If you're running a company and not thinking about becoming compliant with SOC2, PCI, or ISO (or any other security standard), you need to wake up now and start making changes. And this is not only for software development companies: every SMB should get on top of this now.
Some time ago, this type of certification was typically something that only "big" companies (enterprises) were required to do, usually because of government requirements or other regulations in their industries.
This type of company usually has the structure, budget, and team available to attempt the implementation. They were usually able to get the parts regarding HR or physical security done: painful, but doable. But most of these certifications have a big problem: 3rd party vendors...
If you have been providing services or products to the enterprise world, you might have been involved in the vetting (procurement) process and the infinite security questionnaires you need to answer to be approved as a vendor. This quickly became impossible for them to maintain. They had to hire a lot of people just to keep the process going, and most of this vendor vetting process is not really that good.
They usually have many people trying to "check the boxes," making sure they get the proper answers from vendors, but that doesn't mean the vendor is actually going to follow those standards or even apply them.
Because of this lack of trust, and the increasing cost of maintaining this, there has been a clear trend among enterprises over the last few years. The solution was easy... for them... let's force all 3rd party vendors to be compliant with some industry standard. SOC2 is super popular now in the US, PCI for credit cards, HIPAA for medical information, and ISO is also used a lot in the rest of the world.
So, in theory, if they force every vendor to be compliant, they can remove most of the cost associated with vetting vendors, they can make sure those vendors take cybersecurity seriously, and, if anything happens, they were all working with approved and secure vendors following the best industry standards, which reduces the PR pressure when a cyberattack happens.
So, for small business owners, this has already been creating huge challenges, because these enterprise companies require their vendors to be compliant. If you're working directly with them, then you need to become compliant. If you don't work for them, you might be a 3rd party vendor of another company that works for them, so you need to become compliant too, and the long tail continues. And this creates a new de facto standard across the whole industry.
There's no way out of this. This is already happening and is going to become the norm over the next few years. So if you want to be able to stay competitive, it's time to start working on this.
All these compliance models share a ton of things; basically, you follow some standards and validate your processes. You're trying to reduce the risks of running a company. They cover everything from your HR processes, the training you provide to your team, the implementation of physical and server security, etc.
It is not impossible to achieve this, but it does take a lot of effort, even more so for small businesses where you don't have a team of 5 people that you can dedicate to this project, and everyone is already doing more than they can handle.
Changing processes and adding more controls will always be hard. Some people might sell you the idea that you can become compliant in a few months. That's a lie. Well, maybe some people can do it, but I've never met anyone who could.
As a basic timeframe, you're looking at at least 9-12 months to get all of your processes in place. This will depend a lot on how much "debt" you had and how well organized you were. In the case of SOC2, you'll need at least 6 months of running the company with the new processes before doing your first audit (only the first time; after that you'll probably renew on a 12-month basis). Plus, the audit itself. If everything goes smoothly, you're looking at an 18-24 month timeline, or even more if you can't at least dedicate some people to this.
So... no, you can't wait, and you can't tell yourself that no one is asking for this now, because they will in the future. And if you've gotten to the point where someone is asking for this for a contract, you're probably too late. You can still ask for some time, and some companies will give you an extension until you get your certification, but most probably, you'll start losing all those contracts.
This, I think, is the new reality for small business owners. With the increase in cybersecurity awareness, privacy issues, and data retention policies, everything seems to be going this way, so jump on the train and start working on it.
This is the reason why we created MyLenio, a platform that will help you organize your small business and reduce the friction of implementing this in your company without breaking everything. Feel free to start your free trial here