Travis Good, MD (@travisjgood)'s Twitter Profile
Travis Good, MD

@travisjgood

Compliance and trust. 💪 Raising kids above the API in rural Colorado.

ID: 53596226

Link: https://workstreet.com

Date: 04-07-2009 04:44:19

4,4K Tweet

1,1K Followers

965 Following

“Is there potential for reputational impact to our institution due to the nature of this product/service?” As a SaaS company answering this for a potential customer, that’s hard to answer. The way it’s worded, is the answer ever “no”?

🎉 Exciting stuff at Workstreet as we kick off 2025! In just the first week back, we’ve got a lot going on. 🌐 Ecosystem Alignment: our goal is product partner fit. Collaborating closely with the rapidly maturing Vanta ecosystem, we're aligning our network of

“Are you an MSP or a vCISO?” I got asked this on a call this week, and it’s a fair question. Many MSPs are expanding from managing software and IT to providing security and compliance services, now offering vCISO services. On the flip side, some vCISOs, like us @

🪲 Bug bounty programs? 🤔 Lately, I've been asked a lot about bug bounty programs. For some of our clients, setting up and managing these programs is a no-brainer. They see it as a proactive step to find vulnerabilities. On the flip side, other clients are skeptical to

One of the first questions I ask people about security and compliance plans, whether they’re just starting out or expanding, is: What worries you the most about this? 🤔 At least 90% tell me their biggest fear is not having enough resources to achieve their target outcomes, be

In a crowded market where attention is hard to get, standing out is hard. At Workstreet, we're tweaking branding and messaging, because most of what's out there feels like the same thing over and over. Just like the premium people now put on in-person experiences, our

I just upgraded from the Gen 3 to Gen 4 ŌURA - under 60 seconds for the process. It doesn’t surprise me how easy it was. I’ve worn the Oura for the last 3+ years and it is far and away the best fitness / health device I’ve ever owned (and I used to write about health

Founder: "We can't afford to slow down” I hear this a lot when talking to companies about compliance, usually SOC 2 or ISO in this context. Security and compliance feels like just another task on a founder or startup operator’s already overflowing plate. Nobody wants to get

"Describe your logging capabilities for the applications/systems/hosts and network where Company_Name data will be posted sufficient to determine the root cause of a security incident? If so, are *these following logged, reviewed and audited?" 🦄 Company_Name = VC-backed IPO

Are you on a tight timeline for your SOC 2 or ISO 27001 audit? 👉 Book your auditor's calendar, like now. Auditors are in high demand—especially during certain seasons. Get an auditor early to avoid delays when you’re audit ready. #SOC2 #ISO27001

Trust and compliance are changing fast thanks to a bunch of factors - regulation, risk, AI, new software like Vanta, etc. One new trend: more awareness of custom control descriptions. We’re seeing more demand from our clients to collaborate on these. To be clear, we’ve

In Austin this week for our first Workstreet quarterly team onsite. We got a small group together to plan for Q1 and the rest of 2025. We’ve grown to over 50 people and 100s of active customers across North America, Europe, Asia, and Latin America. And we’re planning for 2025 to

I’ve been trying to write more. I’ve also been trying to use more AI tools, both to learn but also to be more productive.

For writing, I’ve been using @superwhisper. I speak to the app and use different, heavily customized prompts to create different types of written content.

Should you have every piece of evidence an auditor asks you for? Not necessarily. You may have compensating controls or alternative evidence that addresses the underlying evidence the auditor is seeking. You know your company, tech, and operations best. Don’t be afraid to ask

I’ve been thinking a lot about how 2025 will redefine the trust for AI vendors. We're seeing way more scrutiny for these AI vendors, this is driving demand for trust programs specifically geared towards AI. Here's what I'm seeing: 🔍 Increased Scrutiny: buyers are demanding

There’s a lot of people talking about the loss of value and credibility of SOC 2. And a lot of blame thrown around at audit firms, the AICPA, companies that demand SOC 2 from their vendors, GRC platforms, on and on. I always see some variation of this in the comments of these

“How long does it take to be HIPAA compliant?” It’s a strange question. 🤔 More accurately, how long does it take to do all the things to comply with HIPAA. If you’re a small company, it’s def possible to be compliant with HIPAA fast, in just a few weeks. This is mostly policy

When I see a product with network effects, I’m jealous. An example - I’ve been loving Granola and sharing Granola meeting notes. These notes are at Granola URLs so they spread the word for Granola. Then, this week Workstreet got 2 large company leads for pentests

When should we hire a full time CISO? At my first company, we hired a full time CISO when we were at about 40 employees. And I wish we hadn’t. Why? 1. CISOs are expensive 2. Many CISOs lack experience with startups 3. CISOs are rarely individual contributors Most of what a

Companies hire a full time CISO thinking it solves their security problem. It doesn't. You get one person. One set of experiences. One perspective. A fractional team gives you a group of experts that have experience with every framework, every industry, every tool. Better