This article confused me @Srajan as to whether you are a security practitioner or a compliance SME! ;) You have articulated it so well in terms of why focus on compliance and the challenges associated with it! From a compliance practitioner's perspective though, one of the root causes is the development/engineering organization's motivations and/or skillset gap. I have interacted with engineering leaders that take this upon themselves and invest in the effort it takes to bake security into the product early on, which makes compliance easier later on! On the flip side, I have seen CTO/VP Engineering leaders who simply don't want to do security or think it is a waste of time, while only wanting to do check-the-box type effort to keep compliance! Lastly, if I were to look back, there are not that many engineers/developers that know (or even worse, that care) what it means to write, build and deploy secure code!
As for the vendors, they take advantage of issues that get created by the vicious cycle that keeps going around! ):
Aptly put, @Yogesh. I couldn’t agree more! The lack of motivation often drives the check-the-box mentality, which vendors then exploit. Thanks for sharing your perspective.
Very very well written 👏