Beyond checkboxes: Building security that actually works

Paper compliance creates hidden risk, while real security requires integrated practices beyond certification checklists

Andrey

March 4, 2026

Originally posted at e27

---

Nobody cares about real security, and that is precisely the problem.

If you look closely at most founders, engineering teams, and even security leaders, they typically only care about security in two very specific situations: when they need to sell to an enterprise client or investor, and when they have just suffered a breach.

As a former CTO of an insurance company that went through ISO 27001 certification, I have seen this play out firsthand. When you deal with enterprise clients, you are expected to be a top-tier “security guy.” But there is a massive gap between checking the boxes on a compliance form and actually securing your infrastructure. This gap is costing companies millions in lost productivity, friction, and hidden technical debt.

Here is the uncomfortable truth about why nobody cares, what “paper security” really costs you, and how to make security a sustainable practice rather than an exhausting sprint.

The asymmetric incentive problem

The core issue is an incentive asymmetry: paper sells, but implementation does not show.

External stakeholders like clients, auditors, and investors care if you are “secure enough” according to frameworks like ISO 27001, SOC2, HIPAA, or GDPR. They fundamentally trust third-party certificates rather than your actual internal practices. Because buyers cannot look under your hood, companies are incentivised to achieve “paper-only” security. It is far easier to patch a vulnerability in a policy document than in a legacy codebase.

Just like in software engineering, until things break, nobody looks under the hood. Security is invisible when it works. Real security (including access management, secret handling, and rigorous authentication policies) is hard, unglamorous, and completely invisible from the outside.

When my Series A company went through ISO 27001, we initially thought it would be a breezy one-to-two-month sprint. We hired advisors expecting a turnkey solution. Instead, they handed us abstract, heavyweight policies that did not fit our culture. One advisor openly told me, “I will do the important part, which is the exact wording of the security policy. The details and execution are on you; that is the easiest part.”

He was wrong. Implementation is the hardest part. How you handle your API keys internally, whether they are stored in a secret manager or exchanged in Slack messages and post-it notes, is your real security.

When they suddenly care and what it costs

Companies usually only wake up when a disaster strikes: a blocked enterprise deal, a failed investor diligence process, a public exposure of vulnerabilities, or a devastating breach.

But even without a breach, paper security carries hidden, corrosive costs. When leadership treats security as a compliance checkbox, it creates massive internal friction. Security protocols that do not match actual workflows slow down marketing, sales, and engineering. Teams quickly grow frustrated and start finding creative workarounds. The result is shadow IT, bypassed controls, unmanaged secrets, and deep moral hazard. When employees watch executives bypass the rules because they are “too busy,” they know the security posture is essentially fake.

To see where you stand, apply two simple tests:

  • The CEO test: Can your CEO comply with all of your company’s security policies? If the busiest, most empowered person in the building can follow the rules, they are likely reasonable. If an exclusive executive group routinely bypasses everything, you have paper security.
  • The engineering test: Ask your developers, “How many ways do you know to hack our organisation?” If they have to scratch their heads and think about it, you are doing alright. If they immediately laugh and say, “Oh man, there are a hundred ways,” you are in trouble. Your internal people always know where the bodies are buried.

Who should care and how

Moving past paper security requires a shift in mindset across three key groups.

  • For Founders: Stop treating security as a one-time sprint. It requires the same dedication as strong software architecture. Your most important security decision is hiring the right CISO. A bad CISO simply takes regulatory requirements and writes heavy policies that do not match your actual processes. A good CISO is highly hands-on; they intelligently interpret standards, which are fundamentally flexible, and adapt them to your specific operations so that teams can stay productive.
  • For security teams: You must understand the workflows you are protecting. In the old model, security was a top-down mandate acting as a business bottleneck. Today, you must build a security culture through transparency. Discuss trade-offs openly. Ask your team how they feel. If they feel bogged down or constantly point out glaring gaps, your policies are failing in the real world.
  • For engineering teams: Focus on fundamentals rather than theatre. Enforce secret management natively. Implement Two-Factor Authentication (2FA) and least privilege access everywhere. Make encryption a first-class citizen. Above all, never reinvent the wheel by building your own authorisation server or secret manager. If you leverage proper Infrastructure as Code (IaC), embedding security by default is just another rule instead of a monumental roadblock.

Here’s a comparison of old vs. new security approaches:

| Feature | Old Security | New Security |
| --- | --- | --- |
| Approach | Top-down, mandated | Collaborative, integrated |
| Focus | Compliance, checkboxes | Risk reduction, usability |
| Mindset | Control, restriction | Enablement, transparency |
| Tooling | Spreadsheets, PDFs, security policy docs | Shared platforms, automated workflows |
| Metrics | Number of policies, audit results | Actual vulnerability reduction, team velocity |

The AI revolution

In regions like Southeast Asia, security is still largely a “catching-up” industry. Many security leaders rely on outdated, manual processes, like requiring a manager’s written review for production access, rather than adopting modern zero-trust networks, progressive controls, or automated proxy servers. They inadvertently become bottlenecks, blocking organisational velocity.

The AI revolution changes the equation entirely.

Security has always struggled because it involves endless, mundane analysis. Today, highly intelligent CI/CD workflows can automatically check code for vulnerabilities. AI can analyse gigabytes of application logs to spot dangerous anomaly patterns, a task impossible for humans.

As an industry, we must now transition to a continuous security mindset. The AI tools available today allow us to constantly scan for secret leaks, unprotected APIs, and container vulnerabilities natively in the background. But AI also introduces new frontiers we must proactively defend against: prompt injections, agent manipulation, and the unique vulnerabilities of LLM architectures.
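The two practices the article keeps returning to, keeping credentials in a secret manager rather than in Slack messages and config files, and scanning continuously for secret leaks in CI, come together in a small pre-commit or CI gate. The following is an added example written for this page, not code from the article or from any tool it mentions; the regex rules, the entropy threshold and the sample diff lines are all constructed for illustration (the AWS key value is the documented placeholder pattern, not a live credential), and a production scanner would carry far more rules.

```python
"""Minimal secret-leak gate of the kind a CI job or pre-commit hook runs over a
diff.  Added example: the rules, thresholds and sample lines are constructed
for this article, not a project's real ruleset."""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# A few well-known credential shapes.  Constructed for this example; a real
# scanner ships hundreds of such rules.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # "name = value" assignments whose name smells like a credential and whose
    # value is long enough to be a real token rather than a placeholder.
    "credential_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}
ENTROPY_THRESHOLD = 3.0  # bits per character; random-looking tokens score ~4+


@dataclass
class Finding:
    lineno: int
    rule: str
    confidence: str  # "high" or "low"
    preview: str     # redacted value, so the report itself never leaks the secret


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character in `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def redact(value: str) -> str:
    """Keep only the first and last two characters for the report."""
    return value[:2] + "..." + value[-2:] if len(value) > 6 else "***"


def scan_line(lineno: int, line: str) -> list[Finding]:
    findings: list[Finding] = []
    for rule, pattern in PATTERNS.items():
        for m in pattern.finditer(line):
            if rule == "credential_assignment":
                value = m.group(2)
                # A long but low-entropy value is usually a placeholder, not a leak;
                # report it, but do not block the merge on it.
                confidence = "high" if shannon_entropy(value) >= ENTROPY_THRESHOLD else "low"
            else:
                value = m.group(0)
                confidence = "high"
            findings.append(Finding(lineno, rule, confidence, redact(value)))
    return findings


def scan_text(text: str) -> list[Finding]:
    """Scan every line of a diff or file body; line numbers start at 1."""
    return [f for i, line in enumerate(text.splitlines(), 1) for f in scan_line(i, line)]


def ci_gate(text: str) -> bool:
    """True when the change may be merged: no high-confidence findings."""
    return not any(f.confidence == "high" for f in scan_text(text))


# Constructed sample diff: the kinds of lines that appear when secrets live in
# chat messages and committed config instead of a secret manager.  Line 3 is
# the correct pattern (value read from the environment at runtime) and must
# pass; line 4 is a long placeholder and is reported at low confidence only.
SAMPLE_DIFF = "\n".join([
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "# pasted from Slack: prod token: xk9Lq2Vn8Rt4Zb7Mw1Py6Jd3",
    'DB_PASSWORD = os.environ["DB_PASSWORD"]  # injected from the secret manager',
    'api_key = "aaaabbbbaaaabbbbaaaabbbb"',
    "-----BEGIN RSA PRIVATE KEY-----",
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DIFF):
        print(f"line {f.lineno}: {f.rule} ({f.confidence}) {f.preview}")
    print("merge allowed:", ci_gate(SAMPLE_DIFF))
```

Wired into a pre-commit hook or a CI step that exits non-zero when `ci_gate` returns `False`, this turns the policy sentence "no credentials in source control" into an executable rule that runs on every change, which is the point the article makes about embedding security by default rather than mandating it on paper. The entropy check is the part worth tuning: it is what keeps the gate from blocking on `changeme`-style placeholders while still catching a real token pasted from a chat window.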

The alignment solution

The core problem has always been that security teams and operational teams speak entirely different languages. Security thinks in terms of framework standards and threat vectors; product teams think in terms of velocity, release cycles, and user experience. The inevitable result is friction, risky workarounds, and fake compliance.

Real security requires collaboration rather than control. It demands shared context on what “secure enough” actually means for your specific stage and market, backed by team-wide consensus rather than top-down mandates.

Modern platforms are emerging that allow teams to share processes and build this consensus natively, turning rigid security policies into executable, automated workflows. Security becomes sustainable as an embedded, frictionless practice, rather than an exhausting annual sprint or compliance theatre.

We have reached a point in the digital economy where trust is everything. But true trust cannot be built with a PDF certificate. It is built when your engineers cannot easily name a hundred vulnerabilities. It is built when your CEO follows the exact same rules as the newest intern.

We must confront the devastating cost of pretending to be secure. Apply the CEO test. Have the hard conversations with your engineers. And start building security that works in reality, not just on paper.