Fun fact, these negative value garbage offerings are often “required” by box checking certifications like SOC2. Sure, if you have massive staffing to handle compliance you might be able to argue you’ve achieved the objective without this trash. The rest of us just shrug and do it.

Some of the “compliance managers as a service” push you in this direction as well.



Why do companies need these "box checking certifications"? I imagine the answer, as usual, is that either they or one of their customers is working with the government which requires this for its contractors. That's usually the answer whenever you find an idiotic practice that companies are mindlessly adopting.


Pretty much. We’re in the healthcare space and most of our customers are large hospital systems. Anything except “SOC2 compliant, no exceptions on report” will take an already long deal cycle (4-18 months) and double or triple it.

If you’re a startup it also means that your core people are now sitting in multiple cycles of IT review with their IT staff filling out spreadsheet after spreadsheet of “Do you encrypt data in transit?”



