In late March we announced our new offering securityprogram.io. In this post we want to provide an update around what we've been working on through May and how it works.
The basic idea is captured in this quote: "A dedicated employee with no security background can run a real security program with this tool!"
WHO NEEDS IT
- Companies with contractual security obligations (addendums, questionnaires, etc.)
- Companies that are regulated (HIPAA)
- Companies that are moving toward other audits (ISO, SOC2, FedRamp)
These companies need securityprogram.io because hiring an FTE or a consultant is extremely expensive, and without guidance they are lost or at risk of losing significant chunks of business. Not only that, most organizations need just a few hours a month to make serious improvements to their security posture.
Increasingly, we're seeing smaller tech companies needing to build out some sort of security story. That is the trigger that tells us securityprogram.io might be interesting to them.
WHAT THEY GET
With securityprogram.io, organizations get:
- Key Tools (Risk register, vendor tracker)
- Tasks broken out and organized in a project plan
We digest NIST 800-53 and spit out the parts you need to know about first. We give you ~20 key tasks to reach the first goal. To advance deeper into NIST 800-53 alignment, you can move to a second Tier with ~50 tasks or a third Tier with more like ~150 tasks. Wherever possible, we try to make it easier by building the things you need right into the tool.
So users also get a way to progressively build a security program, most important parts first, and a way to self-modulate how fast or slow they move through it.
AN OPINIONATED SYSTEM
SecurityProgram.io is opinionated. It fits best for organizations that are willing to adopt new policies and follow the path we set out. While we can adapt and modify for consulting engagements, those turn into just that: consulting engagements that inherently cost more because they require more personalized attention.
With SecurityProgram.io, we are not trying to be everything to everybody. We are setting out what we believe are best practices and then giving organizations an easy way to track their progress and use it. It is cost effective because it is highly structured.
Tasks align to policy.
Training aligns to policy.
Although we see securityprogram.io being useful at larger companies and at scale, we are not trying to build a system that is everything to everybody or where we incorporate features for high-paying customers. We are trying to build the simplest possible system that works and helps companies in the most direct way possible. We're trying to emulate Basecamp in this way.
HOW SECURITYPROGRAM.IO WORKS ON THE INSIDE
As a user, you just log in and start working on tasks.
Some tasks represent policy approvals. You review the policy, identify the approver, and track that they approved it.
Other tasks represent completing training. The system provides video-based training for general security awareness and for the policies, which is everything you need to meet basic training obligations.
Still other tasks are related to technical activities. As you complete tasks, you provide evidence. When you want to see how you are doing, we show your progress against a target project plan that includes those tasks.
When you want to get audited, the system provides easy access to all of your tasks and evidence, which illustrates what you have done. It's like a pre-emptive strike against having to run around and gather evidence for an auditor.
If you run into problems or need help, we have a team of people who can help you navigate running your security program.
If you follow the securityprogram.io project plan and complete the tasks, you can build a NIST 800-53 ready program and have a system that helps to make sure it stays on track and survives staffing changes.
We'd love to hear any feedback you have. That can come just as an email, or if you are interested in getting more deeply involved, you can join our beta program and get access to roadmaps, customer advisory boards, etc.