Comment by mooreds
2 days ago
The auditors aren't writing the compliance guidelines, are they? Just enforcing them.
I'd say you want to send these articles to the people writing such guidelines.
What am I missing?
No, you’re right. Though I think there’s definitely a gap between standards bodies like NIST and the AICPA or whoever sets the SOC2 standards these days. I think some of the answer is just momentum. Customers have come to expect it of their vendors, specifically because it is security theatre, something they can point to if anything goes wrong.
> because it is security theatre, something they can point to if anything goes wrong.
Yeah, there is space between "this is a good practice and it's nice to be able to check the box" and "this is a standard someone else dictated but it will cover my butt if anything happens" unfortunately.
I get it, I depend on standards all the time (food safety, equipment certification) so I understand the desire, but darn it's frustrating when they are viewed as a cure-all.