October 26, 2016
My name is Oren Yunger, and I'm super excited and honored to be here today to kick off DevGuild Enterprise Security. Before I begin, please allow me to introduce myself. I spent 14 years in IT and security working at small and large organizations, as well as the Israeli military. My last pure security position was as chief security officer at a SaaS startup. Today, I work at GGV Capital, a global multi-stage venture capital firm that has helped more than 42 companies reach a $1 billion valuation. At GGV I drive security, IT infrastructure and developer tool investments. I have been working in this space for a while, and I've witnessed how security investing can help companies mitigate risk, but more importantly I've witnessed how security can drive revenue and accelerate growth.
Having been on both sides of the coin, both as a practitioner and as an investor, my observation is that startups believe security is important, yet they don't invest in it properly. The reasons that startups decide to pass on security make a lot of sense. For example, and maybe some of you have said it before or heard others say it, some teams believe they are too small to invest in security and it's just not a priority right now, and they will figure out security as they go. Or, more precisely, when they grow. Others fail to take action because they feel they're immune to security threats. Maybe they feel they're secure by default because their engineers worked at security companies before and know security, or because they're developing on AWS, which does security pretty well.
But in fact, startups should invest in security. In a reality where nearly 50% of cyber attacks target small businesses, startups should view security as the top business risk. But more importantly, they should treat it as a top business opportunity. How come? Because by investing in security, startups can see several positive outcomes. The first is driving sales: by establishing themselves as a trusted vendor, they can create much faster sales cycles and get their technology adopted by much larger organizations. Second, they can stay compliant with laws and regulations, and more importantly they can avoid being featured in the news media for the wrong reasons. Lastly, any startup wants to build for scale and wants to do it the right way, and by investing in security and integrating it into your products, you can eliminate challenges and technical debt that can be very difficult to mitigate later on.
By now, I hope that you agree that security is important. Let's talk business and discuss how you can integrate security into your businesses. Building security maturity is relatively difficult, but here are a few steps that will help you in your journey.
First, you need to understand what will happen if things go wrong. You should do that from your customers' perspective: in the same way your customers perform risk analysis when working with new vendors, you should understand the risks your customers see in working with you. For instance, if you're integrating into your customer's product, you're in their critical path. That means that if you go down, they go down. Another example is that if your customer is required to download and install your software, they can be compromised by a forced installation of malware coming from your breached environment.
The second step would be to understand how things could go wrong. By that I mean you need to understand your infrastructure and your environment, and focus on the critical areas. For instance, your administrative access to your customers' environment. In addition, I suggest you take care of the basics. In today's reality it doesn't really matter what line of business you're in; there's no good reason to store secrets in code, to give administrative access to every account, or not to deploy multi-factor authentication everywhere possible.
In this context, it's important to mention that 95% of the breaches happened because of human error. That means that 95% of breaches can easily be prevented.
Lastly, in building your security maturity, you should minimize the business risk to enable your growth. Now that you understand what the business requirements coming from your customers are and what risks can materialize if you don't take care of security, you should think about innovative ways to minimize that gap and to allow your customers to onboard to your platform quickly. One example: if you need to process personally identifiable information, you need to make sure that it is absolutely mandatory for your business operations. After you've done that, you need to make sure you've defined how long you need that information and delete it right after. The story I can share with you is about a developer-focused startup that decided they needed to store their customers' code base in their environment. This startup invested heavily in security, and their customers were still not super happy with that architecture. The startup figured out a way to collect only the metadata of the code while leaving the actual code base in their customers' environment, and that allowed for much smoother sales cycles and unlocked opportunities that were just unavailable before. Throughout this process of building security maturity, I suggest you leverage different resources as you grow.
One of those resources that I would like to highlight is Security4Startups, or S4S in short. It's a project I'm honored to take part in, working with 10 leading security professionals here in the Bay Area. Some are here today in the crowd. We spent countless hours working on this initiative because we are so passionate about removing the friction that startups face when trying to integrate security. S4S is a technical and detailed document, or project if you will, geared toward early-stage founders and technical leaders, that gives them tools that are economical to implement but also easy to maintain. It will also give you insight into how security professionals view the different risks of working with vendors when you're trying to win them over and integrate into their platforms. It is free, and it is also an open source tool. We'd love to get your feedback to help others integrate security. Please make sure you check it out today at Security4Startups.com.
As I wrap up this presentation, I want to leave you with three key takeaways. First, you should invest in security early. You should not let perfect be the enemy of good, and you should not wait to hire a chief security officer to prioritize security in your business. In that context, it's important that you build security in stages as your business grows; you don't have to stop everything to build a fortress.
Second, you should prioritize. What's important? As I mentioned earlier, there are some areas in your business that are more critical than others; make sure that those are heavily secured. You should also be ready to make tradeoffs.
It might be much easier to develop your business as pure SaaS, but some enterprises would be easier to win over using an on-prem model, at least in the beginning. Lastly, you should integrate business planning with security thinking. The only constant is change, especially in startups. But those changes, for example deciding to take on sensitive information, could open up new vulnerabilities both for you and for your customers. Therefore, you should look at any business opportunity and decision through a security lens to make sure your customers' interests are protected. All right, that's all I have for you today. I humbly hope that this mini-session provided you with some food for thought as you double-click on everything security here today. Thank you so much for your time and attention, and thank you Heavybit for making this happen. Please enjoy DevGuild Enterprise Security.