I find it astonishing that in the year 2024 I have to say this out loud, but security risk and compliance risk are two different things.
Outside of crypto, lawyers drive cybersecurity programs because the primary risk is legal risk—regulatory fines, class-action lawsuits, breach of contract. These are the primary causes of financial impact as a result of a security incident. Data breaches don’t hurt companies; they hurt consumers.
This makes security compliance a paperwork game of CYA intended not to prevent data breaches but to mitigate the risk of a fine or a lawsuit arguing a failure of minimum due diligence.
But all of that is of minor importance in crypto. As I have repeatedly written and spoken about for years, the real security risk in crypto/web3 exceeds your regulatory risk by several orders of magnitude.
When extralegal actors like North Korea—who operate outside the law, and where there is no legal or law enforcement recourse of any kind—hack you, and steal your crypto, you experience immediate financial harm, potentially catastrophic or existential financial harm.
Therefore, arguing that “because we have SOC 2 we have good security” would be a suicidal approach to security in crypto/web3.
Is SOC 2 still a must for some companies? Of course. If you want to do business with big companies that require a piece of paper to manage their legal and regulatory risk, then you get SOC 2.
SOC 2 is a business enabler because it is a private sector extension of the cybersecurity regulatory obligations bigger companies must comply with.
But SOC 2 is worthless as a measure of real security against active sovereign adversaries, and when your real security risk exceeds your legal risk by several orders of magnitude, it would be crazy to even involve SOC 2 in a conversation about real security risk management.
As a CISO, I’m responsible for orchestrating both real security risk management and the paperwork game of security compliance. But I know the true value of SOC 2 as a measure of security risk managed—against active adversaries, its utility approaches zero.