
Get your questions answered

Frequently Asked Questions

Need help? Got a question that isn't listed below? We're here to help! Schedule a call with one of our security experts now.
What is Workstreet?

Workstreet is a fractional security and privacy company laser focused on high-growth companies (startups). You can think of us as a security and privacy program in a box.

We provide everything you need to create, manage, and scale a security and privacy function. This includes everything from policies to training to audits. Check out our services page for more specifics on what we do for our customers.

Why should I use Workstreet?

Security and privacy are requirements to sell and scale today. Every startup we know, and we know a lot, is either adding security and privacy roles and tasks to already overloaded employees, struggling mightily to find and onboard security and privacy talent, or simply ignoring security and privacy, putting them, their investors and their teams at risk.

Our team is expert in security and privacy for startups, having built products and provided security and privacy services to thousands of companies. We are a rare blend of startup operators who understand modern technology as well as the audit process and landscape.

We are not a fit for every company as we only serve startups. If you’re not a startup, we’re sorry. If you are a startup operator, our focus and experience make us a perfect fit to help you.

For a fraction of the cost of hiring dedicated people, not to mention the time required to find people with this rare skill set, Workstreet solves security, privacy, and compliance for you so you and your team can double down on your day jobs and maximize your chances of success.

What is security, privacy, and compliance?

These are three separate but integrated functions that broadly fall under the “trust” banner. Below are high-level definitions.

• Privacy makes promises about data and what you do to protect it.
• Security implements controls to meet the promises of privacy and ensure the confidentiality, integrity, and availability (CIA) of data.
• Compliance measures the alignment of privacy and security with established standards, frameworks, and regulations (HIPAA, SOC2, ISO, PCI, GDPR, etc.).

Workstreet addresses all three - security, privacy, and compliance - for our customers.

What is a virtual CISO?

A virtual CISO (vCISO) is a fractional Chief Information Security Officer (CISO). When we use the term “vCISO”, we mean a person assigned and accountable for security at a company. This role is in charge of security which is, or at least should be, a horizontal function at most companies.

This doesn’t have to be a “CISO” as a “CISO” is not required by any compliance frameworks or data regulations. The title is less important than the role of managing security. The title could just as easily be “virtual VP of Security” or “virtual Director of Security” or pretty much anything.

Companies like Drata and Vanta are now using the term vCISO to classify service provider partners so more managed service providers (MSPs) and managed security service providers (MSSPs) are starting to use the term to describe categories of services they provide to customers.

Do I need a CISO and Privacy Officer?

Many compliance frameworks and data regulations do require an individual to be responsible and accountable for security. This is why we function as a vCISO for our customers.

Technically speaking, a CISO and Privacy Officer are not required unless you work in healthcare and need to comply with HIPAA. That said, we have found that having both sends a strong message to the market and customers about your understanding of security and privacy as well as your focus on them.

Why would I need a data protection officer (DPO)?

A data protection officer (DPO) is required by GDPR. Under GDPR, a DPO has to meet certain requirements like having expertise as well as reporting to the highest level within a company. If you have any users or customers in the EU, there is a very high likelihood that you need a DPO.

Why subscription pricing and not hourly?

Subscriptions map to the functions we perform, not the hours we work. We are providing fractional expert talent and billing accordingly as we invest time to build, manage, and scale your security and privacy program. Subscriptions align our incentives with the value we deliver to you.

When we have worked with services companies in the past, we noticed they’d provide a range of hours and then consistently bill somewhere in the 75%-90% range of those hours. Subscriptions are more transparent and predictable for you and for us.

How much do I save by using Workstreet?

We calculate the ROI of Workstreet across a few dimensions.

There is the direct savings of fractional work vs hiring a dedicated security person. This savings can be $50,000-$150,000 per year.

There is a direct saving of time by offloading all of security and privacy to Workstreet. Most startup teams spend 10 or more hours a week on security, privacy, and compliance. These hours are usually spread across several people. This ranges from policies and procedures to sales calls to security questionnaires to audits. With Workstreet, you get an extra day of work each week from your team.

There is an indirect ROI of closing more deals faster. This is a mix of your focus and our assistance in turning security into an asset for your sales and marketing teams.

How do I know what you are doing?

We are a part of your team so you can always reach out to us. We prefer Slack but we are also available via text, phone, or email.

