by bearjaws 1430 days ago
This has been my experience, enterprises are routinely one-upping their security requirements.

It used to be Shared Controls Audits, now it's SOC2 Type 2, tomorrow it will be HiTrust or combinations of SOC2 and ISO controls.

This has been getting more arduous every year for the last 10 years; I don't see it reversing anytime soon.

As a startup, you will be out of business by the time you meet their requirements, or could have landed other deals.

2 comments

Isn't this sort of necessary, given the miniature wave of ransomware/cybercrime that we've been going through? We've been saying that companies need to improve their security - isn't this it?

------------------------------------

This is somewhat tangential, but a really good "emotional transfer moment":

This is exactly how some people feel about government regulation - this emotion, right here - that it's arduous, stifles innovation, hurts startups trying to get off the ground with a shoestring budget, and just gets worse every year.

(Now, of course, the thing that those people need to understand is that some amount of regulation is necessary. But the thing that other people need to understand is that just because some amount of regulation is necessary doesn't mean that you can be loose with it and allow it to metastasize - law needs to be written with the same care and eye toward the future as code, and then, also like code, needs to be refactored to reduce "tech debt" and keep it sane. This, currently, does not happen, and virtually nobody advocates for it.)

(Ironically, we have way more leverage over what kinds of regulations the government puts in place than over the effective regulations like SOC2/HiTrust that are "enacted" on clients of larger companies. Not sure what to do about that one...)

I'm not saying it's a bad thing actually.

I think it's similar to running a bank: if you cannot protect the value (money), then you are not really a good bank. The problem is people have been pretending they are not a bank and trying to skirt protecting their customers for the better part of 20 years, especially in SaaS.

Reading about SOC2 compliance, as a solo founder it would be impossible for me to get SOC2 compliance because there is just one of me right? Every time I read the requirements it's always: this person for X, this person for Y, this person for Z, which makes it seem like if you don't have a full team working on a project, it's impossible to get SOC2 compliance because there aren't enough people.
Yes, it's not practical, and by design. In effect, this is simply acknowledging the reality that if they want to ensure a certain process, then someone has to bear the overhead of monitoring and control; so if a company wants to buy some sensitive service from a solo founder or a smallish company, then they have to take responsibility themselves, and they can delegate this duty to vendors only if the vendor actually has certified capability to do this high-overhead process.

It has some parallels to earlier initiatives like PCI DSS for payment cards, which effectively said "If you can't do this list of requirements, then you'll have to delegate the sensitive stuff to someone who can", ensuring that every mom&pop pizza shop doesn't have a full list of their customers' credit card numbers unencrypted on a publicly exposed database. It doesn't prevent all breaches, of course, but it did make them fewer.

It depends on the risk tolerance of your customer, but you would likely fail.

The reason being: What happens if you get struck by a bus? Your business dies overnight (or until the hosting bill doesn't get paid) and now your customers are screwed.

Many of the controls are about what happens when staff depart, both planned and unplanned. What is the power structure in the org? How do you prevent employees from damaging your business operations?

Resilience is important to any enterprise, and many audits now evaluate how hardened your business is.

Maybe a morbid startup idea of "I'll ensure business continuity if you die so you can pass SOC2" lol

This is, unfortunately, a legitimate reason not to make solo suppliers a part of your supply chain. Inability to implement things like mandatory vacations and separation of duties does mean only you need to be compromised to become a threat vector, and that is easier than compromising multiple people. It doesn't mean you can't run a solo business, but you should focus on selling to organizations that are not likely to become the target of a supply chain attack.
I wonder if you can hire a law firm or a consultancy to help with this. They would have people on staff who can be legally designated as your point-of-contact for a given role?