Sigstr’s Commitment to Security: The SOC 2 Journey

by Sarah Harvey / November 1st, 2019

Sigstr helps the world’s best marketers do amazing things with their employees’ emails. The average person spends 6.3 hours in their inbox every day. Sigstr gives marketers the ability to serve targeted ads to their audience where they’re spending the majority of their time: the inbox. This connectivity between Sigstr and email clients presents information security risks that Sigstr must address. We sat down with Brent Mackay, Director of Product Management and Data Protection Officer at Sigstr, to discuss what their team learned through the SOC 2 audit process and how it gives Sigstr a competitive edge in the email and marketing application space.

The Need for SOC 2

What information security risks face email applications? Generally, we see spam, phishing, and malware. According to Symantec, in 2018, Microsoft Office files accounted for almost half of all malicious email attachments. 1 in 10 URLs sent in emails are malicious. Each hacked email account is worth between $5 and $10. Those types of risks led to Sigstr going above and beyond to ensure that their service will not leave a vulnerability open to unauthorized access. Sigstr knows that employee email is incredibly sensitive, which is why they decided to pursue SOC 2 Type I and Type II attestations.

Mackay comments, “At the beginning of 2019, we announced Sigstr’s SOC 2 Type I attestation with a commitment to continue moving our security program forward. In August, we announced the SOC 2 Type II attestation. An important part of SOC 2 compliance is the ongoing adherence and improvements made to security systems and processes. The standards for SOC 2 shift as the tech ecosystem changes and ongoing improvements to controls are needed in order to stay up to date. Sigstr plans on annual SOC 2 Type II audits as a mission for customers to have confidence that their data is safe with us.”

Information security and compliance have two-fold importance to Sigstr. To keep their applications safe from unauthorized access and maintain uptime, they have to be the best of the best – and compliance helps raise the bar. It’s also important to the growth of Sigstr’s business, aiding them in closing deals with enterprise-level organizations who demand that their vendors be held to a high standard of security and compliance.

Lessons Learned from the SOC 2 Audit Process

After gaining Type I and II attestations, Sigstr felt as though the SOC 2 audits were definitely worth the time, effort, and cost. Mackay says, “Going through the SOC 2 audit process is exciting and challenging. Since this was the first set of SOC 2 audits that Sigstr had gone through, there was somewhat of a fear of the unknown. KirkpatrickPrice did a great job to help us prepare and we are very glad to have gone through the process.”

The Sigstr team learned a lot along the way about how to be in a position to better secure customers’ email data. Mackay explained that their team had three main takeaways after going through the SOC 2 audit process, which includes:

  1. Before going into a SOC 2 audit, it’s important to research what it entails and then measure your company’s preparedness. There are dozens of controls and policies that need to be in place prior to starting the audit, and it would be daunting to try to write and implement them during an audit. An easy place to start is to document the processes and controls you currently have in place.
  2. It is easy to underestimate the time the audit will take end to end. Audit timelines will vary based on your company size and scope of the engagement, but at Sigstr, we learned that it is a full-time job for a few people for approximately three months. We prepared our security team to allocate their time appropriately since the majority of the work was on them.
  3. When going through the process of creating controls and policies to govern your information security program, it can be very tempting to embellish and add aspirational controls. This can come around to bite you because controls that you put into policies will be audited. Whatever you put into a policy, you will be asked to furnish evidence of that during your Type I and Type II audits. If you fail to do so, it will show up as an exception on your report. We followed a simple mindset of “do what you say and say what you do.”

Competitive Advantage Gained from SOC 2

Sigstr is the only company in their space that has gone through a SOC 2 audit – and they didn’t just go through the Type I. They completed both Type I and Type II within a year. That alone is a competitive advantage, but furthermore, Sigstr’s SOC 2 audits were measured against all five Trust Services Criteria. We see most organizations choose between one and three, so this choice shows Sigstr’s incredible commitment to securing the email data that they are responsible for.

Having a SOC 2 Type II report readily available has also helped Sigstr accelerate the vendor approval process with many of their customers. Without a SOC report, the vendor approval process can take much longer, and potentially lose the opportunity to do business with larger customers.

Sigstr’s compliance journey can teach others how valuable an information security audit can be – for your processes, your technology, your people, and your clients. Want to learn about how your organization could tackle the SOC 2 journey? Contact us today.

More About Sigstr

Sigstr makes employee email your new favorite ad channel. Run hundreds of simultaneous banners to intelligently target your audience by industry, geography, or opportunity stage. Gain deep account-based insights and buyer intent data based on the real relationships your team develops (all from email and calendar patterns). In addition to standardizing email signatures, Sigstr turns every email your employees send into a marketing campaign.

More SOC 2 Resources

SOC 2 Academy

SOC 2 Compliance Checklist

Was the Audit Worth It?