I wrote this list, several years ago. I've since had the pleasure of taking a fast-growing startup (Fly.io) through SOC2. (This list was based on my experience consulting with a bunch of large-ish startups while they were SOC2'ing, and interviewing peers).
I would hold fast on #1 (Single Sign-On). Do SSO now. Make it one of the first security things you do. It's worth it on its own merits, and if you do it right, it makes things easier, not harder. My one-two punch for most startups would be Google SSO and Tailscale.
If you're hosting in AWS, you basically have to turn CloudTrail on, which was my #5. It's not slowing you down; you just need the data collecting. You can't deploy on AWS and not have an audit trail; that's bananas.
If I was writing that article over again, I'd strike #6 (MDM). It's fallen out of fashion to do endpoint security in SOC2; you should introduce endpoint security when you have the bandwidth to do it well.
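The CloudTrail point above is easy to state and easy to get subtly wrong: a trail can exist and still not be collecting (logging paused, single-region, delivery failing to the bucket). Below is an added example, not code from the thread or from Fly.io, that evaluates the shape of data the CloudTrail `DescribeTrails` and `GetTrailStatus` APIs return (the field names are the real ones; the sample trails and statuses are constructed for the example) and reports the gaps an auditor or incident responder would care about.

```python
"""Check that an AWS account has an audit trail that is actually collecting.

Added example for the discussion above; the sample data is constructed.
In a live account the two inputs would come from boto3:
    trails   = client.describe_trails()["trailList"]
    statuses = {t["TrailARN"]: client.get_trail_status(Name=t["TrailARN"])
                for t in trails}
"""

from dataclasses import dataclass


@dataclass
class Finding:
    trail: str
    issue: str


def assess_trails(trails, statuses):
    """Return a list of Findings describing audit-trail gaps.

    trails:   list of dicts shaped like DescribeTrails()["trailList"]
    statuses: dict mapping TrailARN -> dict shaped like GetTrailStatus()
    """
    if not trails:
        return [Finding("<none>", "no CloudTrail trail configured")]

    findings = []
    for t in trails:
        name = t.get("Name") or t.get("TrailARN", "?")
        status = statuses.get(t.get("TrailARN"), {})

        # The trail may be defined but paused: no events are being recorded.
        if not status.get("IsLogging", False):
            findings.append(Finding(name, "trail exists but IsLogging is false"))
        # A single-region trail misses API calls made in every other region.
        if not t.get("IsMultiRegionTrail", False):
            findings.append(Finding(name, "single-region trail; other regions are not recorded"))
        # Without digest files, modified or deleted log objects go unnoticed.
        if not t.get("LogFileValidationEnabled", False):
            findings.append(Finding(name, "log file validation disabled"))
        # The last delivery to S3 failed (for example, bucket policy denied it).
        if status.get("LatestDeliveryError"):
            findings.append(Finding(name, f"delivery error: {status['LatestDeliveryError']}"))
    return findings


def has_working_audit_trail(trails, statuses):
    """True if at least one trail is logging, multi-region, and validated."""
    for t in trails:
        status = statuses.get(t.get("TrailARN"), {})
        if (status.get("IsLogging") and t.get("IsMultiRegionTrail")
                and t.get("LogFileValidationEnabled")
                and not status.get("LatestDeliveryError")):
            return True
    return False


# Constructed sample: one healthy organization trail, one neglected legacy trail.
ORG_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"
LEGACY_ARN = "arn:aws:cloudtrail:us-west-2:123456789012:trail/legacy-trail"

SAMPLE_TRAILS = [
    {"Name": "org-trail", "TrailARN": ORG_ARN, "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True, "S3BucketName": "example-cloudtrail-logs"},
    {"Name": "legacy-trail", "TrailARN": LEGACY_ARN, "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False, "S3BucketName": "example-old-logs"},
]
SAMPLE_STATUSES = {
    ORG_ARN: {"IsLogging": True, "LatestDeliveryError": ""},
    LEGACY_ARN: {"IsLogging": False, "LatestDeliveryError": "AccessDenied"},
}

if __name__ == "__main__":
    for f in assess_trails(SAMPLE_TRAILS, SAMPLE_STATUSES):
        print(f"{f.trail}: {f.issue}")
    print("working audit trail:", has_working_audit_trail(SAMPLE_TRAILS, SAMPLE_STATUSES))
```

Run as-is it reports four findings, all against `legacy-trail`, and still answers "working audit trail: True" because `org-trail` covers the account; with only the legacy trail present the answer flips to False, which is the "deployed on AWS with no audit trail" state the comment calls bananas.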
It’s a good list and I’ve referenced it a few times over the years.
I misunderstood your intent on #5.
I still think SSO is inappropriate because it’s going to bump you into enterprise tiers for random products when you need to be the most frugal with your burn. Going with 1Password or similar gets the job done. You 100% need SSO eventually and it does get harder to implement the longer you wait, but I still don’t think it’s worth it early.
I think MDM is still a thing for SOC2, but my point is that most startups will not need a SOC2 immediately and folks should be mindful of what moves the needle security-wise vs. what auditors want.
We just did a SOC2, and were encouraged not to do endpoint stuff in it. You can ask your auditors to require MDM, but you don't have to, and shouldn't.
You can pick which apps to enroll in SSO; you don't have to pay the sso.tax on everything. Most of the time it's not material anyways.
SSO is really useful, but it does tend to be expensive. There’s a window pre-PMF where money is tight and it’s hard to justify the Enterprise plan on every SaaS you use.
Interesting note about MDM, any idea what contributes to that trend?
You don't have to enable SSO everywhere. There are things we still don't SSO (looking at you, StatusPage) because the price hit is huge and unjustifiable. But I'm less sanguine about not having SSO at all.
I guess I'd add that almost anything goes pre-PMF. I think it's actually pretty reasonable to consciously minimize security engineering spending before you've got a real product locked down.
So: #1-5 and #7, I'd do right away.
#6, I'd wait until after my first security hire.