Ferry Haris

7.3K posts


@FeHa

An introvert founder. Bootstrapping cybersecurity and privacy compliance products: https://t.co/4HXsQ55IPd https://t.co/44vLO1envT https://t.co/IwCFusfDby https://t.co/4MxTqFXoMH

Remote · Joined September 2007
214 Following · 840 Followers
Ferry Haris
Ferry Haris@FeHa·
@Seanfrank Nice. Same here. Working on something I love would feel bitter if someone else not aligned with my values meddled around and ruined the spirit.
English
0
0
0
33
Sean Frank
Sean Frank@Seanfrank·
We own all of Ridge. Me + 5 guys. At any point, we can cash out and sell for life changing money. There is ALWAYS a market for EBITDA positive, growing brands. Not having investors means the deal is clean: no preference, no board member vetoes. I keep running Ridge because it is fun and I like it. Build a business YOU LIKE to run. Not one you are trapped in. This is the number one reason to not raise money.
English
72
14
858
91.8K
Ferry Haris
Ferry Haris@FeHa·
@aashay2035 @jrmandell So if your customers send you an Excel file, you'll still return a PDF? How about if they ask you to fill in a third party platform?
English
0
0
0
6
aashay2035
aashay2035@aashay2035·
@FeHa @jrmandell I made a folder with all our client questions and docs, feed them into a local model, and upload the PDF. It gives me at least 75% of a valuable draft, and removes 90% of the thinking. My favorite question: what Windows security antivirus do you use? Linux.
English
1
0
0
20
jrmandell
jrmandell@jrmandell·
I review about 300 SOC 2 reports per year across all different size orgs (Google, Ramp, Netsuite, Workday, 5 person startups) and I've gotten a SOC 2 myself. And here's what everyone is missing: In the case of Delve, their customers are not the ones getting screwed. In fact, it's closer to the opposite. The customers are in on the racket. They want the easy way through the SOC 2 audit. They don't want a serious auditor and they don't want to do any work. These are the type of startups that for the most part are not selling to large customers. They are selling to other startups that just need to check the box with any piece of paper that is stamped SOC 2, because the security teams at large enterprises won't take these reports seriously. And I suspect this is big news for the same reason people slow down to see a car crash on the highway. In general, we're fascinated by big heavily funded startups that have dramatic crash outs.
English
22
26
458
37.6K
Ferry Haris
Ferry Haris@FeHa·
You're not wrong, but it also shows the issue with the auditors. They have a mandate to make sure that the control statements meet the control objectives. If a company excludes something that impairs the objectives, then they should raise the issue and make it a note in the auditor's opinion section.
English
0
0
0
7
Billy Gigurtsis
Billy Gigurtsis@bgigurtsis·
@FeHa @jrmandell Yeah that's fair. Obviously it's only as good as the auditor. My main point was that SOC 2 sucks. Although at least ISO 27001 is prescriptive rather than "define what you want and we don't really care why you're excluding something".
English
1
0
0
8
Ferry Haris
Ferry Haris@FeHa·
When things are done properly, actually we cannot say ISO 27001 is more superior than SOC 2. It all comes down to the persons. I'm even now working on fixing some issues affecting a client who got an ISO 27001 cert, but actually it was such a sloppy job that the customer asked to redo the whole audit process. Now they are looking at us to perform the internal audit, and we can only laugh at the evidence prepared for the initial audit.
English
1
0
0
7
Billy Gigurtsis
Billy Gigurtsis@bgigurtsis·
@jrmandell I take the accelerationist view here: none of this matters because SOC 2 is garbage and hopefully this means more people recognise that. ISO 27001 superiority.
English
2
0
5
1K
Ferry Haris
Ferry Haris@FeHa·
Actually that's not completely correct when things are done properly. Auditors have a mandate to prove that the process works. Any auditors who follow the same school know that there are 2 types of tests they need to perform: Test of Design, Test of Implementation and Test of Effectiveness.
English
0
0
1
10
Jennifer Aun
Jennifer Aun@JenniferAun·
Cybersecurity compliance is a marketing wrapper. Always has been. SOC 2. ISO 27001. FedRAMP. All of it. You're paying for documentation that a process exists. Not proof that the process works.
English
1
0
0
27
Ferry Haris
Ferry Haris@FeHa·
Let's get back to the supposedly relaxing weekend… Java coffee to really start the day.
English
0
0
0
37
Ferry Haris
Ferry Haris@FeHa·
The interesting fact about the whole SOC 2 drama this weekend is: most people who read SOC 2 reports as part of their jobs are actually not active online. They might have a LinkedIn account, but they're just not active on the platform. So, Monday seems like it will be just like any normal day, as if nothing much happened over the weekend.
English
0
0
0
24
Ferry Haris
Ferry Haris@FeHa·
I'll repeat here: despite other GRC founders offering one year free of their platform because of Delve's case, or some offering to slash their normal price, I and feha.io won't do it. Why? 1. We are a fully bootstrapped company. Whenever we roll out resources for our customers, I need to think about their salary, long term sustainability, etc. So, I don't have and I don't want to burn money just for riding the marketing wave. Especially a wave that started with the negativity we are witnessing today. 2. It's unfair to work or do business like that while existing customers still pay the full price. Why don't they also get the whole discount like those you want to poach? 3. It gives a wrong image to the whole industry. Because the issue is never about which platform is the best, but what or how people actually implement and assess those controls. So, such a move is just giving the whole industry yet another bad incentive. I know I'm running a business here. And this is an "opportunity" to ride the wave and get new customers. But I just don't want to do it that way. I want to do it fair and square. I want the whole team of feha.io to work with businesses who actually care about security and compliance. If that resonates with you, my email and calendar are always open for you. Don't hesitate to contact me at ferry@feha.io
