Delve – Fake Compliance as a Service
https://deepdelver.substack.com/p/delve-fake-compliance-as-a-service
80% of Compliance has always been a performative box checking exercise.
They delivered the product that every company wanted - make the box checking faster.
Pay to play and keep selling. Understand the liabilities and cover your ass, address the biggest risks.
The point of SOC 2 is really to demonstrate that you have controls. The other fake compliance areas are scarier for sure. You used to see really blatant issues — I recall early SaaS companies pitching to my enterprise with sales engineers showing me customer data.
Microsoft refused to provide diagrams to the Feds detailing how Azure works. They got the FedRAMP High stamp anyway, because they had already sold it to half the Fed. That’s more real… a situation where a Chinese hacker could compromise data in a dedicated “government cloud” by compromising a certificate in an on-prem dev environment should be impossible… yet it happened.