Compliance

Staying On The Trail—Leveraging Compliance To Enhance Security-By-Design

Yair Kuznitsov
June 15, 2021


Skiing is a bit confusing as far as sports go.

You're either exulting in the glory that comes with careening down glistening slopes or you're mowing down trees. With your face.  

If you're an avid skier like me, you've likely come across the term "going off-piste". "Piste" is the French term for the designated official trails skiers are advised to stay on, and going off-piste means leaving them. It is a risky move that can unintentionally lead to dangerous consequences. The areas outside the established boundaries of the run are unsupervised and unmarked—if you choose to go there, you're doing so at your own risk. And if you do, you run the chance of meeting up with rocks, cliffs, and the occasional avalanche.

Increased Awareness, Increased Frustration

Skiing is great and all, but by now, you're probably wondering what going off-piste and staying within set boundaries has to do with compliance.

Well, a whole lot, it turns out.

Today, thanks to the countless high-profile data breaches and ransomware attacks that have made headlines, there’s an increased awareness around the need to ensure best security practices. And this means that InfoSec Compliance has gained new prominence. It’s top of mind for every potential customer and it’s one of those things that keeps stakeholders up at night. It is a maker or breaker of deals and thus, ensuring you've got the necessary frameworks in place is incredibly critical.

But it comes as no surprise that InfoSec teams hate dealing with it. That's because every framework requires resources, time, and money. Every audit takes months of prep. And the audits themselves? Less fun than having three root canals done simultaneously. Without novocaine. And with prep and audits that can drag on for months, sometimes it seems like compliance is just a collection of nitty-gritty tasks that take away from the team's core responsibilities.

And this impression, as a potential inhibitor of growth and expansion, is why the InfoSec community—and businesses in general—tend to look at compliance with a level of disdain and frustration.

Compliance = Guidelines for Security-By-Design

But here is a thought question: what is the deeper raison d'être of compliance frameworks and of going through certifications, attestations, and reports? Surely their only goal can't be to make life more frustrating, can it?

Obviously, that’s not the answer.

Not so long ago, companies could get away with not thinking about, or investing in, their security posture until the very last moment possible. Today though, with the aforementioned increased security awareness, things are different; in order to see deals take shape, businesses need to proactively display from day one that they are indeed worthy of being trusted with the data they hold.

In this light, it becomes clear that certifications, reports, attestations, etc., are not the end goal. The TRUE goal of adopting frameworks is to ensure that companies have security best practices in mind and are continually working towards maintaining and improving their policies and procedures.

Stay On The Right Path

Compliance is a whole lot like those established pistes on ski runs, keeping security efforts from skiing off a cliff or into an avalanche. When looked at from an optimal approach, compliance can become a guiding light, illuminating the marked and supervised path that should be followed in order to protect and secure data.

Following this established path prevents businesses from veering too far from the ideal track and skiing off that metaphorical cliff. It prevents them from journeying into uncharted territory that will likely yield untested and risky results. Moreover, when a business is designed with security in mind, with security best practices across the board, aligning with frameworks like SOC 2, ISO 27001, etc., is a snap, because those frameworks merely reflect the best practices that have already been implemented.

This is especially true in young startups, where the "CISO" might just be one of the founder's best buddies—or maybe even the IT person or the VP of R&D. In these less mature environments, compliance frameworks should be seen as imperative guidelines. By adhering to their chosen frameworks, regardless of their maturity level, these companies can establish a foundation based on security best practices from the get-go.

This can be accomplished by:

  • selecting more technical frameworks (such as NIST) to adopt and implement concrete security controls
  • using more high-level frameworks (like ISO 27001 and SOC 2) to design processes and policies and to define the security culture
  • leveraging regulations (HIPAA, for instance) to align with industry standards and embrace much-needed security controls, which also demonstrates that alignment to prospects in those industries

But this concept of using frameworks as guidelines isn't only applicable to startups; in more mature companies with a robust InfoSec team, frameworks can and should be viewed as another great light to follow and continuously improve by. And in both startups and enterprises, successfully passing an audit is how you display that optimal status to your customers, allowing your board to sleep more soundly at night.

So instead of viewing compliance as a roadblock, try (hard as it may be!) to view it as a set of guidelines for establishing security best practices from day one. Though a lofty goal, it's one that will pay great dividends in the end. And with these guidelines in place, who knows? Maybe you'll find a day or two to hit the slopes.


Yair Kuznitsov
Tech geek who appreciates and enjoys a good piece of code, Co-Founder and CEO of anecdotes.
