I think that, at least for B2B software, there's a lack of appreciation here for the role compliance plays. The author cites both Google's and Microsoft's office tools, but they really suck. My fiancée has to use Microsoft, and now I do too; no one likes them! Their janky online Office actually deletes text as I type!
However, I know that the only reason my company is using it is because it makes compliance really easy, and they just don't have the bandwidth to take on more. This is further complicated by Microsoft's, let's say, not great security record, which indicates that security compliance is really more of a box-checking activity than anything else.
This is where Europe could come in. By lowering the barrier or, even better, coming up with requirements that required something closer to real security, you could seriously challenge these US companies.
> coming up with requirements that required something closer to real security
Being in security for years now, I'm not sure that's possible. At the end of the day, real security is a massive onion with lots of layers. Most of the time when I'm dealing with crappy security consultants, I would not say their recommendations are made up out of whole cloth. I would say misapplication of requirements from different security contexts is one of the most common problems, and after that, examining shallow issues for checkboxes rather than fundamental issues of applications.
> security compliance is really more of a box-checking activity than anything else.
Yup. Same at my job: new FIPS requirements. Current functional hardware is now e-waste because it's not compliant. And, of course, the few vendors who do support FIPS are the usual incumbents like MS and Cisco. So buy new Dell hardware with TPMs, Cisco switches, Windows 11 and Server 2025. Forced obsolescence and a waste stream for check boxes.
A lot of companies worried about things at this level grind their machines into small bits after finding out that potential leaks of information were occurring on things like NVRAM on devices.
I think there was a one-two punch that sort of destroyed common sense.
First the rise of cloud computing where some data went remote.
Then the pandemic where people were remote too.
And I think most corporations sort of GAVE UP. Now everything including employee lists, business strategy, code, internal documents, chat sessions, email, meetings... it's all just out there.