Constant compliance is security theater – TechCrunch

As a former CTO, I know that integrations are required to deliver data-driven products online. I’ve designed transactional data systems that integrated with global telecom networks, applicant tracking systems and cloud-based infrastructures. Powerful integrations are not hard to conceive. It’s easy to identify data you would like to share between two different systems.

An integration, however, is beset by the same suite of pitfalls that any product feature or technological innovation may require, with one big wrinkle: At least half of the requirements were never designed with you, your use case or your organizational goals in mind.

The complex relationship of your vendors, technology and your overall business makes integrations a hard problem. It also makes potential solutions very brittle. If the problem you’re trying to solve is a SOC 2 audit or ISO 27001 certification to drive sales, an integration will not make passing your audit quicker. In reality, it will make it harder to achieve.

The problem you’re trying to solve

Before widely published security standards like SOC 2 or ISO 27001, much of security work was siloed into specific business functions like board management, HR or infotech. Each group designed best practices according to the expertise of their leaders. Few buyers ever asked questions.

Having a published standard with a validated testing or audit methodology provides an important new signal in your entire organization’s maturity. Buyers can point at specific credentials and require companies to accomplish an independent assessment to be certified. As the number and variety of vendors have grown, buyers have increasingly identified efficient tools to analyze your security stance.

If the problem you’re trying to solve is trust via certification, does a technical integration accelerate compliance?

Integrations inhibit compliance and increase risk

There are zero integration requirements for SOC 2, ISO 27001, HIPAA or even CMMC, and there is no published security standard that requires an integration to achieve compliance. Even common standards such as PCI-DSS, GDPR or CCPA can be achieved without integrations, deployed agents or enterprise technology.

This is because all security standards are designed to not require any specific technology, personnel or processes. The authors of standards such as ISO 27001 recognize that each company is increasingly unique. For example, companies that offer an on-prem or private cloud deployment model are likely not required to comply with the monitoring portion of the SOC 2 Security standard during audit. Services organizations that develop intellectual property, such as software for their customers, are likely not required to comply with the change management portions of ISO 27001 and SOC 2 Security.