freddykrugerMar 19

Delve – Fake Compliance as a Service

https://deepdelver.substack.com/p/delve-fake-compliance-as-a-service

Delve - Fake Compliance as a Service - Part I

How Delve managed to falsely convince hundreds of customers they were compliant and then lied about it when exposed and called out

DeepDelver
Show threadaiisahikMar 20

80% of Compliance has always been a performative box checking exercise.

They delivered the product that every company wanted - make the box checking faster.

Show threadmizzao
Okay, so who are we supposed to go to for SOC 2 compliance now if any number of the compliance automation companies might be charging 5 figures to do it fradulently?
Mar 20 at 11:15pmWeb
Show threadnerdsniperMar 21
If you want to do it right, hire a CPA who takes it seriously and spend the time to complete it in-house and fully understand it. Then engage one of the big 4 to sign off on it. The big 4 don’t offer much for SOC2 above what Delve does, it’s all smoke and mirrors unless you personally take it seriously.
Show threadSpooky23Mar 21

Pay to play and keep selling. Understand the liabilities and cover your ass, address the biggest risks.

The point of SOC2 is really demonstrate that you have controls. The other fake compliance areas are scarier for sure. You used to see really blatant issues — I recall early SaaS companies pitching to my enterprise with sales engineers showing me customer data.

Microsoft refused to provide diagrams to the Feds detailing how Azure works. They got the FedRAMP High stamp anyway, because they already sold it to half the Fed. That’s more real… as a situation where a Chinese hacker could compromise data in a dedicated “government cloud” by compromising a certificate in an onprem dev environment should be impossible… yet it happened.

Show threadsubscribedMar 21
Big four have been caught approving fraudulent accounts too, so why not SOC? :)
Show threadthraxilMar 21
Last time I went through SOC 2 we talked to our auditor about this. His view was that there are and basically always have been auditors/companies that will sign off on anything without verifying it if you're paying them. The rest of the industry knows who they are though. If you are taking things seriously and hire an auditor who does, that's one of the things that they look at when you're reviewing the reports from the services/subprocessors that you use. Ie, you can get a SOC 2 that doesn't mean anything but then any of your customers who know/care will flag it and it won't be worth anything.
Show threadjjmarrMar 21

From the article, OP dealt with this.

> But what do you do when the enterprise you are selling to asks you to show that pen-test report (which you never did despite paying for it, because Delve told you a pentest-tools.com vulnerability scan sufficed)? When they ask for your most recent risk assessment, do you just screenshot Delve’s pre-fabricated assessment and pray nobody will pay attention?

> It was that point where the realization sank in. We knew we messed up. We were unable to answer most questions honestly without jeopardizing the deals we were trying to land. We scrambled to get things done the proper way outside of Delve, in an effort to pretend to know what we were doing, but it ended up simply being too much work to get done quickly enough to save things.