Why I advocated for SOC 2 before customers demanded it

A startup CTO explains why he pushed for SOC 2 before any customer required it, and how treating it as a sales tool cut months from enterprise deal cycles.

By Tim Olshansky, Co-Founder, Fencer

At my previous startup, I pushed for SOC 2 before a single customer had asked for it. Most teams wait until a big enterprise deal forces the issue, then scramble. I went early on purpose, because the alternative was watching deals I'd worked for months stall out in security review. The questionnaires were eating our sales cycle, and SOC 2 was the fastest way I could answer them at scale. Going first turned a recurring sales blocker into something I could clear in days.

That was several years ago. SOC 2 has since gone from a sales advantage to table stakes, the thing enterprise buyers expect to see before they'll go deep on an evaluation. I'd still make the same call today, but for a slightly different reason. SOC 2 gets you in the door with enterprise clients, but it alone doesn't get you past the questions procurement teams ask once you're inside. The security standard for doing business with enterprise organizations is higher than ever, and SOC 2 is just the tip of the iceberg.

The work underneath the badge is what carries you through a procurement review, and it is far easier to build before a customer is waiting on it.

Going early was a sales decision first

Every enterprise deal carried a tax. Each security review would add two months to a cycle that should have taken two days, split between the time we spent answering the questionnaire and the time their team spent reviewing our answers. The work fell to me and my engineers, which meant it came straight out of building product. The questions were detailed and technical, about intrusion detection, vulnerability-scan frequency, and how we verified that issues were actually fixed, so every deal routed through me. And it wasn't one account. The same questionnaire and the same two-month slowdown came up deal after deal.

What I noticed, doing this repeatedly, was that the questionnaires covered roughly the same ground regardless of which company sent them: vulnerability management, change control, access management, and incident response. The specific language varied, but the underlying topics were consistent. SOC 2 is a standardized, third-party-verified proof that you're addressing those topics. So instead of answering 300 questions individually per deal, we answered them once through the audit and pointed to the report. Nearly all of a 300-question questionnaire can be handled with "yes, see our SOC 2 report," and the reviewer follows up only on the specifics. What used to burn a month of back-and-forth dropped to days, and that was months of sales time recovered on every deal.

What the underlying work required

The shortcut only holds because it isn't actually a shortcut. SOC 2 works as a response to security questionnaires precisely because it's a third-party audit of real controls. Pointing to the report gets you through the door only if the work behind it is genuine.

That meant building the controls, not just describing them. Vulnerability management with a documented process for finding issues and proving they were fixed, change control with an audit trail, and access management with consistent control over who could reach what. It also meant having a credible answer to the more specific questions a careful reviewer asks: where encryption keys live and who holds them, how long logs are retained, how we vetted the sub-processors in our own stack, and how often we ran a penetration test and retested the findings. Device management mattered too, so there was an answer when someone asked what happens if an employee laptop is compromised.

Bringing in tools that enterprise IT reviewers already recognized helped. Before the SOC 2, I'd describe what we were doing in our own terms, and the reviewer would have to interpret whether that mapped to what they expected to see. Once we were using industry-standard tooling, we could answer "how do you handle X?" with "we use Y," and that was typically sufficient. Common tools, common language, common expectations.

The work was significant for our team, but what made it worth doing proactively was the cumulative return: instead of burning time on questionnaire responses indefinitely, we made the investment once and had an answer that scaled to every future deal.

What's changed, and what hasn't

What's changed in recent years is how far past the badge a typical security review goes. When I first went through this, a SOC 2 report cleared most of the questionnaire and the follow-ups were light.

However, procurement teams have since caught on that the badge says little about whether a vendor runs a secure operation day to day, so they treat vendors' SOC 2 reports as the starting point and dig for evidence of how security is actually running. The questions go a level deeper than they used to: where encryption keys live and who controls them, how long logs are retained and whether they can be altered, how you vet your own sub-processors, how often you run a penetration test and whether you retest what it finds, and what you commit to a customer when there's an incident.

Third-party risk management tools are common now too, scoring your answers with software that won't let you skip a question by pointing at a SOC 2 report. These teams measure you against their own security bar, not the standard the auditor used, and a clean report with zero exceptions can still come back with a dozen follow-ups.

Why I'd still pursue SOC 2 early

A SOC 2 still opens the door. In my reading, 90 to 95% of enterprise buyers run their standard questionnaire and accept the report as the answer to most of it. But opening the door is all it does on its own, and the security behind your answers is what closes the deal.

That is why I'd build the program before a customer forces it. Decide early and you have room to build the controls properly instead of retrofitting them against a deadline. My reason was commercial first, but the program we built to pass the audit was worth having on its own, and the same controls that carry you through a procurement review are the ones that protect the company as it grows.

If you are going to put a SOC 2 in front of enterprise buyers, it is worth seeing it the way their security team will first. Fencer's procurement readiness check reads your report the way a buyer would and shows you what's strong and what they're likely to flag, while you still have room to close the gaps.

You might also be interested in:

Take Fencer for a spin

See what full-stack security looks like, built for your stage and your stack. 
Connect your tools and get a complete, prioritized security roadmap in minutes.