English
0
0
0
72
Ferry Haris
Ferry Haris@FeHa·
Looks like this SOC 2 and Delve discussion is getting out of hand now. Many have even openly said SOC 2 as a whole is a scam. Be that as it may, if you have, let's say, 100 customers, would you rather entertain 100 of them coming to knock on your door and doing their own audits directly on your processes and systems? If yes, do you think the costs would be less than going for SOC 2 or a pentest?
English
0
0
1
100
Ferry Haris
Ferry Haris@FeHa·
It always depends on your type of product and the industry you are operating in. For certain industries and certain countries, there are specific regulatory requirements that demand such third party assurance reports as part of their due diligence process. SOC 2 is never about security. It's about structured process. Business predictability.
English
0
0
0
38
JC
JC@shiftj·
7/ Do you even need SOC 2? Most people think you need SOC 2 to close enterprise deals. You don't. If you have: 1. a strong product they want 2. strong security that survives real review, you can still close enterprise. We weren't SOC 2 certified for years. Got to $1m ARR and never lost an enterprise deal because of it. We had a strong product. We had great security. We passed their audits. SOC 2 absolutely helps accelerate procurement. And once you scale enterprise, that matters a lot. But people confuse "helps sales" with "proves security." That's the scam.
English
5
3
18
2.8K
JC
JC@shiftj·
Unpopular Opinion: SOC 2 is a scam. It's not just Delve. The entire system is flawed. 👇 1/ Why are CPAs auditing your security?
English
31
9
300
49.5K
Ferry Haris
Ferry Haris@FeHa·
@aashay2035 @jrmandell Yeah, unfortunately. That's why when we work for a client, we always want the process to be: process existing information ➡️ only ask the questions for which there is no information. It used to be manual, now we're trying to automate it using 3rdcomply.com
English
1
0
1
28
aashay2035
aashay2035@aashay2035·
@FeHa @jrmandell Those lists of questions are so pointlessly long that answering them seems like I am being pranked.
English
1
0
0
60
Ferry Haris
Ferry Haris@FeHa·
@ThePeterMick Working on 3rdcomply.com. We want to give the time back to security analysts at companies so that they don't need to manually read thousands of pages anymore when doing vendor due diligence.
English
0
0
0
16
Peter Mick
Peter Mick@ThePeterMick·
Working on your startup this weekend? Go ahead and pitch it to us 🏆 Sales happened here before 💰 Seen by thousands last week 👀
English
252
6
116
23.8K
Ferry Haris
Ferry Haris@FeHa·
@jessethanley @cathrynlavery @Lovable @WisprFlow You're right about the customers' side, but they also have some level of reliance on, or perception, that the auditors do proper assessments. The whole reporting practice started because we cannot have everyone asking to perform their own audits on all the vendors they have.
English
0
0
1
66
Jesse Hanley
There is a meta conversation around the validity of SOC 2 and its merits as a tool for customers to gauge whether a company thinks about security at all. At the end of the day SOC 2 is just a (third party) auditor's report about a bunch of items you say you are doing, less a certification badge and not a simple pass/fail exam. It's up to customers to 1) read the final report and 2) assess if they are comfortable with the levels of controls the app says they are doing.
English
2
0
9
970
Cathryn
Cathryn@cathrynlavery·
The Delve story is insane because of all the other companies it brings down too. No one mentioned on their website should be considered compliant. How many times did that Substack mention @Lovable and @WisprFlow 💀💀💀
English
5
0
10
3.2K
Ferry Haris
Ferry Haris@FeHa·
@jrmandell Some may recognize trash. But the reality we are in now shows that most don't. Because if they did, the pressure to get better reports would already have mounted since at least last year.
English
1
0
0
376
jrmandell
jrmandell@jrmandell·
@FeHa They want a SOC 2, but they recognize trash in a minute. These vendors can only get through the process if they're not doing something remotely critical (swag provider!). Agree on security questionnaires, they are a waste of time.
English
1
0
14
2.2K
Ferry Haris
Ferry Haris@FeHa·
Compliance founders are slashing their prices to poach Delve customers. Audit firm management made public statements about why they are different and how they already cut ties with Delve last year. Customers are announcing they already moved to other compliance platforms. Never thought that all the players in the ecosystem would be dragged into this telenovela this weekend. I can only wish that this really opens people's eyes and ears about what these compliance frameworks are and how they work and are supposed to work. I hope people are starting to genuinely think about being secure, not just closing the sales deals to make shareholders happy. Am I too idealistic?
English
0
0
0
207
Ferry Haris
Ferry Haris@FeHa·
@rekdt The good thing about all this is: we got some awareness going. Hope things will go better in the future.
English
0
0
0
22
rekdt
rekdt@rekdt·
Since we're talking about Delve and "fake it til you break it" Compliance as a Service
>Cybersecurity is a large Venn diagram circle encompassing a much smaller compliance circle
>Compliance is like passing a health inspection, but that doesn't mean you can't die in the restaurant
English
3
3
47
2.6K
Ferry Haris
Ferry Haris@FeHa·
@tereza_tizkova Actually the structure already exists, but mostly on the auditing side. The ones that give the audit firms their mandate. But the ones who provide audit prep services? Some go through an audit, but most don't.
English
0
0
1
40
Tereza Tizkova
Tereza Tizkova@tereza_tizkova·
Someone should build a company that audits compliance companies.
English
5
0
35
1.9K