SOC2 compliance is a waste of time

I’m increasingly convinced that SOC2 compliance is a waste of time, popularized by Vanta to the detriment of the ecosystem. Founders spend upwards of $12,000 and a week of work to get compliant yet enterprises get essentially no protection. Somehow, enterprises have been persuaded that SOC2 is a good test for security. But pay up and pretty much anyone can get certified.

I should know. I’m a startup founder who paid up and ticked all the boxes - so we’re SOC2 Type 2 compliant.

How do you get SOC2 compliant?

SOC2 compliance begins with a big payment to Vanta, who are the only people benefiting from this process. For $6,000+ you get access to their SaaS platform. This will almost certainly be the most expensive software you buy as a Seed stage startup.

Then the box ticking exercise begins. You’ll get a set of generic policy templates you need to lightly modify - which feels a bit like copying someone’s homework. You get instructions to screenshot trivial security settings like 2FA, and some obscure requirements like an anonymous whistleblower form. But don’t worry if you don’t want to do any of these: you can mark these requirements as obsolete and still become compliant.

Then you make another big payment, this time to an auditor. For a staggering $6,000 someone will open Vanta and confirm you’ve ticked all the boxes. 

And just like that - you’re SOC2 compliant. 

Why is this a waste of time?

SOC2 includes few technical protections for customer data. It’s a box ticking exercise with a bunch of vague documents that many SOC2 compliant founders haven’t read. Vendors still have complete control of any shared data, and they can still do what they like with it. If the vendor is compromised, the data is probably toast.

I increasingly think that startups should save themselves the distraction, and instead invest in real security best practices rather than SOC2 security theatre. Enterprises should run their own security checks rather than blindly trusting SOC2, and self-host products that deal with sensitive data.