An XKCD comic strip shows two tech workers frustrated that there are 14 competing standards for a variety of use cases. “We need to develop one unified standard that covers everyone’s use cases,” they say. The next frame shows that there are now 15 standards instead of one.
Brad Arkin, the chief security and trust officer at Cisco, will tell you that this illustration of how standards proliferate hits uncomfortably close to the truth. “Everybody is trying to come up with their own set of security controls that they would like to see SaaS applications adhere to,” Arkin says. Such commendable goals notwithstanding, enthusiasm for being the defining standard for SaaS security compliance instead creates a confusing jungle of competing ones: ISO 27001, SOC, CS in Germany, IRAP in Australia, and ISMAP in Japan, to name just a few.