
If I do SOC2, then I have to spend a lot of money.

If I don't, then my customers will forgive me in a few weeks and life goes on.



If you're in B2B, plenty of larger companies will disqualify for not having SOC2/ISO27001.

Also, it can help get you out of repeat security assessment questionnaires, so it can actually give you time back, depending on how many of those you have to field.


This. You'll lose more money in lost clients than SOC2 will cost you. It is only really expensive the first time you do it - after that if you just follow your own procedures the annual audits are pretty easy. And yes, being able to just reply to those security questionnaires (do you have armed guards in your data center?) with "see SOC2 report" is gold.

Of course, if you are in an industry where clients don't ask for SOC2, don't do SOC2.


> If you're in B2B, plenty of larger companies will disqualify for not having SOC2/ISO27001.

And it's a good question whether you want such larger clients at all. At one of the previous places where I worked, we used to put deliberately bad answers (the worst that our public version of the security policy would allow, not the actual practices) in security forms in order to get rid of too-demanding clients.


> we used to put deliberately bad answers

That seems like quite a waste of time. Nobody forces you to take on a customer, so if you don't want them just say no and move on, instead of spending a lot of everyone's time to go through the motions hoping for the deal to break.


A lot of enterprise-scale companies won't even consider your SaaS if you don't have SOC/ISO, but many can certainly make it without those companies as customers.


If you're trying to be a vendor for a medium or larger company, SOC2 is usually one of the bright-line requirements.

... Which is not a good thing, because (as noted already in this thread) SOC2 doesn't actually make you secure. Nor does not having certification make you insecure. But, when used as a shorthand, it leads companies to engage in compliance theater to get certified, spending a bunch of money without actually making their data noticeably more secure.


Having policies, records, procedures and documents for everything might also make due diligence easier in case you want to sell the company at some point. Makes it look a bit less like a messy one man show too.


> If I don't, then my customers will forgive me in a few weeks and life goes on.

If you don't, you are missing out on a lot of customers who would have given you 10000x the one-time cost of SOC2.


For a lot of shops, yes. Don’t SOC2 if that’s you!



