Project Management for Small Businesses – A SOC II Example

One of the common pitfalls many small businesses face is the lack of project management in their daily business operations. Project management is important when dealing with deadlines, juggling multiple priorities and projects, budgeting, and managing your time more effectively. We believe it’s important to get project management expertise and experience from third party professionals, so you can use practical solutions to build a strong foundation that supports your business goals.

We spoke with Robin Shabazz, Principal at the Eastledge Group LLC, a business consultancy that provides strategic planning, project management, change management and training solutions to clients. As a project and change management consultant, she helped us adopt SOC 2 Type II controls, an industry standard in data protection for SaaS (Software-as-a-Service) companies. Our SaaS business model centers around providing procurement professionals with software solutions that make it easier for buyers and suppliers to do business together. Our software solutions make connecting simple for these professionals, and our solutions offer robust security measures that protect their data.

“Bringing outside third-party expertise was crucial to our success,” COO & GM Daryl Hammett said. “Robin did an incredible job educating our staff and implementing organizational change.” Robin’s HR and legal background, along with her compliance experience, made the required organizational process and procedure changes less daunting.

Today, we wanted to catch up with her and ask her advice for start-up and small companies considering project management, as well as SOC 2 implementation:

What is SOC 2 and how did project management help?

A SOC 2 (Service Organization Control) report reassures businesses that their software vendor builds, tests, and operates its system in a manner that protects their data. SOC 2 is a reporting standard specifically focused on controls within SaaS companies. SaaS companies can elect either a SOC 2 Type I report (establishing key controls) or a SOC 2 Type II report (a rigorous report showing performance on key activities over a 6 or 12 month timeframe). The American Institute of Certified Public Accountants (AICPA) governs the process, and only Certified Public Accountants (CPAs) can perform the audit. Audit reports cover a range of topics including the security, availability, confidentiality, privacy, or processing integrity of a SaaS company’s system (infrastructure, software, operational and management procedures). Our SOC 2 Type II audit focused on security. With Robin’s project management and training support, we were able to create a process that enabled us to expedite our audit “readiness” by following a few straightforward project management steps:

  1. Outline the project in terms of scope, schedule and budget.
  2. Define and assign roles and responsibilities of the project team.
  3. Establish a project plan, identifying key milestones, schedule, due dates, risks and mitigation tactics.
  4. Update and train stakeholders regularly to manage the change process.
  5. Manage the project to completion by conducting regular meetings and updating the project plan.
  6. Close the project with a “lessons learned” stakeholder meeting and/or report.

Becoming SOC 2 compliant can be hugely valuable for your business. With increasing supply chain disruptions and the ever-changing cyber threat landscape, many companies are requiring SaaS suppliers to be SOC 2 compliant. Demonstrating organizational procedures and controls that minimize your customers’ exposure to risk (security, reputational, operational, etc.) can be a key differentiator for small SaaS solution providers by showing that you have a solid business strategy and security program.

Key Steps to Getting Started with Your SOC 2 Process

Many small business owners think: I can’t implement the controls required for SOC 2 because it’s time-consuming, costly and requires too many changes. But that’s not true! From a small business standpoint, establishing controls to ensure your business is not vulnerable to attack is essential. One small system “glitch” can set your business back for years and even destroy what you worked so hard to build. A SOC 2 report gives potential customers the confidence they need to entrust their data to your solution.

There are consultants, like Robin Shabazz, who can partner with you to assist you on your SOC 2 journey and augment your project management resources at a budget that makes sense. If you’re ready to move towards a SOC 2 certification, make sure you have three key roles in place: (1) a project manager; (2) a technology lead; and (3) an HR or operations lead. These three resources will collaborate with your consultant to design, build, train, and implement the new procedures required by SOC 2. If your business is not yet ready to dive into SOC 2, consider the compliance and audit checklist we developed, freely available here. These items might give you a better idea of the daily activities that make your software application and business operations more secure.

Eastledge Group LLC is a business consulting company focused on providing organizations with people-centric solutions in project and change management, HR and training. Robin Shabazz, Esq. is a licensed attorney who is certified in mediation, Fierce Conversations™ and unconscious bias training. Prior to joining the Eastledge Group LLC, Robin held progressive senior leadership roles within global billion-dollar companies.