> SOC2 stuff (which we all know is largely theater)
SOC2 is only theatre if you (a) you already have good practice, and (b) can demonstrate that you have good practice. If your practice isn't good enough (like the whole notion of security controls is a foreign concept), and sure there's a lot of boilerplate to work through -- but the whole point of a SOC2 Type 2 report is that you only have to demonstrate once to the auditor, rather than to each customer each time.
Having to get internal security sign-off for a non-audited SaaS vendor -- really, life's just too short for that most of the time, and if there's choice of two more or less equivalent providers we go with the certified one every time.
SOC2 is only theatre if you (a) you already have good practice, and (b) can demonstrate that you have good practice. If your practice isn't good enough (like the whole notion of security controls is a foreign concept), and sure there's a lot of boilerplate to work through -- but the whole point of a SOC2 Type 2 report is that you only have to demonstrate once to the auditor, rather than to each customer each time.
Having to get internal security sign-off for a non-audited SaaS vendor -- really, life's just too short for that most of the time, and if there's choice of two more or less equivalent providers we go with the certified one every time.