Fresh Thoughts #131: New Isn't Always Better
- Newsletter
Last week, a long-time Fresh Security customer decided to commit to ISO 27001.
The conversation was almost 2 years in the making.
They are a growing company in a lucrative, niche industry.
Their customers love what they do.
And they have increasingly been working with enterprise companies.
With enterprise customers, they have found a sharp rise in the question -
"Do you have ISO27001, or must you complete our security questionnaire?"
Some security questionnaires have been simple - 30 questions covering the fundamentals.
However, one infamous request came from a top film studio and contained 386 questions...
Our customer has always run a tight ship.
While constantly pushing the boundaries of what is possible, they maintain an extremely efficient toolset.
Everything they need, and no more.
So, with strong growth, market demand, and a straightforward technology stack... why has it taken 2 years to decide? Cybersecurity marketing.
ISO 27001 Certification as a Service
At the start of the conversation, the new Vanta-led ISO27001 certification industry was undertaking a significant marketing effort.
The narrative went...
Collecting evidence for your audit is hard - unless you use our product.
We will get you certified quickly - if you use our product.
And the quiet bit...
We will charge you £7,500+ each year you hold your certification - if you use our product.
At the time, we did a market survey and found a few cheaper alternatives.
However, within months, the entire industry settled around this price.
As an astute business owner, we were immediately asked...
"So what do you get for this cost?"
And we had to give an uncomfortable answer...
FS: You get a set of baseline policies that you will need to adapt to your business.
[X]: But we already have those...
FS: You get a content management system that makes it simple to link risks with mitigations.
[X]: Hmm... anything else?
FS: You get automation that pulls in user configuration and access controls from SaaS services.
[X]: But we only use 3 or 4 of those... Do we get device management?
FS: No.
[X]: Processes and SOPs?
FS: No.
[X]: ...so you're telling me that the £7,500 is for a content management system?
FS: Pretty much...
It left a bad taste.
And caused the delay.
Back to Basics
But there is a different way.
The way it used to be done.
Before Vanta et al. came along.
The old-fashioned way.
Using spreadsheets for tracking and shared folders as a content management system.
It's not pretty.
And you need to pay attention to the details...
But it works and has worked for decades.
And once you pay for it, there is no ongoing annual charge.
There is no rent extraction.
Final Thoughts
The new crop of web-based, semi-automated certification services is a valuable addition...
If you have the right size and complexity of company...
...and the correct tech stack.
Fall outside this sweet spot, and traditional, imperfect spreadsheet approaches continue to function satisfactorily.
In cybersecurity, new isn't always better for the customer.
It may just be a way of generating recurring revenue for a vendor.
Until next week, have a great week.
August 13, 20243 Minutes Read
