Continuous compliance is security theater – TechCrunch

As a veteran CTO, I know integrations are needed to deliver data-driven products online. I have designed transactional data systems that integrate with global telecommunications networks, applicant tracking systems and cloud-based infrastructure. Powerful integrations aren’t hard to design; it’s easy to identify the data you want to share between two different systems.

An integration, however, is beset by the same pitfalls as any product feature or technological innovation, with one added problem: at least half of the requirements were never designed with you, your use case or your organizational goals in mind.

The complex relationship between your vendors, your technology and your business as a whole makes integrations a difficult problem. It also makes potential solutions very fragile. If the issue you’re trying to solve is passing a SOC 2 audit or obtaining ISO 27001 certification to drive sales, an integration won’t make your audit pass any faster. In reality, it will make the audit harder to pass.

The problem you are trying to solve

Before widely published security standards such as SOC 2 or ISO 27001, much of the security work was siloed into specific business functions such as board management, HR or IT. Each group designed its own best practices based on the expertise of its leaders. Few buyers asked questions.

Having a published standard with a validated test or audit methodology provides an important new signal of the maturity of your entire organization. Buyers can demand specific credentials and require vendors to undergo independent assessment in order to be certified. As the number and variety of vendors have grown, buyers have increasingly relied on these standards as effective tools to evaluate your security posture.

The best time to implement an integration is when you’re sure it’s useful.

If the problem you’re trying to solve is trust through certification, does a technical integration accelerate compliance?

Integrations inhibit compliance and increase risk

There is no integration requirement in SOC 2, ISO 27001, HIPAA or even CMMC, and no published security standard requires an integration to achieve compliance. Compliance with even common standards like PCI-DSS, GDPR or CCPA can be achieved without integrations, deployed agents or enterprise technology.

This is because security standards are deliberately written to require no specific technology, personnel or process. The authors of standards like ISO 27001 recognize that every business is different. For example, companies that offer an on-premises or private cloud deployment model are unlikely to be required to comply with the monitoring portion of the SOC 2 security standard during the audit. Service organizations that develop intellectual property, such as software for their customers, are unlikely to be required to comply with the change management portions of ISO 27001 and SOC 2 Security.