I’ve been working in the field of information security for over eight years and in July 2022, I joined the Information Security team at Skymetrix. It’s my privilege to be working with this team, to enhance our company’s commitment to more secure operations, products, and services. However, I want to emphasize that this is a company-wide endeavor which involves all departments.
Our commitment to security
We know that customers are increasingly interested in vendors’ security credentials, and we want our approach to security to set us apart from other providers.
At Skymetrix, we see information as a valuable asset, so just like any other asset, it’s vital to protect it. This includes the information that our customers store in our platforms.
Therefore, we are taking a proactive approach to managing our security, and not waiting until a security incident occurs. This requires investment but it’s worth it, because just as with our health, a preventative approach always leads to better outcomes.
This is how we do things at Skymetrix. Innovation and continuous improvement are part of our company culture, so this naturally extends to information security.
How we will deliver on that commitment
In the past year, we’ve been working with colleagues to develop our security strategy and action plan for the next two years and beyond. There are four key strands to this, which I’ve outlined below.
A dedicated information security team
Our team is solely dedicated to information security. We focus on both the organizational and technical aspects of security and have the full backing of our company’s senior leadership team.
We work closely with colleagues from all departments, but especially IT, product development, support, and customer success.
Improving our security posture
‘Security posture’ just refers to an organization’s overall cybersecurity strength and how well it can predict, prevent and respond to ever-changing cyber threats. We use the NIST Cybersecurity Framework to continually assess and improve our security posture.
The NIST framework is widely considered to be the gold standard for building a cybersecurity program. It provides a set of recommendations and standards so that organizations are better prepared to:
- Identify which of their processes and assets need protection
- Protect those assets by implementing appropriate safeguards
- Detect cybersecurity incidents by implementing appropriate mechanisms
- Respond to cybersecurity events with techniques that contain the impact
- Recover from cybersecurity events with processes that restore damaged capabilities and services
Using NIST, organizations can continually assess their security ‘maturity level’ on a 5-tier scale, to see how well they are doing:
Initial (1) is the weakest level, whereas Optimized (5) is the strongest. From our own self-assessment, Skymetrix has developed clear objectives and an action plan over the short, mid, and long-term. We are working towards maturity level 4 (Managed), which represents a high level within our industry.
As I’ve explained, the driver for improving our information security is an internal one — we firmly believe it’s the right thing for the business and our customers, and it just makes sense in a company with a continuous improvement culture. We are not doing it to ‘tick a box’.
However, we realize that achieving compliance is reassuring for our customers, so we have clear aims for increasing compliance over the next two years, with a focus on SOC 2 compliance and ISO27001 certification.
SOC audits are conducted by an independent assessor, who checks that an organization has an effective system of controls for financial reporting and security.
At Skymetrix, we currently have:
- a SOC 1 Type 2 compliance report, which proves our controls over financial reporting are suitably designed and operating effectively
- a SOC 2 Type 1 report, which proves we have appropriate security controls in place.
Our next goals are to:
- become SOC 2 Type 2 compliant in 2023 — this is a more complex compliance exercise, with a longer and more thorough audit of our security controls
- become ISO27001 certified in 2024 (ISO27001 is the best-practice framework for information security management systems).
We will keep you updated on our progress towards these goals.
Security by design
Skymetrix is also now adopting the ‘security by design’ approach. This means ensuring that systems and all their components are created with security in mind from the very start, rather than relying on updates and security patches later. This approach will ensure we build and design products in the most secure way possible.
I hope that by explaining our information security strategy and aims, you can see just how seriously we take this issue. We are custodians of our customers’ data, and we know that this is a huge responsibility.
That’s why we are taking a proactive approach to information security and have a clear and ambitious plan of action for improvement. We want our customers to be reassured that their applications and their data are in safe hands.
Never miss an update
Look out for more articles from our senior leaders over the next few months, on topics such as software implementation, next-generation technology and more. Subscribe to our blog or follow us on LinkedIn for alerts about these and other articles.