Definitely paying too much @ $40K/$30K. Audit firms will cut their costs - don't take their first offer, it's a negotiation. Renegotiated down every year... they will want to reduce churn. Also, there are open source versions of Vanta and similar, but those aren't really necessary - helpful - but not necessary. Same for pentests - I have had this conversation many times with SOC2 auditors, asking them to show me where it says you must have a pentest - many SOC2s later, never had to have one. That said, customer contracts may require it, and some even specify the firms or onerous requirements for the chosen firms. We often argue Red Teaming exercises are better and win with that. I'll post a list of cost-saving ideas if anyone is interested. As for ROI - SOC2 is really only a sales enablement tool, nothing more. So it's really how many enterprise deals you will lose without SOC2 vs. how many you will win, and at what revenue. You can also negotiate transparently with your customer - most will say they want SOC2, but then if you add in extra cost to cover it, they back off. Until you have a 100K+ recurring (3-year ideally) deal ready to walk away, push back hard and be transparent with them on the added costs for paperwork. Offer to have a call with their security team and walk through your real security processes instead. Most customers are reasonable once you get past the outsourced procurement team. Helps to have a business sponsor who can cut through the red tape.
masonhensley|5 years ago
> open source versions of Vanta
... not aware of anything in this field. This has been on my "one day if I have time" list to build.
rficcaglia|5 years ago