Sep 6, 2023 · edited Sep 6, 2023 · Liked by Ross Haleliuk
Excellent content explaining in depth the realities of the whole issue around audit vs. real security mindset. OWASP compliance isn't a thing, though, despite companies out there still trying to claim that.
This is so amazing. Loved the comparison. It's a tricky situation. Most companies think about compliance from a business point of view. If they are compliant with a particular standard, they will be approved for further business. In PCI DSS also I have seen that payment gateways need to show their compliance with the PCI DSS framework before the first transaction is hit (mostly based on test data). One way to bridge this gap is to get compliance from a good auditor, and then the enforcing entity (like a bank or payment brand) can do their own security checks after the compliance.
100%! Thanks a lot for the thoughtful comment, Himanshu. You are right - people tend to think "we need to be compliant so that we can move on with our lives". That part is fine, as long as there is an understanding that security is a critical component of running a business, regardless of what they think of compliance.
In some ways, the "security" companies set up this mindset with their ads.
What I saw at the top of a Google SERP today: "ISO 27001 Compliance - Get Certified Faster. The only All-in-One ISO 27001 compliance and audit solution with expert-guided automation. Breeze through an ISO audit with our audit prep and management tools and integrations."
Maybe security shouldn't be a "breeze" ...
100%! Same page. There are way too many companies who sell stuff like "get secure with SOC 2". This further confuses people who are already overwhelmed thinking about compliance and security.
What an amazing approach! I've been questioning myself many, many times. A challenging question, though, is which mindset to choose when compliance with a standard is not just a requirement or a nice-to-have but an absolute business enabler. In other words, if you are not compliant with standard X, you cannot sell to anyone. Is a balance achievable in that case, especially when the standard is old-fashioned?
I think it is - as long as we think of security as an essential component of running the business, not as something we get by default, by virtue of being compliant.