Compliance Is an Artificial Adversary—Unless You Tie It to What You Ship

I look at compliance and regulate regulations as kind of an artificial adversary. It's someone who's supposed to guide you towards a more secure outcome. The unfortunate reality of that, though, is it doesn't take into account the fact that your day to day risks and quantifications and mitigations don't sit at that top level in the theoretical world. They sit at the bottom level. In in this case, since we're talking specifically about software, they sit within the individual releases and products and code that's being distributed to the world. That means that as an organization, you are currently being faced with a very specific problem, which is how do I contextualize these very specific vulnerabilities, risks, attack vectors to this very kind of higher level arbitrary compliance outcome and goal. There are several different ways to do that. Many different people have accomplished it. There's checkbox exercises. I don't believe that CRA will essentially allow you to, accomplish that. But at the end of the day, you are not just likely going to be, beholden to CRA. You're likely going to be, held to several different standards.