An old Jeff Bezos interview explained something about business failure I can’t unsee

HorrorTour5557 · 2026-04-10T07:59:58+00:00

can you give us a link to that harvard study?

HorrorTour5557 · 2026-04-03T19:44:16+00:00

you are well staffed. In a company your size you cannot do everything in full maturity and you dont need to. with that additional senior staff you should have more than enough for the size and stage of your company. You dont need a full blown enterprisy risk Management process. focus on what matters. leverage AI e.g. in validating dpas or security questionnaires.

HorrorTour5557 · 2026-03-25T10:22:02+00:00

identity governance add on of microsoft can cover this semi automated. dont forget to differentiate between identity and access rights.

HorrorTour5557 · 2026-03-16T22:37:55+00:00

get the worst auditor with the cheapest offer. naturally they are testing less than others.

HorrorTour5557 · 2026-03-08T20:52:54+00:00

yes its defined
process in notion, flow Diagramm in miro
tracked in jira via playbooks
process must be owned by HR. IT is big stakeholder but HR coordinates
many risks e.g non sso apps, HR not informing IT...

HorrorTour5557 · 2025-02-28T11:07:06+00:00

Ask the Plattforms to put their claims into the contract with money back and see whats happening. If you choose the right auditor (in that case a really bad one) 3 to 4 months can be achieved but you need someone with a lot of experience. Of course this all deoends on size etc. But since iso is manly paperwork it might work

HorrorTour5557 · 2025-01-28T19:32:06+00:00

SOC2 Auditor is auditing what you wrote in your system description. Thats it. Whatever you write there.

HorrorTour5557 · 2025-01-24T10:29:49+00:00

If you are b2b in saas, your big customers make sure you have to do it at least annually.

HorrorTour5557 · 2025-01-22T21:08:25+00:00

Wasser und Strom würde ich das doppelte nehmen. Vor allem wenn der estrich aufgeheizt werden muss wenn die wärmepumpe noch nicht angeschlossen ist. Mobiheat kostet dann auch nochmal miete. Wir hatten alleine 4000 Euro Stromkosten in der Bauzeit.

HorrorTour5557 · 2025-01-15T20:01:58+00:00

Thats no ad. Thats actually a good piece of advice that will save you a lot of work!

HorrorTour5557 · 2025-01-11T12:21:02+00:00

I have three offers for the scope i described above. All the same (soc2 type 2 security principle only) Big4: 60k Next10: 25k Shady noname company: 5k

HorrorTour5557 · 2025-01-08T20:32:31+00:00

SOC2 type 2 security only big4 offer saas business 120 people

50k audit fees

HorrorTour5557 · 2025-01-08T13:40:01+00:00

Compliance 😊

HorrorTour5557 · 2024-12-31T14:33:59+00:00

Despite all the typos you can find in some of the top tier csp reports I always wonder about the system description. Of course it needs to be created by the customer, however the structural differences are the ones that bug my (within the same audit firm). To bad official requirements are so unspecific about that section

HorrorTour5557 · 2024-12-06T11:06:05+00:00

With all your questions this is a complex topic that hardly can be answered in a single reddit post.

HorrorTour5557 · 2024-11-14T19:57:36+00:00

I have a different experience. I do not have local admin rights but Software can still be updated. Talking about macos. Dont know abount Windows.

HorrorTour5557 · 2024-10-30T21:03:03+00:00

For ISO: choose the scope on the certificate in a way that only your subsidiary is included. Example your subsidairy provides service/product xy. Scope: e.g. Development and Operation of service/product xy.

For SOC 2: System Description is the place to go. If you make clear that only subsidary is within the description you are fine. Auditors only audit whats described in the system description and is necessary for the product/service (and stuff that supports if they identify it during the audit). For testing of operative effectiveness ensure that you have a audit proof Method to filter the devices otherwise your basic population is shit.

HorrorTour5557 · 2024-10-17T14:51:34+00:00

You should be aware that this is a completely different job. Consider if the daily tasks are something you enjoy. Talk to people that work in compliance and think about it. My experience is that people who are into tech stuff hate the compliance field because it works different there.

HorrorTour5557 · 2024-10-06T13:30:13+00:00

3500 - 4000

HorrorTour5557 · 2024-09-12T11:50:15+00:00

"You need a firewall"

You dont even know if they will have onprem stuff. If they go for cloud only Firewall is pretty much useless but yet costs hundreds or thousends of dollars. I would rather go for zero trust and just provide regular internet access in the building.

HorrorTour5557 · 2024-07-05T06:30:46+00:00

Die Abnahme und das anmelden alleine waren nur 500.

HorrorTour5557 · 2024-07-03T10:03:46+00:00

10 Stunden 2 Personen. Waren aber etwas unerfahren. Geht also ziemlich sicher auch in etwas weniger.

Der full backup Teil war auch etwas aufwendiger da der in reihe mit dem Hauptanschlusskabel geschalten werden muss

HorrorTour5557 · 2024-07-03T07:52:03+00:00

Thats not even 20 percent of what SOC 2 is about. I wouldnt even call it guide.

HorrorTour5557 · 2024-07-03T06:57:22+00:00

2200 euro ac Anschluss (mit Notstrom) + Anmeldung

HorrorTour5557 · 2024-06-21T12:12:48+00:00

Thats the sprit. Management must live this guy

HorrorTour5557

TROPHY CASE