How Iteratively Got Their SOC 2 Fast with Drata

The Challenge

Some of our team has worked on SOC 2 compliance projects before, and know from experience just how much of a headache it can be in terms of time and resources. As a small, fully-remote team, we need to be efficient while still prioritizing critical aspects of our business like security and compliance. The archaic and time-consuming way these audits have traditionally been carried out consist of: numerous back and forth auditor requests, hundreds of screenshots, stale spreadsheets, and countless mistakes. The whole SOC 2 compliance process seemed like it was ripe for automation with a product like Drata.

The Solution

We needed a tool that would not only automate the security control monitoring and evidence collection, but one that would also guide us through the SOC 2 preparation and maintenance process.

We also decided early on that it would be best to select a product that had strong partnerships with reputable audit firms to ensure the support was there at every stage when we needed it. This felt like the best way to maximize value while decreasing effort. Drata’s platform delivered on all the above in a seamless manner.

Why Drata?

Drata’s vision for what security monitoring and SOC 2 compliance should look like matches that of our own – and they’re improving on the process in real-time, not just streamlining it. Drata’s continuous monitoring and automated evidence collection (not just screenshots) of our controls is fantastic and gives us peace of mind that we’re secure and continuously compliant every day of the year. It also gives us the assurance that we’ll be notified and able to efficiently remediate gaps and issues that arise as we grow.

Drata’s team is friendly, knowledgeable, and willing to take the time to explain the hard-to-grok parts of the SOC 2 process. Combine that with their strong alliance with a leading CPA firm like Schneider Downs, the decision to go with Drata was a no-brainer for us.

The Audit Preparation

We had talked to many auditors prior to finding Drata and there was a prep phase that you could optionally pay an auditor for and then the audit phase where they come in and review everything. I was kind of feeling like, “I have no idea what to do and how to prepare.”

Connecting our systems to Drata gave us an immediate view of where we had gaps and what needed to be addressed prior to engaging in an audit. I could see which control tests were failing, make the recommended adjustments, and rerun the tests to ensure we implemented them correctly.

Drata basically turned this complicated process of reading through a bunch of PDFs, word documents, and excel spreadsheets into an automated roadmap with concise step by step guidance. Without an initial deep understanding of the necessary security controls to have in place across the organization, Drata not only helped us get audit-ready quickly, it made us more knowledgeable as a result of using it! In “learning to fish,” we are that much more appreciative of the value Drata provides with its continuous, automated testing and evidence collection. To think we’d have to otherwise collect this evidence manually and never know exactly where we stood in terms of audit-readiness, Drata’s value only became more evident.

How Did Drata Affect the Experience?

Drata was like starting at the 50 yard line instead of our own goal line. We are able to build on top of what we already have, rather than having to map what we already have into some spreadsheet and then figure out what we need to change.

It was a learning experience as well as a doing experience and it made the learning process faster as we didn’t have to consider what format we needed things in and could just rely on Drata to automatically process the necessary data. We’ve received many compliments from people we’ve sent our policies to as well, which speaks to the quality of the templates and tooling within Drata.

How Different Would it Have Been Without Drata?

I think if we had to do it all by hand, I would have had a much harder time collecting and matching evidence of our controls with the SOC 2 criteria. Without Drata, it would have been as if we were creating a map while trying to use it to navigate to an unknown destination. With Drata, we had the map, the destination, and the automated GPS.

What Advice Would You Give to Others Preparing For Their Audit?

We had a very tight timeline and with no SOC 2 consultants, we weren’t sure what to expect. But with Drata’s guidance, we hit our aggressive target. Every consultant and auditor we spoke to warned us that our SOC 2 timeline was tight, but we were able to do it with Drata and Schneider Downs.

Having someone senior enough to support the SOC 2 initiative is important so everyone on the team sees that leadership values the process. With short, but consistent chunks of time, it’s amazing how quickly you can get audit-ready when you’re automating SOC 2.

Because Drata continuously tests controls, it becomes part of our normal day to day culture. We now have a Security Steering Committee. We meet regularly and it provides a place where people can talk about security, continuous improvement and continuity planning.

What Was the Biggest Surprise?

I was surprised, as were our auditors, at just how smooth the preparation and audit itself went. We had 98% of the requests upfront and ready for our auditors before they asked for it. The auditors said they were so accustomed to having to go back and forth with multiple requests, scheduling meetings, and piece-mealing bits of evidence here and there. It made the entire audit process a breeze.

Drata had already collected the evidence automatically, and our auditors were able to pull it right out of the system. I’ve been asked by so many companies about SOC 2 and what to do and how to be successful and I just tell them to get Drata. The Drata Customer Success and Support teams are great. They answer all of your questions and help you through the whole process. The tool is a better version of an audit as it encourages you to keep compliance requirements up to date rather than scrambling to repair things when an audit is on the horizon. This is a continuous integration audit, which makes it that much more valuable.

If people are serious about the items being audited, Drata makes your audit worthwhile from a business perspective rather than just a box you check to please your customers. Drata actually helps you learn about security and compliance while improving your security posture. If the UI doesn’t answer your questions for you, the support team does – and quickly!

What’s Next for Iteratively?

Security has always been important to Iteratively and our customers. Drata will help track where we can continue to do better, and ensure that we are made aware of any issues straight away (before they become a problem), rather than 12 months later at the next audit.