Danielle Kwon remembers the exact moment she knew she’d won the contract.
It was March 2025, in a glass-walled conference room in downtown Atlanta. She’d just finished presenting her firm’s cybersecurity training methodology to the procurement team at a regional healthcare system — 14 hospitals, 23,000 employees, a $380,000 annual training contract. The head of IT security looked at her VP of HR and nodded. The kind of nod that means yes.
“We loved everything about your approach,” the IT director told her after the meeting. “You’re our top choice. We just need to get you through vendor onboarding.”
Danielle drove home thinking about hiring. She’d need two more trainers, maybe three. She started drafting the job posts in her head.
Then the vendor questionnaire arrived.
147 Questions She Couldn’t Answer
Danielle had built Kwon Security Consulting from a solo practice in 2019 to a seven-person firm doing $620,000 in annual revenue by 2024. Her clients were mid-sized companies — 200 to 1,000 employees — who needed cybersecurity awareness training, phishing simulations, and incident response planning. She was good at it. Her client retention rate was 94%.
But she’d never sold to a healthcare system with a formal vendor security program.
The questionnaire was 147 questions spread across 12 sections. Network architecture. Data handling procedures. Access controls. Encryption standards. Business continuity planning. Third-party risk management. Incident response protocols.
Then the requirements page:
- SOC 2 Type II certification. Current. No exceptions.
- Cyber insurance with minimum $5 million aggregate coverage, naming the healthcare system as additional insured.
- Written, tested incident response plan with documented tabletop exercise within the prior 12 months.
- Evidence of endpoint detection and response (EDR) deployment across all company devices.
- Annual penetration testing by a qualified third party.
“I sat at my kitchen table reading it three times,” Danielle says. “I had good security practices. MFA on everything, encrypted drives, regular backups. But I didn’t have any of it documented and certified the way they needed.”
She called the procurement coordinator. Was there flexibility? Could they accept an alternative?
“She was very nice about it. She said, ‘These are non-negotiable. HIPAA requires it and our board requires it. If you can get SOC 2 within 90 days, we can hold the selection.’”
The Math That Stops You
Danielle started getting quotes.
SOC 2 Type II audit: Three firms quoted her between $22,000 and $35,000 for the audit itself. But SOC 2 Type II requires a minimum observation period of six months. She couldn’t get it in 90 days even if she wrote a check that afternoon.
SOC 2 Type I (a point-in-time snapshot) was faster — 8 to 12 weeks — but the healthcare system’s requirements specifically said Type II.
Compliance readiness: The auditors told her she’d need 3 to 4 months of preparation before the observation period could even begin. Policy documentation, control implementation, evidence collection systems. One firm recommended a compliance automation platform at $12,000/year. Another suggested she’d need a part-time compliance contractor at $8,000–$15,000.
Cyber insurance upgrade: Her existing policy covered $1 million. Upgrading to $5 million would cost $11,400/year — but her insurer required her to first pass a security assessment. She needed MFA on every system (done), EDR on every device (partially done — her two remote trainers used personal laptops), and an incident response plan that had been “tested via tabletop exercise” (she had a plan; it hadn’t been formally tested).
Penetration testing: $4,500–$8,000 for a third-party assessment.
Total estimated cost: $58,000–$74,000 for the first year. Annual maintenance thereafter: $25,000–$35,000.
Danielle’s net profit in 2024 was $71,000.
“They were asking me to spend my entire profit — with no guarantee I’d even win the contract — on certifications I’d never needed before for any other client.”
She called the procurement coordinator back and asked for a 12-month extension. The answer was no. They selected the runner-up, a division of a national consulting firm with 200 employees and every certification already in place.
What Losing That Contract Actually Cost
The $380,000 contract was the obvious loss. But Danielle started seeing the pattern everywhere.
Within the next three months, she lost two more opportunities to the same wall. A financial services firm required SOC 2 Type II and $3 million in cyber coverage. A mid-market SaaS company wanted SOC 2 plus ISO 27001. She didn’t pursue either past the initial conversation.
“Once you start looking for enterprise contracts, you realize the compliance requirements are everywhere. I’d been growing steadily in the mid-market, but there’s a ceiling. Companies above a certain size all require the same things, and I didn’t have any of them.”
She ran the numbers. The three contracts she’d lost or passed on totaled $640,000 in annual revenue. She was leaving more on the table every year than her entire current revenue.
“That was the moment I stopped thinking of compliance as an expense and started thinking of it as a capital investment in market access. Like buying a piece of equipment that lets you bid on bigger jobs.”
