Implementing an initial security program can be daunting for anyone, but especially for startups, which often face a lack of in-house security expertise and a tight budget. In addition to grappling with what seems like a million different moving parts, there’s also the question of scale. Startups don’t know how big or how quickly they will grow, and therefore are doubly challenged to find a solution that is elastic and scalable.
Getting started is often the hardest part. For many companies, it’s a matter of anticipating what you don’t already know. But of course, security isn’t just a nice-to-have; it’s an imperative for any company operating today. Businesses that bake security in from the outset will be better equipped than competitors when security requirements from customers hit. Setting up a security program takes work, but it doesn’t have to be overwhelming if you follow some basic best practices as you begin the process.
What Data Will You Gather?
From the get-go, it’s important to analyze and evaluate what kind of data your company will be collecting. Sit down with the stakeholders – be it the founding team or others – and think beyond just what kind of data you are collecting. Think about why that data is being collected and where it will be stored within your product or service.
Right-Sized Security Controls
Many startups have been founded or led by veterans of other companies – people with experience in leading teams, often at much larger organizations. There are many positive aspects to this; they bring all that experience to the table and may even have some experience in the implementation of key security programs.
But again, it comes down to scale – what works for larger organizations isn’t necessarily appropriate for the startup. Leaders who try to implement everything all at once risk the security strategy getting crushed under its own weight, or never getting off the ground at all due to analysis paralysis. So it’s important to avoid this and instead think through what your startup actually needs based on its size, its data and its staffing.
Make a Plan and Don’t Forget the Basics
It can be easy to get mired in complexities and try to cut corners, but having a plan is better than having no plan. Create an infosec plan and update it every year. There are two important things you can do in this plan that will make scaling easier.
One is to include an internal security policy defining who’s responsible for security and who people should go to for all things related to security. This makes the plan simple and actionable for everyone. The other is to create a company scaling event checklist. This tracks specific events that must trigger an update to the security program, such as when the sales team rapidly doubles in size or when the company onboards at least two people a month across several departments.
Another important point – don’t forget the basics. In all of the noise involved with creating a plan and getting a program off the ground, it’s surprisingly easy to inadvertently overlook some of the security basics. Regardless of your company’s size, there are some fundamental security truths and requirements, like using encryption, creating secure passwords for your servers and backing up your backups.
The importance of backups has to be reiterated. If you don’t have something in place, consider tools like S3, Blob Storage or Cloud Storage from providers such as Amazon Web Services, Microsoft Azure or Google Cloud Platform. Along with this, diversity and redundancy should already be core parts of your overall disaster recovery and business continuity plans, but you should double-check that your servers are in different data centers and that there are no single points of failure.
Metrics and monitoring allow you to quickly drill down to the root cause of anomalies without having to dig into logs. Here’s a friendly reminder that the four golden signals of traffic, latency, saturation and errors are good foundations for understanding the health of your system and your customers’ experiences.
When needed, turning to your logs can be helpful. At the very least, you should have a log aggregator in order to cross-reference logs from various systems and apps. They’ll come in handy as the real “black box” source of truth.
Your Security Journey
The process of building an infosec program can seem like a dark art, made confusing by the myriad of different security frameworks, differing customer demands and the lack of infosec talent to help you navigate it all. But the security journey of a thousand miles begins with a single step. Think about scalability and make sure the basics are covered. And whether you’re a one-person army in a startup or have a full team to work with, you can benefit from automating your security efforts. Consider including automation as a component of your strategy as you observe the best practices noted above.