Othan, a day ago:
It's security theater. Friendly plug for Oneleet, who actually talked us out of getting it. We were considering getting certified, but it only really makes sense if your customers require you to have it.

Imustaskforhelp, a day ago:
Tangential to this, but do ISO certifications make sense, or are they security theater as well? Another question: as a consumer, is there any certification which can meaningfully show whether people/businesses take their security seriously, or are all such things security theater in that respect, and at some point we just have to trust the enterprise and look for other signals of security (for example, blog posts that show a deep dive into security come to mind)?

stackskipton, 18 hours ago:
Not really. As long as the current system remains, where auditors are also clients of the company being audited, the conflict of interest is too high. Also, not to mention that in many countries the cost of getting breached is nothing, so many companies are willing to just hope for the best and pay out in case of the worst.
|
|
truetraveller, a day ago:
What about enterprise customers / sales?

hobofan, a day ago:
For enterprise sales you can get a SOC 2 Type I faster than any enterprise sale goes through. Typically, most enterprises are okay if you show them proof that you are "in the process" of getting the certification by showing them that you have signed up with one of those platforms (Delve, Vanta, etc.), so you would be okay to start only when you are about to close one of those enterprise deals.

staticassertion, a day ago:
Yeah, we got a signed letter of engagement from our auditor, which was enough to unlock a customer without having to go through any sidestepping process.

truetraveller, 8 hours ago:
Great info, thanks!