Ali Kareem Raja

Blog

  • ISO 27001 for Startups: A One-Year Retrospective

    ISO 27001 for Startups: A One-Year Retrospective

    We’ve officially hit the one-year mark since KNOWRON became ISO 27001 certified. Following our first successful surveillance audit, I was prompted to share some practical advice for early-stage founders navigating the world of security compliance. A common question I hear is: “When is the right time to get certified, and how can we do it without a massive amount of effort?”

    This article breaks down our experience, focusing on how smaller startups can approach ISO 27001 compliance in a way that minimizes pain and maximizes long-term value.

    Compliance vs. Certification: The Critical Mindset Shift

    It’s crucial to understand the subtle but important difference between being compliant and being certified. Certification is a formal badge, a stamp of approval for your website. Compliance, however, is a foundational part of how you operate your company every day.

    Even with a small team of 5-10 people, you can establish lightweight security processes that align directly with ISO 27001 objectives. ISO is about organizational security—both at the operational and product level.

    Some examples that make sense even for small teams:

    • Enforce IP/Subnet Restrictions: While you might not need a full business VPN, restricting access to production environments by IP or subnet is a must. It’s a simple, high-impact control that protects your core infrastructure.
    • Vulnerability Management: Make vulnerability resolution a routine practice, regardless of your team size.
    • Start with Security by Design: The earlier you embed these security habits, the less disruptive and costly compliance becomes later on.

    Instead of seeing security compliance as a “tax on velocity,” view it as a trust enabler. Enterprise customers, potential investors, and even new hires gain confidence when security is a clear priority, not an afterthought. Adopting ISO-style practices early prevents a mountain of expensive and painful catch-up work down the road.

    Documentation: The 70% You’re Already Doing

    Most teams in tech underestimate this part: you are likely already doing 70% of what ISO 27001 requires. The missing piece is the documentation.

    • Are you running regression tests before every software release? That’s a security control. Write down the results. That’s compliance.
    • Do you occasionally rotate credentials? Formalize it into a predefined cadence and log the event. That’s compliance.

    ISO 27001 doesn’t ask you to reinvent your engineering discipline. It simply asks you to formalize and provewhat good teams already do. That final 30%—the discipline of documentation and record-keeping—is what gets you across the certification finish line.

    When to Pursue ISO 27001 Certification

    The certification process itself is not the insurmountable obstacle many imagine. The formal audit typically lasts two days, with follow-up surveillance audits annually. A prepared audit is largely a review of your documented processes, followed by a handful of clarifying questions.

    The financial cost is usually between €3k and €10k, depending on the firm. However, the real investment is in the ongoing upkeep of your security management system. Compliance is not a one-time project; it’s a continuous commitment to ensuring your daily operations match your policies.

    Trigger Points for Certification:

    • Enterprise Sales: If your target customer is a large enterprise, you will almost certainly encounter procurement teams that require ISO 27001.
    • Handling Sensitive Data: If your business processes sensitive customer or personal data at scale, external assurance from an ISO certification provides a crucial layer of trust and validation.

    If you are a pre-enterprise startup and don’t yet handle sensitive data, focus on building the right compliance habits. Certification can wait until it becomes a business enabler.

    ISO 27001 Is a Company-Wide Initiative, Not a “CTO Project”

    Security is a shared responsibility. While the CTO or a dedicated security lead may drive the initiative, the entire organization must participate. Engineers must follow secure coding practices, operations teams must document processes, and even non-technical staff have a role in security awareness.

    As a founder, you set the tone. If you treat compliance as a mere checklist, your team will do the same. If you present it as an essential part of building trust with customers and investors, they will embrace it as a core part of their work.

    Final Thoughts for Early-Stage Founders

    Don’t wait until a major customer or regulator forces you to think about security. Start embedding smart, lightweight habits early: subnet restrictions, credential rotations, and a culture of documentation. These practices cost little but discipline.

    When the time comes to pursue certification, you’ll find that you were “ISO-ready” all along. The certificate will simply be proof of the secure and trustworthy company you’ve already built.

  • Becoming Human: Why AI Assistants need a rethink

    Becoming Human: Why AI Assistants need a rethink

    The party trick of “smart prompting” is starting to wear thin.

    Back when ChatGPT first dropped, we all fell in love with the magic of good prompts. Craft it right, and you’d get something close to wizardry. But fast forward to today, and the cracks are showing. We’ve hit the ceiling of what prompting alone can do—and it’s time for something more serious.

    1. The Prompting Paradigm Is Breaking

    The early success of LLMs relied on clever prompts and savvy users. But here’s what we’ve learned: an AI is only as smart as the person typing. Our internal research confirms what many are already seeing—non-technical users struggle to write prompts that are clear, structured, and complete. Outside of expert power-users, effectiveness drops off a cliff. “Chat with your AI” sounds great in theory, but in practice, most users are asking vague, incomplete questions and getting equally vague answers.

