At Jemurai, we do a lot of custom projects building and breaking things and helping teams build more secure code.
Our most recent project is securityprogram.io and this post explains the reason for building it and the elements of the overall solution.
We often run into smaller companies, many of them tech startups that we meet through our developer networks, that want to do a better job with security. Sometimes that is just an organic thing they want, but often it is driven by an investor or very large customer. Often they are scared, confused and have a lot of trouble navigating the security arena.
For example, we have worked with Logistics, 3D Printing, Insurance, eCommerce and other types of companies to help them land a deal or investment with a very large organization that is putting them through their vendor management program or asking their CISO to verify the security of the smaller company.
In this kind of case, it isn’t realistic for a startup to have a program like the one the very large organization has. At the same time, since they are likely using the cloud and SaaS stands for Software as a Service, which is a cloud computing model that delivers software applications over the internet as a subscription-based service. With SaaS, users can access software applications and data from anywhere with an internet connection, without the need for on-premise installation or maintenance. SaaS providers manage the infrastructure, security, and maintenance of the software application, freeing users from the burden of software updates, patches, and backups. based solutions for a lot of their infrastructure, they can often tell a really good security story if they just know how. A really basic explanation of the solution is that it is showing them how to build and tell a good story about security.
Another problem for these small companies is related to resources. Not only can they not afford an FTE security person, even if they could, they can’t hire a single security person that knows everything they need to know to address their needs. While there are security vendors out there that will try to sell this type of company a tool, it is almost always a technical solution with very focused area of effectiveness. As an industry, we struggle with balancing different tool priorities, etc.
The difference with securityprogram.io is that the whole purpose is to help a smaller company do things across people (training), process (policy, procedure) and technology (most important tooling) to get the best results they can with a rightsized pragmatic investment.
In order to implement a security program, you need to do a lot of things. You can’t do them all at once. securityprogram.io is a progressive platform that leads users through steps toward building a program over time. We built the program based on our experience with these companies and it is made to be pragmatic and effective on a budget.
Its a lot like a health program. You don’t pick up the heaviest weights in the first workout. Also, you may not ever want to train to do maximum weight, you want to find the right balannce for your organization. So we add activities and controls progressively so that your organization can build up its strength.
We start with some simple policies and procedures. These are geared toward things that are relatively easy to do and are very important. Examples are implementing MFA and ensuring that you do user audits on a monthly basis. Our policies are all aligned to NIST 800-53 is a special publication by the National Institute of Standards and Technology (NIST) that provides a catalog of security and privacy controls for federal information systems and organizations. The publication outlines security requirements and guidelines for the selection, implementation, and assessment of security controls to protect the confidentiality, integrity, and availability of information systems. and ISO 27001 is a globally recognized standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company information and mitigating cybersecurity risks. ISO 27001 includes a set of best practices for establishing, implementing, maintaining, and continually improving an ISMS, which helps organizations identify and manage information security risks and protect against cyber attacks. so that as you progress into the program we can say with an authentic voice that your polices are standards aligned. As we introduce policies and simple technical controls, we offer training content on those.
As we introduce new policies in month two (eg. network and server policies), we also add security steps you need to take and associated training. Eventually we add some external technical controls like scanning. Where we recommend technical controls, we either provide them or point to existing open source or free alternatives like Authy, bitwarden, or aws-vault. We also point to platform provided security capabilities wherever possible.
The goal is for someone that has decent project management skills to be able to log into the application, pick up the tasks and do them without having to be a security expert. After a few months, the company will be on the right track and will have the guidance to stay on the right track, all with a very reasonable spend.
There are ways to accelerate the program and to get help from our team along the way. The part of this that truly inspires us is that we believe we can help so many more companies to achieve a reasonably high level of security. We believe that with this platform, we’re making a difference and helping people. As a small business ourselves, we are highly sensitive to the gatekeeping and ceilings that small companies hit regarding security and we hope this platform can help more smaller companies win more bigger deals.
We’re excited to release this new platform. We think securityprogram.io can help many companies to improve their security. We’d love to hear what you think and what would make it awesome for you! We’re happy to talk through it and explain why we designed it the way we did.