If it’s true that software is eating the world, and that every business will be a software business in the future, then it’s equally true that every business will be a security business.
If you work in tech, you’ve probably seen the trends. In B2B, a vendor security review would happen after the contract was signed. Today it happens during vendor qualification and security validation now has a major impact on the buying process. B2B companies are increasingly finding that customers expect vendors to have strong, holistic security management programs in place from Day 0. Audits like SOC 2 and ISO 27001, pen testing, and other trust-building activities are becoming table stakes.
In B2C, data protection issues have entered mainstream awareness. The news cycle continues to fill up with story after story of big data breaches and companies misusing data. Consumers are also voters, and more regulations like the EU’s General Data Protection Regulation are popping up all over the world.
It’s becoming increasingly clear that any business that uses data will have to account for how it uses and protects data. Just saying “we take security seriously” on yourwebsite.com/security isn’t enough anymore. Customers want to know exactly what efforts a business takes towards security and compliance.
This guide provides an introduction to core concepts in security management and practical recommendations for how to get started. It is based on the most commonly asked questions that we at Aptible have heard while helping hundreds of companies build and run security management programs with Aptible Comply. The advice in this guide will be most useful to customers in the sweet spot for Comply: early-ish-stage teams building web architecture and using SaaS/PaaS/IaaS extensively.
If you’ve been tasked with “figuring out security” or looking into a compliance audit like SOC 2 or ISO 27001, you can use this guide as a roadmap to designing and building a security program that will help you:
Have comprehensive, compelling answers to vendor security assessments
Prepare for an audit or certification like SOC 2, ISO 27001, HITRUST, or FedRAMP
Lay a strong baseline for regulatory compliance with GDPR, HIPAA, the California Consumer Privacy Act, or whatever comes next
Specific compliance protocols will always vary in the details, but if you’ve addressed each of the areas covered in this guide, you’ll be well-prepared for the most common security management challenges and how to overcome them.