Is there any evidence that compliance audits improve security?
Given the huge amount of work that goes into something like a SOC 2 audit, I'm just curious whether there is any data showing that this process actually improves security. For example, some of the largest security breaches in recent history, like the supply chain attacks with SolarWinds, were in part due to following "best practices" required by things like SOC 2. Plenty of the items in SOC 2 seem like good recommendations, but there is a ton of "box-ticking". I'm just curious whether there have ever been any studies on SOC 2 audits, for example, are data breaches less likely to occur in audited companies?
I think people need to stop seeing Service Organization Controls and Security Operations Center controls as the same thing. SOC 2 mostly audits change management and performance of contract for software companies. It was made by accountants and does not correlate to cyber threats. Audits like the Cybersecurity Maturity Model Certification (CMMC) were developed to align configurations that lead to breaches or threats more directly. It's also important that you understand which compliance audits improve your cybersecurity, like CIS or CMMC, which ones are more generic, like SOC, and which help security professionals understand attacks better, like MITRE. We have a SOC 2 because we have financial services clients that audit themselves against SOC 1 for financial reporting and want to use a similar standard to audit their software providers' development environments. We use other policies and frameworks like MITRE, CIS and CMMC to stay ahead of threat details. You can use the Verizon breach report to correlate the controls to the number of times you got breached. But you'd be mapping CIS, as SOC doesn't correlate at all.