These plans will be broken out into generalized phases in your start-up journey from founding to exit. Obviously, not every company takes the same path, so specific catalysts will be mentioned and grouped in a way that may seem contradictory.
1 FormationOne to three foundersNo additional full-time staffAngel or friends and family or bootstrap funding
2 ValidationFounders + Key Strategic HiresMVP existsLighthouse/marquee customersSeed round funding
3 GrowthFounders + Key Strategic Hires + Engineering TeamsSeveral customersA series and beyond
We'll use these generalized stages in the life cycle of a start-up to delineate specific milestones and actions that you should consider taking. So as your start-up and product mature, so does your cybersecurity (Figure I.1).
FIGURE I.1 Startup Development Phases – From Idea to Business and Talent to Organization
Source: Startup Key Stages by Startup Commons is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CHAPTER ONE Minimum Security Investment for Maximum Risk Reduction
An ounce of prevention is worth a pound of cure.
– Benjamin Franklin
NO ONE PLANS ON THEIR START-UP not making it past a year of business, so you should also plan for your investment and planning in cybersecurity to scale into the future. While selecting the bare minimum may seem and feel counterintuitive and is certainly against the opinion of many cybersecurity professionals, it will ensure the continuation of the business.
Just as the heart is the first organ to receive oxygenated blood from the lungs, the continued operation of your start-up should be the number one priority. Security must enable the business to operate and find a balance as a requirement for the business. Cybersecurity is now a priority business function and no longer solely an IT issue.
When discussing cybersecurity many thoughts come to mind, all culminating with three important categories: people, processes, and technology. As a start-up, you won't always have the option of deploying all three. And even many mature organizations do not. This is why when we discuss cybersecurity we must also discuss risk and managing risk. The goal of your cybersecurity strategy should be to reduce, mitigate, and accept risk. No two organizations are the same, even within the same industry vertical. The risk of not being Payment Card Industry Data Security Standard (PCI DSS) certified could mean the loss of revenue for one organization and absolutely nothing to another.
Cybersecurity must be included in your enterprise risk management along with things like compliance, financial reporting, business continuity, etc. It should be all-encompassing and avoid siloing each off into its own risk management vertical. Cybersecurity is a huge part of all of these pieces. All of the following compliance and regulatory requirements require a varying level of cybersecurity practice and maturity (and we'll review these in more detail in Chapter 10):
Payment Card Industry (PCI)
Sarbanes–Oxley Act (SOX)
North American Electric Reliability Corporation (NERC)
Health Insurance Portability and Accountability Act (HIPAA)
HITRUST
The credibility of your business is important to protect. This is why you seek professional advice from lawyers and accountants. A start-up with three founders and without capital cannot afford to hire a full-time world-class lawyer (also referred to as general counsel) or accountant, let alone a chief finance officer (CFO). There are, however, many services that offer those capabilities that can meet a start-up's needs at every phase of the scaling life cycle. You shouldn't feel concerned by the fact that you can't afford a full-time chief information security officer (CISO) or world-class cybersecurity team; alternatives exist that are appropriate for your start-up life cycle stage.
Regardless of the type of business you are starting or industry you plan to sell into, cybersecurity can scale with your idea. From a next-generation weapons system for the military or taking credit card transactions with some new smart device, security can be adequately included. Protecting your intellectual property (IP) and business doesn't require you to have decades of cybersecurity experience; it only requires a willingness and drive to learn. Not everything I discuss will be easy or “point and click,” but I will show you the steps along the way to scale your security, along with your business, from seed funding to initial public offering (IPO) or whatever your exit strategy might be.
There is a common phrase when describing old-school cybersecurity approaches where it is like an M&M – crunchy outside and soft inside. When cybersecurity is applied with a hardened perimeter, the thing you want to protect most may actually be more vulnerable from the false sense of security that is created.
When approaching cybersecurity for your new start-up you should focus on the following:
The data or capabilities you want to protect
The systems with that data or capabilities you want to protect
The people with access to those systems you want to protect
COMMUNICATING YOUR CYBERSECURITY
Communication is a critical part of our lives. It is also critical to the success of your business. Communicating with your fellow founders, potential or existing customers, vendors, or investors is vital. In cybersecurity, there is a common philosophy called CIA: confidentiality, integrity, and availability. To better understand this, we can apply this methodology and framework to email. In the case of the sender and intended recipients of that email, only those individuals can access the communications; the information being communicated is unmolested and it is accessible when required respectively. This philosophy is applied across cybersecurity, not just to communicate, but for this discussion we will refer to it as such. It should also be noted that each are not always equal in every situation. There may be times when availability is favored over confidentiality.
You as well as your founders will want to know your start-up is defensible, at a minimum, from the most common threats today. Your customers will want to know their data and, in turn, they are safe with you. Investors will want to know their investment is not put at unnecessary risk. Once you've addressed the topics we will cover in this book, they will all apply equally to these different audiences. Your message may vary but the standards remain the same.
EMAIL SECURITY
Email has become a digital repository for nearly everything in our lives. From communicating with our children's teachers at school, to our doctors, to our accountant when filing our taxes, it is a literal treasure trove. On top of just the sensitive data in one year of sent and received emails, our email accounts are now the key to accessing nearly all of our other accounts in other systems. Think back to the last time you reset a password. You most likely received a password reset link to your “email address on file.”
Email is not secure. This is a bold statement, so let me explain. While you may log in to your email provider that uses HTTPS – S stands for secure – in their web address, when you click to send, that email will be transmitted unencrypted across