Hacker News

Why do companies need these "box checking certifications"? I imagine the answer, as usual, is that either they or one of their customers is working with the government which requires this for its contractors. That's usually the answer whenever you find an idiotic practice that companies are mindlessly adopting.


Pretty much. We’re in the healthcare space and most of our customers are large hospital systems. Anything except “SOC2 compliant, no exceptions on report” will take an already long deal cycle (4-18 months) and double or triple it.

If you’re a startup it also means that your core people are now sitting in multiple cycles of IT review with their IT staff filling out spreadsheet after spreadsheet of “Do you encrypt data in transit?”



