This is so amazing. Loved the comparison. It's a tricky situation. Most companies think about compliance from a business point of view: if they are compliant with a particular standard, they will be approved for further business. In PCI DSS, too, I have seen that payment gateways need to show their compliance with the PCI DSS framework before the 1st transaction is hit (mostly based on test data). One way to bridge this gap is to get compliance from a good auditor and then have the enforcing entity (like a bank or payment brand) do its own security checks after the compliance.

Apr 9, liked by Ross Haleliuk

In some ways, the "security" companies set up this mindset with their ads.

What I saw at the top of a Google SERP today, "ISO 27001 Compliance - Get Certified Faster

The only All-in-One ISO 27001 compliance and audit solution with expert-guided automation. Breeze through an ISO audit with our audit prep and management tools and integrations."

Maybe security shouldn't be a "breeze" ...

May 24, liked by Ross Haleliuk

What an amazing approach! Been questioning myself many, many times. A challenging question, though, is which mindset to choose when compliance with a standard is not just a requirement or nice-to-have but an absolute business enabler. In other words, if you are not compliant with standard X, you cannot sell to anyone. Is a balance achievable in that case, especially when the standard is old-fashioned?
