> 80% of Compliance has always been a performative box checking exercise.
You're making the same mistake as most people do: it's 80% box checking but that doesn't make it performative, the box checking is here so that the dude who checked the box becomes legally responsible for what's happening if they haven't done what they said they did.
If you didn't check that box you could always claim you didn't know you weren't supposed to do what you did. As soon as you've checked “yes, I'm doing things in the approved way”, this excuse disappears.
Okay, so who are we supposed to go to for SOC 2 compliance now if any number of the compliance automation companies might be charging 5 figures to do it fraudulently?
They delivered the product that every company wanted - make the box checking faster.
In my experience it’s we know that they know that we know that they know …..
How did none of this come up during diligence? Feels like a prime example of too good to be true.
I would have expected this to be somewhere at the top right now given how deep the article digs and the evidence seems legit.