Ferry Haris
7.3K posts

Ferry Haris
@FeHa
An introvert founder. Bootstrapping cybersecurity and privacy compliance products: https://t.co/4HXsQ55IPd https://t.co/44vLO1envT https://t.co/IwCFusfDby https://t.co/4MxTqFXoMH
Remote. Joined September 2007
214 Following, 840 Followers

Many companies are already using AI to create their security policy documents.
Many companies are also already using AI to answer security questionnaires sent by their customers and prospects.
So why are most third-party risk management team members still reading those documents and comparing them against their own requirements manually?

It depends on your product and target market.
SOC 2 is not an insurance policy. It's now considered a tax for doing sales.
Although not all, many buyers now expect you to have it even before you approach them to show your product.
So building the product is important, but being ready when the question arrives is also crucial.

@twistartups SOC 2 is just an expensive insurance policy against getting sued. Most startups are better off focusing on building something people want.

Your SOC 2 report might be fake.
That's not a hypothetical! A whistleblower just exposed that a $300M compliance startup allegedly rubber-stamped reports for hundreds of companies using Indian certification mills and pre-filled templates.
We've got insider takes from @RyanMahdavi from @ceel_io and @HustleFundVC's @dunkhippo33 about what this means for startups and how founders can protect themselves from compliance scams at a SPECIAL TIME: 4:30 pm CT / 2:30 pm PT.
Live on X and YouTube!


this is the right framing. the regulation overlap between ISO 27001, NIS2, GDPR, and DORA is massive. something like 60-70% of controls map across frameworks.
the bottleneck isn't awareness, it's that most GRC tools still treat each framework as a separate project. shared evidence repositories should be table stakes by now.
the maturity curve model works especially well for SMEs who can't afford dedicated teams per framework.

@quahzhengwei If it works the way you are already doing it, then keep running it that way. Your agent as described can be a good alternative to the typical compliance SaaS.
Are you happy with your current internal auditor, by the way?

I could never relate when someone said that attaining SOC 2 or ISO 27001 certification was easy. Our experience was very different.
When we first heard of ISO 27001, Accredify was just an MVP and our product was not even launched yet. It was after 6 months of pitching to a large education institution that we were hit with "If you don't have ISO 27001, it's going to be a problem, not impossible, but a difficult problem." by the cloud security assessment team. What now?
We scrambled. We immediately engaged a reputable auditor, BSI, the publisher of BS 7799 (precursor of ISO 27001), to kick-start the process. The final certification came a year later with zero non-conformities. Not because we were slow, but because many requirements simply needed time to produce the necessary artefacts for the auditors, and each step required a lead time from the previous one for it to make logical sense. The steps to get there were daunting.
In the beginning, we didn't know compliance tools existed. We just did what made sense. And what made sense was to internalise the substance of the certification, map it to how our business operates and work with relevant consultants to sense-check what we were doing. Our risk officer then was the MVP. Dozens of new processes implemented, hundreds of audit artefacts and thousands of hours spent to set the foundation of our information security management. Why didn't we use a tool?
Through the years, as we re-certified and attained a few others, I continually challenged the team to look at compliance tools to make the process more efficient. Their pitch was promising: "prep for audits in just weeks", and we gave them a shot. Unfortunately, or thankfully, the standardisation of the tools simply couldn't yet handle the robustness of the set-up that we already had in place; we would have had to "dumb down" significantly. If that was where we had started, that would have been what we adopted, so thankfully. Of course, it wasn't without consequences.
While waiting for our certifications, some clients agreed to work with us based on a provisional report, some agreed to work on a risk acceptance basis, and some couldn't proceed. On a yearly basis, the aggregation of internal cost and external fees costs us hundreds of thousands. Substantially, the exercise is just a public display of what we have done, and we would have had the processes in place regardless. How can we optimise this?
Our CTO is experimenting with an internal agent, Yuka, that'll be trained on the processes that we have put in place. Each of us is still responsible for our own domain, while Yuka will help make sure that we are logging everything in a timely and complete manner. Yuka also has unlimited patience and no qualms about messaging us at 12am to update the user registry or security logs. Eventually Yuka will become our agent to correspond with clients rather than a static trust center. Could this be the future?

Just because a SOC 2 Type II report does not contain any audit finding, it doesn't mean that you are getting a trustworthy report.
This is one outcome from an interview I did on behalf of a client looking for a new Third Party Risk Management analyst.
Despite his long-standing career in the field, 15+ years, his understanding of what a good SOC 2 report looks like is apparently very much outdated.
So don't be surprised if many enterprises blindly accept the SOC 2 reports produced by questionable firms.

@Seanfrank Nice.
Same here.
Working on something I love feels bitter if someone else not aligned with my values would meddle around and ruin the spirit.

We own all of Ridge.
me + 5 guys.
At any point, we can cash out and sell for life changing money.
there is ALWAYS a market for EBITDA positive, growing brands.
not having investors means the deal is clean-
no preference, no board member vetos.
I keep running ridge because it is fun and I like it.
Build a business YOU LIKE to run.
Not one you are trapped in.
This is the number one reason to not raise money.

