egorfine 4 hours ago

Compliance is something that no one ever wants and everybody hates. Not a single founder wakes up in the morning thinking to themselves: "oh I wish I could make my company XYZ-123 compliant!"

Thus providing compliance is really just paying someone to shift responsibility.

The regulator can ask whether you are compliant. You can present a certificate from Delve or someone else and that's the end of it.

bedatadriven 4 hours ago

I don't want to work wherever you do your thing. Software as a service means you provide a service, and you should take your responsibility to protect your customers' data super seriously. Compliance frameworks are one useful tool among many to support this effort. It helps us identify gaps, identify risks, make improvements. It also gives us a way to communicate what we do to our partners. The behavior described in the medium post is fraud, pure and simple.

I am a founder, and my ambition includes meeting the highest possible standards for my customers.

xtracto 3 hours ago

I've done a mix of SOC2, ISO27001 and PCI L1 for 3 different startups. 2 of them b2b. All certified 100% and fully compliant.

The problem with the current frameworks is that the "controls" are so asinine and auditors so hard-headed that getting certified becomes a matter of "checking the box".

Particularly, most of those frameworks REQUIRE maintaining so much paper red tape that it makes a 10-person startup want to kill themselves. And in addition the costs are stupid high for startups that are just "starting up".

On the flip side, how many large companies have we seen that have all the SOCs, ISOs and whatnot certifications, and they get pwn3d and their data stolen or exposed?

It tells you that a place being certified doesn't guarantee shit.

The reality is that large companies ask for certs as a CYA mechanism: the "security" department of LargeCo asks for the compliance cert so that when shit hits the fan, they can say "not my fault, they told me they were compliant".

The good thing is that with the new Bullshit generators (LLMs) this certification/compliance process will collapse.

Muromec 4 hours ago

Not a single person wakes up in the morning thinking they wish to pay taxes and rent and do the laundry and the other stuff that has to be done. It would be nice to smoke weed and play video games all day and order the deliveries.

Some things just have to be done.

egorfine 4 hours ago

> thinking they wish to pay taxes

Wellll this is not always the case. I have moved from a shithole country to a nice one and oh boy I am crying in gratitude every month that I pay taxes. Because it is every day that I can see my money working for me in the environment.

But your point stands.

Muromec 4 hours ago

As a person who moved to a high-tax country I understand the sentiment. It's usually lost on the people who were always there paying those taxes. Somehow it often doesn't click that they get something in return.

The same applies to all the audit and bureaucracy stuff. Does it do something? If you don't feel it does, does it mean it's not? I don't know really, but I hope somebody is rotating their key material as they provided in their security posture.

kakacik 4 hours ago

There is well-used tax money, then there is tax money stupidly burned on, i.e., buying favors of some part of the population before elections, blindly financing social security programs without any checks that get abused to no end, or simply plain old corruption.

I love bringing Switzerland up to annoy most western/northern Europeans since their success is so obvious and undeniable while going in a very different direction than most of Europe. Low to low-medium taxes, yet state budgets are frequently in positive numbers, there is no end to money spent on infra projects, train infra, but also rather strong social programs (just not ridiculously bad as mentioned above), top notch free healthcare and education. VAT taxes are 2-8% instead of 20-23% in all countries around. Country simply works(TM) because the population is not a hard comfort-zone-addicted and entitled bunch of spoiled whiny kids; they work relatively hard and it brings results, consistently and long term. They don't work more than Americans or Asians, but that's enough for their prosperity.

Do you think, let's say, a heavy tax burden in say Italy, or even France (not even going more into southern or eastern EU since that would be a small book) is really used well and efficiently? I visit those places frequently and it certainly doesn't seem that way. Random examples - Italy has garbage everywhere, people drive to highway stops to drop it there (so the wind blows it all around). Infrastructure seems like it's from the 80s, with added age. From people dealing with bureaucracy there - it's stuck in the 19th century, a direct approach will often get you nowhere. France - most communist state in western Europe, heck in all Europe, sans Belarus maybe. Yet if you talk to people, they are constantly pissed off at the government, never happy with the society or state they live in. I don't blame them, listening to French colleagues complain is often a rather sad experience. Not something you read in travel guides, do you.

Muromec 2 hours ago

>Low to low-medium taxes, yet state budgets are frequently in positive numbers

>because population is not hard comfort-zone-addicted and entitled bunch of spoiled whiny kids

I'm not sure why I would need lower taxes in exchange for more work. This somehow feels like a scam.

hermanzegerman 2 hours ago

Well, let's see how well that Swiss model would work as a big normal state, and not as a small tax haven, smaller than the state of Baden-Württemberg, living off the surrounding states (siphoning up wealthy people who got rich in those countries, and also their academics, whose education they didn't have to pay for).

