professional career in audit, and especially when I was at my internal audit role. You know, whenever I would show up at people's desks, there were, like, depending on who they were, some people were nice and others, but usually they knew it's like I was rarely there just for fun. I would try and make that part of my job. I actually would go around and just say hi to people.

(36:52):
So they weren't always, you know, like, what are you doing here? Yeah.

Nick Mellem (36:55):
Like a big bad wolf all the time.

Adam Russell (36:57):
Yeah, not all the time, yeah, not all the time. Like we would do all sorts of stuff. We would like, literally, like on Easter, we would walk around with a basket and hand out candy and all sorts of crazy stuff, but, um, hey, it helped people like us a little bit better and also they're like I was like, but also I do need to talk to you. So here's some chocolate and I have some bad news, but, um, this is, this is an area where, yeah, it really just kind of

(37:19):
like this goes back to even just our topic. Like you can have a SOC audit, but we're only assessing what organizations put in there and really, at the end of the day, it has to go down to organizational culture. And yeah, you're always going to get pushback from certain people who are like, well, I need this ability in order to do my job. Maybe that's true, maybe it's not true, maybe it's not, but you need to be able to explain to them what the risk is by you

(37:42):
know, oh, if we give everybody local admin access on their laptop so that they can be installing whatever they want. That could be very bad, and here's why and sometimes people still don't care. But then that's where you really need to rely on just kind of like okay, well, it's still going to be the way that it is. At the end of the day, you need to remove that access from them. And so this kind of goes back to just all sorts of different concepts within information security, which is like okay, if

(38:04):
everybody just did what they were supposed to from the get-go, I wouldn't have a job. Probably none of us here would have a job. So I try to always rely on like okay, I don't want to say like, obviously I'm never happy about any of this stuff, but and by that I mean like data breaches and stuff but there is a reason that people have to comply with certain things. But I think that's where it has to go back to. You have to explain the why.

(38:25):
And if people lack context, if they lack that kind of insight as to why something's important, they're not going to take it seriously. And that's applicable to anything in life.

Eric Brown (38:38):
One of the most rewarding things I have found and you've probably seen this too when you go into an organization, usually the senior leadership on the security side loves it when an external auditor comes in and I've had them just feeding me like this is you know, we don't do this

(38:59):
good, we don't do this good, we don't do this good, and it's do this good, we don't do this good, and it's just like all of these things like, well, I haven't even looked at it yet. No, we don't do this good, because they want that third party attestation to be able to then come back, write it up, and then they'll be able to actually get money and maybe some clout to actually fix some of the problems.

Adam Russell (39:18):
Yep. Drive organizational change in a different way, and I actually have that conversation with my clients not infrequently when they will bring things up like that themselves. Because this also goes back to just kind of a point I wanted to make earlier. Compliance in any form, whether it be information security, whatever it might be it can't just live in one particular subset of the organization.

(39:38):
It can't just be the security team's issue. It really is everybody's issue. But I'll have people bring that up specifically and I'll say, like frankly, use us then. Great, like, give me whatever detail and information you need to know so that I have the evidence that I can kind of say like, you're right, even if they've brought up the same issue 50 times within their own organization. It is interesting when a third party is the one that's like hey,

(40:01):
you really do have an issue here, that all of a sudden it does get, all of a sudden, those resources and scrutiny that it should internally. So I will often tell my clients that I'm like I know I'm annoying. I'm constantly asking you to do a bunch of work and pull a bunch of stuff for me. My little joke that I like to say is that I'm a professional nuisance because going through an audit it's a lot of work. It is like people and I try and like explain this sometimes to

(40:24):
people I'm like I respect and understand that your job is well beyond pulling 400 different pieces of evidence for me. Like you don't spend all year just sitting around twiddling your thumbs waiting for Adam to roll up.

