How We Think about SaaS Product Security at Skedulo

Taylor ReedAt Skedulo, our security team is always looking for ways to leverage technologies to continuously secure our user, customer, and company data. In most organizations, working in a fast-paced environment, driving innovation, and ensuring continuous delivery leave a slim margin for embracing security in all aspects of the product lifecycle.
As most security practitioners know, rush to market and robust security practices can be at odds with each other. In a similar sense, it’s easy for organizations to get caught in the bureaucracy of regulatory compliance checkboxes, rather than making meaningful steps in creating a secure product and security-minded culture.
This is especially true in startups transitioning to compliance-driven security. It doesn’t have to be that way—it’s possible to maintain speed, agility, and a sound security posture by applying a comprehensive and self-aware approach to security.
5 Tips for Maintaining Speed and Security
While each organization’s objectives are unique, properly planning and configuring a business’s existing technologies is always critical for protecting sensitive data (without sacrificing agility).. There are several best practices that we use at Skedulo to address this and to ensure our approach meets the needs of our organization and our customers:
1. Leverage technology as a force multiplier
Just like any SaaS company, using the cloud to manage scalability and availability greatly reduces the overhead and technical debt associated with maintaining infrastructure. The majority of these services also reduce the attack surface available and make configuration management much easier to handle for smaller security teams. Making modern, informed technology choices—and avoiding legacy systems and processes—puts time and energy back in our security team’s tanks to focus on proactive security application.
An added benefit to this is agility. For example, when COVID-19 forced a transition to working remotely, our Identity Access Management (IAM) technology choices and configurations enabled our transition time to a matter of hours, not days. Additionally, our security posture remained unchanged due to configuration management choices implemented during the planning process and executed when needed.
2. Use compliance as a baseline
We’re proud of our achievements in SOC 2 and other regulatory compliance standards—but we understand that compliance doesn’t always equal security. An attacker doesn’t care about ISO 27001 compliance if you have a public S3 bucket with PII exposed.
Effective regulatory compliance requires a self-aware approach to how the critical controls actually apply to a security function. That’s why we view compliance as a baseline and apply additional measures where it matters. We draw from years of lessons learned in offensive security roles and bring an “attacker mindset” to our security policies at large.
3. Prioritize evolving threat models
The threat model is not a static entity; they evolve as quickly as exploits are created. As such, it’s important to evolve our security model as the threat model changes. When we focus on risk, it’s also important to contextualize relevant threats to our organization, and focus on the potential business impacts.
This enables us to prioritize risk and subsequent security requirements based on the real-world threat. In return, we’re benefitted with a portfolio of evolving threat models based on emerging techniques from attackers. We combine these tactics with industry-accepted best practices to bolster our security posture to realistic threats.
Learn more about how to plan for success in the digital age
Download our Whitepaper4. Embrace the unknown
Expect zero days. Albeit not the most positive outlook, we embrace the mentality that known-secure applications will not always be that way—and ultimately, security incidents are an if-and-not-when. On the surface, this seems like a grim way to look at security posture, but it’s actually a proactive step.
Keeping this in mind, we layer and segment our network security measures to build a robust security posture. If an asset (secure or not) is compromised, we apply defense-in-depth policies to minimize the business risk and loss of data.
5. Focus on culture
It’s well known that breakdowns in security awareness often lead to the initial compromise of a secure system. We understand that and create a secure culture—not only through policy, but also through security awareness training to promote a security-minded and self-aware culture.
We also recognize that security awareness doesn’t stop with being able to recognize a phishing email—it must also be baked into our product. We achieve this by creating a security-minded culture in our product development cycles and by conducting regular security reviews as validation.
Drive Innovation While Remaining Secure
The moment we believe a system is indefinitely secure is the moment security-atrophy will take its course. As such, we remain vigilant in securing all aspects of business functions. Using these strategies, we create an ecosystem of intelligent choices in configuration management, process management, and network management with the resources in our arsenal.
By implementing a combination of regulatory compliance frameworks (e.g., NIST, SOC2), critical thinking in our threat modeling, and making intelligent technology choices, we’re left in an advantageous position to develop a comprehensively secure product to our customers.
Looking to implement a new solution in your tech stack? Learn how to do so efficiently and securely with our change management checklist.
Join the growing list of readers receiving real-world insights on AI scheduling, field operations, and workforce innovation from Skedulo.
Real operational insight
What's changing in the industry
Product thinking that helps you move faster
Communications are limited to relevant news and insights.
Related posts

Build vs Buy: Mobile Workforce Management Software
Buying or building a new software platform is a huge decision for any business. Whether it’s a SaaS solution or one created in-house, the software needs to fit into the budget, address the company’s key goals, and be easy for workers to use. Now that only 33% of workers are tied to a specific loca…
Read the post
Refreshing a Brand with Good Bones
First impressions are never wrong When it comes to evaluating brands, I believe first impressions are never wrong. When your brand is out in the wild—outside a context of a branding case study—people are going to think what they want to think. In many ways the underlying logic behind the branding d…
Read the post
How Skedulo is using an expanded partner ecosystem to help customers solve the challenges of the deskless workforce
What I love most about my job is hitting the road and listening to our customer stories. Over time, I’ve come to learn a lot about what our customers need to manage their field, mobile and deskless workers on the frontline. What constantly strikes me is how they apply Skedulo in so many different w…
Read the post