IT Department Achieves SOC 2 Compliance After CEO Asks Them To "Lean In" For Sixteenth Consecutive Quarter

Filed by Cybersecurity Smith

CHARLOTTE — The information technology department at a mid-sized SaaS company successfully achieved SOC 2 Type II certification on Friday, sources confirmed, following an eight-month engagement during which the four-person team was asked to "find efficiencies," "do more with less," and ultimately "just get it across the finish line, team."

The certification was obtained despite the department's repeated written warnings that current staffing was insufficient to both maintain production systems and complete the 147 controls required for attestation. A capacity analysis submitted by senior sysadmin Dave Karlsen in March, which projected that meeting the audit timeline would require either two additional headcount or a 60-hour workweek for existing staff through Q3, was returned by the CFO's office with the handwritten note "Push through."

"We pushed through," Karlsen confirmed.

In an all-hands meeting held Monday, CEO Marcus Brennan thanked the IT team for their "incredible commitment" and acknowledged that "the past few months have been a sprint." Brennan noted that work-life balance was "a priority for the company" and that the team should feel free to "take a long weekend at some point this fall, schedules permitting."

"This is the kind of culture we're building," Brennan said, in a meeting attended remotely by three IT staff members, two of whom were simultaneously remediating a control finding from the auditors. "When the moment calls for it, we lean in. We do what it takes. We don't watch the clock."

Brennan, who took a previously scheduled two-week vacation in July, did not specify when the moment would conclude.

CISO Brad Thornwell-Pierce, CISSP, CISM, CRISC, CISA, who oversaw the engagement from what he described as "a strategic altitude," presented the certification to the board on Tuesday in a session titled "How We Built A Culture Of Compliance." The deck included a slide titled "The Team That Made It Happen," featuring a photograph of Thornwell-Pierce.

"Compliance is a journey," Thornwell-Pierce told the board. "And this team — my team — has shown what's possible when you align around a vision."

Asked for comment, Karlsen forwarded a screenshot of his pending PTO request, submitted in February, with the status field reading "Awaiting Manager Review." His manager is Thornwell-Pierce.

At press time, the CFO had circulated a memo announcing that, building on the success of the SOC 2 engagement, the company would now be pursuing ISO 27001 certification, with a target completion date of Q1. The memo concluded with the phrase "no additional resources anticipated at this time" and a smiley face.


EDITOR'S NOTE — Cybersecurity Smith reached out to Karlsen for additional comment. He responded with the following, in its entirety:

"Tell them I said it's fine.

Tell them everything is fine.

Tell them I'll see my family in November."
