| I've done a mix of SOC2, ISO27001 and PCI L1 for 3 different startups. 2 of them b2b. All certified 100% and fully compliant. The problem with the current frameworks is that the "controls" are so asinine and auditors so hard headed, that getting certified becomes a matter of "checking the box" . Particularly most of those frameworks REQUIRE maintaining so much paper red tape that make a 10 person startup want to kill themselves. And in addition the costs are stupid high for startups that are just "starting up". On the flip side, how many large companies have we seen that have all the SOCs, ISOS and whatnot certifications, and they get pwn3d and their data stolen or exposed. It tells you that a place being certified doesn't guarantee shit. The reality is that large companies ask for certs as a CYA mechanism: the "security" department of LargeCo, asks for the compliance cert so that when shit hits the fan, they can say "not my fault, they told me they were compliant" The good thing is that with the new Bullshit generators (llm) this certifification/compliance process will collapse. |
With ISO27001 or SOC 2, I have more information about the other party's ability to manage those risks than just taking their word for it. I'm trusting a third party auditor to vouch for them.
Fraud undermines all kinds of relationships and yes LLMs make it worse. The last job we opened I got hundreds of perfect cover letters asserting the candidates met all of the criteria. Bah.
My perhaps naive hope is that a few of these companies involved will face criminal fraud charges and we will start to develop new reflexes as a society that just bc LLMs making lying very very easy, there are still consequences.