We’re reaching a point where business norms and social expectations around security and privacy are changing rapidly. In B2B, security review used to be a post-sale step in enterprise deals. Today, requests for vendor security assessments, SOC 2 audits, ISO 27001 certifications, pen tests, and other trust-building investments all happen before the sale, and are increasingly table stakes. As public awareness of data privacy issues grows, and public anger builds over big breaches caused by lax data security, regulators and governments at the state, federal, and international levels are introducing regulations around data protection.
With the availability of cloud infrastructure, thousands of SaaS vendors, powerful development tools, and open source frameworks, it’s easier than ever to develop a product and start a business with a small team and light overhead. Once you gain traction, however, security grows in complexity as your technology, your headcount, and the number of requirements you face all grow. And no matter how many companies say “we take security seriously” on their website, many struggle to think holistically and strategically about security. Stakeholders recognize the need for a formal security program, but find the process frustrating or confusing. That raises the risk of failing audits, exposing private data, paying big fines, and losing customers, just as global conversations around privacy and security are entering the mainstream.