There are some portions which are theatrical, but for the most part it is beneficial. I'd say that my company already had a large majority of the important things in place before getting SOC2, the process helped us close some gaps and organize the ongoing maintenance.
Certainly if the organization is not interested in security, they could fake their way through the certification with meaningless compliance and not actually achieve security.
But if your company does take security seriously, the certifications do help you get organized.
Sometimes it is just helpful when enforcing a good procedure across an organization to be able to tell a sales manager that they can't just email passwords around because we are SOC2, instead of trying to convince them from principle. It can elevate it above the level of company policy from which some people feel exempt. Now you can just threaten them that if they cause an exception on next year's SOC2 report it might scare away the big sale.