Proof Your Security Systems: A Guide for Startups
With hacking and data breaches dominating today’s headlines, the thought of security automatically sends fear through executives of the world’s largest corporations, who worry they may be the next target of a cyberattack.
The pandemic has forced organizations to make rapid changes to day-to-day operations and business structures, exposing the vulnerabilities and possibilities of systems that had been in place pre-pandemic. These gaps have given cybercriminals opportunities to exploit flaws, but they’ve also given organizations a chance to rethink the way they’re working.
In this piece, Ward Osborne, Information Security Officer and Founder of Osborne Global Security, discusses the importance of security and how companies, especially startups, can get their house in order and protect their critical assets.
In the last year, millions of working people were given the gift of change. Some used that pressure to secure another job, but others still took a leap of faith, bet on themselves, and decided to succeed based on their own skills and merits. The world is chaotic by nature, but chaos breeds opportunity.
Many of these newly minted entrepreneurs started small by selling their products and services to immediate family, close friends, and neighbors. After this initial period, some watched their small business pick up steam – maybe they could even cut a paycheck for themselves now instead of just covering costs.
Delighted with their first taste of success, these pandemic entrepreneurs are now at a stage where they are eyeing the next stage in the journey and are trying to figure out how to do business with enterprise-level organizations.
This new wave of entrepreneurs needs someone available who will make sure they are doing the right things. If they are running a startup that sells digital products or services, they need those products built the right way, so they don’t have to absorb 10x in reengineering costs when they inevitably have to start over and rebuild the product in a way that’s compliant with international cybersecurity and customer data privacy protection standards. If their startup handles direct-to-consumer (D2C) customer data, they need to build trust. Period.
In both cases, startups need to inculcate a security mindset, foster a workplace built on privacy best practices, and have a suite of bulletproof compliance frameworks integrated at a bedrock level across the organization.
The Importance of Security: Get Your House In Order
Here’s a hypothetical: would you fly on a commercial plane if you knew the engines had been maintained by someone with no background in how a jet engine works? Someone who got the job by claiming they are “good with planes” and then demonstrated the difference between a socket wrench and a soldering iron to a hiring manager with no mechanical background?
The answer to this question is always going to be NO. There’s not a person on the planet who would board that flight if they knew who was in charge of the safety and security of their flight.
Unfortunately, there’s a far-too-common real-world parallel to that analogy, and it can be summarized in one sentence: SECURITY is far too important to be left to amateurs.
This doesn’t mean that startups need to worry about knocking it out of the park on the first try. Hiring an in-house security team is extremely expensive. This is all about getting the basics covered in order to establish TRUST, so that startups can sell to mature organizations and generate the revenue needed to spark a Series A round.
For startups, hiring a full-time Chief Information Security Officer (CISO) might not be feasible at first, since the average low-end salary for C-suite security professionals will be at least $300k plus stock. Engaging instead with a subject matter expert, such as a virtual CISO who can provide ongoing expertise and support, should be a priority. If Rapid Time To Value is a metric that matters to you or your investors, hiring someone who has some pedigree and experience but doesn’t know your world is an almost sure failure. Osborne Global Security has taken many companies from idea, through startup, through A, through B, through IPO, and much farther when appropriate. We let you do you – we’ve got the rest.
The pandemic is still here with us. Since the remote-work option is very appealing to many high-value individuals as well as many companies, startups should focus on people. Not technology. That means providing PEOPLE with the tools to succeed, including endpoint protection and management, when building out a security profile. In practice, this means ensuring all endpoints have anti-malware software like Sophos installed. On the other side of that coin, configuration management is critical as well. Players like JAMF and Kandji offer inexpensive protection and control of assets, giving startups affordable ways to remotely configure and manage the devices their employees use to access secure company data.
Founders also need to make sure their employees are aware of physical and environmental security if they’re going to be working remotely from public places like coffee shops. This means not discussing confidential matters in public and being cautious about physical security.
