CISO Notes – Part 1

When I started building HackerRank, I was expecting to get promoted (rather pushed) from an SDE to CTO. I was expecting the change and it wasn’t so bad. Since we acquired customers at a steady rate, I had the bandwidth to learn from my mistakes. We were extremely apologetic whenever something went wrong with our customers and made sure we could do everything to make our customers successful.

The other title I got along with CTO was CISO (at first we had to create one, since we were supposed to have this role: I decided our SDLC and was responsible for network, cloud and application security. What we didn’t know at that time was that we needed to create a new role/title for it).

Three websites helped me navigate the initial challenges of this role. Answering their questionnaires helped me understand which processes we should put in place to improve our security process.

CAIQ


The Consensus Assessments Initiative Questionnaire (CAIQ) is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider. The CAIQ was developed to create commonly accepted industry standards to document the security controls in infrastructure-as-a-service, platform-as-a-service and software-as-a service applications.

The CAIQ contains a series of yes or no control-assertion questions that can be customized to fit an individual cloud customer’s needs. The questionnaire is designed to support organizations when they interact with cloud providers during the providers’ assessment process by giving organizations specific questions to ask about the provider’s operations and processes.

VSAQ

Vendor Security Alliance

VSAQ was created with the end goal of streamlining and standardizing vendor security processes and requirements. The questionnaire itself is easy to complete, straightforward, and clear about the input required from both parties involved. Many organizations also now use the VSAQ as a baseline or benchmark when creating a cybersecurity team or data protection policies for the first time.

SIG


The Shared Assessments Group’s SIG (Standardized Information Gathering) questionnaire is a holistic tool for risk management assessments of cybersecurity, IT, privacy, data security and business resiliency in an information technology environment. The questions within the SIG are based on referenced industry regulations, guidelines, and standards (including NIST, FFIEC, ISO, HIPAA and PCI).

Security is always a work in progress. But the three websites above have made it easy to improve security and maintain the documentation.