KPGv2 3 hours ago

It doesn't hurt that Swiss immigration is very difficult to get through, and they have all that Holocaust money no Nazi or dead Jewish victim is ever going to come claim.

Duhck 4 hours ago

When I worked in cybersecurity I had a similar realization. No one cared about security posture. They cared about insurance policies. People hired us to shift blame instead of improving security posture. This is not terribly different.

leeter 4 hours ago

This is why I've said for years: If you want to drive best practices and policy with companies you can only do it with liability. Particularly non-insurable and non-tax deductible liability. If a company can't offload civil or criminal penalties to their insurance company and take the tax write down, they suddenly start caring about it.

That said, this should be used sparingly, as it embeds a behavior deeply. If that behavior later no longer makes sense it can be extremely costly to change.

robocat 2 hours ago

> Particularly non-insurable and non-tax deductible liability

Too often liabilities exceed assets, or the liabilities are externalised.

Liability doesn't work as an incentive for many risks. For uncommon but extreme risks, it can be better to roll the dice on company failure than regularly pay low amounts for mitigation.

It is especially effective to ignore liabilities when a company has poor profitability anyway.

And then you see major companies sidestep the costs of their liabilities (plenty of examples after security failures, but also companies like Johnson&Johnson).

bjackman 4 hours ago

One of my FAANG security projects incidentally helped with some compliance efforts (I made very sure it was incidental, constantly said things like "I am thrilled that I can help you guys achieve your goals but I wanna be clear that I don't give a shit about compliance and I won't be allowing it to influence the direction of my product" in meetings, it must have been extremely annoying to work with me).

At some point I was asked to look over the documents for the compliance definition and it was really hilarious. I had to give my engineering perspective on which aspects of the requirements we were and weren't meeting.

But they were stuff like "you must have logs". "You must authenticate users". "You must log failed authentication attempts".

Did we fulfill these requirements? It's a meaningless question. Unless you were literally running an open door telnet service or something you could interpret the questions so as to support any answer you wanted to give.

So I just had to be like "do you want me to say yes?" and they did, so I said yes. Nothing productive was ever achieved during that engagement.

wccrawford 4 hours ago

I think it's subtly different than that.

Companies do want to be secure. They try, and they often fail because it's hard.

They hire auditors to find problems and to shift blame. But since they only have 30 days to fix the problems that are found, it's going to seem a lot like they only care about shifting the blame. Because at that point, they only care about passing that audit.

Right after that, though, they start caring about security again.

How do I know? 19 years experience going through those audits on the company side. For 11 months of the year, it was clear the boss cared about security. For that 1 month during the 'free retest' period, they only cared about passing that audit.

solatic 3 hours ago

> Not a single founder wakes up in the morning thinking to themselves: "oh I wish I could make my company XYZ-123 compliant!"

Somehow I doubt that you are in the B2B/Enterprise space. When you're pitching demos and you hear from people "we really wish we could buy your product but we can't because Finance won't approve the expenditure unless you get XYZ-123", and you hear that over and over again because that is the real-world industry that you live in, then you better believe that there are founders who wake up in the morning wishing that.

You clearly have no understanding of what compliance does. Compliance does not "shift responsibility". Compliance is you demonstrating to your customers that you give enough of a shit that you're willing to pay the table stakes to sit at the table. You can complain that the game has table stakes, but all worthwhile games have them.

kobieps 3 hours ago

This.

tfrancisl 4 hours ago

Maybe no one wakes up wanting to deal with compliance, but if you found a company that has legal or moral obligations to be compliant with these standards, you sure have signed yourself up for it. Passing the responsibility off to some other company is, quite simply, irresponsible.

egorfine 4 hours ago

> Passing the responsibility off to some other company is, quite simply, irresponsible.

Then do not pass the responsibility. But here's the trick: the regulator would like to see an audit done by a firm and purchasing audit services is exactly that: passing responsibility. So legally you can't be compliant unless you passed responsibility.

tfrancisl 4 hours ago

These compliance companies are not primarily tasked with auditing, as this article makes very clear. Delve is in control of the auditing process in a way that is inappropriate and unusual for this industry. The work that the company with these obligations should be doing themselves is generating the Section 3 description and the controls. The auditor then independently verifies their compliance with the controls. That's a clear delineation of responsibility, IMO.

egorfine 4 hours ago

Problem is, compliance is often detrimental to the cause. You want to encrypt users' data at rest? Illegal. You must store users' data in a way prescribed by the law, and it is extremely cumbersome, outdated and insecure.