apimade 6 hours ago

I’ll spend some more time replying to this next week, so circle back to this comment; I’m someone who regularly helps people get past these audits, meet the criteria customers are trying to assess with these certifications, and vet startups who don’t have these certifications or budget.

Start by pre-filling your own CAIQ v4 with an earnest “we don’t do this” or “we haven’t even thought about this” attempt: https://cloudsecurityalliance.org/artifacts/cloud-controls-m...

Then read through it and see what you can address immediately (EDR on your laptop, MFA on your cloud environments, etc), followed by role playing your client; “based on answers to this questionnaire, what would I not accept?”

There will be some items you can’t fix.

You’ll soon find out the majority of customers, including banks, governments, defence contractors, crypto startups — simply do not care. If they want to use your product, they’ll work with you.

It may be single-tenancy, it may require architectural changes, it may mean making it self-hosted with a time-bomb, but you’ll be able to address the requirements of the CISO, compliance monkey or executive.

I’ve yet to meet an industry or individual I can’t convince. Even if the product is a hot mess, half baked and radioactive — we’ll deploy it on a VM running inside of a VDI within the customer’s environment, because slopping together a migration path is _so easy_, and those early, highly regulated clients are worth it.

p_l 5 hours ago

A major problem of the entire compliance/auditing industry is not enough asking in companies "what are the actual risks we are dealing with", "what's the goal for the given control", "do we have an alternative control ensuring that".

Compounded by cheap shitty auditors that just mark down checkboxes on a worksheet.

sochix 6 hours ago

Thank you! That makes a lot of sense!

apimade 5 hours ago

No worries, it’s more about finding what the security and compliance teams care about — and making them comfortable. Compliance doesn’t equal security, I’ve onboarded startups with better security than the SOC2 certified, ISO27K Swiss cheese $B unicorn.

Hackers don’t target based on certification. It’s generally convenience and motive. Unknown startups who are laying solid foundations won’t show up on anyone’s radar for the first 2 years without some insanely unlucky event (i.e. supply chain breach, an early employee doing something really dumb).