SURF Security sells its products to very security-conscious customers, distributed throughout North America, Europe and the Middle East. It implements security rigorously and by the book. Given that SOC 2 is the dominant security compliance framework in North America, SURF Security decided that SOC 2 certification would make a forceful statement to its prospective customers there about its values and its robust implementation of security controls.
Mishel Mejibovski, SURF Security’s head of Operations, previously held roles as a security specialist working in Israeli military intelligence and as the deputy head of security for the airline El Al. He was committed to the highest standard of security both within SURF Security and in SURF Security’s product, and was persuaded that using an automated approach to security compliance was the right path forward.
Akitra provided SURF Security with a comprehensive set of customizable policies and controls as a first step. Then, the company took advantage of Akitra’s 100+ integrations to begin automated evidence collection, which had previously been done manually. “Manual evidence collection was hard work,” said Mishel. “It involved a dedicated person having to chase various people around the company to provide the necessary evidence reports on time – which was of course an error-prone process. Automation is faster, more reliable, and a lot less work.”
As part of the evidence collection, SURF Security’s IT team also installed Akitra’s Shield software for endpoint monitoring. They quickly found that Shield became a vital part of their compliance process, collecting a substantial part of all compliance evidence.
“We were particularly happy with Akitra’s approach to supporting us through the compliance journey,” added Mishel. “They held weekly meetings with us to keep us on track, which helped ensure we had our final SOC 2 report in hand on schedule.”
Now that SOC 2 Type 2 is in place, backed by Akitra’s compliance automation platform, Mishel says, “We are now a more mature company in being able to not only follow security best practices internally, but also prove we’re doing it. You’re not going to find that level of maturity in other companies at this stage of the company’s life cycle.”