Comment by bedatadriven
2 months ago
I don't want to work wherever you do your thing. Software as a service means you provide a service, and you should take your responsibility to protect your customer's data super seriously. Compliance frameworks are one useful tool among many to support this effort. It helps us identify gaps, identify risks, make improvements. It also give us a way to communicate what we do to our partners. The behavior described in the medium post is fraud, pure and simple.
I am a founder, and my ambition includes meeting the highest possible standards for my customers.
I've done a mix of SOC2, ISO27001 and PCI L1 for 3 different startups. 2 of them b2b. All certified 100% and fully compliant.
The problem with the current frameworks is that the "controls" are so asinine and auditors so hard headed, that getting certified becomes a matter of "checking the box" .
Particularly most of those frameworks REQUIRE maintaining so much paper red tape that make a 10 person startup want to kill themselves. And in addition the costs are stupid high for startups that are just "starting up".
On the flip side, how many large companies have we seen that have all the SOCs, ISOS and whatnot certifications, and they get pwn3d and their data stolen or exposed.
It tells you that a place being certified doesn't guarantee shit.
The reality is that large companies ask for certs as a CYA mechanism: the "security" department of LargeCo, asks for the compliance cert so that when shit hits the fan, they can say "not my fault, they told me they were compliant"
The good thing is that with the new Bullshit generators (llm) this certifification/compliance process will collapse.
Well, yes, but that's the point of many contracts, they are often designed to shift risk to parties that are better equipped to handle those risks. We run our app on GCP because as a 20 person company I don't want to be responsible for physical security and a million other risks.
With ISO27001 or SOC 2, I have more information about the other party's ability to manage those risks than just taking their word for it. I'm trusting a third party auditor to vouch for them.
Fraud undermines all kinds of relationships and yes LLMs make it worse. The last job we opened I got hundreds of perfect cover letters asserting the candidates met all of the criteria. Bah.
My perhaps naive hope is that a few of these companies involved will face criminal fraud charges and we will start to develop new reflexes as a society that just bc LLMs making lying very very easy, there are still consequences.
> With ISO27001 or SOC 2, I have more information about the other party's ability to
... spend time and money to emulate the asinine requirements of outdated standards instead of actually making the product better and more secure.
> I'm trusting a third party auditor to vouch for them.
Like Delve?
1 reply →
I think the thing we are confusing here is "compliance" vs the "highest possible standards".
In theory these two terms mean the same thing.
In practice compliance can be detrimental to the cause and values that you and I both share seemingly.
> I am a founder, and my ambition includes meeting the highest possible standards for my customers.
Same here. This is why I don't care about "compliance" - because I take the privacy of my customers sacred. For example, that means no KYC on my customers. And compliance requires KYC.
Compliance with what requires KYC? Nothing in ISO-27001 requires you to collect any information about your customers. Unless there are laws that require you to. Knowing your vendors is another story.