Not many people will resign from a Fortune-5 company. I did.
Why?
Because I discovered a risk that every large company, in every business sector, is
exposed to, and all of their customers: you and me.
You see, every large company in every business sector utilizes colocation companies,
providers of data center space, whether for their enterprise IT operations or, if they own their
data centers, for IT “pipelines” to get from their data centers out to the world.
This introduces the first obvious risk, the loss of agency by the IT client when they go to
colocation facilities. In other words, you lose some level of control of your future, when
you put it squarely in the hands of other people. So the IT organizations of these
companies demand some sort of guarantee from the colocation provider that they have
proper cybersecurity and maintenance operations for power and cooling systems. Such
guarantees are usually proffered via a SOC-2 certificate, which assures the IT client
renting the space that the vendor of the space is properly protecting its interests.
The SOC-2 is THE STANDARD in the IT industry, to assure things are being done
properly.
But there’s a problem: SOC-2 certificates are utterly worthless. They’re a complete
fraud.
A colleague humorously observed that it has no more legitimacy than a Good
Housekeeping Seal of Approval.
WHY, you might ask, would I state that the SOC-2 is a complete fraud?
QUALIFICATIONS
Did you know that the only qualification required to be a SOC-2 auditor is that you have
to be a CPA, a certified public accountant?
Now I ask you, how many CPAs do you know, that are experts on cybersecurity? Oh,
there are a few who’ve taken classes and gotten certifications, but that doesn’t make
them experts.
Going further, how many CPAs do YOU know that are experts on mission-critical
facilities? This is an area requiring decades of experience to audit, much less properly
manage and understand.
It’s the same as an accountant coming up as you board an airplane, and saying “don’t
worry, I audited the maintenance practices of the airline, THIS airplane is safe!” Would
that make you feel warm and fuzzy, or would you suddenly ask what does a CPA know
about avionics, or jet engines, or flight controls?
It really is that absurd.
“HE WHO PAYS THE PIPER CALLS THE TUNE”
The SOC-2 process suffers from a fundamental conflict; the certificates are paid for by
the colocation companies. In other words, the auditor is being paid by the company
they’re auditing.
The colocation companies are buying a product; if they don’t get the product they want,
they’ll hire different auditors to get the results they desire.
AUDIT METHODOLOGY AND BLANKET COVERAGE
SOC-2 audits are performed by taking a sampling of the records of the colocation
company, with a few sample records from individual sites thrown in to check whether the
controls are being followed. Restated, the SOC-2 audits do not look at individual sites,
but cover the entire colo company, whether they have 2 data centers or 20: it’s a blanket
certification.
The problem with this is that I have seen multiple examples where two sites were within
a few miles of each other, both owned by the same company, where one site was being
managed well, and the other site very poorly. The team managing the site was usually
the deciding factor.
BAD ACTORS
Believe it or not, there are “bad actor” SOC-2 auditors. I have seen “clean” SOC-2
certifications for locations where literally half the records for the audit period had been
irretrievably lost, making any legitimate audit impossible. The only logical conclusion
was that the SOC-2 audit was fraudulent, because they simply didn’t have the
documentation to complete a legitimate audit. Worse, the compliance management for
the company was absolutely involved in the fraud and signed off on the certification.
GAMING THE SYSTEM
This leads into the fifth problem, that colocation providers actively hide defects in such a
way that the auditors, CPAs who know nothing about the audited systems, won’t see
them, and give the colocation company a clean bill of health. In other words, the
colocation companies know how to game the system, so that they always look good, no
matter what.
TIMING ISSUES
The sixth, and final problem, is the SOC-2 audits are supposed to be performed on an
annual basis. The problem with this is that if a SOC-2 audit is finished in mid-January
(typical), and a major risk item comes up in February, the client is unaware of the risk for
a year, assuming the auditors find it on the next cycle, which they rarely do, due to their
lack of technical knowledge. Worse, many colocation companies defer their audits for
an extended period, up to a year, so your company may be at risk for up to two full
years before you even become aware of the problem!
The Amerruss facilities resilience program, in comparison, incorporates an initial audit
program with typically a year’s worth of maintenance records to set a baseline, followed
by periodic reviews of the previous quarter. The result is that any risks are quickly
detected, allowing clients to understand current risks, as well as formulate corrective
action plans or make other command decisions as circumstances require.
Visit www.amerruss.com, to learn more about how we protect your IT portfolio.