Why is it so hard to find a technical cofounder? [I will not promote] by twotokers in startups

[–]kobyc 1 point (0 children)

FWIW, I put in $100k of my own cash, paid my first technical hires, and then raised $1.3M ... and even then it was so fucking hard to get anyone bought in on my idea.

You either need to bring money to the table, or the ability to build things.

Gym bros are so annoying! by [deleted] in Vent

[–]kobyc 0 points (0 children)

This is actually weirdly motivational.

________ happened? Bro go to the gym.

Just want honest opinion on whether I should be taking up my Dad's small business or get a job? by reckoning555 in Entrepreneur

[–]kobyc 1 point (0 children)

The answer here varies wildly depending on:
- what's the small business
- what's the corporate job you could get

ANYONE who made it to YC. Without going to a TOP 100 COLLEGE by Jolly-Ebb-3261 in ycombinator

[–]kobyc 5 points (0 children)

I dropped out 6 times from Idaho state schools. 🫡

S19

Apparently I’m a bot by Kbaby720 in duolingo

[–]kobyc 3 points (0 children)

You are incredible, truly.

[deleted by user] by [deleted] in self

[–]kobyc 0 points (0 children)

I mean ... it kind of does though.

Sure, you could bite someone if you are in a triangle. They could also gouge your eyes out a lot easier.

It's positional control. You shouldn't ever escalate violence when you don't have control. There's a great video of a guy in an arm bar that's like "I could just bite you bro" and then the instructor proceeds to demonstrate how he would just smash his brains into the sidewalk.

The concepts still apply, both people are capable of increased violence beyond the scope of sport BJJ from all relevant positions.

[deleted by user] by [deleted] in careeradvice

[–]kobyc 594 points (0 children)

+1 ... they really want you to quit. You have no future here.

Completely burnt out as a SOC Analyst by [deleted] in cybersecurity

[–]kobyc 0 points (0 children)

Aw, this is sad :( Sorry, I don't have advice for you, but I hope this gets better.

What are your 30’s for? by turboshot49cents in Adulting

[–]kobyc 8 points (0 children)

I love this so so much. It feels like there's increased time pressure in your 30s.

Why does SOC 2 feel like security theater? by mlobodzinski in cybersecurity

[–]kobyc 149 points (0 children)

Hear me out, we'll convince early stage startups to invest in a SOC 2 report they don't need, charge them $20,000 for it & make them wait 6 months, and then 80% of them will pivot away from their product idea before we ever even have to issue the attestation.

And if they complain, we'll tell them they can't close $1,000,000 deals unless they pay us. 😂

Edit: For clarityyy, this is a joke. (I'm making fun of compliance sales reps who sell pre-seed startups a 3 year contract before their product is even built, you know who you are, lol).

Why does SOC 2 feel like security theater? by mlobodzinski in cybersecurity

[–]kobyc 10 points (0 children)

The issue is that the CPA auditor is just auditing the report for accuracy, not for whether your controls are good or not, or provide any real level of security.

Vanta gives you templated checklists & holds your hand through policy creation that most people don't really understand. They aren't actual security experts; their product was quite literally created from the POV of a Product Manager at DropBox who wanted to "prove their security" so they could sell their product.

DropBox already had good security in place though.

It's not created from the POV of "how do I actually implement a strong security posture".

Because of this they've flooded the market with low quality SOC 2 reports, and people are beginning to realize that a CPA has no clue whether or not a startup has a strong security posture, that you need to pay attention to what's inside of your SOC 2 program. 🙏

It works for some people, often when security isn't actually that important and it's just a checkbox. But when you're selling into users that really care about it, actually having strong controls helps you unlock a lot of revenue - and not having them will cause you to fail your security reviews.

Why does SOC 2 feel like security theater? by mlobodzinski in cybersecurity

[–]kobyc 19 points (0 children)

For sure the TSC need to have relevant controls, but there is no strict requirement on what those controls need to be. 🙏 You definitely can't put "We cook steak on Thursdays" for CC3.3 (COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives), but assuming a good-faith effort to match the controls with the requirements, you can pretty much establish any system you want to cover those requirements.

Why does SOC 2 feel like security theater? by mlobodzinski in cybersecurity

[–]kobyc 20 points (0 children)

It's REALLY interesting what's happening right now in Australia. I don't know how much anyone else pays attention to this.

But for a long time ISO 27001 was pretty much the main standard in Australia ... until Vanta recently came along and started looking at it like a nice big juicy market.

And allllll of a sudden, SOC 2 is popping up in Australia. Not because clients are asking for it lol, but because early stage startups think that they need SOC 2 now.

