Compliance vs Real Security

The cluster discusses how corporate security often prioritizes compliance checklists, certifications like SOC2, and tools like CrowdStrike for audits over actual effective security practices, labeling it as 'security theater' or 'cargo cult' security.

Trend: Stable (0.5x Security)
Comments: 3,885
Years Active: 20
Top Authors: 5
Topic ID: #9107

Activity Over Time

Year  Comments
2007  1
2008  6
2009  12
2010  22
2011  35
2012  34
2013  43
2014  56
2015  83
2016  113
2017  183
2018  161
2019  263
2020  342
2021  560
2022  518
2023  462
2024  488
2025  473
2026  30

Keywords

e.g, US, CI, ISO27001, CD, HIPAA, BASIC, SOC2, E.g, QSA, security, compliance, teams, companies, secure, procedures, compliant, practices, certification, box

Sample Comments

_wldu, Jan 24, 2022

They want us to be compliant, not secure: https://www.go350.com/posts/they-want-us-to-be-compliant-not...

w8rbt, Feb 13, 2019

Probably not. Security is full of the "We're Compliant" types (don't we have insurance for that?) and very few real technologists who know how to hack/break/abuse systems. Target was PCI compliant when their CC data was breached and exposed. There are many more examples of this. Check the box, get owned and no one really cares. That needs to change.

semicolon_storm, Jul 10, 2022

Sounds like standard SOC2 cargo cult security. You're not secure until you spin around 5 times and say the magic incantation while documenting that you've done it for the audit.

HexPhantom, Aug 8, 2025

This is what happens when security is treated like a checklist item instead of a core requirement.

a012, Dec 10, 2025

The security team in most corporates is just a bunch of checklist markers, so for Zscaler, CrowdStrike or whatever they're doing for compliance and/or certification, you can't say no to it because it's the company policy, and who knows better than the "security" team?

conductr, Jun 17, 2023

Seems like an outsourcing of compliance/security, likely to avoid this exact thing.

twunde, Dec 1, 2019

I'm honestly surprised that nobody here has mentioned getting a compliance certificate like a SOC2. Within the US that's what's expected by these security teams. Take a look at Comply: https://github.com/strongdm/comply That will get you your security policies and an overview of what you're looking for. If you do decide to get certified make sure to how a vendor that does bot

8organicbits, Nov 9, 2025

Idk, I have done security audits for startups and small tech companies. They won't have a security engineer on staff and are "moving fast and breaking things". I've seen things much more misguided than this.

jandrewrogers, Jul 16, 2025

This has relatively little to do with actual security. It is compliance and certification theater for the most part. In many cases you can avoid it entirely by outsourcing caring about it to the customer. This isn’t always a bad thing; sometimes they understand and can deliver on their requirements much better than you can.

tru3_power, Jan 23, 2021

Compliance makes more than security?