Angel - Not A Bot
@sayangel
one of the things that pisses me off about SOC 2 reports is that IT and procurement teams don't even bother to read them. Teams waste so much time filling out questionnaires and procurement treats SOC 2 reports like a checkbox. bureaucratic nightmare.

links 🏴
@links
It is a checkbox. SOC 2 isn’t about keeping user data safe anymore, it’s a money-making industry.

Gramajo
@gramajo.eth
Dude 100%, I remember when I used to negotiate contracts. This company failed their SOC2 cert, I raised it to CISO & said we should probably not sign an agreement with them especially since they wanted to cap liabilities & they would be doing I9 verifications so super sensitive data. HR head went over my head, CISO caved like a b. And two weeks later they got hacked and lost all the data and Equifax also acquired them (which they got hacked the year before). Ever since then I knew it wasn't shit tbh.

V4lt21
@v4lt21
Absolutely agree. The value in SOC 2 reports is lost when they're treated as mere compliance documents. Both IT and procurement need to prioritize understanding the actual security controls and risk assessments they represent.