Hacker News

I regularly see products with a SOC 2 certification but have never viewed a report. Some of the real-world security of these products is total dog shit.

Is it easy to BS your way through a SOC 2 certificate? Like, are the companies in my experience lying or gaming the system, or are the auditors incompetent?

If you're engaged with the vendor's sales team, ask to see the report. 99% of the content is useless. Most read like a poorly performing LLM even if the controls were written pre-LLM.

Why would a vendor get a SOC 2? Because their customers demanded it. Why did their customers demand it? Their customers demanded it.

99% of it is a useless make-work assessment demanded by equally incompetent customers' auditors, who demand it to justify their own existence.


Enh. I have no great love for most SOC 2 reports. They're seemingly endless and contain lots of blah blah blah and they're written defensively, so it's often hard to get actionable intel and insight out of them. But the System Description and the auditor exceptions are often helpful.

But forget the report for a moment. The work that goes into answering the questions and providing the evidence requires tidiness and systematic attention at a scale and duration that is unlikely without the SOC 2 (or ISO xxxxx or whatever) audit looming. That imposed journey is very much the reward.

YMMV, but as someone who's wrangled organizations through multiple years and scopes of SOC 2: You may not get a lot out of the final report, but the process is a tremendous forcing function for good practices that most organizations need.


Functions for as long as the auditor is looking in that project area's direction, in my experience.

Sure, it may raise the baseline, but only as much as a teacher telling off a bunch of middle school boys before walking away.


Yes.
