CASE STUDY: LBMX's SOC 2 Journey
At a Glance
LBMX’s goal was clear: to strengthen data security.
With Oppos’ expert guidance, LBMX achieved SOC 2 Type 1 and Type 2 compliance within nine months, enhancing security practices, aligning policies with industry standards, and boosting company-wide security awareness.
LBMX’s commitment to client data protection inspires trust and secures a competitive advantage.
As cyber threats intensify and customers demand stronger data protection, cybersecurity has become vital for growing businesses.
The System and Organization Controls 2 (SOC 2) framework, developed by AICPA, sets rigorous standards to safeguard organizations and data entrusted to them, making it crucial for technology-driven companies like SaaS providers, cloud storage providers and data processors.
SOC 2’s five Trust Services Criteria—security, availability, processing integrity, confidentiality, and privacy—ensure effective data protection controls. A gap assessment helps new adopters identify improvement areas before the audit.
SOC 2 compliance is a prestigious achievement that demonstrates a company’s commitment to data security and builds competitive advantage. The SOC 2 compliance journey, however, can be daunting and complex for businesses unfamiliar with the framework and the alignment required for internal controls.
This case study shows how LBMX, with Oppos’ expert support, successfully navigated SOC 2 compliance, achieving strategic and operational gains.
The Client
Founded in 2001, LBMX is a global SaaS provider with over 100 employees. Its business-to-business marketplace platform connects businesses, buying groups, and purchasing cooperatives to optimize buying and selling processes. LBMX’s platform centralizes electronic invoicing and rebate management across various sectors, including lumber, building materials, manufacturing, and industrial supply.
SOC 2: A Must-Have for LBMX
As LBMX expanded and client demands for data protection grew, the company chose to pursue SOC 2 compliance in 2024. With a strong network team and solid practices in place, LBMX was ready to tackle its first compliance journey.
Recognizing the value of expert guidance, LBMX partnered with Oppos to navigate the complexities of the SOC 2 framework. When asked about his expectations at the beginning of LBMX’s compliance journey, Tony Feuz, LBMX Chief Technology Officer, recounts:
“I didn't know what to expect, and I was scared of the amount of work it would take.”
– Tony Feuz, LBMX Chief Technology Officer
Partnering for Success
LBMX discovered Oppos through a Canadian government program for business compliance and security.
After reviewing a shortlist of recommended providers, LBMX chose Oppos for its proven expertise. Oppos then took the lead, expertly guiding LBMX through its SOC 2 journey.
“Typically, our customers have no prior compliance history. They have never taken on a compliance journey before. It is up to Oppos to explain the process and put them at ease.”
– Darace Rose, Oppos Chief Executive Officer
Darace Rose, Oppos Chief Executive Officer, explains that Oppos specializes in guiding first-time compliance clients by matching them with the right Oppos consultant for a smooth compliance experience.
The Compliance Blueprint
With over 60 years of expertise, Oppos is a trusted leader in cybersecurity and IT audit preparation.
For LBMX’s SOC 2 attestation journey, Oppos concentrated on three Trust Services Criteria:
- Security (mandatory for all attestations)
- Availability
- Confidentiality
Leveraging its proven Compliance Blueprint, Oppos guided LBMX through every stage—from gap assessment and remediation to final attestation. Oppos provided essential services like penetration testing, vulnerability scanning, security awareness, and risk management training.
Within nine months, LBMX achieved SOC 2 (Type 1 and Type 2) compliance, meeting tight timelines without sacrificing quality.
The People, Tech, and Tools That Enabled Success
Three key factors contributed to a smooth and successful compliance process:
- Commitment: LBMX was fully committed, dedicating resources and prioritizing SOC 2 interactions. Clear communication and collaboration with Oppos fostered team alignment and project momentum.
- Adaptability: Guided by Oppos, LBMX quickly adapted processes and systems to efficiently gather the evidence needed for SOC 2 compliance.
- Tooling: Using Monday.com as a project management tool was a game-changer for the project team. It facilitated task tracking and accountability.
These elements ensured a streamlined, effective, and efficient path to completion.
Overcoming Challenges
Two of the LBMX team members, Adekunbi Ayibiowu, Business Process Manager, and Matthew Arnold, System Administrator, noted that while the compliance journey was smooth overall, LBMX faced two main challenges:
- Adapting to new compliance methods and evidence requirements was initially demanding, but LBMX documented these changes to retain and share knowledge across their teams.
- Gathering evidence under tight deadlines was challenging, yet the team’s dedication kept the project on track.
Lessons Learned
The LBMX team shared critical insights and two key takeaways from their SOC 2 journey:
- Periodic reviews are essential to keep teams updated on changes and new security requirements.
- A robust framework for documentation and evidence organization is crucial for maintaining compliance and audit readiness.
SOC 2 Pays Off
"Our customers can be confident that their data is safe and secure."
– Tony Feuz, LBMX Chief Technology Officer
The goal of SOC 2 compliance was clear: strengthen data security—and LBMX achieved that.
Strategic Benefits
SOC 2 increased customer confidence in LBMX’s data security and streamlined the completion of third-party security questionnaires for enterprise clients.
SOC 2 was necessary to help LBMX grow, and Tony, LBMX’s Chief Technology Officer, concluded that they might have lost some sales without it.
Operational Improvements
The SOC 2 attestation process led to significant improvements in LBMX’s data security and overall operations, with notable impacts on policies, access controls and permissions, encryption, documentation, and training.
Detailed Enhancements
- Strengthened HR policies, whistleblower procedures, and user segmentation
- Enhanced data access controls, access tracking, and permissions management
- Implemented database encryption for added security
- Created a central repository for control tracking and updates
- Boosted company-wide security awareness and training
- Improved internal change management practices
- Aligned policies with industry standards
These advancements embedded a culture of continuous improvement within LBMX, supporting business resilience and strengthening customer trust.
The Compliance Road Ahead
With SOC 2 Type 1 and Type 2 attestations achieved, LBMX is committed to ongoing compliance, including annual re-audits.
To maintain a strong focus on compliance and data security, they renewed their contract with Oppos for two more years. Oppos will continue supporting LBMX in assessing and closing security gaps, enhancing security awareness, consulting with auditors, and streamlining evidence gathering to demonstrate key controls.
Advice for SOC 2 Beginners
For organizations considering SOC 2 compliance, LBMX shares these essential tips:
- Don’t underestimate the effort. SOC 2 requires substantial time and dedication.
- Build a skilled network security team. Expertise is vital for a smooth journey.
- Stay organized from day one. Thorough documentation is key.
- Consider external support. Experienced consultants can streamline the process by connecting controls to the framework.
In Conclusion
SOC 2 is more than a checklist; it is an essential standard for growing businesses, signaling to clients that data security is a top priority. If your company is interested in pursuing a compliance journey, call us; we’re here to help.
“You need to hire someone to get through this process and help manage it. We got there quicker, easier, and faster with Oppos.”
– Tony Feuz, LBMX Chief Technology Officer