Security Compliance Has Become Its Own Kind of Mining

Source: simonwillison

Simon Willison made an observation recently that I haven’t been able to stop thinking about: cybersecurity increasingly resembles proof-of-work. Not proof-of-work in the abstract sense of “doing hard things,” but in the specific, precise sense used in distributed systems: expending computational effort to produce a verifiable output that proves you did the work, where the value of the output lies entirely in its verifiability rather than in any intrinsic utility.

In Bitcoin, miners burn electricity solving SHA-256 puzzles. The puzzles have no value. The solutions have no value. What matters is that producing them takes demonstrably expensive effort, and that anyone can cheaply verify the work was done. The work is the proof, and the proof is the point.

Apply that lens to modern security compliance and the parallel becomes uncomfortable.

What Security Compliance Actually Produces

A SOC 2 Type II audit takes six to twelve months of continuous evidence collection. You’re generating access logs, change management tickets, user provisioning records, training completion certificates, and incident response documentation. An auditor reviews that record and certifies that your controls existed and operated over the period. The output is a PDF. That PDF unlocks enterprise sales conversations.

The PDF does not mean your systems are secure. It means your controls operated as documented. A company can pass SOC 2 Type II and still have critical vulnerabilities in production, inadequate secrets management, developers with excessive privileges, and no real incident response capability. The audit checks whether the controls you defined were followed, not whether the controls you defined were the right ones.

ISO 27001 has the same structure. You define an Information Security Management System, document your risk assessments and treatment plans, get an accredited auditor to verify your documentation and processes, and receive a certificate. The certificate proves you maintain an ISMS with certain properties. It does not certify your risk treatment decisions were correct or your controls effective.

PCI DSS is more prescriptive, specifying 12 requirement categories with hundreds of sub-requirements. Organizations handling card data must meet these or risk losing the ability to process payments. The requirements are real and many of them are genuinely useful. But the compliance process creates the same dynamic: effort flows toward what’s measurable and auditable, not necessarily toward what reduces breach probability most efficiently.

Penetration testing has developed a particularly pure proof-of-work quality. Many organizations run annual pentests primarily to produce the report, which they share with enterprise customers in security questionnaires. The findings often get triaged and parked rather than remediated, especially lower-severity items. The value extracted from the engagement is the document certifying it happened, not the security improvement.

The Questionnaire Industrial Complex

Somewhere in the last decade, the security questionnaire became a primary artifact of B2B sales. A prospective enterprise customer sends a vendor a spreadsheet with 300 to 500 questions about security practices. A security analyst spends days or weeks answering it. The customer’s security team reviews the answers. Nobody is quite sure what they’re checking.

The questions are often generic, copied between questionnaires, and difficult to answer meaningfully. “Do you encrypt data at rest?” is not really a security question; it’s a proof-of-work prompt. The expected answer is yes, and you provide it. The exchange doesn’t surface whether your encryption key management is sound, whether your storage is actually encrypted end-to-end, or whether the encryption is configured correctly. It produces evidence of an interaction.

The Shared Assessments program, CAIQ, and similar frameworks try to standardize this process. They make it more efficient but don’t resolve the underlying problem: you’re optimizing for answerable questions, not for security outcomes.

What Acceleration Does to This Dynamic

AI tools are now capable of doing significant portions of this work. Large language models can draft SOC 2 policy documentation, answer security questionnaires from a document corpus, generate security architecture diagrams, and summarize penetration test findings into executive summaries. Several startups have built compliance automation products precisely on this capability.

This is where the proof-of-work analogy gets particularly sharp. In Bitcoin, the point of proof-of-work is that it’s computationally expensive; cheaper hardware or more efficient algorithms that reduce that cost erode the security property. The work must be hard to preserve its value as a signal.

If compliance artifacts become cheap to produce, they lose their signal value. If any organization can generate a plausible-looking security program with AI assistance in a weekend, the enterprise customer who reads that SOC 2 summary or questionnaire response is no longer getting useful information about security investment. They’re getting a demonstration of AI fluency.

The attackers, for their part, have always been exempt from proving anything. They don’t file documentation. They don’t get audited. Their constraint is finding one exploitable path, while defenders must defend the entire surface and simultaneously prove they’re doing so to a dozen different external audiences.

Where Effort Should Go

None of this means SOC 2 audits are worthless or that penetration testing is theater. Compliance frameworks do create floors. They force organizations to implement basic controls they might otherwise skip, maintain documentation that aids incident response, and develop security muscle memory through repeated process execution. An organization with no compliance program and one with SOC 2 Type II are not equivalent.

The problem is resource allocation under the proof-of-work regime. Engineering time spent on compliance evidence collection is time not spent on threat modeling, on improving detection capabilities, on reviewing high-risk code, or on reducing attack surface. Security team hours spent answering questionnaires are hours not spent on anything else. When compliance becomes the primary deliverable of a security program, the program optimizes for compliance.

Bruce Schneier has been making versions of this argument for years, most pointedly in “Security Theater” and subsequent writing on how visible security measures get prioritized over effective ones because they’re easier to demonstrate. The proof-of-work framing sharpens it: the problem isn’t just that some measures are theatrical, it’s that the entire incentive structure rewards demonstrated effort over achieved outcomes.

The NIST Cybersecurity Framework identifies five functions: Identify, Protect, Detect, Respond, Recover. Compliance work concentrates heavily on Protect, because protection controls are documentable. Detection and response capabilities are harder to certify and rarer in auditor checklists, despite being what determines whether a breach becomes a catastrophe.

The Signal Collapse

Any proof-of-work system faces signal collapse when the cost of producing the work drops faster than the cost of verifying it. Bitcoin’s economic properties hold because ASICs and algorithm design keep the hardware cost of mining proportional to network difficulty. Security compliance has no such mechanism.
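The asymmetry described in the opening Bitcoin paragraph, and the signal collapse described just above, are easiest to see by counting hashes on each side of a hashcash-style puzzle. The block below is an added example, not code from the post or from any of the products it names; it uses SHA-256 as the post describes, a constructed challenge string, and a "leading zero bits" target of my own choosing. The producer's cost grows with the difficulty while the verifier's cost stays at one hash, and `signal_ratio` shows that as the difficulty (the cost of producing the artifact) falls toward zero, a valid proof stops saying anything about effort.

```python
import hashlib
from dataclasses import dataclass
from typing import Tuple

# Cost of checking one proof, in hash evaluations. It never changes.
VERIFY_COST = 1


@dataclass(frozen=True)
class Proof:
    """A hashcash-style proof: the challenge, the nonce found, and the target."""
    challenge: str
    nonce: int
    difficulty_bits: int


def _digest(challenge: str, nonce: int) -> bytes:
    # The "puzzle": hash challenge and nonce together. The output has no use
    # except as evidence that this particular nonce was tried.
    return hashlib.sha256(f"{challenge}:{nonce}".encode("utf-8")).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """True when the digest's top `difficulty_bits` bits are all zero."""
    return (int.from_bytes(digest, "big") >> (256 - difficulty_bits)) == 0


def mine(challenge: str, difficulty_bits: int) -> Tuple[Proof, int]:
    """Search nonces until one meets the target.

    Returns the proof and the number of hash evaluations spent, i.e. the
    producer's cost, which averages 2**difficulty_bits.
    """
    nonce = 0
    attempts = 0
    while True:
        attempts += 1
        if meets_target(_digest(challenge, nonce), difficulty_bits):
            return Proof(challenge, nonce, difficulty_bits), attempts
        nonce += 1


def verify(proof: Proof) -> Tuple[bool, int]:
    """Check a proof. Returns (valid, hash evaluations spent).

    Whatever the difficulty, the verifier recomputes exactly one hash.
    """
    ok = meets_target(_digest(proof.challenge, proof.nonce), proof.difficulty_bits)
    return ok, VERIFY_COST


def expected_production_cost(difficulty_bits: int) -> int:
    """Average number of hashes a producer must spend at this difficulty."""
    return 2 ** difficulty_bits


def signal_ratio(difficulty_bits: int) -> float:
    """Producer cost divided by verifier cost: how much effort a valid proof
    attests to. As the ratio approaches 1.0 a proof says nothing about effort,
    which is the signal-collapse case the post describes."""
    return expected_production_cost(difficulty_bits) / VERIFY_COST


if __name__ == "__main__":
    challenge = "example-challenge"  # constructed; any string works
    for bits in (0, 8, 16):
        proof, spent = mine(challenge, bits)
        ok, vcost = verify(proof)
        print(f"difficulty={bits:2d} producer_hashes={spent:6d} "
              f"verifier_hashes={vcost} valid={ok} "
              f"signal_ratio={signal_ratio(bits):.0f}")
```

Running it prints one line per difficulty: at 0 bits the first nonce succeeds and the ratio is 1, so the "proof" is worthless as a signal even though it verifies; at 16 bits the producer spends tens of thousands of hashes for the same single verification hash. The compliance analogue is the difficulty knob: automation that drives the production cost of an artifact toward zero leaves the verifier's check unchanged and the ratio, the information content of the artifact, collapsing.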

As AI reduces the cost of producing compliance artifacts, the artifacts carry less information about actual security investment. The enterprise customer who has been using SOC 2 Type II as a proxy for security maturity will need a different proxy. What that looks like is unclear. Outcome metrics are hard to collect and harder to audit. Continuous monitoring services like Vanta or Drata try to make evidence collection automated and verifiable in real time, which is directionally interesting, but they still measure control operation rather than security outcomes.

The broader problem that Willison surfaces is structural. Security is one of the few domains where you must continuously prove effort to external parties while simultaneously preventing adversaries who face no such requirement. That asymmetry has always existed. What’s changed is that the cost function on both sides is shifting, and the signals we’ve built around demonstrated effort are becoming easier to fake than to trust.