I left my previous firm’s SOC practice in April 2023 to join the federal practice. Before then, I was working on larger contracts; my focus was mainly on established start-ups and enterprise clients. I spent my time outside those responsibilities helping other assessors and assisting with training and first-time project scoping.
Our audits were detailed and followed standardized methodology with controls covering not just the bare-minimum needed for SOC, but baseline security best practices, as well as crafting unique controls outside those baselines for unique implementations of things such as continuous vendor management platforms, risk-based multi-factor authentication tools, and secure, serverless environments with better availability than that clock Jeff Bezos is building in a mountain. After talking with peers, voices in the community, and old mentors; I have discovered I was in somewhat of a bubble. The landscape was shifting around me and through my recent interviews at other firms, I discovered they were universal issues.
The linchpin of these shifts, I’ve been told repeatedly, is the falling asking rate for an annual SOC 2. This is due to a plethora of factors – some economic such as high interest rates and reactive forecasting causing mass layoffs – some technological such as AI and the expanding collaboration between security tools and GRC firms.
At the end of the day, it has caused a dangerous contradiction. As the average competitive cost of a standard SOC 2 is going down, the skill level required to be a good assessor and perform a SOC 2 has increased and become more apparent as the 2017 Trust Services Criteria mature and interpretations solidify. So, the question is, “How do you keep quality up while keeping your prices down?” Firms are relying on outsourcing, technology solutions and control homogenization to speed up audits and reduce costs. When leveraged properly these methods can help reduce overhead, but is it enough to justify these prices? I’m not sure.
Furthermore, I am curious to see how this will affect who is performing SOC 2s. Will these lowering prices cause wages to plateau during these times of high inflation, making skilled assessors move from bigger firms to more boutique firms that keep a higher standard, or will they leave the discipline completely for PCI or federal audit in pursuit of a livable wage? Will there be or is there an SOC audit brain drain? Will control testing automation and GRC tool implementation reach a level of complexity and accuracy such that a good enough SOC assessor will be more about understanding the software more than the system?
We don’t know nor can we predict the answers to these questions. However, I will be watching to see if my personal predictions come true and looking at job postings to see if the requirements get shorter and shorter. All I know is, during a time in cybersecurity where breaches and zero-days are becoming something you almost feel desensitized to, I would hope for increased quality and audit time for one of the world’s most popular assessments instead of the biggest concern being how to maximize the ROI.