How it works
SecurityProgram.io (SPIO) is a SaaS software platform that helps companies to independently build their own legitimate security programs that meet industry standards and customer requirements.
At a high level, users simply work through the tasks in the tool one by one. The tasks take you step by step through the things you need to do, and they are written for non-security professionals. As you complete the tasks, you will progress through broad areas including Privacy, Risk, Continuity, Infrastructure, Incidents, App Security and more.
At the Startup and Complete tiers, subscribers do this on their own. At the Assisted and Virtual CISO tiers, subscribers sign up to get help completing the tasks and navigating security in general within their organization.
The following sections lay out how SPIO actually works in practice for the end users. Read on to learn what might work best for you.
Startup and Complete SPIO
At the Startup and Complete tiers, you get access to template policies, and the first step in building a program is to review and approve those policies. The platform also includes training around policies and technical topics, so usually the next step is to roll that training out to your team. From there, it's all about knocking out tasks. Tasks range from "Monthly user audit" to "Network segmentation" to "Capture enterprise architecture".
At the Complete tier, you get access to all of the automation tools that are included in the platform. At these more economical tiers, you have to do a lot of the work yourself, but you can always ask questions in Chat or Email.
Assisted and Virtual CISO SPIO
At the Assisted tier, our team has time dedicated every month to do weekly standups, spend time doing vendor management for you, explain policies, etc. The engagement team includes an engagement manager who is trained in our tool and the tasks involved, and a technical security expert who can help with architecture or detailed technical questions.
At the Virtual CISO Tier, in addition to Assisted level team support, subscribers get an experienced security leader who can talk directly with customers or boards, assist with budgets, and help with the overall prioritization and direction.
How Do We Collaborate?
At the Assisted and Virtual CISO tiers, we have weekly standup meetings to ensure that we are making progress and working through the tasks. At the Complete tier and above, we also provide asynchronous assistance through Slack or Teams channels to ensure that subscribers can make progress. In many cases, we have template documents that we can share with Google Docs or Microsoft Office to help make the development of artifacts like business continuity plans fluid.
Through all of this, you have the securityprogram.io application to keep things organized and measurable. You can assign tasks, set due dates and collect and share evidence right in the application.
How Do I Track Results?
There is a top-level dashboard that shows progress through 12 "Rounds" of work. At any point in time you can see your progress there, and report it to executive management. There is also a weekly email that captures the tasks completed in the previous week and a summary of progress, which is also conducive to management visibility.
In addition, for clients that are working toward SOC 2, ISO 27001, NIST CSF or CIS 20, there are maturity widgets that show your current status. An example showing SOC 2 readiness is shown to the right.
What Is Automated?
We took some of the things you have to do in a security program and built them into the tool to make them easier. These include:
User Auditing - Connect SPIO to Google Apps, Azure AD, GitHub and AWS to make monthly user auditing a 15 minute task.
Network Scanning - Know what your external network looks like and ensure it is secure.
Risk Register - Track and manage risk in a systematic way.
Vendor Tracker - Ensure your vendors and partners meet your security standards.
Request an Excerpt from Our Book
As we built securityprogram.io, we also wrote a book that explains step by step how to build a program. The intent is that the book can be used as a companion to securityprogram.io, or independently, to give people who are new to the security domain or interested in our methods a more standard reference.
The book is a work in progress and is published on LeanPub.
If you would like to see an excerpt including the Table of Contents and some initial chapters, let us know and we'll send you a Preview!