There’s no Mission Critical Software without Secure Software
Why every organization should care about SOC 2, Type II Certification
Far too often, secure software is a secondary consideration for both software providers and their customers.
The effort, time, and cost spent in building secure software can present delays in the development process as teams seek to balance functionality with fortifying critical data against internal and external threats.
When it comes to purchasing mission critical software – which an OKR platform most definitely is since it holds a company’s most sensitive strategic, tactical, and operational information – a failure to take the highest security considerations into account is foolish at best, suicidal at worst.
It is the kind of decision that leads to procurement officers and fast-acting executives getting dismissed quickly.
Do we really need to talk about cybersecurity?
There should be no surprise that cybersecurity has emerged as a primary concern for the rest of 2020. Why wouldn’t it be?
By now, the legions of hacks, ransomware, and data thefts is well-known and all too commonplace.
For any organization sincerely committed to protecting their most valuable asset – their corporate data – it is a non-negotiable requirement that any SaaS vendor have achieved the selective and rigorous SOC 2, Type II Certification.
The highest level of security
To be enterprise-grade means to be secure and SOC 2, Type II Certification is the industry’s highest and most important security classification for software platforms.
There are many different levels of classification, but the variances are not trivial. In fact, they are quite significant.
Any SOC 2 report certifies that the software has undergone a rigorous third-party audit process to ensure that it can withstand significant digital threats in the following trust services criteria: security, availability, processing integrity, confidentiality, and/or privacy.
The key difference, though, is how often these audits occur.
- SOC 2, Type I indicates that an audit was conducted on the software and confirmed at one specific point in time.
- SOC 2, Type II indicates that an audit is conducted continuously over a certain period and confirmed multiple times throughout the testing timeframe (minimum 6 months).
We all know the rapid pace of technological innovation comes a constant threat of evolving digital security threats. This is why SOC 2 Type II Certification is much more meaningful. It represents that security standards are being kept up to date in pace with threats as they arise.
If you think that security threats do not change or evolve, then SOC 2, Type I is all you need. If you think that the security environment is dynamic and rapidly evolving, then Type II is a must.
Don’t get confused between compliance and certification
It is no secret that security is an important decision criterion for every organization, as it should be. That is why so many software providers take security seriously, as do many in the OKR category. Those efforts should be applauded.
However, some efforts are more valuable than others, even if they take time and money. The commitment to keeping client data secure is not something where corners should be cut.
Many software providers will state they are “SOC 2 Compliant.” Do not be lulled into a false sense of complacency “compliance” and “certification” are not the same. There is a critical distinction.
Any software provider may declare themselves “compliant” if they are hosting their software on compliant backbones, such as public cloud service providers like AWS or Microsoft Azure.
Yet, this would be like each of us saying our personal email is secure because we use Gmail or Office 365. As we all know, things like weak passwords and 2-factor authentication make a big difference.
The same is true, if not even more so, in the world of enterprise software.
A SOC 2 “compliant” vendor has not undergone a rigorous, third-party audit of its security practices and processes. A SOC 2 “certified” vendor has.
It’s the difference between someone saying, “my house is safe” and the Secret Service saying “this house is safe.”
Which would you rather have?
Committed to security from Day 1
Gtmhub received the SOC 2, Type I Certification in February.
In September, 2020, we received SOC 2, Type II Certification, completing both one time and continued security audits through with Marcum LLP, one of the largest public accounting and advisory services in the US. Copies of the report are available from Gtmhub representatives.
In addition to the Cyber Essentials certification from UK’s National Cyber Security Centre, the SOC 2, Type II Certification is further validation of our ongoing and relentless efforts to provide the industry’s highest level of assurance to our customers while not compromising on the adaptability of the Gtmhub platform.
While it is true that we are unique within the OKR industry in that we take extra caution when designing data safeguards, conducting regular network and application scans, and are steadfastly committed to ever-evolving security and privacy best practices, Gtmhub does not have to make compromises in terms of core software functionality. This is because Gtmhub’s multi-layer, distributed architecture which eliminates the tradeoff between high levels of security, usability, and flexibility, that may be found elsewhere.
The unwavering commitment to security and adaptability is why more than 800 organizations and nearly 100,000 customers in more than 75 countries, including CNN, Red Hat, Adobe, Societe Generale, TomTom, and the world’s most recognizable sports brand, all trust Gtmhub as the most adaptable enterprise-grade OKR software to help them achieve their mission.
Security may not be sexy, but we’re not here to be sexy. We’re here to help our clients deliver outcomes. However, without the highest level of security, our clients cannot have the peace of mind they need to achieve their objectives.
This is why we made-and continue to make-the investment in SOC 2, Type II Certification. And why we will never deviate from a mindset of fanatical security.