From Mechanical Engineering to IT Security & Compliance

Hamza's experience transitioning into a tech role and working on SOC 2 compliance.

My Background

During my bachelor’s in Mechanical Engineering at National University of Science & Technology (NUST), I enjoyed managing teams and projects for various student clubs. Without knowing exactly how it would shape my future, I focused on building my communication and collaboration skills.

Hamza (First from the Right) with his Colleagues at a Recruitment Drive

My career began in Product Operations at OneScreen, and I later spent three years managing business operations at Goldwind in the renewables sector. Observing the growing influence of IT and wanting to expand into Project Management, I decided to transition into the field of Information Technology, seeing it as the perfect fit for my skills and ambitions.

Starting a New Role

In March 2024, I joined Turing Tech as a full-time Associate Technical Project Coordinator—just as one of our products was experiencing rapid growth. As we scaled, new requirements emerged from our enterprise clients, opening up fresh opportunities and challenges.

One such challenge came in the form of a security mandate from a key enterprise partner: our platform needed to become SOC 2 compliant. Achieving this certification was more than just a checkbox; it was a crucial step toward meeting the highest security standards and strengthening our credibility.

From the beginning, our team prioritized best development practices, but we hadn’t fully aligned our product with globally recognized security frameworks. This presented a unique opportunity—not only to implement top-tier security measures but also to instill a security-first culture within our technical teams.

With a clear goal in mind, we embarked on a journey to make our platform SOC 2 compliant—a journey that would enable us to scale securely while reinforcing trust with our clients and users.

The project was assigned to me and our Engineering Lead, under the supervision of our CTO, in mid-April 2024. We kicked off the initiative by gaining a thorough understanding of SOC 2 compliance and the distinctions between Type 1 and Type 2 certifications.

Understanding SOC 2 Compliance

Our first task was to answer two key questions:

  1. What is SOC 2 compliance primarily focused on?
  2. What is the difference between SOC 2 Type 1 and Type 2 certifications?

What is SOC 2 compliance primarily focused on?

SOC 2 (System and Organization Controls 2) compliance is mainly focused on data security. It ensures that service providers manage data securely, protecting the privacy and interests of their clients. The compliance framework is built around five "Trust Services Criteria".

What is the difference between SOC 2 Type 1 and Type 2 certifications?

The main difference lies in the scope and duration of the audit. Type 1 focuses on evaluating the design of an organization’s security controls at a specific point in time to confirm that they are in place. Type 2, however, goes further, evaluating both the design and the operational effectiveness of those controls over a period, typically ranging from 3 to 12 months, to ensure they consistently function as intended. Type 2 provides a more comprehensive review of an organization’s security practices over time.

Laying the Groundwork for Compliance

Once we grasped these fundamentals, we worked closely with our compliance partners to map out a detailed roadmap for achieving SOC 2 compliance. Our first step was evaluating our existing security controls against SOC 2 standards. This gap analysis led us to prioritize key initiatives to bring our product in line with compliance requirements. Here are some of the significant steps we took:

Security Initiatives

Initiative                  | Description
----------------------------|--------------------------------------------------------------------------------------------------
Policies                    | Drafted and updated multiple policies covering data security and internal information handling.
HRIS                        | Implemented Rippling as our Human Resource Information System (HRIS) to manage access control, security, and employee/contractor management.
AWS Security                | Leveraged several AWS services for security measures.
MFA and SSO                 | Enabled Multi-Factor Authentication (MFA) and Single Sign-On (SSO) across critical services.
Compliance Management       | Adopted ClickUp to track access provisioning, infrastructure changes, and compliance requirements.
IT Security Team            | Established a dedicated team to track vulnerabilities and ensure compliance.
Security Awareness Training | Introduced company-wide training to enhance security awareness.

A Team Effort

SOC 2 compliance is a collaborative effort that requires the commitment of the entire team. I’m incredibly proud of our team for embracing security as a core value and working together to implement the necessary practices.

The next step toward Type 2 requires a six-month commitment to maintaining and verifying security controls. This involves following a compliance roadmap, conducting regular assessments, and ensuring clear communication across teams. Regular check-ins will help demonstrate consistent security practices, paving the way for SOC 2 Type 2 certification and reinforcing our commitment to data protection.
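The "regular assessments" that a Type 2 observation window demands are easiest to evidence when the check is scripted and repeatable. The block below is an added example, not code from the original post or from Turing Tech: it takes the MFA initiative from the table above and the assessment cadence described here and turns them into a small control check over an AWS IAM credential report. It assumes the column names and value conventions of the credential report as documented by AWS (true/false, N/A, not_supported, ISO 8601 timestamps); the account number, user names and timestamps in SAMPLE_REPORT are constructed for the example, and the sample keeps only a subset of the report's columns. The function names (parse_report, find_control_exceptions, run_check) are this example's own.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the layout of an AWS IAM credential report (assumption:
# column names as documented by AWS; the account id, users and dates are made up,
# and only the columns this check needs are included).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2023-01-10T09:00:00+00:00,not_supported,2024-05-01T08:12:00+00:00,not_supported,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-03-02T09:00:00+00:00,true,2024-06-10T14:20:00+00:00,2024-03-01T09:00:00+00:00,N/A,true,true,2024-04-15T10:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-05-20T09:00:00+00:00,true,2024-06-09T11:05:00+00:00,2023-05-20T09:00:00+00:00,N/A,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-11-01T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-11-01T09:00:00+00:00,false,N/A
"""

# Values the report uses where no timestamp applies.
_NO_TIMESTAMP = {"N/A", "no_information", "not_supported", ""}


def parse_report(report_text):
    """Parse the CSV body of a credential report into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(report_text)))


def _parse_ts(value):
    """Return an aware datetime for an ISO 8601 cell, or None for placeholder values."""
    if value in _NO_TIMESTAMP:
        return None
    return datetime.fromisoformat(value)


def find_control_exceptions(rows, now, max_key_age_days=90):
    """Flag rows that violate two controls: console access must have MFA,
    and active access keys must have been rotated within max_key_age_days.

    Returns a list of (user, reason) tuples in report order."""
    exceptions = []
    for row in rows:
        user = row["user"]
        # The root row reports password_enabled as not_supported but always has
        # console access, so it is held to the MFA control as well.
        has_console = row["password_enabled"] in ("true", "not_supported")
        if has_console and row["mfa_active"] != "true":
            exceptions.append((user, "console access without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                exceptions.append(
                    (user, f"access key {slot} older than {max_key_age_days} days")
                )
    return exceptions


def run_check(report_text, now_iso, max_key_age_days=90):
    """Convenience wrapper: evaluate a report as of the given ISO 8601 instant."""
    return find_control_exceptions(
        parse_report(report_text), datetime.fromisoformat(now_iso), max_key_age_days
    )


if __name__ == "__main__":
    # Evaluate the constructed sample as of a fixed date so the output is stable.
    for user, reason in run_check(SAMPLE_REPORT, "2024-06-15T00:00:00+00:00"):
        print(f"EXCEPTION {user}: {reason}")
```

Running the check on a fixed date rather than on the wall clock keeps each run reproducible, which matters when the output is filed as evidence for a specific assessment; in practice the report text would come from the account itself and the output would be stored alongside the date it was produced.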

Looking Forward

As I look ahead, I’m excited to dive deep into AWS services, gaining hands-on experience and exploring their full capabilities. I aim to understand their intricate features and how they can be leveraged to enhance security, scalability, and compliance.

This experience will help me refine my skills, deepen my knowledge of cloud infrastructure, and strengthen my understanding of cybersecurity practices. I’m also interested in exploring other cloud providers like Microsoft Azure and understanding how compliance standards are applied across different environments.

Looking for a Fresh Start

I’m incredibly thankful for this opportunity and highly recommend Turing Technologies to anyone looking for a fresh start in a dynamic and supportive environment. I’d like to extend a special thanks to Arish and Mohsin for their invaluable guidance throughout this journey, helping us stay on the right path.

Hamza Bashir