Start[up] with security
Information security is important, most people wouldn’t argue that. However, startups often don’t think about security until they have to. Most startups are already over capacity working on their minimum viable product (MVP) and finding product market fit. That leaves little time to even think about security.
Usually, they'll decide to invest in security because their customers ask them how they protect data, or because they've experienced a security incident. Especially for B2B startups, closing a deal can hinge on proving that your company can be trusted to secure customer data. In the unfortunate event of a security breach, startups realize that their company’s future could be in jeopardy and quickly begin to take security seriously.
Security is definitely not easy, but hey, neither is building a successful company. In a startup, you need to focus on the security basics and build the maturity of your security program as your company grows. You need a security MVP.
Here are a few tips to help you get started:
1. Don’t rely solely on your service provider
If you are a software company, most likely you are going to be utilizing a public cloud provider like AWS, Azure, or GCE. Many startups believe that since these companies have all of the security certifications available (ISO 27001, SOC 2, PCI, etc.) there is nothing else that needs to be done. Unfortunately, this is not the case. There is always a shared responsibility model for security in the cloud, and depending on the cloud service model (IaaS, PaaS, SaaS), your company is always responsible for some aspects of security.
Don’t expect your cloud configuration to be secure out of the box. You need to take the time to understand what both your company's and your cloud provider’s security responsibilities are. Without that knowledge, you will not know the requirements for your security MVP.
Commercial security technology tends to be a very expensive way to increase security, but there are more cost-effective options. Leverage the native security tools provided by your public cloud provider, which are either free or billed on a per-use basis. There are also many open source security tools available. Keep in mind that while you might save money with open source, commercial tools sometimes require less time to set up and operate, so be aware of the trade-off.
Image courtesy of 'Shared Responsibilities for Cloud Computing' by Microsoft
2. Start Simple
Buying the new shiny AI-powered security solution that the sales guy told you would solve all your security problems is not the place to start, even if you could afford it. Instead, focus on the basics like password management, multi-factor authentication, and patch management. Aim to cover at least the CIS Critical Security Controls for which your company is responsible. Once you have those nailed, then call the sales guy back and see what the shiny AI-powered security solution can do for you.
3. Empower your people
Security (like most things) is a combination of people, processes, and technology. There is no ‘set it and forget it’ option for security. Until you can afford your first security hire or managed service provider, find some people in the company who have an interest in security and empower them. Most importantly, you should dedicate a certain percentage of their time for security work. If security is something that is only done when there is free time, your company will never improve its security posture.
4. Integrate and automate processes whenever you can
Security is often viewed as a tax - adding time and resources when applied. To minimize the tax, security processes should be integrated as much as possible into the existing workflows and tools within your company. For example, don’t ask developers to log into another web application to view results of a static code analysis scan. Instead, have those results published to Jira, where your developers work on a daily basis. You should also aim to ‘automate all the things’ because relying on manual processes will inevitably lead to failure and slow things down when your company is trying to move fast. The DevOps (or DevSecOps) movement has created a tremendous opportunity to automate and embed security into the development and operations processes. Embrace it!
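As an added example (not code from the original post), the script below sketches the glue described above: it reads a scanner's SARIF output, drops duplicate and low-severity findings, and builds issue payloads in the shape Jira's REST "create issue" endpoint accepts, so a CI job can file them where developers already work. The SARIF sample, the project key and the priority names are constructed assumptions.

```python
import hashlib
import json

# Constructed sample of a minimal SARIF 2.1.0 report (not output of any real scanner run).
SAMPLE_SARIF = json.loads("""
{
  "runs": [{
    "tool": {"driver": {"name": "ExampleSAST"}},
    "results": [
      {"ruleId": "sql-injection", "level": "error",
       "message": {"text": "User input reaches SQL query"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                           "region": {"startLine": 42}}}]},
      {"ruleId": "sql-injection", "level": "error",
       "message": {"text": "User input reaches SQL query"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                           "region": {"startLine": 42}}}]},
      {"ruleId": "weak-hash", "level": "note",
       "message": {"text": "MD5 used for password hashing"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"},
                                           "region": {"startLine": 7}}}]}
    ]
  }]
}
""")

# SARIF "level" -> Jira priority name (assumed to exist in the target Jira project).
PRIORITY = {"error": "High", "warning": "Medium", "note": "Low"}
RANK = {"note": 0, "warning": 1, "error": 2}

def fingerprint(result):
    """Stable id for a finding so re-running the scan does not file duplicate tickets."""
    loc = result["locations"][0]["physicalLocation"]
    key = f'{result["ruleId"]}|{loc["artifactLocation"]["uri"]}|{loc["region"]["startLine"]}'
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def build_jira_issues(sarif, project_key, min_level="warning"):
    """Turn SARIF results into Jira 'create issue' payloads, deduplicated and filtered by level."""
    seen, issues = set(), []
    for run in sarif["runs"]:
        tool = run["tool"]["driver"]["name"]
        for r in run["results"]:
            level, fp = r.get("level", "warning"), fingerprint(r)
            if RANK[level] < RANK[min_level] or fp in seen:
                continue  # below the triage threshold, or already filed
            seen.add(fp)
            loc = r["locations"][0]["physicalLocation"]
            issues.append({"fields": {
                "project": {"key": project_key},
                "issuetype": {"name": "Bug"},
                "priority": {"name": PRIORITY[level]},
                "summary": f'[{tool}] {r["ruleId"]} in {loc["artifactLocation"]["uri"]}:{loc["region"]["startLine"]}',
                "description": r["message"]["text"],
                "labels": ["security", "sast", f"fp-{fp}"],  # label lets later runs find the ticket
            }})
    return issues
```

Each payload is ready to POST to `/rest/api/2/issue`; before filing, a CI job would search Jira for the `fp-` label to skip findings that already have an open ticket.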
5. Build a company culture around security
People are often cited as being ‘the weakest link’ so building a security awareness culture is one of the most important things you can do. Make sure every employee is aware of their security responsibilities within the company starting from day one. Provide security awareness training to all new hires and to the entire company on an ongoing basis. You can start with a simple slide deck (and some pizza) delivered in a lunch and learn format.
You should also continuously test your employees’ awareness with phishing simulations, USB drops, and clean desk checks. This will tell you how effective your awareness training is and allow you to improve the content over time. You can talk about phishing all day long, but nothing gets the attention of an employee like getting owned by your own phishing test! Awareness tests should be fun and engaging; however, you should track the results over time so that you can identify who to target for additional education.
To sum it up...
If you start with security early, you can turn the security tax into a feature. It will build trust with customers when you can demonstrate how their data is secured. Take these simple steps now, so that when those big prospects send their security teams to audit your small company - you'll be ready.
P.S. when in doubt, this image from Twitter user @SwiftOnSecurity says it best:
Header image created using Creative Common assets from Pablo Stanley.