“We take security seriously” is bullsh*t.
Easy to say, hard to do. Good security takes attention to detail, and running a great security management program is difficult: complicated, time-consuming, repetitive, and boring – even more so when you add HIPAA, SOC, ISO, and other compliance requirements.
Small software engineering teams struggle to understand security requirements and translate rules into action. Growing teams struggle to track and consistently execute security activities.