The COVID pandemic and The Great Resignation have led to extensive upheaval in workforces and workplaces. Some workers are returning to revised workplaces and schedules. Some are working from home and may do so indefinitely. And some are not returning to work at all. How best to achieve and maintain continuous SOC 2 compliance in the face of these seismic shifts?
The state of hybrid workstyles now
Recent research makes it clear: hybrid workstyles are here to stay.
Social media marketing company Buffer conducted its fifth annual State of Remote Work survey in late 2021. Based on responses from more than 2,000 remote workers in 16 countries, the most recent survey found remote work growing in popularity among workers and even gaining support among business leaders.
97% of respondents would like to work remotely at least some of the time for the rest of their careers.
90% of respondents would describe their remote work experiences as “very positive” (61%) or “somewhat positive” (29%).
62% of respondents are more excited about their jobs since they became remote workers.
72% of respondents said their company is planning on allowing at least some amount of remote work permanently, up from 46% in the previous year's survey.
Beyond employee preferences, companies are embracing hybrid workstyles because they can help improve productivity. A Stanford University survey of some 16,000 workers found that companies supporting work from home enjoyed an average 13 percent increase in productivity over previous years, as measured by profits.
On the downside, the push for hybrid workstyles has also contributed to the Great Resignation, as have layoffs and closures spurred by the COVID pandemic. The U.S. Department of Labor found that more than 11.5 million American workers quit their jobs during the second quarter of 2021. More than 4.5 million additional workers left their jobs in March 2022.
All these changes can make privacy protection an even more daunting challenge for many companies. Fortunately, compliance with the operational framework known as SOC 2 can help address the challenges that accompany the growth of hybrid workstyles.
SOC 2, privacy, cybersecurity, and continuous compliance
SOC 2 refers to the specific measures you take to achieve and sustain compliance as “controls.” Compliance auditors use the controls they recommend for your business and the evidence you supply to determine if the policies that run your business are clearly defined and consistently enforced. Your auditor’s assessment of your controls and evidence also determines if you are compliant with SOC 2, or where you are not.
The SOC 2 framework is built upon five “Trust Services Criteria” — Security, Availability, Confidentiality, Processing Integrity, and Privacy. These Criteria include multiple specific controls focused on protection of individual privacy and proprietary corporate information. For example, there are specific controls that govern how personally identifiable information (PII) is identified, collected, corrected, retained, and removed. There are also multiple SOC 2 controls that address cybersecurity concerns, such as user access control, role-based access, physical access restrictions, and secure device disposal.
Like cybersecurity and privacy, SOC 2 compliance is not a “one and done” affair. Your goals are to maintain effective stewardship of privacy and security and avoid the expense and difficulty of preparing anew for each annual SOC 2 audit. This means you need to achieve and sustain continuous SOC 2 compliance.
Continuous compliance relies on effective, compliant policies and their consistent execution and enforcement. These goals, in turn, rely on continuing support from multiple roles across an organization. However, the people currently in those critical supporting roles could become remote or hybrid workers, leave voluntarily, or be terminated at any time. Such disruption could place your SOC 2 compliance at risk. You and your colleagues need to take steps to ensure continuous compliance, even in the face of sudden, unpredictable change.
Continuous compliance: How to achieve it
To pass a single audit, you need little more than a willing auditor and a high threshold for pain. You’ll need the latter trait because each audit can require months of disruptive preparation, and you’ll be expected to pass at least one every year.
To achieve continuous compliance may require a bit more up-front effort, but will result in reduced preparation, disruption, and costs for future audits. It will also help strengthen your cybersecurity and privacy protection efforts, and improve overall business operations, even in the face of roiling changes in your workforce and their workplaces.
To achieve and sustain continuous SOC 2 compliance, your business needs three things.
A solid relationship with a solid auditor. You should look to your auditor to do more than to check items off a list and generate a boilerplate report. The right auditor can help you get your first audit right, and help you create the foundations for continuous compliance. A good auditor can and should be a strategic advisor to your business, about SOC 2 compliance and other important areas.
A modern compliance automation solution. A compliance automation solution with the right features can help you to achieve and sustain continuous compliance, and to demonstrate it credibly annually and on demand. Such a solution can also help mitigate difficulties created by personnel changes, by capturing, retaining, and reusing relevant knowledge and experience among your stakeholders, from executives to technicians. The ability to collect, store, and even learn from this knowledge base can help improve both your compliance management and other key operational areas, within and beyond cybersecurity and privacy protection.
A commitment to “compliance as culture.” Success with continuous compliance requires more than reactive remediation and protection attempts. It requires a combination of the right policies, procedures, processes, solutions, and working relationships, across and beyond your organization. Making these integral parts of your company’s culture starts with executive leadership and, like cybersecurity and privacy protection efforts, must include everyone in the organization. And as with those efforts, you must combine effective policies and technologies with continuing education and promotion of the business value of compliance to sustain it, operationally and culturally.
Your workforce and how and where they work are all likely to continue to evolve indefinitely. By focusing on sustained, continuous SOC 2 compliance, you can insulate your business from disruptions caused by this evolution, and improve your cybersecurity, your privacy protections, and how your business does business.