    2. From Reactive to Proactive Agents

    We need to shift from reactive assistants to proactive collaborators. A good agent shouldn’t wait for instructions—it should guide the user. Think less autocomplete, more like a seasoned teammate steering the conversation. Suggest next steps. Clarify ambiguity. Push the work forward.

    3. True Utility Requires Deep Context Integration

    Here’s the thing: general knowledge is not the same as actionable intelligence. To be useful, agents must understand the user’s world—deeply. That means integrating with:

    • Domain-specific workflows
    • Business logic and exceptions
    • Institutional memory (past tickets, docs, internal policies)

    This goes far beyond simple retrieval. It’s about dynamic, real-time sense-making—pulling the right thing at the right time in the right format.

    4. Knowledge Injection ≠ Context Awareness

    Too many teams think context means “dump the docs into a vector store.” It doesn’t. True context means knowing which knowledge is relevant right now. It’s not just access to data—it’s situated awareness. Conditioning the model with the right bits at the right time.

    5. Context Routing Is the Missing Glue

    This is where most implementations fall flat. LLMs need intelligent routing mechanisms. Systems that:

    • Understand the task intent (Are we troubleshooting? Writing SOPs?)
    • Surface role-specific, granular info (Ops vs. Engineering vs. Support)
    • Manage overflow (via memory strategies, chunk prioritization, retrieval augmentation)

    Think of it as selective attention for machines.

    6. Autonomy Requires Trustworthy Behavior

    You can’t have autonomy without trust. That means guardrails, explainability, and consistent behavior. A capable agent knows when to act, when to ask, and when to escalate. Especially in ambiguous cases, where human judgment would usually kick in.

    7. Designing for Human-Like Dialogues

    Prompting is a developer’s interface. Regular users want conversation. That means:

    • Asking clarifying questions
    • Offering options instead of demanding instructions
    • Adapting based on behavior and feedback

    Smart agents learn the user’s preferences and meet them halfway.

    8. Tool Use Is Not Optional—It’s Essential

    The most powerful agents don’t just chat—they do. That means tool use: search, ticketing systems, databases, CRMs. But tool use isn’t just API calls—it’s orchestrated reasoning. Knowing when, how, and why to use a tool, and chaining actions into outcomes.

    The future of LLMs isn’t in clever prompts. It’s in intelligent, context-aware, action-capable agents that feel less like toys—and more like team members.

  • The “Perfect Prompt” Fallacy: Why Your LLM Outputs Need More Than Hope

    The “Perfect Prompt” Fallacy: Why Your LLM Outputs Need More Than Hope

    I’ve seen firsthand the seductive power of the “perfect prompt.” The initial demos are dazzling, the potential seems limitless. But relying solely on prompt engineering as the cornerstone of your GenAI strategy is a recipe for instability and ultimately, a compromised product.

    We’ve observed a dangerous trend: teams treating LLMs as black boxes, expecting consistent, high-fidelity outputs simply by refining input strings. This approach ignores the fundamental nature of these models – probabilistic systems inherently susceptible to variance.

    The Illusion of Determinism: A Technical Deep Dive

    LLMs operate on complex statistical models, mapping input sequences to output distributions. Even minor perturbations in the input space, whether intentional prompt tweaks or subtle data shifts in the underlying model, can drastically alter these distributions. This isn’t a bug; it’s a core characteristic.

    We’re dealing with high-dimensional latent spaces, where minor changes can have cascading effects. The concept of a deterministic “perfect prompt” is fundamentally flawed.

    Moving Beyond Heuristics: Applying Rigorous ML Practices

    To build production-grade GenAI applications, we must abandon the heuristic approach of prompt tweaking and adopt the established methodologies of machine learning engineering. This means:

    • Formalizing Ground Truth: Define objective, quantifiable metrics for evaluating output quality. This requires more than subjective assessments. Construct structured datasets with verifiable ground truth, leveraging external knowledge graphs or expert annotations.
    • Quantitative Evaluation Frameworks: Implement rigorous evaluation pipelines, incorporating metrics like precision, recall, F1-score, and BLEU. Extend these with domain-specific metrics that capture nuanced aspects of output quality.
    • Robustness Testing: Develop comprehensive test suites that stress-test your system across diverse input distributions, including adversarial examples and edge cases. This ensures resilience to prompt variations and model updates.
    • Versioned Model and Prompt Management: Establish a robust version control system for both LLM models and prompts. This enables reproducibility, facilitates debugging, and allows for controlled experimentation.
    • Architecting for Uncertainty: Design systems that account for inherent LLM uncertainty. Incorporate fallback mechanisms, confidence scoring, and human-in-the-loop workflows to mitigate the impact of low-confidence or erroneous outputs.
    • Explainability and Interpretability: Invest in techniques that provide insights into LLM decision-making. This enables better understanding of model behavior and facilitates targeted improvements.

