Friday, January 29, 2021
By Annabel Steele, Fuel HQ
Everything was going well for AJ Yawn, but he couldn’t shake the feeling that he could be doing better.
Yawn has a bachelor’s degree in social science from Florida State University (where he played on the men’s basketball team) and a master’s degree in technology management from Georgetown University. He had spent five years in the U.S. Army, ascending to the rank of Captain. After leaving the Army, he was working in the cybersecurity field as an auditor, performing SOC 2 examinations and ensuring people’s cloud environments were meeting SOC 2 requirements. He was doing better than he had done in any previous position, and putting himself in a good financial situation. In spite of all that, Yawn felt like he could be doing more.
“I wanted to impact others in my life at a higher level and at a bigger scale than what I was doing,” Yawn says. Starting his own company would be a great way to do that, as Yawn could draw on his background and career experience to help others in a concrete way and inspire other budding entrepreneurs. Though that would require Yawn to “take a chance and be comfortable leaving something that may feel good,” as he puts it, he didn’t hesitate when his mind was made up. And so it was that Yawn and Jeff Cook, who has 20 years of experience as a certified public accountant (CPA), founded their company, ByteChek, in the middle of the COVID-19 pandemic.
ByteChek seeks to smooth out a process that Yawn and Cook are extensively familiar with: SOC 2 audits.
SOC 2 is a security framework developed by the American Institute of Certified Public Accountants (AICPA). It takes a holistic approach, evaluating service organizations’ security procedures at every level. The technical environment and cybersecurity defenses are evaluated, for example, but so are onboarding, vendor management and document policies. SOC 2 reports are compiled by independent, third-party auditors.
A positive SOC 2 report can be leveraged as a business tool, Yawn says. “You have a third party who’s subject to independent and ethical requirements come in and evaluate your environment,” he says. When the report is finalized, sales employees are able to tell potential customers that an outside individual has certified the company’s security, thereby reaffirming the would-be customers’ data will be secure — a compelling feature in today’s data-driven world.
“One of the biggest things I would educate CISOs [chief information security officers] on, is that you have to culturally prepare your organization to go through a SOC 2 assessment because it is going to touch every aspect of the business.”
In addition to serving as sales tools and business boosters, SOC 2 reports can help improve an organization’s security. According to Yawn, it is beneficial to have a third party step in and examine security environments from an outside perspective. In doing so, auditors can provide valuable insight into security practices and how to improve them, ultimately making organizations more secure.
In spite of the benefits of SOC 2 audits, some companies are unprepared and therefore fail to take full advantage of them, Yawn says.
“Going through an audit is a cultural shock. A lot of people get involved in that assessment,” Yawn says. “One of the biggest things I would educate CISOs [chief information security officers] on, is that you have to culturally prepare your organization to go through a SOC 2 assessment because it is going to touch every aspect of the business.”
The teams involved in SOC 2 audits range from security to legal, human resources and more. That is why Yawn believes CISOs should communicate the importance of SOC 2 assessments to every single employee at an organization. While employees might think a SOC 2 audit is a test or attack with negative consequences for failure, in truth the assessments are just designed to improve systems, security and overall posture. In communicating that point to employees, CISOs can ensure their teams are ready for the audit and fully understand what it entails.
Yawn also thinks CISOs should keep something else in mind when it comes to SOC 2: the framework’s flexibility. Unlike other security frameworks, SOC 2 is not prescriptive. SOC 2 audits are unique to an individual organization and can be highly customized. That is beneficial because it provides specific guidelines rather than general suggestions for companies to improve their security posture, but it is also another opportunity to highlight companies’ security strengths.
“If you’re a CISO at an organization that is doing some really cool things from a security perspective, you can talk about that in your SOC 2 report and really highlight those differences as a competitive advantage to your customers,” Yawn says.
With ByteChek, Yawn and Cook are hoping to smooth out the process of conducting a SOC 2 audit. The ByteChek platform aims to help both parties in a SOC 2 audit — the company and the auditor — cut down on waste and speed up the timeline of the audit. Yawn and Cook drew on their own experience with SOC 2 to identify opportunities to improve the process using the platform.
For example, Section 3 of a SOC 2 audit is a 20-page document prepared by the company. Yawn estimates that roughly half of the SOC 2 audits he performed in his pre-ByteChek career were delayed because of Section 3, which can cause “a lot of heartburn” for companies daunted by the prospect of writing 20 pages in audit-specific language. ByteChek’s platform helps generate that document in a matter of minutes, cutting out weeks of drafting, editing and back-and-forth emails.
“It’s really all designed to do what our tagline says: ‘Make Compliance Suck Less,’” Yawn says.
More to Explore
Check out these Fuel blog posts for further reading: