Last time we talked about the recent challenges in the SOC 2 market. Today we turn our attention to what it costs service organizations — and this volume almost writes itself.
This is the one where I tell you that cheap compliance is bad, that you get what you pay for, and that organizations should invest in meaningful security programs. It is the article that every consultant in my position has written in some form. But that take is incomplete.
The real story is not about bad actors selling snake oil to naive buyers — although that happens far too often. The real story is about brilliant people: founders building companies they believe in, CFOs fighting to control costs in a market that demands more for less, CISOs trying to protect organizations with budgets that haven't kept pace with threat landscapes — all making rational decisions inside a system that has quietly stopped telling them the truth.
That is the story I want to tell. And it starts not with a villain, but with a mistake.
The Mistake: Treating Compliance Like an Engineering Problem
There is an idea that has gained significant momentum in the past several years, and it is seductive because it takes the hardest part of compliance and makes it formulaic.
The idea goes something like this: security and compliance are fundamentally technical problems. Controls can be mapped to system configurations. Evidence can be pulled automatically from APIs. Audits can be streamlined into data pipelines. Build the right tooling, and you can engineer your way to compliance with minimal human friction.
I am not dismissing technology. I have watched automation genuinely transform evidence collection and compliance monitoring. GRC tools bring real value — we rarely support an engagement where a GRC solution doesn't have an important role, especially ones like Vanta or Diligent that do it right: they don't lie in their sales process, they don't have secret ties to a specific auditor, and they don't hire jerks.
But there is a fundamental misunderstanding of what it means to build trust with your customers, regulators, and the public through compliance. Controls are not just configurations. Building trust takes far more than a one-time action in a system, or monitoring that a configuration has not drifted since.
Building trust through compliance requires building the right culture, doing the right thing in your daily decisions, and memorializing how your organization does the right thing. Operationalizing all of that and having it validated by an independent third party is what makes a program lasting.
Doing compliance right requires accountability structures and people who own outcomes — not just systems that track them. When we reduce compliance to a set of technical checkboxes that can be auto-populated and auto-evidenced, we are not building a trust program. We are building a very convincing artifact that describes what our security program looks like while quietly hollowing out everything that makes compliance lead to trustworthy organizations.
What Enterprises Actually Know (That Everyone Else Is Relearning)
I have spent meaningful time working with large, complex organizations — the kind where a compliance program involves dozens of stakeholders, multiple legal jurisdictions, layered approval workflows, and controls designed not just to prevent a bad outcome, but to create the documentation trail that proves, after the fact, that the organization acted responsibly.
Those programs are not elegant. They are not fast. They involve governance committees that feel bureaucratic until the moment you need them. They involve control owners who are not in security — they are in finance, legal, HR, and operations — because the risk surface of a real organization does not stop at the firewall.
And they are expensive. I will not pretend otherwise.
But here is what years of working at that level taught me: the cost of those controls is not the cost of compliance. It is the cost of being trustworthy at scale. It is the infrastructure that allows a customer to hand you their data, their processes, and in some cases their regulatory obligations, with confidence that you will not drop them.
The enterprise world learned this lesson the hard way — through data breaches that cost hundreds of millions in remediation, through vendor failures that cascaded into supply chain incidents, through audit findings that revealed beautiful control documentation sitting on top of processes nobody actually followed.
Those lessons produced something valuable: deep institutional knowledge that governance cannot be engineered away. That the human layer — the accountable individual, the review cycle, the escalation path, the exception process — is not a legacy artifact of a pre-automation world. It is the point.
The Hidden Cost, By Stakeholder
The cost of check-the-box compliance does not look the same for everyone.
For the startup: The hidden cost is a trust deficit at the worst possible moment. You built a beautiful product, moved fast, got your SOC 2 badge in six weeks, and now you are in a late-stage enterprise sales cycle. The customer's security team asks for a controls walkthrough — not the report, a conversation. A walkthrough of how the controls actually work, who owns them, how exceptions are managed, and what your incident response process looked like the last time it was invoked. If your compliance program was built to generate a report rather than govern your organization, that conversation will end the deal. Not because you failed an audit, but because you cannot answer questions that a real program would answer as a matter of course.
For the middle-market firm: The hidden cost is the gap that widens between what your compliance documentation says and what your organization actually does, at exactly the pace your organization grows. At twenty employees, a lightweight control framework is defensible. At two hundred, the same framework has become a liability — because the processes that were informal and functional at small scale are now informal and broken at medium scale, and nobody has a clear picture of where. The compliance program that should have scaled with you did not, because it was designed to produce a report, not govern a growing organization.
For the enterprise trying to reduce cost: The hidden cost is vendor risk that is invisible until it materializes. Every third-party SOC 2 report you accepted at face value (without reading the system description and scope, the period covered, the exceptions the auditor noted in testing, and the complementary user entity controls the report expects you to operate yourself), every vendor you onboarded because they had the badge, is a potential gap in your supply chain security posture. If the SOC 2 framework has been systematically undermined by commodity programs that produce reports without substance, the assurance you purchased is not the assurance you received. You will discover this through your own audit process, through a regulatory examination, or through an incident. None of those are good discovery mechanisms.
The Automation Ceiling
There is a ceiling on what automation can govern, and that ceiling is lower than the current market narrative suggests.
Automated evidence collection is valuable. Continuous monitoring is valuable. Workflow tooling that helps control owners complete their responsibilities on time and with documentation is valuable. I use and recommend tools that do all of these things.
But the ceiling appears the moment a control requires a human to exercise judgment: to evaluate whether a risk is acceptable, to decide whether an exception is warranted, to assess whether a third party's representation is credible, to determine whether the spirit of a requirement is being met even when the letter of it technically is.
Those moments are not edge cases in a compliance program. They are the program. They are the reason the AICPA's framework requires a CPA — a credentialed professional bound by an ethical code and subject to regulatory oversight — to sign the report. Because the system was designed with the understanding that some things cannot be reduced to a data point.
When we build compliance programs that treat the human judgment layer as friction to be engineered away, we are not making compliance more efficient. We are removing the part of the system that was doing the actual work.
What Trust Actually Costs
The check-the-box compliance market exists because the belief serves both sides of the transaction. The buyer benefits from believing the badge is real. The seller benefits from believing that producing the badge is enough.
The cost of that mutual belief is paid by the customers who trusted the report. By the employees of the organization that discovers, too late, that its compliance program did not survive contact with a real incident. By the enterprises whose third-party risk management was built on a foundation of reports that described a program nobody maintained.
Trust — real trust — is not a report. It is not a badge. It is not an automated evidence-collection job that runs on a Saturday morning and populates a dashboard nobody reviews.
It is the accumulated result of an organization doing the unglamorous, expensive, human work of actually governing itself, and having an independent professional verify that the work was done.
That costs something. It is supposed to.
The startups that understand this early will build something durable. The middle-market firms that invest in it now will not face a reckoning at enterprise scale. The enterprises that demand it from their vendors will not discover their supply chain risk in a post-incident review. And the compliance profession that insists on it will still mean something ten years from now.
Next in this series: The Buyer's Guide to Asking Better Questions — what procurement, security teams, and boards should actually be asking when a vendor hands them a SOC 2 report.