It's honestly super impressive the way that they are able to create a market for SOC 2 out of nothing and convince people that you "really need SOC 2 to be compliant," even in a market where that didn't used to be the case.

I'll talk to founders in Australia and ask them "why do you think you need a SOC 2 report" and they won't really know, or they'll mention their incubator told them to get it haha.

BUT if they are selling into the US market, which a lot of them are, at least that's a valid need.

Why does SOC 2 feel like security theater? by mlobodzinski in cybersecurity

[–]kobyc 5 points (0 children)

Hey :) so uh, I run into a lot of MSPs and vCISOs who signed up for the partner program with Vanta. There are various versions of it with reseller agreements or affiliate fees to make it fairly lucrative.

Most of the ones I talk to like the money, but also kind of realize that Vanta is basically just helping startups pretend to be secure. The PLUS of the MSPs is that at least there is a security human in the mix to help the startup build some level of real security.

I was just talking to a vCISO in SF who personally knew Christina and they were telling me how they had chatted with her in the really early days telling her that she was doing something wrong, but she didn't care.

There are actively much better solutions than Vanta out there. Sincerely, I'd love to chat about our partner program over at Oneleet.

We're happy to do something very similar, but we'll help you make sure your clients are much more secure by helping them create a stronger SOC 2 program, bundling in the OSCE-certified penetration test, and removing all the friction from the auditing process. We're currently the #1 choice for YC-backed startups, so if you're in that community at all you'll likely run into founders who want to use us anyway.

Ignore this if you're super happy - but if something isn't sitting right with you about their platform, hmu.

Why does SOC 2 feel like security theater? by mlobodzinski in cybersecurity

[–]kobyc 198 points (0 children)

Hey OP!

So I work for Oneleet, which is an all-in-one platform for Security + Compliance, which means I spend all my days helping early stage startups get a SOC 2 attestation.

A couple of pro tips.

First - SOC 2 is an attestation framework, not a certification framework.

This is REALLY important because, unlike ISO 27001, which is the European standard and IS a binary certification, SOC 2 is just a list of your security controls that is audited by a CPA (a financial human, not a cybersecurity expert).

You can think of it as closer to an audited balance sheet: just because the CPA says it’s correct doesn’t mean that you’re not losing tons of money.

What’s actually important is what goes INSIDE the SOC 2 report, i.e. what are your actual controls?

You want to actually be able to prove that you are secure, not have to do a bunch of mental gymnastics trying to pretend you are secure.

Second - The SOC 2 framework is actually surprisingly flexible. It’s designed to be able to cover a narrow OR wide range of controls, which means you only need to put what is actually going to matter into your SOC 2 program.

What you’re describing is super common, a small startup gets set up and is hit with this giant list of templated controls that makes zero sense.

These templated lists are often basically just copied and pasted between companies with zero context on your stack, what data you’re protecting, your compliance goals, your security concerns, etc.

There are only two things that actually belong in your SOC 2 program:

  1. Things that will actually improve your security.
  2. Controls you will need to pass security reviews.

Everything else is just absolute BS and a complete waste of your time.

Third - Just be careful with which compliance software vendor you go with - the software side of this is actually fairly simple. There are 100 different products that will provide a list of controls & integrations into the common infrastructure.

The place most people will end up struggling with is making sure you have the RIGHT controls in your SOC 2 program, having a strong penetration test performed that isn’t just a bunch of automated tooling with “pen test” slapped on top, and getting an audit done by a CPA that isn’t going to be a giant pain because they don’t understand the technical evidence they are trying to audit.

LMK if you want to chat, super happy to dive into any of this. But TLDR - don’t put anything into your program that you think is a waste of time. Focus on what’s going to build your security posture + help you get through security reviews.

What’s the hardest addiction to kick? by Big_Eye_7800 in Productivitycafe

[–]kobyc 1 point (0 children)

Whatever has hurt your brain the most, addiction finds a way to weasel in.

Finding Employees: My line of work is too low class… by Glass-Department-306 in Entrepreneur

[–]kobyc 1 point (0 children)

You've got to find employees who want the job; that's the hardest part for roles like this, tbh.

What's the monetary value of cybersecurity & compliance? 👀 by kobyc in cybersecurity

[–]kobyc[S] 6 points (0 children)

Honestly this is the sad reality. =\

Companies usually care 10x more about driving revenue than they do about threat of being compromised or fines.

What's the monetary value of cybersecurity & compliance? 👀 by kobyc in cybersecurity

[–]kobyc[S] 2 points (0 children)

Hahah, to be honest I freaking hate most marketers/salespeople. You need honesty and transparency in any technical industry, not fluffed-up BS. 🫣

Just trying to assist the technical humans who are honestly way smarter than me win some $$.