    Building for Scalability and Reliability

    As CTO, my focus is on building scalable and reliable solutions. This requires a shift from treating LLMs as magic boxes to engineering them as complex, probabilistic systems. We must:

    • Prioritize infrastructure that supports continuous evaluation and model retraining.
    • Establish clear SLAs for output quality and reliability.
    • Foster a culture of data-driven decision-making, where performance is measured and optimized.
    • Understand the limitations of current LLM technology and plan for future advancements.

  • Optimising MongoDB Indexes: The Hidden Cost of Poor Index Design

    Optimising MongoDB Indexes: The Hidden Cost of Poor Index Design

    We recently encountered a MongoDB performance issue that I wanted to share as a cautionary tale for database architects.

    When designing MongoDB collections, index selection is critical – yet often overlooked until problems emerge. Here’s what our team discovered:

    A collection with 10 million documents was experiencing query slowdowns. Investigation revealed two major issues:

    Over-indexing: We had created 12 separate indexes, consuming 15GB of RAM. Reducing to 5 strategic compound indexes cut memory usage by 60% and improved write performance by 2.8x.

    Indexing frequently-updated fields: One index included a “lastUpdated” timestamp modified in 70% of operations. Removing this field from the index reduced write latency from 85ms to 16ms – a 5.3x improvement!

    Numbers don’t lie:

    • Queries: Response time improved from 450ms to 38ms
    • Write operations: Throughput increased from 2,100 to 5,800 ops/sec
    • Index maintenance overhead: Reduced from 22% to 6% of total CPU

    Key lessons:

    • Monitor index size-to-collection ratio (aim for <30%)
    • Avoid indexing high-cardinality fields with frequent updates
    • Use compound indexes strategically rather than many single-field indexes
    • Regularly audit index usage stats with db.collection.aggregate([{$indexStats:{}}])
  • 𝗪𝗵𝘆 𝗦𝘁𝗮𝗿𝘁𝘂𝗽𝘀 𝗦𝗵𝗼𝘂𝗹𝗱𝗻’𝘁 𝗢𝘃𝗲𝗿𝗹𝗼𝗼𝗸 𝗣𝗲𝗿𝗳𝗼𝗿𝗺𝗮𝗻𝗰𝗲 𝗣𝗿𝗼𝗳𝗶𝗹𝗶𝗻𝗴

    𝗪𝗵𝘆 𝗦𝘁𝗮𝗿𝘁𝘂𝗽𝘀 𝗦𝗵𝗼𝘂𝗹𝗱𝗻’𝘁 𝗢𝘃𝗲𝗿𝗹𝗼𝗼𝗸 𝗣𝗲𝗿𝗳𝗼𝗿𝗺𝗮𝗻𝗰𝗲 𝗣𝗿𝗼𝗳𝗶𝗹𝗶𝗻𝗴

    In the fast-paced world of startups, it’s easy to focus on features and overlook the foundational aspects of performance and monitoring. However, investing in instrumentation and performance profiling early on can pay significant dividends as you scale.

    Last December, we encountered a situation that underscored this importance. One of our assumptions about the possible number of rows per client in a collection was disproven when we faced an unexpectedly large number of records. The query wasn’t optimized for this scenario, leading to increased response times on the API endpoint.

    Thanks to our robust instrumentation, we were able to quickly identify the root cause and optimise the query. This allowed us to bring our API response time back to our SLA levels swiftly.

    𝗞𝗲𝘆 𝗧𝗮𝗸𝗲𝗮𝘄𝗮𝘆𝘀:

    1. 𝗣𝗿𝗼𝗮𝗰𝘁𝗶𝘃𝗲 𝗠𝗼𝗻𝗶𝘁𝗼𝗿𝗶𝗻𝗴: Implementing comprehensive instrumentation helps you detect issues early, before they impact users.
    2. 𝗦𝗰𝗮𝗹𝗮𝗯𝗶𝗹𝗶𝘁𝘆: Performance profiling ensures your system can handle growth and unexpected loads.
    3. 𝗤𝘂𝗶𝗰𝗸 𝗥𝗲𝘀𝗼𝗹𝘂𝘁𝗶𝗼𝗻: Detailed monitoring data allows for faster diagnosis and resolution of issues, maintaining high service levels.

    Don’t wait for a crisis to invest in these areas. Prioritize instrumentation and performance profiling from the start, and you’ll be better equipped to handle the challenges of scaling your product.

  • Italian Dolomites