>What is needed in the current SOC2 world that might solve some of the issues you outlined without getting rid of it, or the idea of it, entirely?
IMO, nothing. It's not redeemable at all. Since you asked though, here are some thoughts:
Be more like the FDA process, where software is extensively reviewed, rollback procedures are established, and you launch a specific version with compliance. So basically two releases, maybe 4 a year.
Disallow risk mitigation, because IMO that's the result of most of the problems. Oh yeah, we are doing "Terrible Security thing, but since fixing it is too expensive, here is a bunch of lies about how we have mitigated it."
There is also the option of making it a government audit with criminal liability for falsifying/misleading auditors. This third-party system where auditors are getting paid results in problems. I've seen plenty of audits where bosses write up auditor requests in extremely specific ways that creatively leave out things that should never be approved. I've also seen auditors be made aware of a problem, then people backtrack, and the auditors accept it because "They are also our customer and we need repeat business."