At DevGuild: Enterprise Security, we learned that security has become more and more of a revenue driver for startups. As a result, investors are taking an interest in how the companies they invest in are doing to ensure that their products, user data and teams stay secure.
We chatted with GGV Capital investor and and former CISO Oren Yunger to learn what investors look for when they evaluate the security practices of organizations, and what early-stage teams can do to communicate their security initiatives more effectively.
Have you seen a shift in how investors are thinking about the value of good security practices?
Investors are often assessing solutions from the target customer’s standpoint. As a result, and particularly when evaluating mid-market and enterprise technologies, investors are expecting to see a certain level of security posture that will meet the standards posed in the buying process.
Another shift I’m seeing is the increasing prominence of the CISO and how pivotal they now are to any company. They have more business and technological influence than ever before. One of the outcomes of this organizational shift is the amplified CISO presence in Boards of Directors’ discussions. Investors, who often sit on those boards, are taking note.
They’re also in a process of deepening their domain understanding as well as asking questions that are increasingly sophisticated. Many startups are aware of this increased attention to security. Combined with hearing about what’s in the news and top of mind for businesses in terms of security, this results in many young companies adding security phrases to pitches that are not related to security products.
For example, a company would say, “We collect data and provide insights to Chief Marketing Officers securely,” but it won’t always be able to provide a good explanation as to what “securely” means and what protocols are followed. So, we’re seeing increased awareness of security from both investors and founders, but there is still foundational work to be done to make sure everybody is on the same page when talking security. We’re in a maturation stage that shows that security is of great importance across the board and the right mentality is there to treat it seriously and do it right.
What’s the biggest incorrect assumption that teams come to investors with regarding security?
In order to address security and show the company’s investment in the area, we see many young companies complete SOC2 audit and even ISO27001 certification. By working hard towards the goal of achieving compliance and approval from an unbiased third party, many companies believe that they are secure. In my view, this is one of the biggest misconceptions since compliance doesn’t really equal security. While it is important to establish security programs, laws and regulations will never be able to fully address the technical complexities of a technology business.
For example, a company might claim to adhere to some secure development lifecycle policy, but if sensitive data is transmitted over session IDs or there is a vulnerable application dependency running, then the whole system could be compromised even though the company had passed the audit successfully. Therefore, I would encourage any team to think about security as a category that includes a subset of compliance.
When it comes to security, what’s one thing you wish every company you spoke with was doing?
I wish small companies and startups better understood the risks that they are facing and took action to design a mitigation plan to the business roadmap should a bad scenario take place. Rome wasn’t built in a day, and security maturity should not and cannot be built in a day either. Often times, a decision of “all or nothing” – as in not being able to staff or resource for security and therefore abandoning it altogether – could be destructive to the business as it is remaining in a most vulnerable place.
This is the main reason I teamed with a group of skilled CISOs on Security4Startups.com, a free initiative that provides guidance for startups to understand security concerns from different business operations. We also outlined technical yet feasible security measures that early-stage companies can take in order to embrace security efficiently.
Founders routinely share revenue numbers and new users stats with VCs. How can they share security work and progress and goals to their investors?
Security should be treated as a board-level and investor-level topic. Just as founders are sharing their product roadmap and organizational changes with their investors, they should keep the security work and progress top of mind.
As a best practice, I suggest that the startup’s security program be presented at least once a year for boards and/or investors to review. In this alignment, the parties can ensure that the strategies support the direction of the company and the desired risk posture. It will also allow the investors to understand what actions would be taken in the case of an incident.
Is there anything you’re seeing recently that excites you most for the future of startup security?
There has been a rise in the attention that management teams allocate to security. It’s exciting to see that the industry is going places and that it’s not only CISOs who are keeping security top of mind. Equally important is that security leaders today understand that while the ultimate goal is not to be breached, security can play an important role in growing top-line revenue.
This is a great transition for everyone involved: For executive teams as security is supporting the business, for security professionals as they now are in the rooms where things happen, and for security-related startups who can sell more efficiently into businesses.
Learn more about Startup Security Best Practices
For more from Oren, watch his DevGuild: Enterprise Security talk on Startup Security Basics. Learn more about Enterprise Security trends, best practices and tooling by checking out more of our security talks and articles in the Heavybit Library.