> or is the main incentive to be able to tout compliance?
At the time I joined, the existing goals were around compliance and checking boxes on security questionnaires, which is exactly the problem I'm trying to solve. Specifically, compliance was driven by the IT/Infra teams and mostly around access to cloud infra. That's obviously useless if a db server is locked down and change managed, but the software accessing the data isn't.
So, the bulk of my efforts in this area have been around bridging the gap from checking boxes to actual compliance with various standards. Fortunately, we rely heavily on data, so it's not a hard sell to properly protect things.
In general, people receive the questions well, as it makes the strong point that there's a big gap between checking a box that people in sales & marketing care about, vs. how any issues arising from not having "real" compliance would be catastrophic and business ending for a company of our size.