Here at ThreatMatrix, we’re always on the lookout for good quality, non-FUD security tips to share with our readers. That’s why we’re happy to point you to a useful startup security checklist that a company named sqreen has created. The company offers a good tactical checklist of activities that, absent a more focused strategy and singular point of ownership, can get your company past some of the preliminary hurdles startups will face.
Startups are hustling to get funding, engineering, and innovative products off the ground, and often they (unintentionally) don’t spend the time needed to responsibly secure their company, and with it the data and trust of their venture capitalists (VCs) and beta customers. Innovation is key in the world of startups, but without the proper security measures in place, you’ll quickly lose all that hard-earned trust from both VCs and customers, not to mention your own employees.
It’s also important to note that sales can be lost without adequate controls. As your company looks to larger customers, the maturity of their vendor risk programs may require external attestation to the controls you have in place. For example, it’s now commonplace for customers to ask for SOC 2 Type II reports or ISO 27001 certifications. Note that a SOC 2 Type II report attests that controls operated over an observation period (typically six to twelve months), so it cannot be produced on short notice to close a deal; if you have not started, you cannot simply buy one. In one fell swoop, all that work you put into your startup could amount to nothing.
So, startup CTOs, take note of this list. Even if you’re not a security expert yet, get these pieces safely into place and you’ve laid the groundwork for the company, your CEO, and the all-important Board of Directors.
The checklist not only documents which pieces of your security infrastructure to get in place, but also at what stage of the company you need to complete them. That seed round, where everyone around you is hyper-focused on pitching and getting funding, is when you, as CTO, need to be just as focused on security. You need to take these steps now so that security becomes part of the culture of the company; this way, they are not friction points introduced later but merely “the way it has always been”. If you’re past the seed round and you haven’t taken these security steps yet, start now; it’s never too late.
Here are some additional steps Cylance would suggest adding to this list:
- Recruit the right security expert to be part of your Board of Directors, someone who can serve as a mentor during the growth of the company. Gaining perspective and having accountability at the Board level will demonstrate maturity and build trust with investors, customers, and partners. They will be an invaluable resource if they have gone through similar stages themselves. They will also know what achieving and sustaining compliance certifications involves. They will have past experiences (good and bad) with security vendors that can help you fast-track purchase decisions. They will know candidates for security roles you may eventually wish to fill.
- Establish a good contractor policy. As a startup, you will most likely consider outsourcing aspects of normal business functions or security to a third party, and you will bring on temporary resources for burst capacity. Consider the risks associated with their presence honestly and take the steps necessary to protect the company from accidental and intentional harm: confidentiality agreements, access scoped to the engagement and time-limited, and an offboarding step that revokes that access (accounts, keys, repository and cloud permissions) the day the engagement ends.
- Related to contractors is building a baseline vendor risk management plan. Vendor risk has been a popular topic over the last few years. Keeping an inventory of your vendors, the access they have, and their importance to successful delivery of your service or product will be crucial to demonstrating maturity. You will eventually find customer contracts obligating you to demonstrate that this risk is managed; unearthing vendors after the fact will take significantly more effort than if you incorporate vendor review into your procurement process up front.
- Most certifications, like SOC 2 Type II, ISO 27001, and FedRAMP, can take a year or longer to achieve (strictly, SOC 2 is an attestation report and FedRAMP an authorization rather than a certification, but the effort is comparable). If you are considering customers who require these, start early to prepare the company for the operational and procedural changes that attaining them will require. These are a marathon, not a sprint: they require ongoing audit, renewal, and improvement every year. You can use tools like the Secure Controls Framework (https://www.securecontrolsframework.com/) to build a baseline of controls for your environment based upon the specific certifications you are targeting.
Check out the full security checklist by sqreen here: https://www.sqreen.io/checklists/saas-cto-security-checklist
NOTE: This blog represents the opinions of the ThreatMatrix Editorial staff only, and does not represent an official Cylance endorsement of any companies, services or persons mentioned herein.