The $8,000 SOC 2 Conundrum

Patrick Trierweiler, A-LIGN Senior Consultant
Author: Patrick Trierweiler, Senior FedRAMP Advisor, SecureIT
Published: May 10, 2024

I left my previous firm’s SOC practice in April 2023 to join the federal practice. Before that, I was working on larger contracts; my focus was mainly on established start-ups and enterprise clients. I spent my time outside those responsibilities helping other assessors and assisting with training and first-time project scoping.

Our audits were detailed and followed a standardized methodology, with controls covering not just the bare minimum needed for SOC but baseline security best practices, as well as crafting unique controls outside those baselines for unique implementations of things such as continuous vendor management platforms, risk-based multi-factor authentication tools, and secure serverless environments with better availability than that clock Jeff Bezos is building in a mountain. After talking with peers, voices in the wider community, and old mentors, I have discovered I was in somewhat of a bubble. The landscape was shifting around me, and through my recent interviews at other firms I found that these problems are widespread.

The key to these shifts, as I have been told many times, is the falling asking rate for an annual SOC 2. This is due to a plethora of factors: some economic, such as high interest rates and reactive forecasting causing mass layoffs; some technological, such as AI and the expanding collaboration between security tools and GRC firms.

At the end of the day, this has caused a dangerous contradiction. As the average competitive cost of a standard SOC 2 goes down, the skill level required to be a good assessor and perform a SOC 2 has increased and become more apparent as the 2017 Trust Services Criteria mature and their interpretations solidify. So the question is, “How do you keep quality up while keeping your prices down?” Firms are relying on outsourcing, technology solutions and control homogenization to speed up audits and reduce costs. When leveraged properly these methods can help reduce overhead, but is that enough to justify these prices? I am not sure.

Furthermore, I am curious to see how this will affect those performing SOC 2s. Will these lowering prices cause wages to plateau during these times of high inflation, making skilled assessors move from bigger firms to more boutique firms that keep a higher standard, or will they leave the discipline completely for PCI or federal audit in pursuit of a livable wage? Will there be a SOC audit brain drain? Will control testing automation and GRC tool implementation reach a level of complexity and accuracy such that a good enough SOC assessor will be more about understanding the software than the system?

We don’t know, nor can we predict, the answers to these questions. However, I will be watching to see if my personal predictions come true and looking at job postings to see if the requirements get shorter and shorter. All I know is that, during a time in cybersecurity where breaches and zero-days are becoming something you almost feel desensitized to, I would hope for increased quality and audit time for one of the world’s most popular assessments instead of the biggest concern being how to maximize the ROI.