Another best practice is to use a password vault for access to cloud-based workflow resources and tools. For example, if you’ve got a startup and you need to share access to resources such as ClickUp, Quicken, or a CRM tool, LastPass (or another password vault) allows you to delegate those responsibilities while controlling access and managing licensing costs.
A password vault also allows startup founders to give or revoke access immediately at the endpoint level with a simple click of the mouse.
For more information on basic security resources needed to start a business, ISACA (Information Security and Controls Association) and CSA (Cloud Security Alliance) have resources from startup level all the way through to enterprise.
Securing Your Most Important Asset: Get Data Compliant
Nobody can build something from scratch and execute the idea perfectly on the first try. Founders know the main way to build something is to simply start doing the work and expect to learn from failures along the way. In order to minimize the risk of failing in avoidable ways, startups need to make sure that their work is heading in the right direction by integrating security and development best practices on a foundational level.
From a user perspective, make sure that your employees understand that the requirement for privacy is growing every day. Provide training so that they learn how to handle sensitive and regulated data appropriately, and as you build your product or platform, make sure you engineer privacy into it. Don’t put anything that could be seen as personal data or regulated data onto your platform or service unless it’s absolutely required. No company is immune to the threat of a data breach caused by employee error, so build a culture that puts these practices at the forefront of everyday work.
Most importantly, engage a resource who can provide expert-level guidance on the ever-changing landscape of privacy regulation, so you don’t run into problems right off the bat at product launch. Look externally for someone to fill the role of a Data Privacy Officer (DPO) to address requirements such as the GDPR and CCPA privacy laws.
Finally, the IAPP (International Association of Privacy Professionals) provides a resource for business owners who want the latest updates to privacy compliance issues.
Keep A Firm Hand On The Wheel: Learn To Navigate A Shifting Landscape of Compliance
In order to get the attention of the Venture Capital (VC) community, you need to be seen as a legitimate player. Back in the ’90s, VCs were throwing $100m at no more than promising ideas, but that’s not the case anymore. You have to be better – you have to deliver. Aside from creating an outstanding product, this means you need to show up to the table with at least one universally accepted compliance framework in place so that the VC you’re pitching to knows you’re serious about minimizing liability and safeguarding against risk.
Once you’ve finished selling to friends and family and want to sell to enterprise-level organizations, you have to be able to demonstrate compliance before those companies will engage with you or purchase your services. To do business with companies that are well-versed in security risks, or that have specific security requirements, compliance is a must. For startups, attestation to SOC 1 and/or SOC 2 provides the trust and credibility required by customers that have a mature compliance program.
Find a partner who can guide you through the process using one of the many tools available; a SOC 2 doesn’t have to break the bank and can be done much more quickly than in the past. Third-party vendor management is a growing and important focus for all companies that want to have, or have to have, compliance programs. In this world you can only go so far without someone vouching for you, and that’s what these attestations and certifications do.
A Way Forward
If you want to build trust, your business needs to embrace a culture where a focus on security, privacy, compliance, and transparency is at the forefront of everything. The combination of these four factors is a surefire way to increase trust and accelerate the velocity of sales. It’s not enough to know how to handle data and security matters from a compliance standpoint; startup founders also need to be open and transparent about their efforts to ensure that customer data is protected and comprehensive security controls are in place.
Founders need to be honest with potential investors about who is guiding them along their journey, and they need to be able to prove that their commitment to doing things the right way runs deep within their organization. If they can do those things, and show a solid commitment to starting out on the right track, they’ll be able to prove that they’re serious enough to do business with enterprise organizations and generate the revenue needed for a Series A round of funding.
About the author: Ward Osborne, Information Security Officer and Founder of Osborne Global Security. Ward has over 25 years of experience creating security strategies and is very interested in sharing this guide with startups to help them adopt security best practices and navigate the shifting landscape of compliance.