Breaking Barriers to Market Entrance with Compliance


Customers are often interested in a compliance framework they don’t objectively need. For example, they think they want to pursue FedRAMP, but they don’t provide cloud services that can be sold to the government in some form.

Let’s talk about barriers to entrance and compliance

What is a barrier to entrance? According to my 20-year-old marketing textbook, from back when my back didn’t hurt and I didn’t have “the knees of a 90-year-old man,” a barrier to entrance is anything that keeps you from selling your product in a given market. It can take the form of a particular technology you don’t have access to, or, in our case, a regulation that requires you to demonstrate compliance. That requirement can be imposed by the government or be a contractual cost of doing business. The former is FedRAMP; the latter is PCI-DSS.

FedRAMP, PCI-DSS, HITRUST


As an example, if a company wants to sell into the healthcare market, they are going to run into the HITRUST compliance framework. With a little due diligence and some Wikipedia searches, they’ll discover that the executive council for HITRUST is made up of the following firms:

Anthem Inc, Express Scripts Inc, Highmark, Humana Inc, IMS Health, Kaiser Permanente, McKesson Corp, and UnitedHealth Group.

If you research HITRUST, you’ll notice that it’s often associated with companies that want to do business in the healthcare market. We can presume that if a company were to offer their widget to that market, at some point they are going to get requests for proposals (RFPs) for contracts that will contractually obligate them to meet HITRUST.

This means that the company should think about compliance beforehand. They should engineer their product so that at the end, a HITRUST certified assessor can come in and assess the product, and the product will pass. This will remove that barrier to entry to that particular market.

Why is this relevant? If I had a Kennedy half dollar for every sales call I’ve been on where a customer had designed and deployed a product only to run up against a compliance framework that they neither planned nor prepared for, I could probably buy a Tesla P100D.

Having a coherent strategy to sell your product in your target market is critical. In the event that doing the necessary due diligence is not your forte, then a consulting firm that specializes in compliance (here’s where I pitch you, just to be intellectually honest) is going to be a value add for you.

The money you spend on a gap assessment of your product early will save you the cost of re-engineering your application to meet compliance requirements later.

I’ve literally had clients tell me that they “should have done this last year when it would have been cheaper than ripping their SaaS apart this late in the game.”

To recap: Figure out and research the markets into which you want to sell when you are in the early stages of building your product. I know that sounds obvious. Then, if you realize that you must demonstrate due diligence in the form of some sort of compliance framework (FedRAMP, HITRUST, PCI-DSS, SOC2, ISO 27001, etc.) you should consult with an expert (internal or external, sometimes your company will already have a person for this) and make sure you don’t have to rip apart your SaaS later.


The information presented in this article is accurate as of October 1, 2020. Follow the ScaleSec blog for new articles and updates.

About ScaleSec

ScaleSec is a service-disabled, veteran-owned small business (SDVOSB) for cloud security and compliance that helps innovators meet the requirements of their most scrutinizing customers. We specialize in cloud security engineering and cloud compliance. Our team of experts guides customers through complex cloud security challenges, from foundations to implementation, audit preparation and beyond.
