We practice what we preach when it comes to security. So all customer data is encrypted at rest and in transit, access is limited using RBAC, we have 2FA on everything, etc.
We also never send customer security data to 3rd parties, so your data is not heading off in some API to be processed externally, it all happens entirely in our environment.
Admittedly, we've not done SOC2 or ISO27001 yet (the company is only a few months old), but it's on our roadmap, and we're putting the appropriate controls in place from the get go.
I doubt I'll be able to convince you to trust us in a HN comment, so if you'd like to hear more, please do reach out :)
If you have that problem in the future, please do reach out to us!
That is an interesting hypothesis, and to be perfectly honest, I'm not sure what the answer is. There are plenty of existing business where you can pay for outside security consulting help, and they are priced accordingly.
My response is that every business in 2021 should be using software to make their operations more efficient and bring costs down. If a business is not doing that, I'd have concerns about their leadership and vision. We're pricing this as a software product because that is what we intend for it to be. Security Experts are expensive and probably do not want to spend 40 hours a week answering security questions for other companies. NLP allows us to make them more efficient with their time and produce the same quality of answers.
The ultimate success or failure of our business depends on our ability to get our NLP to deliver high quality answers and minimize the time our own internal reviewers need to spend on each questionnaire. We are making progress here every day, but still need to get better.
It's totally fair to be skeptical that we can pull that off. I will say though that we are fanatical about NOT making this a business where we hire lots of humans to be reviewers. We'd rather fail than hire an army of low wage workers to do the soul sucking job of reviewing other people's questionnaires all day every day.
What you describe is exactly what we do. Every single answer output by Stacksi is required to be explicitly approved by a member of our client's infosec team before it can be exported and used. Questions that we don't know the answer to or that we have taken an educated guess at are explicitly flagged as such and our reviewed together by our team and the questionnaire reviewer at the client.
I see Stacksi as giving our client's an extra pair of hands on their team to help with this tedious work. We're a jr. team member though, so our work needs to be checked over before being sent :)
1. We handle a company's security documentation the same way companies treat any sensitive info they are storing (credit card data, PII, etc). We store it encrypted at rest and in transit, ensure that only employees who need access to said data have that access, require 2FA on everything, require sufficiently strong passwords, encrypt the hard drives of our laptops, virus scan every file that is uploaded before use, virus scan our servers daily, virus scan our laptops daily, etc, etc. We are not SOC2 compliant today but are heading down that path so that we can provide our customers with the confidence that we can be trusted with their information.
2. We have liability insurance for our own company, but we do not take liability for our answers because every single answer is required to be reviewed by an admin or security team member of our client before it can be exported from Stacksi. If an answer has not been pulled directly from a client's policies, we specifically highlight it and review it with the client to ensure that it is accurate and that they are 100% comfortable with it.
3. I have no idea what an assessor might think of one of their vendors using a company like Stacksi to help handle questionnaires, and I imagine it would vary wildly from person to person. However, I see Stacksi exactly the same as having an extra team member on your infosec team who exclusively handles inbound questionnaires. You (their boss) make sure they are familiar with the policies and procedures of your company, and then you review their work to ensure that it is accurate. Does it really matter whether that person is a full time employee or your company, an infosec contractor who helps out part time, or a service like Stacksi?
Every single answer that comes out of Stacksi needs to be approved by an employee of the client before it can be exported and downloaded.
The vast majority of answers to questions comes directly from a client's own security policies, which we (admittedly) trust are up to date and accurate. We do our best to ensure that we don't use files that were uploaded more than 6 months ago in our algorithms, but if we're getting bad inputs to the system you're going to get bad outputs. When our reviewers do write something new, we check with the client to make sure it is accurate and again, it needs to be explicitly approved by someone on the client's team who has the rights to review questionnaires.
I don't see how this is any different from a jr. employee at a company answering a questionnaire based on the policies and then asking their boss to review. The jr. employee is definitely not going to go through every system themselves to verify that the policies and documentation are accurate. They are going to assume the policies are good and then double check with a trusted source (their boss on the infosec team), exactly what we are doing.
We understand that right now we're not actually helping companies be more secure, and we've never claimed to be doing that. One of our first priorities moving forward is to develop additional tools to actually validate that what is being said in security policies is what is in place. We're not there yet because we are a small and young company, but we will get there :)
You sound like you should talk to us and get your time back :)
A lot of auditors make it seems like once you have your SOC2 or ISO27001 certification that you'll be free from these forever, but our finding is that it might get you out of 20% of these at best, and for the rest it's basically table stakes.
I'd love to see stats on that. I'd bet that rather than losing the deal entirely, the more common case is that the deal gets delayed (possibly significantly) if something is flagged in a security review. After all, even standards like PCI & SOC2 include provisions for compensating controls :)
If you want to go in depth on our operational or security controls in due diligence as a potential customer, we'd be happy to do so over email. You could even send us a questionnaire ;)
However, you'll have to forgive us for not posting all of that in a HN comment. I understand that you "wouldn't take anything that you've heard so far as an indication of anything other than buzzword competency" but I assume you also probably wouldn't be conducting such diligence in HN comments.
Stacksi is happy to sign (and has signed!) numerous NDAs with our clients.
If you're talking about the NDA process between vendors and assessors, that is a whole different can of worms which we have not really waded into at this point.
In my experience as a startup founder, the easiest way to handle these types of situations is to just read over and sign whatever NDA the bigger company has sent over.
If you're not answering many questionnaires, it's totally possible that you don't need help. We have customers who are filling out 5-10 of these per week, and the time really adds up.
We also have absolutely no requirement for our customers to generate docs with us. Any high quality security documentation will do. If you want to spend the hours required to take something open source and adjust them to your needs, more power to you!
Loopio and RFP.io are direct competitors. They are both good tools, but are designed for RFP response in general and not security specific. RFPs do tend to have security sections, so there is some overlap for sure, but these guys by definition are focusing on a wider problem and don't dive as deep into security.
A number of our customers combine our service with loopio or rfp.io and we are perfectly fine with that.
We also never send customer security data to 3rd parties, so your data is not heading off in some API to be processed externally, it all happens entirely in our environment.
Admittedly, we've not done SOC2 or ISO27001 yet (the company is only a few months old), but it's on our roadmap, and we're putting the appropriate controls in place from the get go.
I doubt I'll be able to convince you to trust us in a HN comment, so if you'd like to hear more, please do reach out :)