Waiting that 12 months to really demonstrate you have a working security program with efficient controls really pays off. It's something I look for when doing vendor reviews and I assume others do the same.
For the first SOC2, I don't hold this against a startup (I appreciate they are going through the effort this early). Would want to see it become 6-month/1-year as the program matures. A vendor like this is low risk (aggregator of "public" information, limited data sharing, etc).
I have all sorts of issues with Vanta/Drata "compliance as a service" tools, but adequate for something like this, at this point in time.
Tbf, I’ve found it’s a good sign when an org goes through this pain early on - less chance for tech debt to pile up.
Most of my employment has been in the security auditing/testing space, and the difference between “bolting it on later” and “building it in from the start” is incredible from both a purely technical and a process standpoint.
technick|1 year ago
jronald|1 year ago
fullspectrumdev|1 year ago
Bisen|1 year ago