Comment by icedchai
2 months ago
Most people only care about compliance if it stops them from closing a deal. I was at a startup where some enterprise said we needed a SOC 2. The founder talked them out of it by giving them a discount if they'd waive the requirement.
My company is tiny (just me) and at one point a client sent over a questionnaire that I needed to fill out. Half the things I already did, about 1/4th I did right then so I could check the box (added features/reports/etc), and the last 1/4th I looked into (including SOC2) and decided I’d rather lose the deal than try to do those things. I was completely truthful in the questionnaire and for those sections I just put “We can provide this but it costs extra”.
I ended up getting the contract and they never asked for those extra things. I guess that’s kind of the same thing your founder did but in reverse. Discount to skip it vs it will cost more to add it.
To be clear, I think most of the questionnaire was just “we want these answers on file”; I’m not in an industry where most of what they asked for is reasonable/needed. Though it scared the hell out of me when I got it because SOC2 (and some other things they asked about) is not cheap. Literally 1-2x the cost of the service I was selling. All for something I consider a _very_ small step above snake oil.
> I ended up getting the contract and they never asked for those extra things.
Same boat about 2 years ago: the compliance is a lot more flexible than you would think - it doesn't matter if you have a poor password policy; what matters is that you document you have a poor password policy.
Your client didn't have to get a compliant vendor to remain compliant themselves; what matters to their compliance is formal attestations from their vendor about where they are not compliant.
As a 1-man show I went through the same thing, still got the contract even though I had to formally attest to not having maybe 25% of those boxes ticked. The whole point is that it is recorded that you don't have MFA, or that you failed a pentest on these 5 items... or that you have a vendor who fails these specific 43 requirements.