Many startups find it difficult to strike the right balance between achieving their business goals (quick, agile development, going to market ASAP, and so on) and security. This is especially true when founders and key managers feel as though security is a barrier: something that imposes rules and requires investment for little visible benefit.
However, in today’s security-conscious marketplace, even the earliest-stage startups are required to demonstrate their commitment to security. Stav Pischits, Founder and CEO of cybersecurity consultancy Cynance, shares his views on security for startups.
What is the biggest mistake that startups make with their cyber security?
Leaving it too late, and not integrating secure practices in their organization from the start.
Quite often, startups have several reasons to put security on the back burner, each of which feels valid to them at that specific point in time, but may not be quite as valid in the longer term.
For example, many startups (and SMEs in general) believe that they are too small to be noticed by attackers, and therefore they don’t need to follow security best practices. However, recent experience has shown that a small company with a big client represents a great target for cyber attackers. In addition, many attacks are carried out by offensive bots that don’t distinguish between large and small organizations, hitting any organization on their radar.
Furthermore, not all security requirements make sense when the startup is a handful of people scattered around the world working on laptops, but things can quickly get out of hand, and before they know it there are thirty people in the company who all have administrative access rights to every system in use, whether they need it or not.
As mentioned above, in today’s supplier security assurance landscape, startups are required not only to have solid security controls in place, but also to be able to demonstrate them to potential customers, sometimes even prior to running their first proof of concept in the client’s environment. Startups should therefore aim to incorporate security controls by design and by default in their organizations.
And finally, it’s much easier to start by implementing the right controls than it is to fix things further down the line. Startups that build security into the organization from the ground up are perfectly placed to make security a core part of their business from the start, growing their security measures as their company grows.
If you have a limited budget, how do you ensure maximum security for your users’ data? What areas should you prioritize?
For security to be effective, it needs to be based on knowledge of the specific mix of threats, risks, and business or client expectations that the startup faces. This is particularly important for startups with limited budgets. After all, they don’t have resources to waste on security measures that just aren’t relevant to their business.
Next up is to tie security to the business roadmap. Not all security measures are relevant if the startup isn’t selling to customers yet. Startups should be prepared to prioritize security activities according to where the company is now, and where it is going over the next year to year and a half.
Identify quick wins that are easy to implement. Start with security that keeps the work environment safe. Implement access controls, apply the principle of least privilege (a common mistake is giving everyone access to everything at the start), and develop in segregated environments.
Make sure you start with the right, reputable, IT and developer tools, and even encourage teams to collectively choose their tools, reducing the chance of them using shadow IT (applications outside of the company’s IT approved products).
Also, prioritize the training of employees in security responsibilities. Instilling a security culture in the organization is relatively inexpensive, and will save money down the line. Furthermore, startup employees are invested in the company, so it’s a good time to get them to buy into keeping it safe and secure.
What does a security team look like inside a startup? What are the most important roles that these team members have?
We do accept that it’s unrealistic for most startups to have a dedicated security person, but having said that, someone does need to take responsibility for security from the earliest days of the company, and customers will be looking for the person who holds that responsibility.
The best advice we can give is to identify the different responsibilities that are classified as ‘security’. For example, product security (making sure that security is applied to all developed applications and products), compliance, procurement, and so on. Integrate these security roles as far as possible into relevant people’s day-to-day jobs. For example, whoever is responsible for paying for a new system is responsible for procurement security. Or, whoever is responsible for ensuring employee compliance with the company’s code of conduct is tasked with security training and education.
Finally, ask for advice from professionals. There’s no need for you to do everything yourself, but it must be done nonetheless, so be creative.
When should a startup hire a CISO?
Again, this depends on the type of startup, their size, and the sector they operate in. If the startup operates in a heavily regulated industry (for example, financial services or the health sector), and routinely handles a lot of sensitive or personal data, then they may consider employing a CISO sooner rather than later. Again, there are creative ways to employ a CISO, such as utilizing an external CISO on an ‘as a service’ basis.
There are also several steps up before hiring a CISO. Security operators, analysts, consultants, and more, are all able to handle day-to-day security operations within the organization.
How is security at a startup handled differently than security at an enterprise?
Security at startups is a very different animal from security at enterprises.
Startups can afford to be a little more inventive, and look at new technologies that are designed to answer their particular security issues. Startups are also usually more flexible and quicker to make real change in their organization.
The difference in budgets also means that startups have to be smarter. They can’t afford to buy the wrong product or one that they will quickly outgrow, but neither can they afford to buy a product that only caters to hundreds or thousands of licensees. They need solutions that can start small and scale up.
Should startups purchase cyber insurance?
Yes. Why not? Insurance of any type is always a good thing.
But they also need to be aware that simply having insurance does not mean they will automatically be secure. Furthermore, many cyber insurance packages no longer cover ransomware payments.
In addition, some insurers will also ask for evidence that the startup has extensive security measures in place, meaning that insurance is not a shortcut to security compliance.
Tell us a bit about Cynance – How did it get started, and what services do you provide to clients?
We are a London-based cyber security consulting firm. Our mission is to assist our clients to secure their business operations and products, in an agile and business oriented manner. We basically believe that security should be as transparent as possible and enable business rather than disrupt it.
Our services include application security advisory services (including, but not limited to, penetration testing), cloud security and network infrastructure security consulting, and security compliance services, including CISO as a Service and security compliance advisory services such as ISO 27001 and SOC 2 preparation.