July 06, 2020
When it comes to early-stage startups and cybersecurity, the two concepts do not always go hand-in-hand. In this write-up, we’ll explain the importance of cybersecurity and how it will build trust with customers and investors.
Table of Contents (1260 words, 5 minute read):
- Target Audience
- Why This Matters
- Problems to Solve
- Where This Applies
- Common Arguments From Founders
- Why to Start Early
- Security Guiding Principles for Startups
- What You Can Do Right Now
- Moving Forward
- Founders (technical & non-technical)
- CTOs & Developers
- Sales & Business Development
- Investors (Private Equity, Venture Capital, etc.)
Why This Matters
Cybersecurity, data privacy, and regulatory compliance have become increasingly essential business challenges for startups and global organizations alike, and these issues impact starting, running, investing, or acquiring a business.
Today’s consumer has become more focused on data protection and privacy and has less confidence in a startup’s ability to safeguard digital assets.
Problems to Solve
- Consumer Trust - Trust in a digital world is harder to earn and keep, and startups are considered riskier by the average consumer.
- Meeting Standards - Enterprise customers expect mature data protection, and data privacy practices and early startups can struggle to meet standards.
- Regulatory Costs - Solving for the evolving regulatory landscape only gets more expensive with time and company scale
Where This Applies
Does your startup:
- Have users logging into your platform?
- Use a database?
- Leverage cloud-based resources like IaaS (Infrastructure as a Service)?
- Have intellectual property (IP) to safeguard?
- Process payment transactions?
- Collect, store, use, or process Personally Identifiable Information (PII) data?
- Collect, store, use, or process any regulated data (i.e., financial or healthcare)?
- Have customers who operate in highly regulated industries (i.e., Critical Infrastructure, Insurance, etc.)?
- Have operations in geographies with consumer protection laws or regulations (i.e., EU for GDPR, US for CCPA, etc.)?
If yes to any of the above, security, privacy, and compliance need consideration early and often.
Simply put, you cannot do business without cybersecurity, data privacy, and regulatory compliance in mind today
A few other reasons you need to consider security, data privacy, and compliance:
- Your company brings in new employees (part-time or otherwise)
- You want your company to be acquired
- You are seeking private equity or venture capital investment (see Why Private Equity Needs Cybersecurity Expertise)
Simply put, you cannot do business without cybersecurity, data privacy, and regulatory compliance in mind today (at least not for very long).
Common Arguments From Founders
“We’re here to sell product X or service Y first, not be secure…“
“We’ll take a look at that when we get bigger…“
“We’ll wait until we have enough customers asking…“
Many startups gauge their level of involvement and commitment to cybersecurity based on either the company’s financial expense or certain financial milestones.
Instead of waiting for a specific windfall event or a set number of times a customer asks about your cybersecurity practices, do this instead:
Consider what industry you are in (or your customers are in)
Consider the risk associated with the data your company has (or hopes to have)
Consider what that would mean if that data was lost or stolen
Why to Start Early
- Price You Pay to Play - Some enterprise customers will require specific security and regulatory compliance levels even to do business (i.e., SOC2, PCI-DSS, etc.).
- Security Sells - Security and compliance are selling points in the current state of the world, and your customers will expect it. Security, or lack thereof, could make or break your first big B2B customer.
- Create Your Moat - Do what others will not. Security, data privacy, and regulatory compliance in your industry can make you stand out and create a competitive barrier to entry into your market.
- Limit Security Debt - Cybersecurity, data privacy, and regulatory compliance design decisions early on cost a lot less than down the road as your company begin to scale as customers, and requirements get larger.
Security Guiding Principles for Startups
- Create a Security Culture - Adopt strong security and data privacy practices from the beginning and make it a part of everyone’s job. Security is more process than technology.
- Do the Right Things - And Do the Things Right. You can’t be good at everything early on, so pick a few things to be very good at and make it an essential piece of how you operate.
- Work the Plan - You don’t have to have it all done up front, but you have to plan to get it all done. Customers will be OK with timelines to get compliant or resolve security issues. Customers will NOT be OK with no plans.
What You Can Do Right Now
While not meant to be an exhaustive or exact list on what may work for your company, here is a sample guide on what you can do now with associated timelines:
Use What You Have (0-3 months):
- Use environment-native security controls where possible
- Use environment-native compliance reporting (i.e., AWS Trusted Advisory, etc.)
- Use available 3rd party tools/integrations for security
- Start talking to employees about how to avoid phishing scams and Business Email Compromise (BEC)
Know Yourself and Know Your Vendors (0-3 months):
- Understand the “Shared Responsibility Model”of securing your cloud resources
- Be able to explain how you collect, store, process, and use a customer’s data
- Hold your 3rd party vendors to a high level of security rigor with your data
- Make sure all employees, contractors, etc. understand what information they can and cannot share
Understand Compliance in Your Industry (3-6 months):
- Know the regulations and certifications that your industry or customers require
- Make someone at your company responsible for cybersecurity, data privacy, and regulatory compliance (doesn’t have to be their only job, but this will ramp up quickly)
Get Outside Support (6-9 months):
- Find out how other startups or companies in your market space are addressing security concerns
- Seek out a part-time or fractional trusted advisor to help navigate cybersecurity, data privacy, and regulatory compliance
Nail the Basics (9-12 months):
- Build your business with security and data privacy principles upfront
- Create Information Security policies and standards
- Use multi-factor/two-factor authentication wherever possible
- Do not share passwords and get password vault manager to manage your company’s many accounts (I like 1Password)
- Use the model of least privilege (e.g., the CEO should not be “admin” on everything)
Work Smarter, Not Harder (9-12 months):
- Make managing users of your services easy to use, self-service, and auditable
- Make someone’s full-time responsibility looking after security or hire a new person to take on this role
Test Yourself (12+ months):
- Do static/dynamic code analysis on your web and mobile applications
- Audit yourself early and often (your institutional customers will)
- Perform tabletop exercise to respond to threats or loss of your services due to a cybersecurity event
Every scenario will be different, and the risk of your particular company should be driving your roadmap here. Adjust as needed.
We hope this detailed write-up has been useful for you! Every startup has dreams of being a “big” or “real” company one day. The goal here is to learn how to bake security in from the beginning so the company’s security response can adapt to the changing risk posture and goals as the company grows. If you can do this successfully before reaching too much velocity, you can combat security debt and use security to accelerate your growth.