
I'm in the interesting position that I've built something that everybody needs, but nobody wants.

I've built a product that manages the compliance process for the Big 5 (i.e. PCI-DSS, SSAE16-SOC2, HIPAA, ISO 27001, and FEDRAMP).

My product, ComplianceChaos[1] competes with RSA Archer, Protiviti, Lockpath, Aruvio, and MetricStream.

From my research, 80% of IT operations around the world can't confidently certify themselves against any of those information security frameworks. When recently talking to Security Directors and above, they claim "I don't need to comply" or "well we may not be the best, but we're not the worst, so compliance just isn't a priority."

We understand that a big business like General Electric will not do business with your company unless you can show some kind of proof that you're compliant with the Big 5. For example, if you're a cloud service provider or SaaS, GE wants you to certify for SOC 2 and ISO 27001.

We also know that if you host on Amazon's FEDRAMP Compliant environment or Catalyze.io's HIPAA compliant environment, it doesn't automatically mean your company is also compliant. Your company still needs to go through the compliance process too.

When I first set off to build this product a couple years ago, the security officers first exclaimed, "We need a compliance tool so that we don't have to deal with scattered documents and long spreadsheets." When I built the MVP and continued iterating on it, security officers again exclaimed, "this is the most beautiful compliance product I've ever seen! Better than RSA Archer."

However, when I asked them to use it, for FREE, they would say, "Well it's nice, but compliance just isn't a priority for us because the business has other missions like doing real security work". Explaining to them that compliance frameworks like ISO 27001 and FEDRAMP are real security work was met with deaf ears. In fact, they would retaliate saying, "Compliance like ISO 27001 isn't security. It's a low bar, bare minimal, and not enough."

When I counter with, "But 80% of the industry can't confidently assert that they've done due diligence in meeting the compliance controls. If compliance is so bare minimal, then why do only 20% go all the way to Attestation instead of all 100% of you guys?", that question would again fall on deaf ears.

I've recently pivoted to a services company, no thanks to TrustWave for getting sued for performing subpar security compliance auditing work. I'm specifically looking at you auditors who ask employees to put their passwords in a spreadsheet.

So here I am, having built a product and auditing service that IT Operations do in fact need, but do not want. They don't want the politics behind it nor the emotions behind it, and wish to sweep compliance under the rug.

How do I solve for #1, "Make something that people want," when nobody wants compliance, but definitely needs it?

[1] http://www.ComplianceChaos.com

I'm going to sleep now, but I would really appreciate reading your responses in the morning and I'll definitely respond too.




You need to make the decision maker's life easier. At the moment it sounds like you have made something that makes their life harder right now in exchange for some future benefit that might not help them personally. Until someone loses their job because they are not able to show compliance, you are going to have a hard time getting people to use your product.

How do your competitors sell their products?


I don't know about your field but from what you say, it seems you shouldn't target security officers but rather salespersons. By definition, complying won't be voluntary. It has to be forced. You say it's required to close a sale so it follows that salespersons will want it, then they can force it upon the security officers.


Awww no engineers here can enlighten me into how to turn Compliance into something people want (#1 rule in her post) :(



