5.2 Voluntary Self-Immolation

DOI: 10.1201/9781003302759-11

Since this book was first published, the voluntary compliance industry has exploded, pretty much as one expected it might. As we discussed, audit reports like SOC2 are very valuable within the sales process, and in recognition of this, many B2B organizations have chosen to pursue them with vigor. But with all good things come some bad, and the field of security is notorious for delivering undesirable outcomes (ha).

Let’s address some of them.

First, a “fill-the-gaps” primer: voluntary compliance refers to that last category of security-related audits, at this time most commonly represented by two specific standards. One is SOC2, and the other is ISO27001. The latter has a number of ...