14 Months to Break Through
In June 2025, Danielle decided to get SOC 2. She mapped out the timeline:
Months 1–3 (June–August 2025): Foundation. She subscribed to Vanta ($8,500/year), a compliance automation platform that provided policy templates, automated evidence collection, and mapped her existing controls to SOC 2 requirements. She deployed EDR across all company devices, including issuing company laptops to her remote trainers — $3,200 for two refurbished MacBooks. She documented everything: access controls, data handling procedures, backup protocols, vendor management.
Months 4–5 (September–October 2025): Readiness assessment. She hired a compliance consultant for a one-day readiness review — $3,500. He identified 11 gaps. Most were documentation issues: she had the controls but hadn’t formalized the policies. Three required actual changes: she needed a formal risk assessment, a tested incident response plan, and vendor security reviews for her subcontractors.
Months 6–11 (November 2025–April 2026): Observation period. The SOC 2 Type II audit window. Her auditor charged $28,000. During this time, she also ran her first tabletop exercise ($2,200 for a facilitator), completed annual penetration testing ($5,800), and upgraded her cyber insurance to $5 million coverage ($11,400/year — her insurer approved it once she could demonstrate the new security infrastructure).
Month 12 (May 2026): Certification received. SOC 2 Type II report in hand. Total investment: approximately $62,600 in the first year.
She funded it by taking a $45,000 line of credit from a CDFI lender — a local community development lender that was willing to underwrite the investment based on her revenue history and the pipeline she’d mapped. The remaining $17,600 came from operating cash flow, which meant she took a reduced owner’s draw for most of the year.
“I basically took a 75% pay cut for a year,” she says. “I paid myself less than my trainers.”
What Happened Next
In May 2026, Danielle resubmitted to the healthcare system. Different contract cycle, same procurement requirements. This time, she passed vendor onboarding in nine days.
She also won a $215,000 contract with a financial services firm she’d been unable to pursue the year before. And she’s in final-stage proposals with two more enterprise clients.
Her projected 2026 revenue: $1.1 million. Nearly double her 2024 number.
“The certification didn’t make me better at my job,” Danielle says. “I was always good at what I do. It gave me a key to a building I couldn’t enter before.”
The Part That Still Bothers Her
Danielle is clear-eyed about what happened. She made the investment, it paid off, and she’d do it again. But she’s also clear about what the experience revealed.
“I competed against a firm with 200 employees for that first contract. They didn’t win because they were better — they won because they could absorb the compliance cost as a rounding error. For me, it was everything.”
She’s watched other women business owners hit the same wall. A marketing agency owner who lost a Fortune 500 content contract because she didn’t have SOC 2. A data analytics consultant who couldn’t afford the $5 million cyber insurance policy. An HR tech startup founder who spent $90,000 on compliance in her first year and nearly ran out of runway.
“The compliance requirements aren’t wrong,” Danielle says. “Healthcare systems should require security certifications from their vendors. But the system assumes you can afford to prove you’re secure before you earn the revenue that pays for the proof. That assumption has a demographic.”
She pauses.
“The businesses that can self-fund $60,000 in compliance on spec tend to be bigger, older, and better capitalized. And the businesses that are smaller, younger, and less capitalized tend to be owned by women. Nobody designed it that way. But it works out that way.”
What Danielle Would Tell You
For women business owners looking at enterprise contracts and seeing the compliance wall:
- Don’t walk away from the opportunity. “I almost did. I almost decided enterprise wasn’t for me. That would have been a $1 million mistake.”
- Start the clock now. SOC 2 Type II takes 12–14 months minimum. “If you think you might need it in two years, start this year.”
- Use automation. “Vanta saved me probably 150 hours of manual work. The $8,500 was the best money I spent.”
- Find a CDFI or community lender. “My bank wouldn’t touch a loan for ‘compliance infrastructure.’ The CDFI understood it immediately.”
- Price the certification into your rates. “My enterprise rate is 30% higher than my mid-market rate. Nobody’s blinked. They expect it.”
- Track what you lost. “When I calculated the revenue I’d left on the table, the $62,000 investment felt small. But I couldn’t see that when I was staring at the bill.”
Danielle Kwon’s experience with the compliance paywall reflects a growing barrier for women-owned service businesses trying to access enterprise revenue. For the tactical playbook on navigating these requirements, read The Compliance Paywall: When Enterprise Contracts Require Certifications You Can’t Afford. For more founder stories, visit Founder Stories.
Additional resources: SOC 2 Compliance Costs · Cyber Insurance Requirements · SBA Lending Programs