How are we different?
We started building SPIO when a UX advisor asked us "Who are you heroes to?" Our answer was the small tech companies that close investment rounds or large sales based on having a legitimate security program.
Our vision with securityprogram.io is to make excellent security accessible.
We understand that tracking compliance is important, but we hate the spreadsheets and convoluted standards just as much as you do.
We wanted to remove the pain where we could through automation, and not just to ask "do you do XYZ?" but to actually help you do XYZ!
Standards Aligned Policies
Your security program begins with reviewing and adopting security policies.
We built the simplest possible policies that adhere to NIST 800-53 and work for smaller tech companies with a primarily cloud-based presence and SaaS-based tooling, but also resource constraints and rapid process changes.
We cross reference our program activities to other standards including NIST CSF, CIS 20, ISO 27001, SOC 2 TSC, and CMMC to make sure you get credit for the work you do either with customers or with your management team.
Experience has shown that this approach allows companies to move fast while making pragmatic security improvements that both improve security and demonstrate alignment to standards that customers trust.
A robust security program must include security training. Not only must we provide training, but we need to track it to prove that it has been done.
With securityprogram.io we provide a variety of training for your entire team. This includes universal Security Awareness Training, developer training around the OWASP Top 10 and AWS Cloud Security, Threat Modeling, and policy-specific training to help customers implement each security policy.
The training is all video based and delivered by industry experts, like Matt Konda, our CEO and former Chair of OWASP.
Organizing Your Tasks
A lot of the magic of securityprogram.io comes out when a client goes through a rigorous third-party review and realizes they've already done all of the hard things the client asked for. Often, they tell us how relieved they are!
This is possible because we did the hard work of mapping out tasks you need to do to implement a program. We also broke them into Rounds, which provide a more digestible sequence of work stages. Things you need to do periodically automatically pop up at the right time to keep you on track. All tasks have descriptions that explain how to do them - for an IT generalist.
Finally, we mapped the tasks to different standards and made them fully searchable, exportable and assignable so that you don't have to worry about missing anything.
Often, in addition to the general progress illustrated in the dashboard at the top of this page, clients want to know where they stand relative to other prominent standards. On the left, we show an example where maturity against NIST CSF is captured. This dashboard also supports detailed breakdowns for CIS 20, SOC 2, ISO 27001 and CMMC.
This dashboard captures a deeper view of maturity that can be an effective communication to stakeholders and funding sources, like your board of directors.