
Compliance Isn't a Feature, It's a Posture

Blog post from Railway

Post Details
Company: Railway
Author: Angelo Saraceno
Word Count: 1,910
Summary

Angelo Saraceno discusses the limitations of relying solely on SOC 2 Type 2 attestations as indicators of a vendor's security posture, emphasizing that these certifications may not accurately reflect current operational practices. Saraceno, drawing from his experience at Citrix and Railway, argues that compliance has become commoditized, reducing its effectiveness as a measure of a vendor's security discipline. The text highlights the importance of evaluating a vendor's continuous monitoring, defensive defaults, incident response history, and engineer ownership to gauge their true security posture. It suggests that while the compliance industry may not change, buyers can adjust their evaluation criteria by asking more probing questions about a vendor's operational practices beyond the attestation, thereby distinguishing between vendors who genuinely prioritize security and those who merely fulfill checklist requirements.