[HN Gopher] Launch HN: Stacksi (YC W21) - Doing Security Questio...
       ___________________________________________________________________
        
       Launch HN: Stacksi (YC W21) - Doing Security Questionnaires, So
       Your Team Isn't
        
       Hi HN, we're Emre and JJ, the co-founders of Stacksi
       (https://www.stacksi.com), a product that helps fill out security
       questionnaires so smart people can focus on higher-value tasks
       (like actually managing security, or engineering or selling, or
       really anything but filling out forms).

       At our last company, we were the ones who filled these things out.
       We hated doing it, but got them done because we had to in order to
       close deals that could meaningfully impact the trajectory of the
       company.

       If you've had to deal with these, you understand that they're the
       worst way of broadly assessing a company's security with a
       reasonable time / cost tradeoff...except for every other method
       that we currently have at our disposal. Problem is that they're
       often 200+ questions sent to salespeople and forwarded ASAP to some
       other poor soul (often some sort of engineer). The questions asked
       (e.g. "What is your company's encryption standard?" or "What events
       do your logs capture?") - assuming that they're even correctly
       phrased - touch sufficiently detailed aspects of a company's
       security practices that make it difficult for someone who doesn't
       have at least some security / compliance background (e.g. a
       salesperson) to answer properly. All of this means that
       high-capability individuals (CTOs in earlier-stage companies,
       Solutions and Security Engineers in later-stage ones) end up
       spending significant amounts of time answering the same questions
       that they answered a few days ago, just phrased sufficiently
       differently that rote copy-paste isn't a viable solution.

       This is what we're trying to fix.

       We do it, in a nutshell, by taking two things: 1) a company's
       security docs (e.g. policies, diagrams, vuln scans) and 2) the
       questionnaire in whatever format it's in (GRC portals, web forms,
       Excel, Word, PDF, tea leaves). Putting those two things together,
       we get the questionnaire done accurately and quickly using a
       human-in-the-loop model. (We combine a tuned BERT model searching
       on the company's docs with manual review by a human on our team.)

       The product works something like this: Upload your docs; upload the
       file, schedule 15 minutes to review with us in the next couple of
       days, then forget about the questionnaire until the review call and
       do other work. In the background, we index all of your
       documentation and run a search for each question to find the most
       relevant sections of your documentation. Once that process is
       complete, a human on our team reviews what the system has output to
       make sure that answers are accurate and high quality. We then mark
       it as reviewed and you receive a notification.

       When Stacksi's internal review is done, our team takes a few
       minutes to review it with you (usually within ~48 hours so we have
       enough time to ensure quality across many questionnaires), and then
       you send it back to the company that asked for the assessment.

       In instances where your docs don't touch on specific information
       (often comes up with questions around app-specific authentication
       options like "Does your application support SSO with our Identity
       Provider, [INSERT IdP here]?"), our software also has collaboration
       features to make it easy for teams to work together to get the
       questions answered without pulling out all their hair deciphering
       asinine questions or nagging teammates for answers. It then uses
       those answers to inform future questionnaires.

       We currently charge for questionnaires per question ($2), so
       companies don't have to pay through the nose to get help or commit
       to a subscription. We've gotten some feedback that we are
       under-pricing right now (maybe too much), but our goal right now is
       to grow the number of customers we're working with rather than
       trying to squeeze every penny out of every customer. The more
       customers we have, the better our product gets for everyone, since
       (quality) data is the biggest driver of a good vs garbage model.
       For that reason we want to make it as much of a no-brainer as
       possible for people to sign up and get started. We're super focused
       on making sure the NLP handles the majority of the work and not
       making this a business that relies on having a bunch of
       questionnaire savants reviewing questionnaires all day every day.

       Our goal is for a human to spend <15 seconds per question in
       review, and thus we're pricing this as a software product, not a
       services product. We also hope that pricing this way puts us in
       better alignment with our customers' success (the more time we save
       them, the more we earn, without locking them into a contract that
       forces them to pay whether they get questionnaires or not). Some
       bigger customers actually want the subscription for financial
       predictability reasons, so we've started supporting that, too.

       Finally, for companies that don't yet have policies written, we
       help customers create and manage them, and charge separately (kind
       of like Clerky, but for security policies).

       We want to support builders in growing their companies (in our own
       small way) and allow talented people to put their skills to more
       productive use than filling forms.

       We would love feedback from the community, and we're happy to
       answer any questions that come up!
        
       Author : emremm
       Score  : 81 points
       Date   : 2021-03-19 13:28 UTC (9 hours ago)
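       The pipeline the post describes (index the company's docs, run a
       search per question, hand the low-confidence items to a human) as
       an added example. This is illustrative code written for this page,
       not Stacksi's; the post says they use a tuned BERT model, and here
       a dependency-free TF-IDF cosine search stands in for it so the
       example runs offline. The policy sections, questions, the
       `needs_review` threshold and all names are constructed assumptions,
       not real documents or product behaviour.

```python
"""First pass over security documentation for a questionnaire.

Added example, not Stacksi's code. A TF-IDF cosine search replaces the
tuned BERT model mentioned in the post; the section titles, policy text,
questions and the review threshold are all constructed for illustration.
"""
import math
import re
from collections import Counter

# Constructed sample documentation (section title -> text). Not real policies.
DOCS = {
    "Encryption Policy, section 2": (
        "Encryption of customer data at rest uses AES-256 and in transit "
        "uses TLS 1.2 or higher. Keys are kept in a cloud KMS and rotated "
        "annually."
    ),
    "Logging Standard, section 4": (
        "Application logs capture authentication events, authorization "
        "failures, administrative actions and configuration changes. Logs "
        "are retained for one year and shipped to a central SIEM."
    ),
    "Access Control Policy, section 1": (
        "Access to production systems requires SSO with multi-factor "
        "authentication. Access is reviewed quarterly and revoked within "
        "24 hours of termination."
    ),
    "Vulnerability Management, section 3": (
        "External vulnerability scans run weekly. Critical findings are "
        "remediated within 7 days and high findings within 30 days."
    ),
}

STOPWORDS = {
    "a", "an", "and", "are", "at", "do", "does", "for", "how", "in", "is",
    "of", "or", "the", "to", "use", "uses", "what", "which", "with", "you",
    "your",
}


def tokenize(text):
    """Lowercase word tokens with stopwords removed (no stemming)."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS]


class TfidfIndex:
    """Minimal TF-IDF index over document sections with cosine search."""

    def __init__(self, docs):
        self.titles = list(docs)
        counts = [Counter(tokenize(text)) for text in docs.values()]
        df = Counter()
        for c in counts:
            df.update(c.keys())
        n = len(counts)
        # Smoothed idf; a term seen in no section gets the weight for df == 0.
        self.idf = {t: math.log((n + 1) / (d + 1)) + 1.0 for t, d in df.items()}
        self.unseen_idf = math.log(n + 1) + 1.0
        self.vectors = [self._vector(c) for c in counts]

    def _vector(self, counts):
        vec = {t: n * self.idf.get(t, self.unseen_idf) for t, n in counts.items()}
        norm = math.sqrt(sum(w * w for w in vec.values())) or 1.0
        return {t: w / norm for t, w in vec.items()}

    def search(self, query):
        """Return (title, cosine score) for every section, best first."""
        q = self._vector(Counter(tokenize(query)))
        scored = [
            (title, sum(w * vec.get(t, 0.0) for t, w in q.items()))
            for title, vec in zip(self.titles, self.vectors)
        ]
        return sorted(scored, key=lambda x: x[1], reverse=True)


def first_pass(index, questions, threshold=0.2):
    """Attach the best-matching section to each question or flag it for review.

    A best score below the (assumed) threshold means the documentation does
    not cover the question, the SSO-with-your-IdP case from the post, so the
    item goes to a human instead of being auto-answered.
    """
    results = []
    for q in questions:
        title, score = index.search(q)[0]
        covered = score >= threshold
        results.append({
            "question": q,
            "section": title if covered else None,
            "score": round(score, 3),
            "status": "auto" if covered else "needs_review",
        })
    return results


# Constructed questionnaire items.
QUESTIONS = [
    "What encryption standard do you use for data at rest?",
    "What events do your logs capture?",
    "How often are vulnerability scans run?",
    "Do you carry cyber liability insurance?",
]


def run():
    return first_pass(TfidfIndex(DOCS), QUESTIONS)


if __name__ == "__main__":
    for r in run():
        print(f"[{r['status']:12}] {r['score']:.2f}  {r['question']}  ->  {r['section']}")
```

       The last question matches nothing in the docs and comes back as
       `needs_review` with no section, which is exactly the case a
       reviewer has to pick up; the other three are routed to the section
       a human would check before the answer goes out.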
        
       | wgyn wrote:
       | Filling out questionnaires is such a time suck. It's extra
       | painful because different companies use different standards
       | (CAIQ, SigLite, VSAQ). Hopefully they solve the near-term
       | questionnaire problem, but I'm also excited to see them
       | eventually tackle the underlying problem--we _want_ to prove to
       | potential customers and users that we take security seriously,
       | but right now it's prohibitively tedious and time-consuming to
       | do so.
        
       | lbriner wrote:
       | Can't wait to use something like this, definitely a pain point to
       | fix!
       | 
       | One of the hardest parts though is when the question is too
       | abstract so even as a human, I'm not sure what they are asking
       | and in what context.
       | 
       | For example, a typical question would be "What encryption do you
       | use at your company?" Dumb question, and no accurate answer that
       | would take less than 10 pages. How would you deal with these?
        
         | joetheone wrote:
         | These types of questions are exactly why we have a human-in-
         | the-loop model :)
         | 
         | Our AI is probably not going to touch this as it's very
         | unlikely a good answer is in your documentation, so a real
         | person will take a stab at it and then flag it for review with
         | you. We've seen a number of these BS types of questions and can
         | generally give an answer that will satisfy the client, and we
         | can review it with you to make sure you're happy with it.
        
       | soumyadeb wrote:
       | This can be super useful if it works. Congrats on the launch!!
        
         | joetheone wrote:
         | Thanks for the kind words! If you ever have a questionnaire
         | that needs answering or just generally have questions about
         | security & compliance, drop us a line and we'd be happy to chat
         | :)
        
       | newman8r wrote:
       | What happens in the event a question is answered incorrectly, and
       | the company loses a contract because of it? Does Stacksi assume
       | the liability, or provide some sort of insurance in this case?
        
       | simonturvey wrote:
       | Do you support a kind of internal "yes, but..." note so that
       | opportunities for improvement can be drawn from the
       | questionnaires themselves and tracked? I always wanted that to be
       | way easier.
        
         | emremm wrote:
         | Yes (no but).
         | 
         | The way that our system is built, every question has (up to)
         | three possible inputs:
         | 
         | A selection
         | An additional detail
         | An attachment
         | 
         | When we parse a questionnaire, the system picks up whether
         | there's a selection option available and shows that
         | accordingly. Every question can have a detail or attachment.
         | 
         | Recorded a quick video here to give a bit better overview:
         | https://www.loom.com/share/ed32e33598404bc7a883a66653c99258
         | 
         | You can also add an internal comment (by tagging someone like
         | in Slack) to discuss with colleagues. That info stays on the
         | internal system and doesn't get sent to the customer when the
         | questionnaire is exported / sent off.
        
       | jamespaden wrote:
       | How do you differ from Skypher.co, which is another YC company?
       | We're about to sign up with them.
        
         | joetheone wrote:
         | Admittedly, I have not seen any of Skypher besides their
         | website.
         | 
         | That said, the biggest differentiator that I see is that we use
         | a human in the loop model, while Skypher is a purely software
         | solution.
         | 
         | In other industries, an AI that can answer even 90% of the
         | questions well would be a fantastic result. On a security
         | questionnaire, that's going to lead to more back and forth,
         | more meetings, and more work for the vendor (in this case you).
         | Our reviewers are there to make sure that every question is
         | answered perfectly.
         | 
         | If Skypher solves the problem for you, great!
        
           | emremm wrote:
           | Overall, this is an underserved market, and saving smart
           | people time on security questionnaires is a goal we both
           | have.
           | 
           | Here's what I know about our product - we can ensure that the
           | quality of the responses are exceptionally high - our
           | customers tell us that they're at or better than the
           | responses that their teams would be providing.
           | 
           | Ultimately, what I think that translates to is more time
           | saved on our customers' end and less back-and-forth with
           | their prospect's infosec team to get the deal closed.
        
       | __jf__ wrote:
       | Who's sending these questionnaires, when and why? I'm asking
       | because I work in infosec and have never seen one.
        
         | ssss11 wrote:
         | I work for a reasonably large corporate in regulated space
         | holding client data, and yeah, our infosec are regularly
         | sending security questionaires. They go to new vendors, or
         | existing vendors when we plan to purchase something new from
         | them. I believe they're reviewed periodically as well.
         | 
         | No one likes wasting time filling out forms, but in large
         | businesses, theres a need to ensure the whole service (incl.
         | subcontractors/vendors/data processors) are operating properly.
         | So yeah some confirmation is needed... 200 page docs though?
         | Geez. I think ours is ~15.
        
           | joetheone wrote:
           | I've never seen a 200-page one, but 200+ questions is fairly
           | common. At 15 pages yours probably clocks in around there at
           | least :)
        
         | joetheone wrote:
         | Hi there!
         | 
         | Questionnaires get sent when companies want to do business
         | together that requires sharing sensitive info with each other.
         | 
         | I envy that you have never had to deal with these!
        
         | xtracto wrote:
         | I'm head of engineering at a ~70 people B2B startup and man I
         | HATE these things with passion. I get one almost every other
         | week and yes, they are indeed 200+ questions. Even after you
         | are PCI, SOC2, ISO27001, etc compliant some companies REQUIRE
         | you to fill these things. It is a HUGE pain and time consuming
         | chore.
        
       | sz4kerto wrote:
       | Genius. I know HN comments should have more substance, but what
       | else can I say.
        
         | joetheone wrote:
         | We appreciate the comment :)
        
       | Grimm1 wrote:
       | Hi guys I have to say first the product solves some very annoying
       | things people have to do so that's great. I have more of an aside
       | though -- I really like your landing page is that custom?
        
         | emremm wrote:
         | Much appreciated!
         | 
         | Like JJ said, we use Webflow for hosting the landing page and
         | customized a template (softbit)
         | https://webflow.com/templates/html/softbit-saas-website-
         | temp....
         | 
         | Credit for customization of the design goes to the awesome
         | Cristi Hurhui (https://dribbble.com/CristianHurhui)
        
         | joetheone wrote:
         | It's a webflow template: https://softbit-template.webflow.io/
        
       | securitypal wrote:
       | Congrats Stacksi on the launch!
       | 
       | Super exciting to see more companies solving the security
       | questionnaire pain points :)
       | 
       | Hope we both can solve this problem for the market and make it a
       | win-win for all security, sales, and engineering leaders!
        
       | nickdothutton wrote:
       | Some of you might find this post interesting. The first step down
       | the path to automating compliance.
       | https://blog.eutopian.io/a-universal-lemma-for-compliance/
        
         | emremm wrote:
         | Appreciate the way you've thought about this, Nick. I like the
         | suggestions that you bring up at the end:
         | 
         | What if we could produce compliant configuration snippets for
         | live systems?
         | What if we could express internal compliance policy in parsable
         | form?
         | What if we could automatically apply configurations and re-test?
         | What if automatic attestation was cryptographically signed by
         | both parties?
         | What if this was so frictionless it could be done daily or
         | on-demand?
         | 
         | Ultimately, security is _hard_ and finding ways to simplify and
         | automate protocols will make everyone better off.
        
       | psoots wrote:
       | I can't believe these questionnaires have become so pervasive
       | that it's spawning an industry. I hate these things. They are
       | such a burden on the small, niche software vendor.
        
         | joetheone wrote:
         | We totally agree! At our last company these were a major PITA
         | and slowed us down a lot because when we first started working
         | with other businesses, we were not prepared to handle them at
         | all. We want to help remove the burden from small software
         | vendors, and we think our pricing model is super user friendly
         | :)
        
       | Beefin wrote:
       | Despise security questionnaires, so a very important problem
       | you're solving.
       | 
       | My company just onboarded RFPIO, which I'm super happy with which
       | addresses everything it seems you're offering.
       | 
       | How is Stacksi different than RFPIO?
        
         | emremm wrote:
         | Glad our product resonates!
         | 
         | A couple points of differentiation:
         | 
         | 1) First-shot completion: Our system typically gets 90%+ of the
         | questionnaire completed with no user involvement. I don't think
         | RFPIO (or other RFP-focused platforms) do that.
         | 
         | 2) Guidance & Support: Some of the stickiest parts of RFPs are
         | the questions that are either WTF? or that you answer "No" to
         | and determining how to manage that. Does it actually matter
         | that you don't have a WAF (depends on the rest of your
         | architecture)? Does it actually matter that you're still using
         | TLS 1.1 (probably want to change that)? Should you fix those
         | things? RFP systems don't help with that; ours does (largely
         | because we've put a human in the loop).
         | 
         | What I've heard from our customers using those systems is that
         | RFP systems help (after you've spent time on curation) with
         | ~30-60% of questions. If the questionnaire is 200 questions,
         | that still leaves you with somewhere on the order of 100
         | questions to answer.
         | 
         | Ultimately, RFPIO provides a software tool only; we're
         | providing a software-enabled service.
         | 
         | The time your team spends on questionnaires is reflected in
         | that.
        
           | joecasson wrote:
           | Another tool that I've been happy with is Loopio. They do
           | have the "Magic" capability that tries to automate answers.
           | Given the consistent structure of security questions, they
           | had a higher match / completion rate, but their UX was a
           | little difficult to navigate. Again, software only solution,
           | but something that might be interesting for comparisons.
        
             | joetheone wrote:
             | Loopio and RFP.io are direct competitors. They are both
             | good tools, but are designed for RFP response in general
             | and not security specific. RFPs do tend to have security
             | sections, so there is some overlap for sure, but these guys
             | by definition are focusing on a wider problem and don't
             | dive as deep into security.
             | 
             | A number of our customers combine our service with loopio
             | or rfp.io and we are perfectly fine with that.
        
       | ahstilde wrote:
       | Stacksi makes so much sense. It is always frustrating when a
       | senior engineer is pulled into doing security questionnaires.
       | 
       | I had the pleasure of interviewing Emre for my podcast. If anyone
       | wants a listen, check it out: https://www.aakash.io/all-schemes-
       | considered/stacksi-emre-mu...
        
       | secfirstmd wrote:
       | This is very cool. Kudos for tackling this. At Security First
       | (https://www.secfirst.org) we build free open source apps and
       | tools for helping people learn about and manage physical and
       | digital security. At one stage we spent a lot of time looking at
       | how to build out smart forms like this for stuff like incidents.
       | It gets very very complicated very quickly in terms of building
       | out the backend brains of it. So massive kudos to you for
       | tackling this challenge, I can only imagine how difficult it was. I
       | look forward to testing it and seeing how we might be able to use
       | it with groups like journalists and activists at risk. It's kinda
       | hard to know at this stage from what's on your site but will
       | there be some kind of api we can use with it?
        
         | emremm wrote:
         | Very cool! Security awareness and training that doesn't suck
         | (I'm talking to you, Java "training" Applets from 2000) is
         | probably one of the highest impact "soft" things that companies
         | can do to _actually_ make their company (and people) more
         | secure.
         | 
         | We've built on top of an API (primarily for data I/O), but
         | haven't exposed anything for public consumption yet (the API's
         | only used by our app), simply because we have so much to tackle
         | already that we're not ready to support a developer community
         | using the API quite yet.
         | 
         | Like you said, building arbitrary logic into forms is hard...
        
           | secfirstmd wrote:
           | Awesome, look forward to seeing how it goes!
        
       | ComodoHacker wrote:
       | OK, but can we do better? Is there a better way to assess supply
       | chain security risks than these questionnaires?
        
         | joetheone wrote:
         | This is actually what we're trying to build towards :) Our
         | first products rely on the policies that companies put together
         | themselves, but we're building towards tools that they could
         | use to show more convincingly that information written in
         | policies is actually put into practice.
        
         | emremm wrote:
         | No doubt. We're sure there will be better ways, and we'd like
         | to help in getting there. Rather than die on that battlefield
         | before we've built something meaningful, we're working to help
         | at least solve the immediate need that companies face. We're
         | fans of refactoring rather than blow up and replace right off
         | the bat, with the thinking that it'll be a lot easier to change
         | things from a position of relevance and experience. Personally,
         | I'd love to move to a more protocol-based approach that has
         | verification behind it.
        
         | xtracto wrote:
         | That's what certifications are supposed to be used for (PCI,
         | SOC2, ISO27001). But even if your company has them, some
         | businesses want you to fill these horrendous questionnaires.
        
       | jasonkimtech wrote:
       | Filling out questionnaires is definitely painful but reviewing
       | them can be as well. Are you guys planning on building any
       | tooling to make the review process for teams onboarding vendors
       | easier?
        
         | joetheone wrote:
         | We definitely think about that, but our previous experience is
         | as startup founders so we're starting out by addressing a
         | problem we know very well.
        
           | emremm wrote:
           | FWIW, we'd love to help there eventually, we just think that
           | the vendor side of the market is so abysmally underserved
           | that we wanted to start there.
           | 
           | The goal of this whole thing is to speed up the entire
           | process of security review and _actually_ reduce 3p vendor
           | risk while getting business done.
           | 
           | I guess we've got our work cut out for us...
        
       | mwcampbell wrote:
       | > Finally, for companies that don't yet have policies written, we
       | help customers create and manage them, and charge separately
       | (kind of like Clerky, but for security policies).
       | 
       | And with that, you likely just won my company as one of your
       | earliest customers.
        
         | emremm wrote:
         | _inserts celebration gif here_
        
         | TheTaytay wrote:
         | Seriously. Shut up and take my money.
        
           | joetheone wrote:
           | We'd love to! Reach out to us!
        
       | billyhoffman wrote:
       | First, thank you so much for this! I hate these things.
       | 
       | However, answering these questions without nuance and context can
       | at best cause a lot more back and forth between company and
       | vendor, and at worst kill the deal immediately. Example:
       | 
       | Bad way, no context: Do you have external certification for
       | HIPAA/PCI compliance: No.
       | 
       | Better way: Do you have external certification for HIPAA/PCI
       | compliance: No, because the product does not collect, store, or
       | process health data or payment card data.
       | 
       | How do you handle cases like this in an automated fashion?
        
       ___________________________________________________________________
       (page generated 2021-03-19 23:01 UTC)