27 Compliance Memes to Make the Process a Little More Enjoyable
If you work in cybersecurity, you know how frustrating it can be to be constantly bombarded with doomsday scenarios.
Between the constant threat of ransomware attacks, the complexity of cybercriminal schemes, and the aggression of nation-state threat actors, it can feel like the challenges are never-ending, and it's easy to get caught up in fear-mongering and sensationalized headlines.
While it's important to remain vigilant, it's also essential to give yourself permission to take a breather and laugh a little.
To make the compliance process a bit more enjoyable, we’ve compiled some of our favorite compliance and cybersecurity memes for you below.
On SOC 2
Let’s just get this out of the way:
We know, we know. Saying “We received a SOC 2 report covering security” isn’t as catchy as “We are SOC 2 certified.” Resist the temptation! (Looking at you, marketing.)
But the good news is…
You can’t pass or fail when it comes to SOC 2—it’s a report on the design of your company’s internal controls.
An auditor issues a report with their opinion on whether those controls were suitably designed and operating effectively to meet the relevant SOC 2 Trust Services Criteria. An auditor will issue a report regardless of how good or bad your controls actually are, and do not determine pass/fail.
When your company receives its first SOC 2 report
When marketing gets a hold of the report…
Say it with me (and every CISO out there):
SOC 2 is an attestation, not a certification!
But if it was a certification… here’s where we’d put it.
When Security Questionnaires Can’t Be Avoided
When bringing on a vendor or partner, companies will send lengthy security questionnaires for vetting. Some recipients of said security questionnaires think sending their SOC 2 report will help them skip the questionnaire.
Spoiler alert: It doesn’t.
We all wish this meme wasn’t true, but most companies in highly regulated industries require their potential vendors to both provide them a SOC 2 report and complete their security questionnaire.
The SOC 2 report is intended to be an additional level of assurance in support of the questionnaire—it’s not intended to replace it.
If you know, you know.
Then there’s the organizations that do fill out the security questionnaire—but instead answer every question with a list of the certifications and reports they have.
And when startups try to sell into the enterprise space.
Really, these are all the horcruxes of "security awareness." While we’re at it, let’s throw Draco Malfoy in there as “Fedramp” for good measure.
Scary Audits and Auditors
If you’re in the cybersecurity industry, you know how intimidating the prospect of an audit can be. Without automation of your compliance processes, audits are monumental challenges.
But hey, at least you have compliance memes to make it all bearable!
Just take some time to brush up on how to prepare for an audit—they said.
That way, you won't be caught off guard by any unexpected questions or requests from the auditors—they said.
Auditors don’t bite!
Just don’t be this guy.
Because there’s a light at the end of the audit tunnel!
Security vs. Compliance
Remember: Security and compliance are not one and the same. You can simultaneously be compliant and not secure. Compliance is the minimum.
When compliance is the primary goal, this is what happens. Compliance should be the byproduct of good security.
Instead, the goal should be a culture of security, as it lays a foundation for continuous improvement.
Compliance itself does not build that—leadership does.
Ok, maybe not that particular leadership.
But when compliance is the focus instead of security, you build a culture of compliance, which leads to complacency. Complacency leads to security breaches.
Nothing to see here. We are compliant!
In the News
The regulators are coming.
Tell your friends: No more excuses with new regulations rolling out.
And yet, some predictions for this year.
Many bigger companies are setting aside millions, if not billions, of dollars for privacy fines this year for not complying with the full extent of privacy regulations.
On a personal level, with travel ramping up again, don’t fall for this.
And of course, MFA isn’t going anywhere.
Well that was fun. What now?
Sign up for the Trusted Newsletter, and get the latest security and compliance news delivered right to your inbox.
2023 Compliance Trends Report
Drata surveyed 300 established and enterprise organizations to tap the pulse of the state of risk and compliance. In doing so, we identified related trends, perceptions, and how compliance impacts the business. This year, the primary takeaway is that a mature compliance program will accelerate a business, not slow it down.