Starting from Zero: Building a Cybersecurity Program in a Startup.

Ok, you have decided to put all your efforts into a new company that you have dreamed about for a while. You have your plan, an idea of what product you will be selling, and potential investors lined up. You have your developers scheduled and have started creating your first product. Of course, you are on a fast track to deploying something to show investors progress, so you have had your developers throw together their first prototype. You are now ready to demo your new product to your investors. During the demo you start entering information that some might consider sensitive: mailing address, credit card information, first and last name, and other personal preferences. One of your potential investors asks, “How are you protecting all this information, and what happens if we get attacked by hackers?”

In the rush to deploy something you have forgotten that the answer to these questions is vital to a sustainable business. The information needs to be protected. Having someone with an information security background on hand to answer these questions could be the difference between getting the investment and watching the investors walk away.

Although you are starting the company on a shoestring budget, it is vital that you have the appropriate talent on staff to ensure you are delivering what you want to deliver, and doing it in an effective and secure manner. Much like having legal counsel, having a Chief Information Security Officer (CISO) on staff can help guide the decisions that determine the success or failure of your business. But much like lawyers, the good ones tend to be very expensive.

The rise of the fractional CISO or Virtual CISO (vCISO) model is truly custom-made to fill this vital need. Instead of paying for a full-time CISO, a few hours a month of guidance for the company’s security program from the beginning can save many headaches in the future. By having someone on your staff to help guide technology decisions and give important feedback on product and business risks, you get the opportunity to fix small issues before they become large, unmanageable problems.

The CISO’s role is to ensure that risks are known, understood, and mitigated to the level that is appropriate for the chosen business. They will ask questions such as, “Are there any regulatory factors in the industry?” or “What type of data are we storing that needs protection (AKA the “crown jewels”)?” These and many other questions will help the CISO determine the business risk from any technology-related systems.

The answers the CISO obtains from the many questions they will be asking will help to build a road map for deploying appropriate security controls in a growing environment. Not all security programs are the same; they are determined by the size, scope, and risk of an environment. By being engaged early on, the CISO can determine the correct balance between the flexibility of a growing environment and the security required to maintain assurance that it is protected. It is far easier to build these protections in as you build new environments or applications than to go back and retrofit security gaps in production environments.

The CISO will also pick a security framework that aligns with your company. The security framework ensures that the appropriate controls are in place to protect the company from potential security incidents. But almost as important as the security framework is a plan to deploy that framework as the company grows. Aligning the security plan to the overall company business plan ensures the security program is sized appropriately and will continue to manage risk as the company grows and changes.

Starting a new company can be very challenging but also rewarding. Ensuring you have the appropriate technology for security protections in place can help detect and reduce potential security threats and help the company focus on succeeding in the marketplace.

Sean K. Lowder