We completed our SOC 2 Type II audit a year ago. This is the post I was looking for when we started the project, and could not find.
What it actually cost
About 0.6 FTE of sustained work on the security team, and roughly 0.2 FTE across engineering for evidence collection. The auditor bill is a line item but a much smaller one than people expect.
What we automated
Collecting access review, change management, and vulnerability scanning evidence is now fully automated; only the review of it is manual. Every Friday morning a worker runs, pulls the week's evidence into our compliance vault, and our security engineer spends about 15 minutes spot-checking it.
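The shape of that Friday worker, as an added example that is not DXData's code: each evidence item is serialized canonically, hashed, and written to the vault together with a manifest whose own hash the reviewer records, so a later edit to any stored file fails verification. The three evidence sources, the control names and the vault layout are assumptions constructed for the example; in a real worker they would be pulls from the identity provider, the source forge and the scanner.

```python
"""Weekly SOC 2 evidence collector with a tamper-evident manifest.

Added example, not DXData's worker. Evidence shapes and control names are
assumed; the sample data below is constructed, not pulled from any system.
"""
import hashlib
import json
import os
import tempfile

# --- Constructed sample evidence (assumed shapes, not any vendor's API) ---
ACCESS_SNAPSHOT = {
    "system": "identity-provider",
    "groups": {"prod-admins": ["alice", "bob"], "billing-ro": ["carol"]},
}
CHANGE_LOG = [
    {"pr": 1041, "author": "alice", "approver": "bob", "merged": "2024-05-06"},
    {"pr": 1042, "author": "bob", "approver": None, "merged": "2024-05-07"},
]
VULN_SUMMARY = {"scanner": "weekly-scan", "critical": 0, "high": 2, "medium": 9}


def canonical_json(obj) -> bytes:
    """Deterministic serialization so identical evidence always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect(vault_dir: str, week_ending: str, sources: dict) -> dict:
    """Write each evidence item into vault_dir/<week_ending>/ and return the manifest.
    sources maps control name -> evidence object."""
    period_dir = os.path.join(vault_dir, week_ending)
    os.makedirs(period_dir, exist_ok=True)
    manifest = {"week_ending": week_ending, "items": {}}
    for control, evidence in sources.items():
        blob = canonical_json(evidence)
        path = os.path.join(period_dir, f"{control}.json")
        with open(path, "wb") as fh:
            fh.write(blob)
        manifest["items"][control] = {"file": f"{control}.json", "sha256": sha256_hex(blob)}
    # The hash over all item hashes is the single value the reviewer records;
    # editing any evidence file afterwards breaks verify().
    manifest["manifest_sha256"] = sha256_hex(canonical_json(manifest["items"]))
    with open(os.path.join(period_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def verify(vault_dir: str, week_ending: str) -> list:
    """Recompute every hash; return the controls whose stored evidence no longer matches."""
    period_dir = os.path.join(vault_dir, week_ending)
    with open(os.path.join(period_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    tampered = []
    for control, item in manifest["items"].items():
        with open(os.path.join(period_dir, item["file"]), "rb") as fh:
            if sha256_hex(fh.read()) != item["sha256"]:
                tampered.append(control)
    if sha256_hex(canonical_json(manifest["items"])) != manifest["manifest_sha256"]:
        tampered.append("manifest")
    return tampered


def spot_check_changes(change_log: list) -> list:
    """The part of the human spot-check that can be pre-computed: merges with no approver."""
    return [c["pr"] for c in change_log if not c.get("approver")]


def run_weekly(vault_dir: str, week_ending: str) -> dict:
    """Entry point for the Friday worker; returns the summary handed to the reviewer."""
    sources = {
        "access-review": ACCESS_SNAPSHOT,
        "change-management": CHANGE_LOG,
        "vuln-scanning": VULN_SUMMARY,
    }
    manifest = collect(vault_dir, week_ending, sources)
    return {
        "week_ending": week_ending,
        "manifest_sha256": manifest["manifest_sha256"],
        "tampered": verify(vault_dir, week_ending),
        "unapproved_changes": spot_check_changes(CHANGE_LOG),
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as vault:
        print(json.dumps(run_weekly(vault, "2024-05-10"), indent=2))
```

The reviewer's 15 minutes then go to the items the worker cannot judge (is PR 1042 really unapproved, or merged under an emergency change?) rather than to assembling files, and the recorded manifest hash is what you hand the auditor when asked to prove the evidence was not altered after collection.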
The three controls that hurt
- Vendor management. The problem is the sheer number of SaaS vendors a modern company uses. We now require every new tool to come with a one-page security review before procurement.
- Backup restore testing. We had backups. We did not reliably test restores. Fixing that meant building a weekly game day.
- Incident response tabletops. Not because they are hard — because they are easy to deprioritize.
Written by
Daniel Hwang
Security Engineering at DXData.