Just to clarify, this is a bugbear of mine. It's nothing personal with you, but I've spent the last 6 years or so evangelizing the idea that people should minimize their SOC2s and not get pushed around by auditors or evidence collection platforms like Vanta, because that drives a lot of terrible security engineering, and the hypercompetent best-staffed security orgs in the industry all push their SOC2 auditors around.
replyCompliance and security are entirely different practices in a well-run firm. Security can inform compliance. Compliance should not inform security engineering.
If you search my name and "SOC2" in the search bar below, I've expanded on this quite a bit.
As just one data point here, let me say thank you for all your writing on it; it was super useful to have things to point at to say “we don’t have to just blindly do a thing the auditor suggested!” for our SOC2.
replytptacek just hates soc. its probably not personal.
replyWe got some value from it! I just think it's important to remember what it actually is, rather than axiomatically deriving what you think it should be.
reply