
SOC 2, the certification of quality that isn’t

Not many people will resign from a Fortune-5 company. I did.

Why?


Because I discovered a risk that every large company, in every business sector, is exposed to... and all of their customers, you and me.


You see, every large company in every business sector uses colocation companies, providers of data center space, whether for their enterprise IT operations or, if they own their data centers, for the IT "pipelines" that get from their data centers out to the world.


This introduces the first obvious risk: the loss of agency by the IT client when it moves into colocation facilities. In other words, you lose some level of control of your future when you put it squarely in the hands of other people. So the IT organizations of these companies demand some sort of guarantee from the colocation provider that it has proper cybersecurity and proper maintenance operations for power and cooling systems. Such guarantees are usually proffered via a SOC 2 "certificate", which assures the IT client renting the space that the vendor of the space is properly protecting its interests. (Strictly speaking, a SOC 2 is an attestation report issued by a CPA firm under the AICPA's Trust Services Criteria, not a certification; the distinction matters, because the report is an opinion on the specific controls the provider chose to describe, over a specific period, and nothing more.)


The SOC 2 is THE STANDARD in the IT industry to assure that things are being done properly.


But there's a problem: SOC 2 certificates are utterly worthless. They're a complete fraud.


A colleague humorously observed that it has no more legitimacy than a Good Housekeeping Seal of Approval.



WHY, you might ask, would I state that the SOC 2 is a complete fraud?


QUALIFICATIONS


Did you know that the only qualification required to issue a SOC 2 report is that the signing firm be a licensed CPA firm, a firm of certified public accountants? The AICPA attestation standard the report is issued under requires no specific cybersecurity or mission-critical-facilities credential of the people who actually do the fieldwork.


Now I ask you, how many CPAs do you know who are experts on cybersecurity? Oh, there are a few who've taken classes and gotten certifications, but that doesn't make them experts.


Going further, how many CPAs do YOU know who are experts on mission-critical facilities? This is an area requiring decades of experience to audit, much less to properly manage and understand.


It's the same as an accountant coming up to you as you board an airplane and saying, "Don't worry, I audited the maintenance practices of the airline, THIS airplane is safe!" Would that make you feel warm and fuzzy, or would you suddenly ask what a CPA knows about avionics, or jet engines, or flight controls?


It really is that absurd.


“HE WHO PAYS THE PIPER CALLS THE TUNE”


The SOC 2 process suffers from a fundamental conflict: the reports are paid for by the colocation companies. In other words, the auditor is being paid by the company it is auditing.


The colocation companies are buying a product; if they don't get the product they want, they'll hire different auditors to get the results they desire.


AUDIT METHODOLOGY AND BLANKET COVERAGE


SOC 2 audits are performed by sampling the records of the colocation company over the review period, with a few sample records from individual sites thrown in to check whether the controls are being followed. Restated, a SOC 2 report does not opine on individual sites: its scope is the "system" the provider itself describes in the report, which routinely covers the entire colo company, whether it has 2 data centers or 20. It is a blanket attestation. Anyone relying on one should at least read the system description to see which facilities are actually in scope, and the tests-of-controls section for any exceptions the auditor noted, because the opinion letter on its own says nothing site-specific.


The problem with this is that I have seen multiple examples where two sites were within a few miles of each other, both owned by the same company, where one site was being managed well and the other site very poorly. The team managing the site was usually the deciding factor.


BAD ACTORS


Believe it or not, there are "bad actor" SOC 2 auditors. I have seen "clean" SOC 2 certifications for locations where literally half the records for the audit period had been irretrievably lost, making any legitimate audit impossible. The only logical conclusion was that the SOC 2 audit was fraudulent, because they simply didn't have the documentation to complete a legitimate audit. Worse, the compliance management for the company was absolutely involved in the fraud and signed off on the certification.


GAMING THE SYSTEM


This leads into the fifth problem: colocation providers actively hide defects in such a way that the auditors, CPAs who know nothing about the audited systems, won't see them, and give the colocation company a clean bill of health. In other words, the colocation companies know how to game the system so that they always look good, no matter what.


TIMING ISSUES


The sixth, and final, problem is that SOC 2 audits are supposed to be performed on an annual basis. A SOC 2 Type II report covers a review period, typically six to twelve months, and is issued weeks or months after that period ends. If a SOC 2 audit is finished in mid-January (typical) and a major risk item comes up in February, the client is unaware of the risk for a year, assuming the auditors find it on the next cycle, which they rarely do, due to their lack of technical knowledge. The gap between the end of one review period and the next report is commonly papered over with a "bridge letter", which is management's own assertion that nothing material has changed; the auditor tests none of it. Worse, many colocation companies defer their audits for an extended period, up to a year, so your company may be at risk for up to two full years before you even become aware of the problem! When reading a report, check the period end date, not the date on the cover letter.


The Amerruss facilities resilience program, in comparison, incorporates an initial audit program with typically a year's worth of maintenance records to set a baseline, followed by periodic reviews of the previous quarter. The result is that any risks are quickly detected, allowing clients to understand current risks as well as to formulate corrective action plans or make other command decisions as circumstances require.


Visit www.amerruss.com, to learn more about how we protect your IT portfolio.

