Cybersecurity for Startups

By their very nature, startups are usually singularly focused on fast growth. At the earlier stages, security may not come up at all, or may seem simply extraneous.

But taking security into account early will help you protect your brand, win the confidence of investors and convince clients of all sizes – especially in the enterprise space – that their data is secure with you.

Security Essentials for Startups

A Strong Foundation Pays Dividends

A company’s cybersecurity posture is not determined by the budget it allocates to the newest or most expensive technologies. Looking at your startup’s security from a strategic perspective will ensure you invest the resources you have in the most effective way. The good news is that some forethought, even with a modest budget, can go a long way toward strengthening your security preparedness and overall company resilience.

Expertise On-Call

Hiring a full-time security person is usually not an option, nor is it necessary. The important first step is developing a relationship with a seasoned security expert who can get to know your company and its unique requirements. Such a dedicated Virtual CISO must understand your threat landscape in order to advise on both strategic and tactical security matters, as well as manage longer-term projects.

Security Program Development

An organization has different security needs at different stages of growth. The important thing is to get started early. Also important: ensuring that your security posture improves in line with overall organizational maturity. This is accomplished through the development of a structured and documented security program, ideally one that aligns with major international standards such as ISO 27001.

Security Awareness as Culture

Within the security industry it is well known that the weakest link in a company’s security is usually its employees. Phishing emails provide the initial compromise vector for the vast majority of attacks. Therefore a pillar of any security program must be training employees to recognize phishing and other social engineering tactics, through interactive learning and simulated phishing email campaigns.

Security By Design

A startup’s proprietary web and mobile applications are often its most valuable non-human assets. The best way to secure your applications is to build them with security in mind. Practicing security by design means security goes from an afterthought to an initial requirement during application planning and development. BrothersKeep can help throughout the design, development and deployment lifecycle.

Initial Engagement

Review of the agreement and application specifications given to the development team. Important things to keep in mind during this phase are to include general security requirements regarding publicly known vulnerabilities, clauses related to the enforcement of industry best practices, and provisions for the ongoing mitigation of security issues.

Design + Architecture

Security review of the design specification and architecture produced by the development team. The specification often details not only the overall vision for the application architecture, but also which components will be used, as well as the technical solutions to specific design problems. Apart from performing a threat modelling exercise to identify security-critical aspects of the architecture, this is a good point in time to highlight weaknesses in the technical solutions chosen for components such as document upload and password management.

Mitigation

Scoping and mitigation of findings from security testing. When performing a security test to verify a satisfactory delivery, proper scoping is essential, as is the cost-effective mitigation of any findings. Clauses regarding issue mitigation from the original agreement can become important at this stage.

Certification
Show investors and clients you take security seriously.

Get the most out of your security investment: demonstrating compliance with an internationally accepted standard such as ISO 27001 can accelerate your sales by convincing clients that their data is safe with you, and assure investors that their money is in responsible hands. It will also save you time when answering the security section of RFPs.

Some security standards come in the form of government or industry regulations with which certain organizations must comply, such as PCI-DSS for companies that accept credit card payments, HIPAA for organizations that process Protected Health Information (PHI), and CMMC for DoD contractors. Other standards, such as ISO 27001, are proactively adopted by companies who want to improve and systematize their security governance and processes, and to be able to demonstrate this security maturity to clients, business partners and investors.

The ISO 27001:2013 Standard’s stated goal is to specify the “requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.” Since its introduction it has grown to be the de facto gold standard among organizations around the world. Companies that successfully implement the standard are able to demonstrate a mature security posture in RFPs, due diligence and other sensitive bids, transactions and negotiations.

The ISO 27001 standard comprises 14 sets of controls, which together provide a comprehensive security framework addressing all aspects of an organization’s cybersecurity. The control domains are: 1. Information security policies, 2. Organization of information security, 3. Human resource security, 4. Asset management, 5. Access control, 6. Cryptography, 7. Physical and environmental security, 8. Operations security, 9. Communications security, 10. System acquisition, development and maintenance, 11. Supplier relationships, 12. Incident management, 13. Business continuity management, and 14. Compliance.

The Wall Street Journal reports that “cyber insurers, leery of security risks created by remote working and other effects of the coronavirus pandemic, are stepping up scrutiny of policyholders’ security arrangements. These efforts could result in costlier policies, or even coverage denials for companies.” Voluntarily adopting and complying with an internationally respected cybersecurity standard is a great way to demonstrate that security is taken seriously.

Schedule a Consult

Let us help fill the gaps in your corporate security posture.
Or call us to speak to an expert now:

+1 212 643 1850