
I’ve been an Amazon customer since the late 90s, back when books were all they sold.
Over the years, I have ordered hundreds — maybe thousands — of items from them.
At this point, and thanks to their proven ability to deliver all kinds of products in what often feels like impossibly short timeframes, my expectations for the company are very high.
So, when I ordered my usual New England Patriots hat (the one with a Velcro strap in the back to accommodate my larger-than-average size head), I expected nothing less than to receive the product a few days later.
Sure enough, the package arrived as promised.
But… instead of a New England Patriots hat, inside was an Atlanta Braves hat. Wrong town. Wrong team. Wrong sport.
Hmm. I checked online. Yep, I had ordered the right thing.
So I initiated a return and ordered another New England Patriots hat.
But a few days later, it happened again — Atlanta Braves!
Again, I checked. Again, I had ordered the right thing.
The problem, I’m guessing — and ruling out the unlikely possibility that the Atlanta Braves organization has secretly purchased Amazon and is sending everyone their team’s hats — is that something is miscategorized over at the Amazon warehouse.
The packing robot thinks it’s picking a Patriots hat, but instead, the bin is filled with Braves hats.
Does this mean quality control has slipped at Amazon overall? Maybe.
After all, over time, quality tends to fade across all sorts of products, services, and companies. What was once a great solution is now mediocre or worse.
In the cybersecurity world, Exhibit A in this regard is SOC 2 attestations. Nothing has slipped faster or further than the quality of these independent auditor reports, which are meant to give customers assurance about the controls a company has in place to protect the data and systems it handles on their behalf.
What’s Going On With SOC 2 Attestations?
I’ve spent a lot of time over the past year speaking to CISOs, auditors, and other GRC pros. Everyone can feel a change in the air — a bad change.
More and more, cheap auditors are coming on the scene promising SOC 2 success. Often, they are promoted through a company’s own GRC software. The pitch is easy: who wouldn’t want to save 60% (or more) on an annual audit fee?
But they are not doing quality work. The SOC 2 reports are generic, often filled with copy-pasted material, and provide nothing of value to partners and customers.
Rather than inspiring confidence and trust in the cybersecurity programs they supposedly attest to, they do exactly the opposite. We are already hearing stories of major companies refusing SOC 2 reports from their vendors if these come from known disreputable auditors.
At what point will companies stop taking SOC 2 reports altogether?
SOC 2 Is Entirely Market-Driven
It’s not a legal framework.
SOC 2 has emerged as an incredibly valuable tool for one reason: it’s trusted. But that trust only holds if the reports are complete, thorough, and accurate.
When you hire an auditor to deliver a SOC 2 attestation, they act as an intermediary between you and your clients.
That stamp of approval, renewed once a year, spares each client from having to put you through its own full cybersecurity review. That’s good for them and good for you.
The AICPA (American Institute of Certified Public Accountants) is the group that created and owns the SOC 2 framework; it sets the standards for how the examinations must be performed, and only a licensed CPA firm can issue a SOC 2 report. That makes sense, since CPAs have existing, trusted relationships and are already in the attestation business.
But if the AICPA doesn’t start policing this and taking corrective action, SOC 2 could be market-driven out of relevancy.