For me, 2024 is going to be the year I try to scale the information security compliance consulting I have been doing on and off for the last 20+ years into a combination of AI models and tooling. This is why this topic feels close to my heart. The article will also be published on my company's page, www.peakdefence.com, once we launch the new one!
One has to start with a short reflection on the history of information security compliance to understand where it might be going in the future. In short, there have been repeated attempts to create a standard "cookbook" that would achieve information security by following a predefined sequence of actions / list of activities.
In short, the reasons for this compliance temptation are summarised in the table below, based on two main groups of stakeholders.
Let's define two sides within compliance implementation. Let's call one side Foxes and the other Rabbits, where the Foxes define the requirements while the Rabbits try to navigate them while staying alive and healthy.
Applying these roles to the history of information security compliance, one can see that the Fox role is often taken by government agencies or larger corporations, while the Rabbit role falls to the organisations willing to do business with Foxes, such as startups or scale-ups.
As a result, the current landscape in information security compliance looks like this:
There are a few widely recognised standards which organisations can certify against, and the choice is usually defined by the combination of industry and geography (e.g. a SaaS provider in the EU with mostly EU customers would likely certify against ISO 27001 or, in Denmark for example, obtain an ISAE 3000 assurance report, while one in the US or with larger US customers would be more concerned with SOC 2 or similar)
All of them follow similar principles: setting security objectives, identifying and managing risks, implementing a more or less predefined (depending on the standard) structure of controls, and having regular reviews and audits
Very often one can observe major struggles in implementing compliance programs efficiently and effectively, even in large Foxes (the ones with many resources), with a lack of understanding among internal stakeholders of "why we do this"
Small Rabbits often go for compliance just to land the bigger "customer", without understanding the real reasons for it or the assistance a compliance program can provide. This more often than not leads to "unbalanced" compliance programs which do just one thing (e.g. secure configurations) and claim "all the work is done"
As an outcome of the factors mentioned above, the following can be observed:
Companies certified "to the teeth" still end up having security incidents
There is a lot of misunderstanding about what certification means, what scope means, and how it can/should be applied in the supply chain
Growth in tooling which provides "checklist-driven certification"
From my perspective the summary is very simple. Effective information security is "balanced": it takes into account (A) People, (B) Processes and (C) Technology at a somewhat "even" level. If even one of those fails, it can quickly lead to a much bigger failure.
As many companies implementing information security programs come from tech, and compliance initiatives are often perceived as "tech" work, many company management systems end up heavily Technology-biased.
One more critical factor here is the auditors and their background and competence. While working with many auditors as a trainer or lead auditor, I have observed a very personal, background-driven impact on auditors' decisions on what to audit, how to audit and what the findings are.
Given the challenges the industry is facing now, current generative AI will probably have a huge impact on the industry as a whole. It is both expected to reduce the
Foxes
Key process: checking whether Rabbits "fall in line" with information security requirements.

Rabbits
Key process 1: demonstrating compliance to Hedgehogs (auditors) and Foxes (customers, partners).
Process element: answering RFPs, due diligence (DD) questionnaires, etc.
How it is done now: manual work collecting the necessary information.
How AI might change it?
Positive:
- Major reduction in time spent
- Better and more consistent answers
Negative:
- Biased towards "positive" answers
Key process 2: implementing a really effective and compliant management system.

Hedgehogs
Let's add one more role here. Let's call them Hedgehogs. These would be the companies and individuals providing assurance that everything "is good enough". One of the main reasons for them to exist is the lack of direct trust between Foxes and Rabbits, but also the option to review how well the expectations of certain compliance requirements are met while spending less (no Fox going down all the Rabbit holes to check, and not all Rabbits being happy about regular visits from different Foxes).
Key process: auditing whether compliance is done properly and obtaining reasonable assurance.
Existing processes for compliance checking are quite time-, knowledge- and resource-intensive and quite often involve repetitive tasks.
There is huge potential for AI, if used properly, at least in the following areas of compliance improvement:
Policy and procedure creation support
- Effective and balanced implementation of compliance management can become easier if proper tooling is used (tooling which combines organisational knowledge with security domain knowledge).
- Specific policies and procedures which are not templates but are driven by the model's knowledge of the organisation.

Information collection support
- Security event, vulnerability, threat, incident and risk identification.
- Supporting processes to identify suspicious events from conversations or other sources.

Knowledge support
- Making information easily available (a much better "Google" for finding information internally).
- Awareness and training support: ensuring employees are aware in specific areas and keeping their profile up to date.
- Avoiding duplicates and contradictions in the information (AI can find and flag those in the documentation).

Audit support
- Stage 1 (documentation review) audit automation.
- Stage 2 audit planning automation.
- Stage 2 audit support by indicating what evidence to collect and how.
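As an added illustration (not code from the original post or from Peak Defence), here is a small deterministic Python version of the duplicate/contradiction check mentioned under "Knowledge support". It runs over three constructed policy snippets and uses hand-written regular expressions to turn each recognised sentence into a (control key, value) pair; a real tool would use an LLM or NLP for that extraction step, but the reporting logic that follows is the same. The document names, control keys and patterns are all made up for the example.

```python
"""Find duplicate and contradictory control statements across policy documents.

Added example. The documents below are constructed; the extraction patterns
are hand-written stand-ins for the model-based extraction the article describes.
"""
import re
from collections import defaultdict

# Constructed sample policy excerpts (not real documents).
DOCS = {
    "Access Control Policy": """
Passwords must be at least 12 characters.
Accounts are locked after 5 failed login attempts.
Backups are retained for 90 days.
""",
    "Password Standard": """
Passwords must be at least 8 characters.
Accounts are locked after 5 failed login attempts.
""",
    "Backup Procedure": """
Backups are retained for 30 days.
Backups are tested by restore every 6 months.
""",
}

# Hypothetical mapping from a sentence to (control key, numeric value).
PATTERNS = [
    ("password.min_length", re.compile(r"passwords must be at least (\d+) characters", re.I)),
    ("lockout.threshold", re.compile(r"locked after (\d+) failed login attempts", re.I)),
    ("backup.retention_days", re.compile(r"backups are retained for (\d+) days", re.I)),
    ("backup.restore_test_months", re.compile(r"tested by restore every (\d+) months", re.I)),
]


def extract_statements(docs):
    """Return {control_key: [(document name, value), ...]} for every recognised sentence."""
    found = defaultdict(list)
    for name, text in docs.items():
        for sentence in re.split(r"[.\n]+", text):
            sentence = sentence.strip()
            if not sentence:
                continue
            for key, pattern in PATTERNS:
                match = pattern.search(sentence)
                if match:
                    found[key].append((name, int(match.group(1))))
    return found


def find_issues(docs):
    """Split controls stated in more than one document into duplicates and contradictions.

    duplicates:     {control_key: [document names]} where every document states the same value
    contradictions: {control_key: [(document name, value), ...]} where the values differ
    """
    duplicates, contradictions = {}, {}
    for key, occurrences in extract_statements(docs).items():
        if len(occurrences) < 2:
            continue  # stated once: nothing to compare
        if len({value for _, value in occurrences}) == 1:
            duplicates[key] = [name for name, _ in occurrences]
        else:
            contradictions[key] = occurrences
    return duplicates, contradictions


def report(docs):
    """Human-readable summary, one line per finding."""
    duplicates, contradictions = find_issues(docs)
    lines = []
    for key, names in duplicates.items():
        lines.append(f"DUPLICATE {key}: stated identically in {', '.join(names)}")
    for key, occurrences in contradictions.items():
        stated = "; ".join(f"{name}={value}" for name, value in occurrences)
        lines.append(f"CONTRADICTION {key}: {stated}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(DOCS))
```

The duplicate (the same lockout rule in two documents) is a maintenance problem: the next change will be made in one place only. The two contradictions (password length and backup retention) are the kind of finding an auditor picks up in a Stage 1 documentation review, and the point of tooling like this is to surface them before the auditor does.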
There is also a large set of risks of abusing AI to demonstrate "virtual" (not actual) compliance, where an organisation can start answering questions "correctly" even without having a proper system in place.