
Christina, Vanta founder here.

Very much agree with you about SOC 2 == obvious best practices if done reasonably!

That’s one of the “secrets” of SOC 2: if you speak some compliance, you can make most of the SOC 2 work for you, implementing best practices, getting the rest of the org to prioritize them, etc. (This is what we like about SOC 2 at Vanta: it can turn meaningful, difficult-to-measure security work into high-pri sales collateral.)

If you don’t speak compliance and have a SOC 2 consultant who doesn’t speak engineering, you’re more likely to end up with absurd arguments and bookkeeping (“but you have to use a WAF, there’s just no other way!” etc.).
