This is a repost of something I wrote on [LinkedIn] a few weeks ago, but now that I’ve put together a blog, it can live here.

Assurance is not a technical problem. Let me repeat, assurance is not a technical problem. It is a human problem. Full stop.

It’s a mistake to think that you can automate assurance away or have an easy path to a SOC 2/ISO/PCI audit by buying Vanta (or Drata or Secureframe or insert tool here), filling in the boxes on the template policies and calling it good. It doesn’t matter how good your security stack, your practices, your training program, or all of the above are if you can’t get past the human element.

What do I mean by this? Let’s use SOC 2 Type II as an example. Your practices are going to be audited for consistency over a period of time, not for how shiny your tooling is, how great your security stack is, or how many alerts your Panther configuration throws up on a screen. It’s less about what you use and more about what you do over time to assure your auditor that you’re following best practices.

This is why a Type II audit is much harder than a Type I. It’s easy to go around to your team and say “Okay y’all, today we have to do everything by the books because the auditors are coming in.” It’s much harder to maintain those practices over three to six months, much less a full year. It’s about consistently good practices over time, rather than great practices that can’t be sustained at your business’s maturity level.

The same thing goes for writing your policy stack. It’s great to have all the shiny new buzzwords and keywords in place with your policies and say you perform all the latest industry trends for security. However, if those practices slow your business down and people bypass them in order to get their jobs done, you’ve effectively made your security worse, and you’ve set yourself up to have a bad time when your auditors come around. The same applies if you just fill in the blanks on the template policies and proceed to ignore them until the alert comes around to acknowledge them in your security tool of choice again.

Build your policies and practices for people, make them things that you can sustain and then do them consistently. Auditors like consistency, and so do humans. Do good things consistently, don’t worry about dazzling your auditors with technology or the best, most perfect policy stack to cover every possible situation ever.

At the end of the day, customers and auditors just want to be assured that you follow good security practices consistently. That’s it. It’s not a mystery, it’s not a black box, it’s about doing the right thing consistently, day in and day out, and having your policies be consistent with your practices. There is very little your auditor will ask of you that shouldn’t already be implemented to maintain good security hygiene.