Note: Thoropass was formerly known as Laika. We have updated their name in the content to reflect their new branding, but their old branding is still reflected in the screenshots of their software.
Disclosure: After we published the Comparison of SOC 2 Compliance Software Vendors white paper, Thoropass approached us and asked if we’d like to collaborate with them on content creation. They gave us a demo of their program.
We are not being paid to write this, nor do we have any financial deal with Thoropass should someone choose to purchase their services after reading this article. We just think their vendor management tool is noteworthy.
It’s a safe bet that almost any modern business going for its SOC 2 is going to use several common vendors. They are going to have an online office provider, Microsoft 365 or Google Workspace. They likely have cloud servers or a service hosted on GCP, AWS, or Azure. They likely have some project management software like Jira or Trello. Employees probably use a service like Zoom or Microsoft Teams for video conferencing, while their devices are managed by tools like Jamf, Microsoft InTune, or Fleetsmith. Developers are likely using GitHub or GitLab… and you get the point.
The most common vendors are also some of the most mission-critical vendors for many businesses, and their universality gives SOC 2 compliance software vendors an opportunity to preload information and save their customers time. However, during our research for the SOC 2 Compliance Software Vendors white paper, no vendor we reviewed had that sort of feature. There was a gap in the market. When Thoropass reached out to us after we published that white paper and gave us a demo, we noticed that their vendor management tool had that missing functionality. Let’s take a look:
Adding Vendors with SSO
The core of Thoropass’s vendor management feature is its robust database. They actively maintain a list of hundreds of common vendors along with time-saving information and links associated with each of them. All of the most popular vendors are included – Microsoft, Google, AWS, GitHub, Jira, Zoom, Jamf, and many more.
To start accessing this database, Thoropass connects with your organization’s email and Single Sign-On service during onboarding to automatically detect many vendors an organization is using, which saves some time in filling out the vendor list.
However, it’s likely that not every vendor a company uses is attached to SSO, so some manual entry work will be required. A list of popular vendors and a search function are available to finish filling out the list.
One other time-saving aspect of the SSO link is auto-detection. The feature can automatically detect and add vendors that are connected to SSO later, which can alert users to new tools the organization is trying.
The Compliance Database
Once a vendor is added, users are able to open them up and take advantage of the compliance database.
Each vendor entry comes pre-populated with a list of all security compliance standards and certifications the vendor is known to have, as shown by the little icons from each of the bodies. Some of these security reports are easier to get than others, but it’s important to get the information for your own security program.
The primary reports from SOC 2 and other audits have confidential security information – often detailed and in-depth data about the security practices of a company. This information would be very valuable to attackers, so most vendors won’t share them with other businesses unless those businesses are potential or current clients, and will almost never do so without an NDA.
“Most of our startup customers aren’t on enterprise deals where they’d get [email protected], instead they’re still at [email protected] or [email protected]. Sometimes there’s a big headache for getting a SOC 2 as a startup and as the CISO for Thoropass myself it’s one of my least favorite things to try to track down,” said Dana Mueller, Thoropass’s Strategic Compliance Evangelist.
Meanwhile, some documentation, like the SOC 3 report or questionnaires from the CSA STAR Registry, is publicly available.
In Thoropass, each compliance icon provides a link to the location where the user can request or retrieve a copy of the report, depending on the confidentiality of that report. Requesting access to a confidential compliance report is highly vendor-specific. Big organizations like Amazon and Microsoft have special tools that allow authenticated users to retrieve these reports. Other, smaller vendors will have a form or require an email request.
No matter the method of retrieval, these links help Thoropass users avoid the hassle of searching for each vendor’s security reports individually – a considerable time savings.
“I would say we’ve taken 90-95% of the lift out of that, in terms of having that stuff surfaced so basically you can go ‘click click’ and you got it,” said Mueller.
Some Other Interesting Features
The compliance database was what impressed us most about Thoropass, but the vendor management tool has a few other nice features, though they are less unique.
In particular, they have some nice granularity in assigning risk exposure for each vendor.
Each vendor can have its operational exposure described in common “low, medium, high” terms, its financial exposure described in real dollars, and its data exposure described by the type of data that vendor handles: confidential, personally identifiable information (PII), etc.
This granularity in describing risk gives a much clearer picture that is easier to communicate to non-security professionals.
There are also locations to enter the internal owner of that vendor relationship, the contact information of the vendor’s account executives, and more. “The goal is to create a one-stop shop for commonly leveraged data, we don’t want users to have to dig around for vendor data elsewhere,” said Mueller.
The Integrated Audit / Thoropass + Thoropass Compliance
Similar to ByteChek, Thoropass offers an “under-one-roof” SOC compliance management and audit solution. Thoropass Compliance, an independently-owned CPA firm, is the integrated audit partner of Thoropass, the SaaS company.
As we pointed out in our ByteChek article, the independence of an external auditor is important for ensuring the quality of said audit. While the consultant-auditor-in-one relationship exists and has led to thousands of successful audits, it has also gone wrong in the past. The infamous Enron Scandal was at least partially the result of the conflict of interest generated by the fact that Arthur Andersen, Enron’s accounting firm, provided both consulting and auditing services to the doomed company. Specifically, Arthur Andersen did over $50 million in services for Enron in one year alone – about 27% of the accounting firm’s total revenue in Houston.
However, there are lots of differences between that situation and the business these cybersecurity firms do.
Contract sizes for cybersecurity services and audits are much smaller. The comparatively low reward per contract is not worth the existential risk that a scandal would pose to the firm. If a client wants to act shady, it’s far easier for these cybersecurity firms to simply end the contract.
Coalfire and A-LIGN are two established players that collectively issue thousands of SOC 2 reports every year while providing cybersecurity services to their clients. ByteChek and Thoropass are just two new players hoping to do the same with a SaaS offering.
Conclusion
When serving multiple clients, you can do the legwork once to save everybody else the hassle. It’s one of the reasons we here at Fractional CISO originally researched and wrote the white paper – we received a lot of customer inquiries about these tools. Instead of making everybody do their own vendor evaluations, we did it once to save everybody else the legwork.
In the same way, Thoropass’s compliance database does the legwork once to save their customers a considerable amount of time in vendor management. It’s clear that this feature was created by a team that understands the challenges of vendor management and is seeking to ease the pain.
Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.