Posted by freddykruger 1 day ago
Forbes 30 under 30 remains undefeated
AWS is probably the best actual CaaS vendor out there. They have a product offering expressly designed to help their customers get through this jungle:
https://docs.aws.amazon.com/artifact/latest/ug/what-is-aws-a...
You are still responsible for everything on top of what AWS provides (software/configuration/policy), but their compliance package handles a massive portion of what you would otherwise have to do if you were on-prem. Physical security, hardware management, disaster recovery, et. al., you get essentially "for free".
You build something great and big corporation X wants to buy a subscription but you need to be certified.
Much of this is a good checklist but some of it is very european.
"Where is the risk register to track controls in your 7 person company?"
Now instead of doing what your team does best, you are doing paperwork theater for frameworks designed for a 100,000 employee enterprise.
You are documenting things nobody will read, making up processes that don't exist and translating the operations of a lean company into bureaucratic language.
What's needed is a variant of these standards for small teams, which is proportionate and pragmatic.
In scenarios where the company REALLY REALLY wants to buy the SaaS, they often will invest in the company, one of the reasons for which being to ensure they have the resources to go through all the red tape.
CIS Benchmarks are worth a look too: They’re best practices for securing typical cloud platforms, SaaS and OS.
We've be able to use a lot of AI-assisted engineering and AI in the software to solve longstanding business challenges in this space.
I won't make assumptions about where you're located, but on the East Coast US it is big business among banks, utilities, healthcare, etc.
intermediaries like delve have only amplified this failure.
it was obvious to anyone who was involved in this industry that, all of this is just security theatre with nothing really to back it up.
We were actually looking at it as well recently (we're using Drata). I was thinking "Cool, this looks like the next cool step forward". The claims didn't sound out of the world in my ears.
Every time an issue like this appears I wonder how many more undiscovered frauds are out there.
I would have expected this to be somewhere at the top right now given how deep the article digs and evidence seems legit.
Regardless, it's been an ongoing issue. I know a few involved companies — it takes basically 5 days to get a SOC 2 Type 2 report through Delve. And, of course, they market this way too: "SOC 2 in days". Unbelievable.
(1) I had no idea this story existed and woke up to claims that I was obviously* suppressing it.
(2) I looked into it and found that no moderator had touched either of the two submissions of the story, but that both submissions had set off HN's voting ring detector. (Whether there was a voting ring or not, I don't know - that software isn't perfect. It has held up well over the years though.)
(3) We merged the two discussions and placed the merged thread on the front page.
(4) Why? Because we moderate HN less, not more, when YC or a YC startup is part of a story: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu.... This is literally the #1 principle of moderation in the sense that it was the very first thing that pg drilled into me: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que....
Thus providing compliance is really just paying someone to shift responsibility.
The regulator can ask whether you are compliant. You can present certificate from Delve or someone else and that's the end of it.
I am a founder, and my ambition includes meeting the highest possible standards for my customers.
Some things just have to be done.
Wellll this is not always the case. I have moved from a shithole country to a nice one and oh boy I am crying in gratitude every month that I pay taxes. Because it is every day that I can see my money working for me in the environment.
But your point stands.
The same applies to all the audit and bureaucracy stuff. Does it do something? If you don't feel it does, does it mean it's not? I don't know really, but I hope somebody is rotating their key material as they provided in their security posture.
I love bringing Switzerland up to annoy most of western/northern Europeans since their success is so obvious and undeniable while going in very different direction than most of Europe. Low to low-medium taxes, yet state budgets are frequently in positive numbers, there is no end to money spend on infra projects, train infra, but also rather strong social programs (just not ridiculously bad as mentioned above), top notch free healthcare and education. VAT taxes are 2-8% instead of 20-23% in all countries around. Country simply works(TM) because population is not hard comfort-zone-addicted and entitled bunch of spoiled whiny kids, they work relatively hard and it brings results, consistently and long term. They don't work more than americans nor asians, but thats enough for their prosperity.
Do you think lets say a heavy tax burden in say Italy, or even France (not even going more into southern or eastern EU since that would be a small book) is really used well and efficiently? I visit those places frequently and it certainly doesn't seem that way. Random examples - Italy has garbage everywhere, people drive to highway stops to drop it there (so the wind blows it all around). Infrastructure seems like from 80s, with added age. From people dealing with bureaucracy there - its stuck in 19th century, direct approach will get you often nowhere. France - most communist state in western Europe, heck in all Europe, sans Belarus maybe. Yet if you talk to people, they are constantly pissed off at government, never happy with society or state they live in. I don't blame them, listening to French colleagues complain is often rather sad experience. Not something you read in travel guides, do you.
Somehow I doubt that you are in the B2B/Enterprise space. When you're pitching demos and you hear from people "we really wish we could buy your product but we can't because Finance won't approve the expenditure unless you get XYZ-123", and you hear that over and over again because that is the real-world industry that you live in, then you better believe that there are founders who wake up in the morning wishing that.
You clearly have no understanding of what compliance does. Compliance does not "shift responsibility". Compliance is you demonstrating to your customers that you give enough of a shit that you're willing to pay the table stakes to sit at the table. You can complain that the game has table stakes, but all worthwhile games have them.
That said, this should be used sparingly; as it embeds a behavior deep. If that behavior later no longer makes sense it can be extremely costly to change it later.
At some point I was asked to look over the documents for the compliance definition and it was really hilarious. I had to give my engineering perspective on which aspects of the requirements we were and weren't meeting.
But they were stuff like "you must have logs". "You must authenticate users". "You must log failed authentication attempts".
Did we fulfill these requirements? It's a meaningless question. Unless you were literally running an open door telnet service or something you could interpret the questions so as to support any answer you wanted to give.
So I just had to be like "do you want me to say yes?" and they did, so I said yes. Nothing productive was ever achieved during that engagement.
Companies do want to be secure. They try, and they often fail because it's hard.
They hire auditors to find problems and to shift blame. But since they only have 30 days to fix the problems that are found, it's going to see a lot like they only care about shifting the blame. Because at that point, they only care about passing that audit.
Right after that, though, they start caring about security again.
How do I know? 19 years experience going through those audits on the company side. For 11 months of the year, it was clear the boss cared about security. For that 1 month during the 'free retest' period, they only cared about passing that audit.
Then do not pass the responsibility. But here's the trick: the regulator would like to see an audit done by a firm and purchasing audit services is exactly that: passing responsibility. So legally you can't be compliant unless you passed responsibility.
I'm sorry, but... $6,000 / 200 == $30 / hour? Just assuming the value of the actual certifications is $zero?
Wouldn't that raise some serious red flags?