One of the big questions we get is "which standard should we use?"  Or "which security certification should we get?"  Oh and what is a SOC 2 Type 2 anyway??? Although securityprogram.io is neutral to which standard you use, we have seen customers mature through different levels of security...

For years, a common rule-of-thumb said your security spending should be around 10% of your company’s IT budget—but that rule doesn’t quite hold up anymore. In fact, a 2020 Deloitte survey on cybersecurity says this number is now more like 10.9% and rising year after year. That’s no...

A security program takes time to build. But you need one, no matter the size of your company, so, if you have to, start small. It's better than procrastinating and leaving your company vulnerable. Starting small means making some security decisions that you can act on immediately. We'll help you out...

The gravest risk to your data is taking an ad hoc approach to security instead of implementing a carefully thought-out security program. Creating a security policy requires assessing risk and making decisions on how to mitigate it. Selecting security controls requires going through a process to find...

Ransomware attacks are big news right now. According to US Secretary of Homeland Security Alejandro Mayorkas, ransomware attacks are up a whopping 300% over the last year. Sadly, major pipelines and meatpacking plants and their million-dollar ransoms are just two mid-2021 examples of how s...

When we start talking about security programs and standards, we need to also talk about security compliance. Unfortunately, these terms can start to blur together. To eliminate confusion, we define them here and explain how you will want to use them together to optimize your company’s information ...

Protecting your company requires a robust security program with documented policies and processes; but without consistent, thorough execution of those policies, your company isn’t actually any more secure. Program documentation, no matter how detailed or organized, doesn’t harden any targets on ...

Every company has valuable assets vulnerable to hackers. The size or stage of the company doesn't matter. All companies bear some degree of cybersecurity risk. Implementing a documented security program should be as foundational a task as devising your business model. Yet too many small compani...

Because of their size, small companies are especially vulnerable to cyber-attacks. Bad actors looking for quick wins are playing the odds that a small company has lax cybersecurity. That should be reason enough to start taking a closer look at the policies you have in place. But, if it’s not, cons...

The growing number of security standards out there, each with their own acronyms and jargon, can seem overwhelming—but they don't have to be. We want to help provide some clarity. Here's an overview of five of the most common security standards. ISO 27001 NIST SP 800-171 and NIST SP 800-53 NIST Cy...