01: Introduction to Security Management

Why Now?

If it’s true that software is eating the world, and that every business will be a software business in the future, then it’s equally true that every business will be a security business.

If you work in tech, you’ve probably seen the trends. In B2B, a vendor security review used to happen after the contract was signed. Today it happens during vendor qualification, and security validation now has a major impact on the buying process. B2B companies are increasingly finding that customers expect vendors to have strong, holistic security management programs in place from Day 0. Audits like SOC 2 and ISO 27001, pen testing, and other trust-building activities are becoming table stakes.

In B2C, data protection issues have entered mainstream awareness. The news cycle continues to fill up with story after story of big data breaches and companies misusing data. Consumers are also voters, and more regulations like the EU’s General Data Protection Regulation are popping up all over the world.

It’s becoming increasingly clear that any business that uses data will have to account for how it uses and protects data. Just saying “we take security seriously” on yourwebsite.com/security isn’t enough anymore. Customers want to know exactly what efforts a business takes towards security and compliance.

What’s Included in the Guide

This guide provides an introduction to core concepts in security management and practical recommendations for how to get started. It is based on the most commonly asked questions that we at Aptible have heard while helping hundreds of companies build and run security management programs with Aptible Comply. The advice in this guide will be most useful to customers in the sweet spot for Comply: early-ish-stage teams building web architecture and using SaaS/PaaS/IaaS extensively.

If you’ve been tasked with “figuring out security” or looking into a compliance audit like SOC 2 or ISO 27001, you can use this guide as a roadmap to designing and building a security program that will help you:

  • Have comprehensive, compelling answers to vendor security assessments
  • Prepare for an audit or certification like SOC 2, ISO 27001, HITRUST, or FedRAMP
  • Lay a strong baseline for regulatory compliance with GDPR, HIPAA, the California Consumer Privacy Act, or whatever comes next

Specific compliance protocols will always vary in the details, but if you’ve addressed each of the areas covered in this guide, you’ll be well-prepared for the most common security management challenges and know how to overcome them.

Aptible was founded by engineers and lawyers. It’s not a coincidence that our work lies at the intersection of those two fields, and that we love precision and clarity.

Our goal with the Aptible Owner’s Manual is to help you, as a current or prospective member of the Aptible Team, get a clear sense of what this team is — what we mean by “us.”

The Aptible Team at our First Annual "Onsite" in 2019.

You are an owner of Aptible. This is your guide to how our various business-, culture-, and team-building efforts fit together. Our goal is to clearly explain, in one place, why each exists and what we’re looking to get out of each effort, so you don’t have to learn about each piece bit by bit, or not at all.

As an owner of Aptible, this is your company, your team. This manual is your manual. All of the programs and efforts here are your programs. We invite each of you to comment, criticize, and improve this. Tell us what’s missing. Tell us what’s not working. Tell us how we can make the experience of working at and contributing to Aptible better.

This manual is divided into three sections:

  1. Our Business

    • What is our Mission and Vision? Why are we all here? Why Aptible?

    • What’s our business model? How does the business work?

    • How do we operate?

  2. Our Culture

    • What kind of team are we trying to build?

    • What are our shared values?

    • How do we approach work?

    • What kind of environment are we trying to create?

    • How do we work together as a team?

  3. Our Team

    • Who does what?

    • What are our key responsibilities?