Eric Brown (40:36):
Like if you are like I want that job, Adam to roll up, like, if you are like I want that job, so, Adam, one of the things that I found I don't want to say enjoyable, but where I'm helping a company who's going through an audit, right, so

(40:58):
we're essentially there to work on behalf of that company, and then the auditor comes in and they want to pay for you, right, like, oh, let me see this, let me see that, let me see this. And then it's like, okay, well, here it is, understand that they need the information to do their job. And then there's usually a round two where it's like, well, okay, you provided this, but we still need more, provide more. And this is typically what I've seen with the, the big four

(41:21):
firms. Where they're, they're coming in and I I think they get paid by the hour, I don't know. But then you know, it just seems to be this ongoing and I I'll go through two rounds, but on the third round I just say, oh, I'm not able to provide that. Just, you know, we'll take it as a finding, go ahead and write it up and and that is, I've gotten the deer in the headlight look a couple of times, because I don't think they're used to

(41:43):
that, but that is a way to just shut it down, like when you've had enough, when you're over-audited. If you just say, write it up as a finding, then that's all they can do is write it up as a finding and you know, you know you're going to get the finding, but you know you're also not stuck 40 hours providing the same information eight times.

Adam Russell (42:05):
Oh yeah, now I mean, over-auditing is absolutely a thing. That's why reasonable assurance, that's why it says that in the opinion letter like reasonable assurance. There definitely are auditors that get kind of like they just really get on something and they want to keep digging and keep digging and keep digging, especially with some of my well, just less experienced, um, people I've worked with over my

(42:25):
career. All sometimes I'd be like, okay, let's say this is wrong, what's the actual risk? Everything should always be tied back to risk and sometimes it'll just people will get really wrapped around the axle on something in particular and then it's like, okay, well, let's say all of this is wrong or there is some sort of control bust here. So so what kind of is like ultimately what the conversation should be around? And I actually had this exact same experience at my old

(42:46):
organization in internal audit. We actually managed a lot of our external assessments and I had to have that exact conversation with an auditor and it kind of helped that we were speaking the same language.

Joshua Schmidt (42:57):
That makes a heck of a lot of sense in the same language. That makes a heck of a lot of sense. So, for less mature organizations, what would you guys recommend for them to do to get prepared for a SOC assessment, specifically? If we're just getting started, you know, maybe we have a few years under our belt, but we're kind of green to this whole scenario, what would you say would be kind of the quick checklist of let's have these things in place

(43:18):
before heading down this path?

Adam Russell (43:25):
I mean, frankly, if you like, if you're an organization that has other SOC audits you've probably gotten them from your vendors. Start reading them and start seeing if you have controls in place that match up with what they already have and seeing where they fit within the report. That would be a great place to start, just to understand the language of how things are laid out. And it's like oh yeah, there are certain things that, just frankly, every organization, if you read every SOC report, 30% of the controls are going to be very, very similar.

(43:46):
And it's just because, like, at the end of the day, to meet certain criteria they're not going to be word for word, but especially in certain kind of I don't want to say generic criteria, but like the first section of every SOC report, it's CC1 of the security criteria. It's really around like HR, onboarding, governance of the organization as a whole. There's really only so many ways that you can really meet

(44:07):
those criteria. So you can kind of say like, okay, yeah, of course we have a handbook in place, we require employees to go through security training, we do background checks, it can be any number of things, and you can kind of do that. So kind of start building out your actual control library and seeing how they fit within other SOC reports you have out there. I would then also encourage you, if you have the kind of

(44:27):
bandwidth and the resources, you can go through a readiness assessment. As an auditor, we can't ever breach independence. We can't tell you exactly what to do, but that kind of gives you the opportunity to kind of have kind of some of these more not informal conversations but conversations with auditors where it's like, hey, here's the framework we have in place, here's some of the stuff, is this going to work? And we can kind of give you more of just like a yes or no

(44:49):
answer it's like, yeah, that makes sense, I think that would work. Or it's like, yeah, that's a little shaky. Here's how maybe you know other organizations do it. Maybe here's how you should like consider thinking about expanding in this particular area, just because you don't really have enough there to meet the criteria and again, we can't tell you exactly what to do. But it gives us the opportunity to kind of just give you like an overarching, like finger to the wind, like how are we doing

(45:11):
here and then from there you can then move into a type one and then into a type two, really kind of I think from I I'm going back through on the side of the implementation of the controls and one of the things that currently wrestling with in an account is the implementation of those controls.

