7 Comments

This is so amazing. Loved the comparison. It's a tricky situation. Most companies think about compliance from a business point of view. If they are compliant with a particular standard, they will be approved for further business. In PCI DSS also I have seen that payment gateways need to show their compliance with the PCI DSS framework before the 1st transaction is hit (mostly based on test data). One way to bridge this gap is to get compliance from a good auditor and then the enforcing entity (like a bank or payment brand) can do their own security checks after the compliance.

Apr 9, 2023 · Liked by Ross Haleliuk

In some ways, the "security" companies set up this mindset with their ads.

What I saw at the top of a Google SERP today, "ISO 27001 Compliance - Get Certified Faster

The only All-in-One ISO 27001 compliance and audit solution with expert-guided automation. Breeze through an ISO audit with our audit prep and management tools and integrations."

Maybe security shouldn't be a "breeze" ...

May 24, 2023 · Liked by Ross Haleliuk

What an amazing approach! Been questioning myself many, many times. A challenging question though is which mindset to choose when compliance with a standard is not just a requirement or nice to have but an absolute business enabler. In other words, if you are not compliant with standard X, you cannot sell to anyone. Is a balance achievable in that case, especially when the standard is old-fashioned?

Sep 6, 2023 · edited Sep 6, 2023 · Liked by Ross Haleliuk

Excellent content explaining in-depth the realities of the whole issue around audit vs real security mindset. OWASP compliance isn't a thing though despite companies out there still trying to claim that.