@aashay2035 @jrmandell So if your customers send you an Excel file, you'll still return a PDF? What if they ask you to fill in a third-party platform?

@FeHa @jrmandell I made a folder with all our client questions and docs, feed them into a local model, and upload the PDF. It gives me at least 75% of a valuable draft, and removes 90% of the thinking.
My favorite question: what Windows security antivirus do you use? Linux

I review about 300 SOC 2 reports per year across all different size orgs (Google, Ramp, Netsuite, Workday, 5 person startups) and I’ve gotten a SOC 2 myself. And here’s what everyone is missing:
In the case of Delve, their customers are not the ones getting screwed. In fact, it’s closer to the opposite. The customers are in on the racket. They want the easy way through the SOC 2 audit. They don’t want a serious auditor and they don’t want to do any work.
These are the type of startups that for the most part are not selling to large customers. They are selling to other startups that just need to check the box with any piece of paper that is stamped SOC 2. Because the Security teams at large enterprises won’t take these reports seriously.
And I suspect this is big news for the same reason people slow down to see a car crash on the highway. In general, we’re fascinated by big heavily funded startups that have dramatic crash outs.

You’re not wrong, but it also shows the issue with the auditors.
They have a mandate to make sure that the control statements meet the control objectives.
If a company excludes something that impairs the objectives, then they should raise the issue and note it in the auditor’s opinion section.

@FeHa @jrmandell Yeah that's fair. Obviously it's only as good as the auditor. My main point was that SOC 2 sucks. Although at least ISO 27001 is prescriptive rather than "define what you want and we don't really care why you're excluding something"

When things are done properly, we actually cannot say that ISO 27001 is superior to SOC 2.
It all comes down to the people.
I'm even now working on fixing some issues affecting a client who got an ISO 27001 cert, but it was such a sloppy job that the customer asked to redo the whole audit process.
Now they are looking to us to perform the internal audit, and we can only laugh at the evidence prepared for the initial audit.

@jrmandell I take the accelerationist view here -- none of this matters because SOC 2 is garbage and hopefully this means more people recognise that. ISO 27001 superiority.

The interesting fact about the whole SOC 2 drama this weekend is: most people who read SOC 2 reports as part of their jobs are actually not active online.
They might have a LinkedIn account, but they are just not active on the platform.
So Monday seems like it will be just like any normal day, as if nothing much happened over the weekend.

I'll repeat it here: despite other GRC founders offering one year free of their platform because of Delve's case, or some offering to slash their normal price, I and feha.io won't do it.
Why?
1. We are a fully bootstrapped company. Whenever we roll out resources for our customers, I need to think about their salary, long-term sustainability, etc. So I don't have and I don't want to burn money just to ride the marketing wave. Especially a wave that started with the negativity we are witnessing today.
2. It's unfair to work or do business like that while existing customers still pay the full price. Why don't they also get the whole discount like those you want to poach?
3. It gives a wrong image to the whole industry. Because the issue is never about which platform is the best, but what or how people actually implement and assess those controls.
So such a move is just giving the whole industry yet another bad incentive.
I know I'm running a business here. And this is an "opportunity" to ride the wave and get new customers.
But I just don't want to do it that way.
I want to do it fair and square.
I want the whole team of feha.io to work with businesses that actually care about security and compliance.
If that resonates with you, my email and calendar are always open for you. Don't hesitate to contact me at ferry@feha.io

Looks like this SOC 2 and Delve discussion is getting out of hand now.
Many have even openly said SOC 2 as a whole is a scam.
Be that as it may, if you have, let's say, 100 customers, would you rather entertain 100 of them coming to knock on your door and doing their own audits directly on your processes and systems?
If yes, do you think the costs would be less than going for SOC 2 or a pentest?

It always depends on your type of product and industry you are operating in.
For certain industries and certain countries, there are specific regulatory requirements to demand such third party assurance reports as part of their due diligence process.
SOC 2 is never about security. It’s about structured process. Business predictability.

7/ Do you even need SOC 2?
Most people think you need SOC 2 to close enterprise deals.
You don’t.
If you have:
1. a strong product they want
2. strong security that survives real review
You can still close enterprise.
We weren’t SOC 2 certified for years.
Got to $1m ARR and never lost an enterprise deal because of it.
We had a strong product.
We had great security.
We passed their audits.
SOC 2 absolutely helps accelerate procurement.
And once you scale enterprise, that matters a lot.
But people confuse “helps sales” with “proves security.”
That’s the scam.

@aashay2035 @jrmandell Yeah, unfortunately.
That’s why when we work for a client, we always want the process to be: process existing information ➡️ only ask the questions that the existing information doesn’t answer.
It used to be manual; now we are trying to automate it using 3rdcomply.com

@FeHa @jrmandell Those lists of questions are so pointlessly long that answering them seems like I am being pranked

@ThePeterMick Working on 3rdcomply.com
We want to give the time back to security analysts at companies so that they don’t need to manually read thousands of pages anymore when doing vendor due diligence.