Product @Flock_Safety (ML + New Verticals). Built + sold @TalkHiring on @acquiredotcom. Formerly @techstars @xdotai @DukeU @GCSports. Lover of dumb comedies.
Ever heard of the career readiness industry?
It’s a rarely reported-on but active auxiliary industry spanning career coaching and development, edtech, and more valued at $45 billion.
@harrisosserman founded Talk Hiring (acquire'd) and shared how he found product-market fit:
A tale of two cities with and without Flock over the weekend in Texas:
"Austin had Flock and then turned it off. And as a consequence, they were not able to find these guys."
"These guys drove into some adjacent town up against Austin. And Flock was live in that town, and so Flock tagged them the minute they drove into that town, and then they caught the guys."
"It's crazy to have the ability to solve crimes and stop crimes and not be able to use it."
@pmarca with @joerogan
The Delve scandal is the perfect excuse for me to write my long-simmering rant about SOC-2 and InfoSec.
1. 90% of SOC-2 is security theater. We couldn't pass audit until we had completed an annual performance review (absurd requirement for a team of 4). It is mind-boggling to me that we collectively decided to adopt an accounting framework (and accounting firms) to validate infosec.
2. SOC-2 startups are (at least in part) culpable for this mess, thanks to Jevons paradox. It's now "easier" to get it, so getting the certification is table stakes for an enterprise contract.
"But Hari, startups can now sell to enterprise more easily" — nope.
3. I would argue that the approach for selling to enterprise was *better* prior to 2017:
— Enterprises were more open to doing pilots without SOC-2, because it was harder to do and not table stakes. This is, obviously, a more efficient way to transact and explore ad hoc relationships.
— You'd simply have to do actually useful things like pentesting, security questionnaires, etc. to show you were serious about security... which you have to do today anyway, because SOC-2 is a terrible proxy for real security.
And enterprises have gotten easier to sell into, because they realized they need to be more tech forward. Correlation, not causation.
SOC-2-as-table-stakes killed a more pragmatic, trust-based sales motion. All in all, the introduction of SOC-2 as an industry standard introduced *more* friction into the process, racked up *higher* costs for their customers, for ultimately the *same or worse* security outcomes. We would all be better off if we threw the standard in the trash, because then we might actually come up with something sensible.
4. Perhaps the Delve takedown was penned by a competitor, but — if the facts hold up — that doesn't make it any less valid. This is a wildly competitive space, and I've seen some truly nasty stuff happen, from an observer's seat. But people are using that to discredit the piece, even though the facts so far are pretty damning (regardless of the biases of the speaker).
5. All of the SOC-2 companies are roughly equivalent (no matter what they tell you), and you should optimize for a good service at a reasonable price and grit your teeth and get it done when you think you have enough PMF where enterprises might want it.
6. Don't even get me started on GDPR and CCPA. Cookie banners take quality-adjusted years off people's lives, just like cigarettes and the DMV. And just like SOC-2 is security theater, they are privacy theater.
7. Most importantly: getting dinged because you didn't pass security reviews has nothing to do with security. It means your buyer / champion didn't care enough to push it through. If you're sorely lacking, it might be an actual issue. You should (obviously) do the important stuff (vulnerability scans, pentests, 2FA, be careful with phishing), but after that...
Spend your time building something that buyers want to rip out of your hands. Your security problems will start disappearing.
@SeeBQ Be really liberal with your requests of the agent to write extensive unit, integration, and Selenium-style UI tests. That has worked well for me.
@bran_don_gell Cora = inbox is what will take this product to the next level. I really wanted that capability when I tried Cora. Switching between inbox and the Cora web app was a lot of friction.
Automatic License Plate Readers help keep San Diego one of the safest big cities in America. They’ve:
▪️ Aided 600 investigations
▪️ Recovered $5.8M in stolen property
▪️ Led to 420 arrests
▪️ Cut car thefts by 20%
https://t.co/htportHEKL
@joshk@firstround The initial product could be an AI observer that watches how you do your computer work, and with all of the context that that enables, gives you proactive/reactive help to get your work done.