Why your CSO, not your CMO, should pitch your security startup

Whenever a security startup lands on my desk, I have one question: Who’s the chief security officer (CSO) and when can I get time with them?

Having a chief security officer is as relevant today as having a chief marketing officer (CMO) or a chief revenue officer. Just as you need to make sure your offering looks good and the money keeps rolling in, you need to be able to show what your security posture looks like.

Even for non-security startups, having someone at the helm of security is just as important. Given the constant threats that every company faces today, that person will also become a necessary part of dealing with the media. Regardless of whether your company builds gadgets or processes massive amounts of customer data, security has to be front of mind. It’s no good simply saying that you “take your privacy and security seriously.” You have to demonstrate it.

A CSO has several roles and will wear many hats. Depending on the kind of company you have, they will work to bolster your company’s internal processes and policies for keeping not only your corporate data safe but also the data of your customers. They will also be consulted on the security practices of your app, product or service to make sure it meets the privacy expectations of your customers — and not the overbearing, all-embracing industry habit of vacuuming up as much data as there is.

But for the average security startup, a CSO should also act as the point person for all technical matters associated with the company’s product or service. A CSO can be an evangelist: the infosec professional who can speak credibly about the company’s offering — to customers, and to reporters, like me.

In my view, no startup of any size — especially a security startup — should be without a CSO.

The reality is that about 95 percent of the world’s wealthiest companies don’t have one. Facebook hasn’t had someone running the security shop since August. It may be a coincidence that the social networking giant has since faced breach after exposure after leak after scandal, but it shows: the company is running around headless, with no sense of where to go.

But startups can’t afford to make the same mistakes as the billion-dollar tech giants that walk away with eye-watering fines, which in reality often take only hours of revenue to recoup.

In the past few months, several startups have made rookie mistakes: simple but painfully glaring security lapses that were found by security researchers. Document management startup OpticsML leaked millions of mortgage documents; streaming site Kanopy exposed the viewing habits of its users; Outdoor Tech’s ski helmet had severe security bugs; medical records firm Meditab left a server exposed with thousands of medical records; and robocalling giant Stratics Network exposed millions of call recordings containing sensitive information.

It doesn’t matter how big or small your startup is, you can bet that someone will find a weakness.

The extra overhead of an additional person dedicated to security may seem like a burden on the already stretched budgets of your startup. Think of them — like any other member of your executive suite — as an investment. Just as you want your sales chief to reap the revenue rewards and your marketing boss to perfect your company’s branding, your CSO will help protect you from flaws, weaknesses, hackers and breaches.

Broken down, your CSO should:

  • Enact good information security: Key to the role is keeping the company’s data — and customers’ information — safe. Is the data encrypted, and who holds the encryption keys? Who can access user data if law enforcement requests it? Are there appropriate access controls in place to prevent insider misuse?
  • Develop safeguards for your product: Whether you’re collecting or processing customer data, or offering a product that connects to the internet, how do you ensure that you collect as little as possible? This also means auditing future product or service releases to ensure they fall in line with how the company wants to conduct itself from a privacy standpoint.
  • Budget and manage risk: Are funds being used properly? Is there enough budget for your staff to pen-test your product and make sure it can withstand attacks? Do you dedicate some of that to a bug bounty that pays security researchers who find vulnerabilities in your product or service?
  • Ensure your product provides security and privacy: Data can be highly identifying — to your company and to hackers. Can information coming into and going out of your company’s product or service be anonymized? Having staff red-team your product can weed out security bugs and privacy infractions, and having hackers within the company dedicated to targeting your own offering makes bug fixes far more efficient.
  • Accountability and perceptions: This is not about having someone on staff to take the fall in the event of a security lapse or a data breach. It’s as much about the public perception that the company takes matters of security seriously. That might include public outreach, setting up a bug bounty and offering safe harbor for security researchers. It’s about inviting hackers in to help you, and paying them for it.

But above all, it’s important to have someone who can talk the talk and walk the walk when it comes to showing off your product or service to the likes of the hungry media.

Pitching your security startup has its own nuance — you can easily get on the wrong side of the reporter you’re pitching to with simple mistakes and misjudgments.

You should also consider:

  • Be simple but specific: You have a very short window to impress a reporter. Reporters sometimes get dozens of pitches a day. Have a concise, simple-to-understand pitch. Security reporters are smart, but they aren’t going to spend brainpower trying to deobfuscate what your company does. If it’s a secure cloud storage solution, say so. Don’t use bullshit buzzwords like “hack-proof” and “military-grade encryption.” There is no such thing as an absolute in security.
  • What sets you apart? The startup scene is a crowded one. There are likely other companies trying to do what you’re doing, or already doing it. What do you have that’s new? Or, if not new, what makes you better than your competitors? And what problem are you trying to solve?
  • Technical is good: You’re going to face a barrage of questions from the reporter once you’ve piqued their interest. Be prepared to dazzle from the start. If you’re a data-intensive company, how are you keeping that data safe? Is it anonymized, and if so, how? Is your encryption offering open source — it will have to be to allay fears of backdoors — and if so, how do you make money? And, if you have a product ready to go, who did the security review and how was it conducted? These are the questions reporters will want answered, point by point.
  • Look ahead to the future: What do the near-term and long-term future look like, and what are the next steps? It’s good to know how your company can scale over time. You may start off small, but you may have to learn quickly how to provide your product or service to a larger-than-expected number of people overnight.

When you’re ready to pitch your security startup to the media, make your CSO as available as possible. Having your security chief in lockstep with your marketing and public relations team can greatly improve how your company is perceived. Reporters don’t want to be caught out covering snake oil. Your CSO should be the point person for answering the more technical questions when they inevitably arise.

Just, whatever you do, don’t send me your CMO.