Nobody wants to hear this. So naturally, I'm going to say it. A compliance certificate does not make you secure. It makes you look secure. There is a difference. And this week, that difference showed up in the worst possible way for LiteLLM: 97 million monthly downloads, supply chain compromised, credentials silently stolen, while their allegedly fabricated SOC 2 and ISO 27001 badges still sit untouched on their web page. The paperwork survived. The security didn't. Welcome to security theater. I wrote about it in my book, Cybersecurity Metastrategy (lnkd.in/dpPC9wta). Longer version: In the past few years, the InfoSec industry has been very popular among VC investment firms. This has resulted in a large number of new cyber startups, in which each offers a security product for specific problems. This brings us to today, in which we have a bunch of specialized products, but a lack of comprehensive solutions. A lot of these startups are focused on technical problems, but the other big category is the “GRC products”. GRC stands for Governance, Risk (management) and Compliance. And while the startups with technical products promise silver‐bullet solutions, the GRC startups promise compliance and security automation. These companies claim that by using their products and services you will become compliant with security standards “within weeks”. They claim you can automate all your security and compliance related work. This is BS. Unfortunately, many companies take this bait, generally because of someone’s incompetence. All of these cyber companies that claim they can get you compliant to the highest security standard within weeks, could never exist in regulated industries such as the pharmaceutical industry, because of the way they work and the (dis)service they provide to their clients. A good rule of thumb I learned from my experience in IT and InfoSec: if something seems more exciting, pleasing, or ideal than seems reasonable, then it likely isn’t genuine, legitimate, or true. The same applies to these platforms. One of such startups is Delve, a Y Combinator-backed compliance automation platform that promised to get companies SOC 2 and ISO 27001 certified within weeks. Last week, an anonymous whistleblower group called DeepDelver published an investigation exposing what was actually going on. The evidence was hard to argue with. A misconfigured Google Spreadsheet, left publicly accessible by Delve, exposed hundreds of client audit reports. Out of 494 of them, 493 were essentially the same document. One of Delve's customers was LiteLLM, a Python library with ~97 million monthly downloads, widely used by developers. LiteLLM was hit by a supply chain attack. Hackers had stolen the maintainer's publishing credentials and pushed two malicious versions of the package to PyPI. You can't make this stuff up!