Willfully paying for a service that offers SOC 2 reports at 1/5th the usual rate and delivers them in days instead of months and deluding themselves (and others) that it's a proper audit.

Taking cookie cutter policies/controls jamming it into your org without any awareness whatsoever. Acting surprised when employees complain about draconian rules and the audit process is a pain because you wanted to take the shortcut.

Why can't people just do it the proper way the first time? Pay for a reputable auditing firm, write your own policies and implement controls that map to the actual organization, do a gap assessment with the auditing firm so that both parties is aligned on expectations, and spend the necessary time to undergo the audit. Getting it should be a milestone if you actually take it seriously and have a modicum of professionalism.

In my eyes, audits should be a trust exercise. You trust that your organization is organized in a way that meets standards (by doing the work) and the auditors trust that you aren't faking your evidence. As someone who has to regularly vet countless new software purchases, SOC 2 actually serves a role. Does anyone have a better idea of getting third party validation of how another company operates? Like sending them tons of questionnaires is the solution?

All this just breaks that trust by facilitating certification mills. Another example of fraud stemming from a country that churns out fake degrees, fake papers, fake conferences, and fake references.

As for the pre-filled stuff, that's what other SOC 2 companies mean when they try to sell you "compliance in a box." Not that bad if the company is starting from scratch (<1 year), but not realistic for a company that has an existing IT footprint.

However, the allegations here is that it is fraud. An "AI" company acting as a front for certification mills.

From Sid Meier's Alpha Centauri

I'm not a labor economist and know nothing about job reports. A quick read into the technical notes mentions that there are two separate surveys and the 528k number comes from the second establishment numbers (https://www.bls.gov/news.release/empsit.b.htm).

I think at the end of the day, SOC 2 aims to instill a basic level of organizational security so the company doesn't shoot itself in the foot. If a company can't genuinely follow a basic set of SOC 2 controls, can I trust them to do actual security?

Also, badly written checklists might be bad, but not all checklist are bad. Pilots use them. Doctors use them. Mechanics use them. In fact, most fields that involve critical life or death operations use them. Why? Because humans have a limited memory and tends to miss critical tasks all the time.

I don't understand why taking the time to do SOC 2 right will take time away from the "real problems." Perhaps things like asset/vendor management, access control, and maintaining an efficient security organization aren't real problems for any organization. I'm reminded of that Futurama quote "When you do things right, people won’t be sure you’ve done anything at all." Unfortunately, just as you've encountered companies that lie on their SOC 2, I've encountered companies that have strong security engineering practices, but fails at basic organization security.

You can pass a driving test and get a driving license, but you can still drive 90 miles on the freeway and run red lights. Is it the fault of the DMV? The fault of the person who administered the driving test? Well, since people are getting away with bad things, why don't we remove the driving test and abolish the DMV.

Also, who is intentionally letting your employees store password in plaintext?

Perhaps consider the phrase "Don't let perfect be the enemy of good". Okta had a shitty breach, but does that mean dropping SSO completely? What better alternatives are out there?

If you believe in "easy answers", then you are buying to the marketing and sales pitch. There is actual meaningful work being done by many that isn't easy and isn't appreciated.