I am a founder, and my ambition includes meeting the highest possible standards for my customers.
The problem with the current frameworks is that the "controls" are so asinine and auditors so hard headed, that getting certified becomes a matter of "checking the box" .
Particularly most of those frameworks REQUIRE maintaining so much paper red tape that make a 10 person startup want to kill themselves. And in addition the costs are stupid high for startups that are just "starting up".
On the flip side, how many large companies have we seen that have all the SOCs, ISOS and whatnot certifications, and they get pwn3d and their data stolen or exposed.
It tells you that a place being certified doesn't guarantee shit.
The reality is that large companies ask for certs as a CYA mechanism: the "security" department of LargeCo, asks for the compliance cert so that when shit hits the fan, they can say "not my fault, they told me they were compliant"
The good thing is that with the new Bullshit generators (llm) this certifification/compliance process will collapse.
Some things just have to be done.
Wellll this is not always the case. I have moved from a shithole country to a nice one and oh boy I am crying in gratitude every month that I pay taxes. Because it is every day that I can see my money working for me in the environment.
But your point stands.
The same applies to all the audit and bureaucracy stuff. Does it do something? If you don't feel it does, does it mean it's not? I don't know really, but I hope somebody is rotating their key material as they provided in their security posture.
I love bringing Switzerland up to annoy most of western/northern Europeans since their success is so obvious and undeniable while going in very different direction than most of Europe. Low to low-medium taxes, yet state budgets are frequently in positive numbers, there is no end to money spend on infra projects, train infra, but also rather strong social programs (just not ridiculously bad as mentioned above), top notch free healthcare and education. VAT taxes are 2-8% instead of 20-23% in all countries around. Country simply works(TM) because population is not hard comfort-zone-addicted and entitled bunch of spoiled whiny kids, they work relatively hard and it brings results, consistently and long term. They don't work more than americans nor asians, but thats enough for their prosperity.
Do you think lets say a heavy tax burden in say Italy, or even France (not even going more into southern or eastern EU since that would be a small book) is really used well and efficiently? I visit those places frequently and it certainly doesn't seem that way. Random examples - Italy has garbage everywhere, people drive to highway stops to drop it there (so the wind blows it all around). Infrastructure seems like from 80s, with added age. From people dealing with bureaucracy there - its stuck in 19th century, direct approach will get you often nowhere. France - most communist state in western Europe, heck in all Europe, sans Belarus maybe. Yet if you talk to people, they are constantly pissed off at government, never happy with society or state they live in. I don't blame them, listening to French colleagues complain is often rather sad experience. Not something you read in travel guides, do you.
>because population is not hard comfort-zone-addicted and entitled bunch of spoiled whiny kids
I'm not sure why would I need lower taxes in exchange for more work. This somehow feels like a scam.
That said, this should be used sparingly; as it embeds a behavior deep. If that behavior later no longer makes sense it can be extremely costly to change it later.
Too often liabilities exceed assets, or the liabilities are externalised.
Liability doesn't work as an incentive for many risks. For uncommon but extreme risks, it can be better to roll the dice on company failure than regularly pay low amounts for mitigation.
It is especially effective to ignore liabilities when a company has poor profitability anyways.
And then you see major companies sidestep the costs of their liabilities (plenty of examples after security failures, but also companies like Johnson&Johnson).
At some point I was asked to look over the documents for the compliance definition and it was really hilarious. I had to give my engineering perspective on which aspects of the requirements we were and weren't meeting.
But they were stuff like "you must have logs". "You must authenticate users". "You must log failed authentication attempts".
Did we fulfill these requirements? It's a meaningless question. Unless you were literally running an open door telnet service or something you could interpret the questions so as to support any answer you wanted to give.
So I just had to be like "do you want me to say yes?" and they did, so I said yes. Nothing productive was ever achieved during that engagement.
Companies do want to be secure. They try, and they often fail because it's hard.
They hire auditors to find problems and to shift blame. But since they only have 30 days to fix the problems that are found, it's going to see a lot like they only care about shifting the blame. Because at that point, they only care about passing that audit.
Right after that, though, they start caring about security again.
How do I know? 19 years experience going through those audits on the company side. For 11 months of the year, it was clear the boss cared about security. For that 1 month during the 'free retest' period, they only cared about passing that audit.
Somehow I doubt that you are in the B2B/Enterprise space. When you're pitching demos and you hear from people "we really wish we could buy your product but we can't because Finance won't approve the expenditure unless you get XYZ-123", and you hear that over and over again because that is the real-world industry that you live in, then you better believe that there are founders who wake up in the morning wishing that.
You clearly have no understanding of what compliance does. Compliance does not "shift responsibility". Compliance is you demonstrating to your customers that you give enough of a shit that you're willing to pay the table stakes to sit at the table. You can complain that the game has table stakes, but all worthwhile games have them.
Then do not pass the responsibility. But here's the trick: the regulator would like to see an audit done by a firm and purchasing audit services is exactly that: passing responsibility. So legally you can't be compliant unless you passed responsibility.