By Richard Reinders - April 28, 2020
I’m already four months into my new role as Head of Security at Sisu, and I could not be more excited. When I first met Peter Bailis and the team, I was amazed how this seemingly young startup had already underlined the importance of security. It was a strong signal of confidence for me, and an unexpected differentiator for their customers. Little did I know that when joining I would find trust, and how the team upholds that trust, in the earliest founding documents. And it’s only improved from there. Today, I’d like to share a bit about our current investments in security at Sisu and where we’re headed in the immediate future.
Getting everyone involved from Day 1
If you work in security you know that you need to involve every individual at a company to be successful. You also rely on good partners and vendors, but most of all you need to work with your customers to deliver positive outcomes. There is nothing that can be done alone as an island. You need Engineering for secure development of your product, Ops for maintenance of the platform, Sales to transparently communicate with prospects and everyone to care and be security aware. At Sisu everyone is involved.
Let’s use security awareness training — generally not a popular subject — as an example to illustrate this attitude. As a rule, people try to click through training as quickly as possible and move on with their day, if they even receive any training at all. At Sisu it has been moved from a once yearly checkbox exercise to be front and center at every monthly All Hands. We’ve augmented the basics with seriously fun, engaging, and often humorous activities to test employees’ ability to identify security concerns and be resilient against attacks. And it’s working. I receive more thoughtful questions and flags for suspicious emails than I’ve seen at companies 10 times our size.
Upholding that Trust: Functional Security and Certification
It’s not enough for us to say we care about security. We must also do our best to have real, functional protection for our team, our customers, and their data. Then we must have independent verification that this is the case. We have received our SOC 2 Type II certification, providing audited evidence over a prolonged period that we indeed have a comprehensive approach to security. We have been successfully audited for HIPAA Security Rule compliance and for meeting breach notification requirements. Sisu can enter into a BAA (Business Associate Agreement). We are now Privacy Shield certified. Sisu’s source code meets the requirements of the Veracode Verified – Standard level, and additional third-party audits and verifications are actively being pursued.
Security and Privacy by Design
Yes, it’s a mandate around the world, and yes, it’s an important principle, but for most companies, it’s simply too late to do this properly. But at Sisu, we have a unique opportunity to truly design in security from the first product and architecture design stages and ensure it remains central to every future decision we make. Our platform provides our customers critical facts about their data, but does not store it. What’s more, we try not to collect private information as we do not need it to help our customers gain a better understanding of why something is happening. And we believe that privacy legislation that protects individuals is a good thing.
Care for our customers
We engaged a vendor, Spycloud, who monitors the dark web for breaches. We like to know if one of our email addresses shows up in a breach at another company. But more importantly, if one of our customers has a login to our data platform stolen from their systems, and we become aware of it, we promise to let our customers know. We want to extend our visibility and protection beyond our system and show genuine care for the people who use our product.
As a final note, we know we’re not perfect, but that knowledge keeps us aggressively investing in our security program so we can keep iterating on it and growing it towards greatness. This includes extending security to our customers. We commit not to charge extra for functionality you need, like single sign-on (SSO). Sisu will share updates as we make progress along our roadmap. As Sisu means go, grit, and perseverance in Finnish, I have no doubt we will.
Richard Reinders, CISM, is the Head of Security at Sisu. Prior to joining the Sisu team, Richard held security roles at Looker, Yahoo!, and in the financial services industry.