You have access to our dashboard so you can always get a quick snapshot of the status of security and privacy and the status of ongoing projects.

We also send security and privacy alerts and updates each week.

Will you help me sell my product?

First, we will develop publicly available materials that you can use in your sales and marketing. We have experience with this and know what to say to get in front of speed bumps and roadblocks in the sales process.

Second, we will respond to security questions you get from prospects and customers, including questions in security questionnaires. We know the right words to use to assuage even the most anxious customers.

Third, we will attend sales calls as needed to talk about security and privacy at your company. We bring experience and credentials that give you instant credibility.


Do you do audits?

Yes and no.

Internal audits are those performed internally, by members of your team. When you work with Workstreet, we become a part of your team so we perform the internal audit function for your company. In this function, we assess compliance with target regulations and frameworks such as GDPR, HIPAA, CCPA, SOC2, ISO 27001, PCI, and more.

External audits, by definition, are performed by auditors that are not part of your company. We are not a CPA firm and auditor so we cannot issue external audit reports or certifications like SOC 2 reports. We assist, and can fully manage, external audits for you including helping pick an auditing firm and interfacing with your external auditors. This is a lot of work and a way we deliver value to our clients.

Do you use software?

Yes, we use internally developed software as well as 3rd party security and privacy software. Just like an employee assigned security and privacy duties, we leverage software to help your company go faster, do more, and build trust. We typically make recommendations for software based on your specific company stage and needs.

How do you pick software to recommend for me?

We're intimately familiar with security software for startups. We’ve built some of it and optimized the use of it. The software we recommend is what we consider, based on our long experience, the right fit for a company that looks like yours.

We do not choose software based on referral payouts. If we earn a referral payment, we will be transparent about it and you will know before deciding.

Do you use Vanta, Drata, or SecureFrame?

Yes, we use audit automation platforms. Not all companies need this type of platform but some, especially those going through a SOC 2 or ISO 27001 audit, benefit from using them. While these platforms accelerate evidence collection and provide things like policies and training, setting up, implementing, and managing the various aspects of these platforms require humans and time. At Workstreet, we are those humans and we spend that time for our clients.

Do you provide training?

Yes, we provide training. In addition to being a good practice to minimize your risk, almost every regulation and compliance framework (GDPR, NIST, CCPA, HIPAA, SOC2, ISO 27001, PCI, etc.) requires security awareness training. Some, like ISO and HIPAA, require other training like privacy training (HIPAA) or technical security training (ISO). Workstreet provides all the necessary training.

Can you manage security incidents and data breaches?

Yes, we can manage security incidents and data breaches. The management of security incidents and data breaches is a big part of how penalties are assessed. Workstreet ensures you are dotting your “i’s” and crossing your “t’s” when it comes to data breaches. The hard part about this is aligning your breach management with the myriad of state, national, and industry-specific rules and regulations for data breaches.

When should I start using Workstreet?

We believe even the smallest companies can benefit from having security and privacy expertise on their team. Even if audits are a ways off, we can get you prepped to sell and get through security assessments and security questionnaires.

Below are several company stages and how Workstreet can help:

• Company with no security or privacy function. We’ll build your security and privacy program from the ground up. We’ll assess the current state, help you choose what frameworks or regulations you want to meet, implement policies and training, and put you on solid footing to build trust with customers.
• Company with policies and procedures preparing for its first audit. Policies and procedures are just documents. Most are written based on templates. Implementing them and collecting evidence that you are following them is the hard part. We can do this for you and make sure you’re ready for an audit and don’t waste time.
• Company with a mature security and privacy program. You’ve passed audits - that’s awesome! We can optimize and run your security and privacy program, saving you money with fractional security and privacy expertise. We can also extend your program to other geographies and industries.

In all cases, Workstreet can manage your security and privacy function in its entirety and let you focus on growing your business.

Do you do penetration testing?

No, but we can manage pen testing engagements in their entirety.

Are there security, privacy, and compliance things you do not manage?

We typically do not manage day-to-day security operations such as log review and analysis, patching, endpoint management, etc. We do provide policies and procedures as well as workflows to make all of these easier for your team. We can even train them how to do these security operations and ensure they are properly documented.

Get started today.

Speak with one of our compliance experts to see how we can help your organization leverage compliance.