Imageplus

09 REGULATORY READINESS

Security has quietly become a reason customers say yes.

For most of my career, security was something you justified after the fact, a cost you defended to people who would rather have spent the money elsewhere. That has changed, and changed in a way I find genuinely energising. Security has become something your customers actively check before they buy, which means doing it well is no longer only protection. It has turned into a way to win the work.

[Figure: a fuel pump nozzle at a forecourt, a public interface to a payment system]
FIG · 00 A pump is a public interface to a payment system. So is most software. The exposed surface is exactly what gets tested.

The short version is that a clean security posture has become one of the most persuasive things a vendor can put on the table, because the person across from you is now required to care about it. What used to be a private virtue is now part of how the deal gets decided.

01 The shared language of web security.

Anyone who builds web software eventually meets the OWASP Top 10, the awareness document the Open Worldwide Application Security Project publishes to name the most critical categories of application risk.¹ It is not a full standard and it was never meant to be. What it is, and why it matters here, is a common vocabulary. When a security team, an auditor and a developer all say broken access control or injection or security misconfiguration, they are pointing at the same things, drawn from the same list. Most of the weaknesses an attacker actually reaches for live somewhere in those ten categories: a missing authorisation check, a query built from unsanitised input, a default nobody changed, a dependency nobody updated.

The value of a shared list is not that it is exhaustive, because it is not. It is that it turns a vague unease about security into something a real conversation can be held against. You can ask, concretely, how a given system stands up in each category and you can get a concrete answer back. That is worth a great deal the moment someone outside your company starts asking the questions.

02 Why your customers now ask.

Here is the shift underneath all of this. European regulation has made your customers responsible for your security. Under NIS2, essential and important entities have to manage the cybersecurity risk in their supply chain, which means assessing the security of the suppliers and service providers they depend on.² If you sell software or a service into one of those organisations, their compliance now rests partly on yours. So they ask. The security questionnaire that used to be an occasional nuisance is becoming a standard part of procurement, and behind it, more and more often, sits a request to see the results of an independent test.

This is the part worth taking to heart: your security posture has become a sales document. A buyer choosing between two vendors who are equal on everything else will choose the one that can show its application has been tested and its serious risks closed, because that vendor lightens their own audit burden. Security stopped being purely defensive the day it started deciding who wins the contract.

03 What a pentest actually buys you.

This is where the OWASP categories stop being a list and become a map. A penetration test, the work of having skilled people try to break your system the way an attacker would, is most useful when it is structured around the same categories everyone is asking about. We run these tests as part of our practice and the pattern is consistent. The findings that matter are rarely exotic. They are an access-control check that was never enforced on one endpoint, a forgotten admin interface still reachable from the internet, an old library with a publicly known hole. Ordinary things in ordinary places, which is precisely why a fresh pair of adversarial eyes finds them while the team that built the system walked past them every day.
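As an added illustration, not code from this article or from Imageplus, here is a hypothetical order-lookup endpoint carrying two of the ordinary weaknesses named above and in the OWASP section (a query built from raw input, and an ownership check that was never enforced), placed beside the hardened version a pentest report would ask for. The table, the users alice and bob and the order values are constructed sample data; the function names are assumptions for the example.

```python
import sqlite3


class NotAuthorised(Exception):
    """Raised by the hardened handler when the caller may not see the row."""


def make_db():
    # Constructed sample data (not from the article): two users, one order each.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, total INTEGER)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 40), (2, "bob", 99)],
    )
    conn.commit()
    return conn


def get_order_vulnerable(conn, current_user, order_id):
    """Hypothetical endpoint with two OWASP Top 10 weaknesses at once:
    the SQL is assembled from raw input (injection), and current_user is
    never compared with the row's owner (broken access control)."""
    sql = f"SELECT id, owner, total FROM orders WHERE id = {order_id}"
    return conn.execute(sql).fetchall()


def get_order_hardened(conn, current_user, order_id):
    """Same endpoint after the two fixes a pentest report would list:
    the id is validated and bound as a parameter, and ownership is part of
    the query, so another user's order looks exactly like a missing one."""
    try:
        oid = int(order_id)
    except (TypeError, ValueError):
        raise NotAuthorised("invalid order id")
    row = conn.execute(
        "SELECT id, owner, total FROM orders WHERE id = ? AND owner = ?",
        (oid, current_user),
    ).fetchone()
    if row is None:
        raise NotAuthorised("order not found or not yours")
    return row


def _denied(fn, *args):
    # True when the handler refused the request, False when it served it.
    try:
        fn(*args)
    except NotAuthorised:
        return True
    return False


def run_demo():
    """Exercise both handlers as alice and report what each one gives back."""
    conn = make_db()
    return {
        # alice asks for bob's order: the vulnerable handler hands it over.
        "vulnerable_other_users_order": get_order_vulnerable(conn, "alice", "2"),
        # a non-numeric id is executed as SQL, so every row comes back.
        "vulnerable_rows_for_non_numeric_id": len(
            get_order_vulnerable(conn, "alice", "1 OR 1=1")
        ),
        # the hardened handler serves alice her own order only.
        "hardened_own_order": get_order_hardened(conn, "alice", "1"),
        "hardened_other_users_order_denied": _denied(
            get_order_hardened, conn, "alice", "2"
        ),
        "hardened_non_numeric_id_denied": _denied(
            get_order_hardened, conn, "alice", "1 OR 1=1"
        ),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running the file prints the five outcomes side by side: the vulnerable handler returns bob's order to alice and returns every row for an id that is not a number, while the hardened handler serves alice only her own order and refuses the other two requests with the same error, so an auditor reading the report sees both the finding and the closed hole in one place.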

What the test buys you is two things at once. It closes the real holes, which is the whole point. And it produces something you can hand to a customer’s auditor: independent evidence that you looked, found and fixed. In a vendor audit, that evidence is worth far more than any assurance you offer about yourself, because it was not you who did the checking.

04 Turning the audit into an advantage.

None of this is a reason to be anxious about security, and that is the shift I most want people to feel. For years security was framed as the function that says no, the brake on shipping. The vendor audit quietly turns it into the thing that says yes: yes, this supplier can be trusted, yes, we can sign. An organisation that knows its application risks, has had them independently tested and keeps the evidence current does not dread the questionnaire. It answers in an afternoon and moves on to the next deal while a less-prepared competitor is still scrambling to explain itself.

That is the opportunity hiding inside what can look like just more compliance. Treat the OWASP Top 10 as a language worth being fluent in and the penetration test as something you do because you want to know rather than because you were asked. Then the audit you were dreading becomes a credential you get to lead with. Security, done in the open and done well, has become one of the cleaner ways to earn a customer’s yes.

QUESTIONS ON THIS PIECE

What readers tend to ask.

01 What is the OWASP Top 10?

The OWASP Top 10 is a widely used awareness document for web application security, published by the Open Worldwide Application Security Project. It ranks the ten most critical categories of web application risk, from broken access control and injection to security misconfiguration and vulnerable components. It is not a full standard, but it is the common language teams and auditors use to talk about application security.

02 Why does NIS2 care about my suppliers’ security?

Because NIS2 makes supply-chain security an explicit obligation. Essential and important entities have to manage the cybersecurity risk posed by their suppliers and service providers, which in practice means assessing the security of the vendors they depend on. If you sell software or services to those organisations, their compliance now rests partly on yours, so they ask.

03 Is a penetration test required for NIS2?

NIS2 does not name penetration testing as such, but it requires appropriate, risk-based technical measures and the ability to demonstrate them. A pentest has become one of the most common ways an organisation shows its security has been independently checked, which is why it increasingly appears as a question or a requirement inside vendor security audits.

04 How do we get ahead of vendor security questionnaires?

Treat the questionnaire as a description of the security you should have anyway. Know your application risks against a framework like the OWASP Top 10, fix the serious ones, keep an independent test you can point to and keep the evidence current. Then the audit stops being a scramble and becomes something you can answer in an afternoon.

WRITTEN BY
Philippe Kaivers

Founding partner, Imageplus. Advisory across AI strategy, governance and regulatory readiness, grounded in twenty years of systems in regulated production.

ABOUT THIS INSIGHT
Pillar: Regulatory readiness
Published: 1 June 2026
Read time: 8 minutes · 1,240 words
SOURCES
  1. The OWASP Top 10, the awareness standard for the most critical web application security risks: OWASP Top 10.
  2. NIS2 requires entities to address supply-chain security as part of their cybersecurity risk-management measures. NIS2 Directive (EU) 2022/2555, Article 21: EUR-Lex.