Eric Brown (45:33):
And now, because we're making certain moves relatively quickly without a lot of communication, now I'm the asshole. These are regulated industries and it's a fine line between communication and if there are nation state actors or threat

(45:54):
actors in the environment, do we want to give them a heads up that in two weeks from now we are going to be making these changes and limiting this access, or do we want to limit the access and then just say, oh, by the way, we've limited the access? You know, it's kind of a fine line. I'm erring on the side of taking the action and then

(46:15):
communicating afterwards, because it's a calculated risk of over-communicating when there's a potential that you do have, especially in the political climate that we're in now, nation-state actors, um, that might be adversarial to us and taking advantage of us. Excellent.

Joshua Schmidt (46:36):
And, Nick, do you have any final thoughts today? Uh, as we wrap things up there, there's so much to grab onto.

Nick Mellem (46:42):
I think for us, when we're jumping into an organization, you know, a lot of times we want to push for them to take these pre-assessments right away. Let's just see where we're at first off, right off the bat. And you know, something that we like to talk about too is like delete, delete, delete. If we don't need to work on this right now, let's focus on something else. And on the other side, if we're helping an organization, maybe

(47:03):
go through an audit. I think there's a lot of times and Adam talked about this where they get hung up on maybe one control for far too long where we can tie these back to something else. For example, I was recently in having an issue with an organization going through a CJIS audit or they're trying to become CJIS compliant with the BCA.

(47:23):
They were the new regulations talk about commingling of data, and so you can't commingle CJIS data with not CJIS data. Well, the workaround a lot of times could be as simple as a retention policy. Do you have a retention policy that purges data? Let's say from Teams, if you need to use Teams in that

(47:44):
environment. So I think you know what I would say to a lot of organizations is you know, maybe take a step back and look at controls you already have that probably could just be tied to a problem that you're having in an audit. So try to take a step back and look at it from a different angle.

Eric Brown (47:59):
Adam, you're in Minnesota.
Are you in the Minneapolis area?

Adam Russell (48:03):
Yes, I live in the Northeast neighborhood of Minneapolis.

Eric Brown (48:06):
Oh nice, okay cool. Well, come on down to game night. We do game night the first Wednesday of every month, 5 o'clock. Different board games and usually about 15 or 20 people or so. It's just a fun time to meet other people in the industry.

Adam Russell (48:23):
Okay, perfect.
Yeah, that'd be great.

Joshua Schmidt (48:25):
I'll make sure you get an official invitation, Adam. We'll follow this up afterwards, but I'll talk us out and we can do a little debrief. You've been listening to the Audit presented by IT Audit Labs. My name is Joshua Schmidt, your co-host and producer. You've been joined by Eric Brown and Nick Mellem of IT Audit Labs and we've been talking today with Adam Russell of Schellman. Thanks so much, Adam, for your time. It's been a great conversation and we hope to stay in touch.

Adam Russell (48:48):
Thank you very much for having me.

Joshua Schmidt (48:49):
Yeah, absolutely. Please like, share and subscribe and stream us wherever you source your podcast content.

Eric Brown (49:01):
We're on Spotify now with video and we have episodes every other week, so hope to see you soon. You have been listening to the Audit presented by IT Audit Labs. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact. Or our security control assessments rank the level of

(49:23):
maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J. Schmidt, and our audio video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials and subscribing to this podcast on Apple, Spotify or wherever you source your security content.