by mushufasa 794 days ago
> Like many businesses, my org requires some paperwork ("telecom approval") in order to buy computing hardware, which is basically a short questionnaire that I assume to check off some "we're not actively trying to backdoor you" boxes. I've had vendors get this turned around in <24 hours. Framework, however, has not been able to do this.

I'm not in this industry but do sell into regulated industries with vendor diligence practices.

I would check your assumption that it's just "checking off some boxes" -- often questionnaires can be hundreds of pages long, and require you to sometimes get esoteric certifications or attestations. The questions are often very sophisticated, meaning that not just anyone can fill them out. Big companies have dedicated roles for this type of thing (a lot of a CISO's job at an SME is filling out these papers) where the person is specialized in filling out these papers. Also, there is a knack to these types of forms -- you have to be able to hold two opposing ideas in your mind to do this effectively: A) this is important to do quickly and well to enable us to make sales to this company, and B) this paperwork is bullshit and you should focus on checking the boxes versus worrying about, e.g., truly enforcing a floppy disk security policy at your firm (yes, most of these questionnaires get added to over the years and never pared down, so you often have to answer questions about comically obsolete or irrelevant technologies). There's a big catch because often someone skilled enough to answer these questions would be better served actually doing things, e.g. writing code, and the people who can fill out these questions but are not skilled enough to do the actual things are a weird middle ground of mediocre that is hard to find.

Really big companies often solve this by just paying overskilled people to do this for a few years, which is expensive and soul-destroying for the skilled person (I had a CTO quit in large part because of having to do paperwork). And after a vendor is already established with a company, the requirements for updating it year over year are really light, so it's actually not as hard for established companies to maintain versus new vendors.


> There's a big catch because often someone skilled enough to answer these questions would be better served actually doing things, e.g. writing code, and the people who can fill out these questions but not skilled enough to do the actual things are a weird middle-ground of mediocre that is hard to find. Really big companies often solve this by just paying overskilled people to do this for a few years, which is expensive and soul-destroying for the skilled person.

This is a really insightful comment; how do companies get around this issue (apart from paying overskilled people until they burn out)?

I do a lot of these myself (technical founder, willing to do dirty work), but there comes a point where it's not a good use of my time for all but the biggest opportunities, because these things are so time-intensive and I need to wear many hats. In fact, I wouldn't be surprised if that's what's going on at Framework now.

I would love to hear if anyone has different suggestions. For reference, we already employ outsourced CISO/cyber vendors (think of Vanta, StrikeGraph) but, while they can help draft responses to these things, they can't do the last mile of certifying and submitting on your behalf, so in practice we still need some skilled internal resources to accomplish these.