6 tips founders need to know about securing their startup

If you’ve read anything of mine in the past year, you know just how complicated security can be.

Every day it seems there’s a new security lapse, a breach, a hack, or an inadvertent exposure, such as leaving a cloud storage server unprotected without a password. These things happen, but they don’t have to; aecurity isn’t as difficult as it sounds, but there’s no one-size-fits-all solution.

We sat down with three experts on the Extra Crunch stage at TechCrunch’s Disrupt SF earlier this month to help startups and founders understand what they need to do, when, and why.

We asked Google’s Heather Adkins, Duo’s Dug Song, and IOActive’s Jennifer Sunshine Steffens for their best advice. Here’s what they had to say.

Quotes have been edited and condensed for clarity.

1. Don’t put off the security conversation

The one resounding message from the panel: don’t put security off.

“There are basically three areas that folks should start considering how to bucket those risks,” said Duo’s Song. “The first is corporate risk in defending your users and applications they access. The second is application security and product risk. A third area is is around production, security and making sure that the operation of your security program is something that keeps up with that risk. And then a fourth — a new and emerging space — is trust, and not just privacy, but also safety.”

It’s better to be proactive about security than to be reactive to a data breach; not only will it help your company bolster its security posture, but it also serves as an important factor in future fundraising negotiations.

Song said founders have a “very direct obligation” to think about security as soon as they take someone else’s money, but especially when a company starts gathering user or customer data. “You have to put yourself in the shoes of those folks whose data you have to protect,” he said. “It’s not just your existential threats to your business, but you do have a responsibility, right to figure out how to do this well.”

IOActive’s Steffens said startups are already a target — simply because it’s assumed many won’t have thought much about security.

“A lot of attackers will go after startups who have high value data, because they know security is not a priority and it’s going to be a lot easier to get ahold of,” she said. “Data these days is extraordinarily valuable.”

2. Start with the security basics

Google’s Adkins, who runs the search giant’s internal information security team, joined the company almost two decades ago when it was just the size of a large startup. Her job is to keep the company’s network, assets, and employees safe.

“When I got there, they were so fanatical about security already, that half of the job was already done,” she said. “From the moment [Google] took its first search query, it was thinking about where those logs are stored, who has access to them, and what is its responsibility to its users,” she said.

“Startups who are successful with security are those where the chief executive and the founders are fanatical from day one and understand what threats exist to the business and what they need to do to protect it,” she said.

Song said many popular products and technologies these days come with strong security by default, such as iPhones, Chromebooks, security keys and Windows 10.

“You’re better off than the 90% of large companies out there,” he said. “That’s one of those few strategic advantages you have as a smaller, nimbler organization that doesn’t have a lot of legacy,” he added. “You can do things better from the start.”

“A lot of the basics are still key,” said Steffens. “Even as we come out with the new shiny technology, having things like firewalls and antivirus, and multi-factor authentication.”

“Security doesn’t always have to be a money thing,” she said. “There’s a lot of open source technology that’s really great.”

3. Start looking at security as an investment

“The sooner you start thinking about security, the less expensive it is in the end,” said Steffens.

That’s because, the experts said, proactive security gives companies an edge over competitors who tack on security solutions after a breach. It’s easier and more cost-effective to get it right the first time without having to fill in gaps years later.

It might be a hard sell to funnel money into something where you won’t actively see financial returns, which is why founders should think of security as investments for the future. The idea is that if you spend a little money at the start, it can save you down the line from the inevitable — a security incident that will cost you in bad headlines, lost customer trust, and potentially fines or other sanctions.

“If you have thought about security, policies, and show a culture and a mindset of security early on, it can put you at a competitive advantage with your customers and your investors,” said Steffens.

Adkins said that security isn’t just a one-off cost; it’s an ongoing, never-ending process.

“Security is not something you’re going to start doing and then someday stop because you finished,” she said. It’s wise to prepare for every eventuality so that if something happens, you’re ready to jump into action and begin remediation, she said.

“We always recommend anybody go through tabletop exercises,” said Song. “What would happen if your customer database was was leaked? It’s not just the incident response that you have to contain, but also how do you manage the public relations?”

4. Many startups are dispersed; balance security with flexibility

A lot of startups have teams all over the country — even the world. How do founders keep a secure startup safe without inhibiting workers?

Adkins described the traditional “castle mode,” where all secure systems and databases are in one place behind a firewall and inside a secure building. “But now we have people working from home and traveling,” she said. “We realized that this castle mode no longer works.”

Google’s approach is one that startups could learn from. Its logic is that you can be anywhere in the world, even inside a Google building, but no matter where you are, you do not get any extra trust on the network.

“I like to tell people that sort of like, you should be able to run your whole business out of a Starbucks,” said Adkins. “Your laptop is your ‘view’ into your IT systems or your production environment should be secure no matter where it is in the world,” she said.

The plus side? “We have a totally mobile workforce,” she said.

“If these kinds of technologies are now available, your startup can adopt them on day one. As a ten-year-old company when [Google] did it, it was really hard and it took a long time,” said Adkins.

5. It’s not just the security team’s job — everyone plays a role

Security isn’t one person’s job — it’s everybody’s job. Making sure that everyone is aware of the risks and threats your business faces can contribute to better awareness and fewer mistakes.

“Culture is is very important,” said Steffens. “If you have that culture of security from the top down and if it’s ingrained in you from the day you start onboarding, there’s ongoing awareness,” she said.

Google’s security team has about 1,000 members who come from a wide range of backgrounds, Adkins says. “We have a pretty diverse team. It’s a global team — people who’ve come from all different countries.” She said that different backgrounds bring different viewpoints, and that diversity can help when dealing with advanced, sophisticated and highly innovative threats.

“All of these people bring a different perspective of the users we’re trying to protect on how the bad guys are working,” she said.

6. Security isn’t just about defense; train your staff to speak out

Another major challenge is bigger challenge is changing how we think about security. Instead of shaming people who get security wrong, it’s important to allow for an open, honest and safe environment for staff to actively report when something bad has happened.

“Some of the best companies have built cultures where people are not blamed for actually clicking on the link or doing these things, but actually are somehow incentivized and rewarded for it,” said Song.

The logic goes that the quicker that an incident is reported, the less damage there might be.

“We need to remove the shame of being a victim,” said Adkins. “Whether you’re the person who clicked a link or a company that got targeted by an adversary far and above your level, you are a victim — and we should stop victim shaming.”

“And that means when you watch your competitors get hacked, don’t make fun of them, because that might be you someday,” she said.