We might just be bad at sales, but probably half of our calls we spend the time trying to convince people not to get a SOC 2 report.

The truth of the matter is that SOC 2 is going to cost you a lot of money, tens of thousands of dollars, and will take a lot of time both implementing a security program but also waiting for the type 2 audit to be complete (usually we see startups finish in 4-6 months).

For early stage startups, the time is often even more expensive than the money.

And they go through all of this in the hopes that obtaining a SOC 2 attestation is going to enable large enterprise deals.

While a SOC 2 attestation CAN be a bottleneck to passing security reviews, by itself it is not a “golden ticket” that will enable all of your enterprise deals. Here’s our framework that we think through when trying to decide “does this startup need a SOC 2 attestation, or not.”

First - is there clear user demand for a SOC 2 report?

One thing we hear fairly often is that “i’m going to be selling into enterprise, so I’ll probably need a SOC 2 report” but no one has actually vetted whether or not this is true. Just because you’re selling into large organizations doesn’t mean you are always going to NEED a SOC 2 attestation!

Different industries are going to have different compliance requirements, and it’s going to change a lot depending on what kind of product that you’re selling.

You don’t want to just invest all of this time and money into getting a SOC 2 report without having done your due diligence up front that this thing is truly going to be required.

One of our most common recommendations is to first go talk to your potential customers and ask them if they are going to require a SOC 2. Get them to share the actual security questionnaire that they give their vendors. Make sure that SOC 2 isn’t just on it, but that it’s going to be a hard requirement for unblocking the deal.

You’d be surprised how far you can get without actually needing a SOC 2, for a lot of enterprise companies it’s actually a “nice to have”, especially if you have a product that a key decision maker really really wants.

Second - did you build a product that anybody wants?

SOC 2 attestations should come after building a product with at least a basic level of product market fit. You don’t want to have a 4-6 month roadblock keeping you from putting your product into users hands to determine if you have actually built something anyone really cares about and is going to be willing to pay for.

Start by giving your product to the segment of your market who doesn’t need a SOC 2 report.

Find design partners, get just a handful of people playing with your thing, do whatever you can to find user demand that you are building the right thing.

The #1 reason that people fail to obtain a SOC 2 report is that they decided to pivot away from their current product direction or the ICPs they thought they were going to serve.

Building a startup is hard enough. Building a product that someone wants is hard enough. Honestly if you get just that bit right almost nothing else matters, even SOC 2 attestations. For this reason we always want to make sure that you are very confident in your product direction before you start thinking about dedicating valuable time & resources towards compliance.

Third - is it the right time to make this investment?

If you built a product that people want, and having the right security controls attested by a SOC 2 report is a blocker for unlocking business, the final thing to think through is wether or not it’s the right time to be making this investment into SOC 2.

There are a few factors that will go into this decision:

1. How much revenue will a SOC 2 report help unlock?

2. What else could you be doing instead?

3. When are you going to need to have a SOC 2 report?

4. Do you have the financial resources to dedicate to this?

When we talk to people about obtaining a SOC 2 report, the dollar value that it could potentially unlock for users is going to vary fairly drastically.

For some startups, a SOC 2 report is only going to unlock $1,000 per deal. For others, it is the blocker of a $1,000,000 contract (or more).

A good rule of thumb is that obtaining a SOC 2 report should unblock a minimum of $50,000 to $100,000+ of new business in the next 12 months. This will make sure you have a very healthy return on your investment into compliance, and that your time/money isn’t going to be better spent elsewhere.

Because it IS a trade off.

With the resources you’re going to dedicate to getting a SOC 2 report you could be spending them building more features, driving more demand to your product, or 100 other things. Startups are a game of prioritization & focus. You want to make sure that this is truly the best use of your time.

Does this NEED to be on your roadmap? Does it NEED to be on your roadmap right now?

Our standard recommendation is that it should be actively blocking deals that are currently in the pipeline. You should have companies coming to you with a security review actively asking for a SOC 2 report. Not pipeline that’s going to need this thing 12-18 months from now, but will need to see it within the next 6 months.

Finally - it might be high ROI, it might be time sensitive, you might have built a product users want, and be doing everything right … but you still need to have the financial resources to dedicate to obtaining a SOC 2 report.

Often we’ll see bootstrapping startups come to us in the $50k - $100k ARR range where a SOC 2 report would definitely help them unlock new business, but the financial & time commitment makes it a little hard.

You need to make sure that this is an investment you can make.

What we often recommend to these startups is that you should focus on the parts of your market that doesn’t need a SOC 2 report yet. Build good security controls into your organization yourself, throw up a landing page and talk about how you care about security, you’d be really surprised by how far you can get without needing the SOC 2 report.

Then once it’s time Oneleet will still be there for you to help take you through the process, polish any holes in your security program, run your penetration test, and help you obtain a SOC 2 attestation.

If you read all the way through this article I hope it was helpful to you! If you’re still not sure whether it’s time to get a SOC 2 report go schedule a call with us - our team is experts at this process, and we will NEVER suggest you get a SOC 2 attestation unless we deeply think you need it.

In full honesty we tell more people “you don’t need this right now” than we do otherwise. Our goal is to help you build the right security program & compliance posture for your stage, even if that means bootstrapping it for a little while longer.