Founders (technical & non-technical)
CTOs & Developers
Sales & Business Development
Investors (Private Equity, Venture Capital, etc.)
Why This Matters
Cybersecurity, data privacy, and regulatory compliance have become essential business challenges for startups and global organizations alike, and these issues affect starting, running, investing in, or acquiring a business.
Today’s consumer has become more focused on data protection and privacy and has less confidence in a startup’s ability to safeguard digital assets.
Problems to Solve
Consumer Trust - Trust in a digital world is harder to earn and keep, and startups are considered riskier by the average consumer.
Meeting Standards - Enterprise customers expect mature data protection and data privacy practices, and early-stage startups can struggle to meet those standards.
Regulatory Costs - Solving for the evolving regulatory landscape only gets more expensive with time and company scale.
Where This Applies
Does your startup:
Have users logging into your platform?
Use a database?
Leverage cloud-based resources like IaaS (Infrastructure as a Service)?
Have intellectual property (IP) to safeguard?
Process payment transactions?
Collect, store, use, or process Personally Identifiable Information (PII) data?
Collect, store, use, or process any regulated data (e.g., financial or healthcare data)?
Have customers who operate in highly regulated industries (e.g., Critical Infrastructure, Insurance, etc.)?
If yes to any of the above, security, privacy, and compliance need consideration early and often.
A few other reasons you need to consider security, data privacy, and compliance:
Your company brings in new employees (part-time or otherwise)
You want your company to be acquired
You are seeking private equity or venture capital investment (see Why Private Equity Needs Cybersecurity Expertise)
Simply put, you cannot do business without cybersecurity, data privacy, and regulatory compliance in mind today (at least not for very long).
Common Arguments From Founders
❌ “We’re here to sell product X or service Y first, not be secure…”
❌ “We’ll take a look at that when we get bigger…”
❌ “We’ll wait until we have enough customers asking…”
Many startups gauge their level of involvement in and commitment to cybersecurity based on either the cost to the company or certain financial milestones.
Rather than waiting for a specific windfall event or for a set number of customers to ask about your cybersecurity practices, do this:
✅ Consider what industry you are in (or your customers are in)
✅ Consider the risk associated with the data your company has (or hopes to have)
✅ Consider what it would mean if that data were lost or stolen
Why to Start Early
Price You Pay to Play - Some enterprise customers will require specific security and regulatory compliance levels just to do business (e.g., SOC 2, PCI DSS, etc.).
Security Sells - Security and compliance are selling points in the current state of the world, and your customers will expect it. Security, or lack thereof, could make or break your first big B2B customer.
Create Your Moat - Do what others will not. Security, data privacy, and regulatory compliance in your industry can make you stand out and create a competitive barrier to entry into your market.
Limit Security Debt - Cybersecurity, data privacy, and regulatory compliance design decisions made early cost far less than the same decisions made down the road, once your company begins to scale and your customers and their requirements get larger.
Security Guiding Principles for Startups
Create a Security Culture - Adopt strong security and data privacy practices from the beginning and make it a part of everyone’s job. Security is more process than technology.
Do the Right Things - And Do the Things Right. You can’t be good at everything early on, so pick a few things to be very good at and make it an essential piece of how you operate.
Work the Plan - You don’t have to have it all done up front, but you have to plan to get it all done. Customers will be OK with timelines to get compliant or resolve security issues. Customers will NOT be OK with no plans.
What You Can Do Right Now
While not meant to be an exhaustive or exact list of what will work for your company, here is a sample guide to what you can do now, with associated timelines:
Use What You Have (0-3 months):
Use environment-native security controls where possible
Use environment-native compliance reporting (e.g., AWS Trusted Advisor, etc.)
Use available 3rd party tools/integrations for security
Start talking to employees about how to avoid phishing scams and Business Email Compromise (BEC)
Know Yourself and Know Your Vendors (0-3 months):
Understand the “Shared Responsibility Model” of securing your cloud resources
Be able to explain how you collect, store, process, and use a customer’s data
Hold your 3rd party vendors to a high level of security rigor with your data
Make sure all employees, contractors, etc. understand what information they can and cannot share
Understand Compliance in Your Industry (3-6 months):
Know the regulations and certifications that your industry or customers require
Make someone at your company responsible for cybersecurity, data privacy, and regulatory compliance (doesn’t have to be their only job, but this will ramp up quickly)
Get Outside Support (6-9 months):
Find out how other startups or companies in your market space are addressing security concerns
Seek out a part-time or fractional trusted advisor to help navigate cybersecurity, data privacy, and regulatory compliance
Nail the Basics (9-12 months):
Build your business with security and data privacy principles upfront
Create Information Security policies and standards
Use multi-factor/two-factor authentication wherever possible
Do not share passwords; get a password manager/vault to manage your company’s many accounts (I like 1Password)
Use the model of least privilege (e.g., the CEO should not be “admin” on everything)
Work Smarter, Not Harder (9-12 months):
Make managing users of your services easy to use, self-service, and auditable
Make looking after security someone’s full-time responsibility, or hire a new person to take on this role
Test Yourself (12+ months):
Do static/dynamic code analysis on your web and mobile applications
Audit yourself early and often (your institutional customers will)
Perform tabletop exercises on responding to threats or to the loss of your services due to a cybersecurity event
Every scenario will be different, and the risk of your particular company should be driving your roadmap here. Adjust as needed.