One of the questions I frequently ask startup founders is how much they’re spending on security. Unsurprisingly, everyone has a different answer.
Startups and small companies are invariably faced with the prospect that they’re either not spending enough or are spending too much on something that’s hard to quantify in terms of value. It’s a tough sell to sink money into an effort to stop something that might one day happen, particularly for bootstrapped startups that must make every cent count — yet we’re told security is a crucial investment for a company’s future.
Sorry to break it to you, but there is no easy answer.
The reality is that each company is different and there is no single recommended dollar amount to spend. But it’s absolutely certain that some investment is required. We know because we see a lot of security incidents here at TechCrunch — hacks, breaches and especially data exposures, often a result of human error.
We spoke to three security experts — a head of security, a security entrepreneur and a cybersecurity fellow — to understand the questions facing startups.
Know and understand your threat model
Every company has a different threat model. By that, we mean working out what you need to protect, who is likely to come after it and how, before it happens. Companies that store tons of user data are a bigger target than companies that don't. Each firm needs to evaluate which kinds of risk it faces and identify its own weaknesses.
“The smartest thing a startup can do is have their risk person — usually whoever is running finance — figure out their risk profile and threat model and allocate resources according to that,” says Tarah Wheeler, a cybersecurity policy fellow at New America.
“I’ve never seen the need for a dedicated offensive security staffer inside a company until that company is at least 500-750 people,” says Wheeler. “It’s just too easy to knock over targets before that and you can buy those assessments for much cheaper than a full-time salary of one of the most desirable, hottest skill-sets in the world right now,” she said.
Justin Berman, chief security officer at Dropbox, told TechCrunch that companies should consider their risk tolerance and evaluate investments depending on what needs securing.
“Take a company who doesn’t have sensitive data or doesn’t handle particularly people’s personal information,” says Berman. “If the company doesn’t handle that kind of data, I think it’s reasonable for them to invest less, especially when they’re still trying to find product-market fit,” he said.
Do you really need to collect that data?
Trying to find a dollar amount to spend on security is nigh on impossible. But one thing is clear: The more data you collect, the greater your defenses have to be.
One of the ways to keep costs down is to simply refrain from collecting sensitive data to begin with, says Elissa Shevinsky, a serial security entrepreneur who now serves as chief executive at Faster Than Light.
“Any startup that is handling sensitive user data such as medical records or financials should — at minimum — spend for a security engineer,” Shevinsky says. “That’s because these startups need security to be baked into their architecture and into everyday decisions.”
“Most startups don’t have security expertise and are on a shoestring budget,” she says. “The most inexpensive, easy way to protect users in that situation is to just avoid collecting and storing user data in the first place.”
Startups have to be security-savvy, but also scrappy, and outsourcing is one way to reduce security overhead. It's one reason companies like Stripe and Amazon Web Services got so big. Startups increasingly rely on such providers to collect and store payment and customer data so that it never touches their own systems, which are a far easier target for hackers than the well-resourced security teams at Stripe or AWS. In other words, let the specialists do it. The caveat is that outsourcing moves the data, not the responsibility: the startup still owns the integration, the API keys and the access controls around it, and those are exactly what an attacker will go after instead.
Tackling the low-hanging fruit is cheaper than you think
A company's security isn't just about keeping customer data safe. It's about protecting the company from both insider and outside threats, so that access cannot be abused by, for example, a hacker who steals an employee's password.
Tackling the low-hanging fruit at the beginning is a good investment in the future. It's easier to build in security from the start than to tack it on at the end. That can mean turning on basic controls like two-factor authentication and enforcing a strong policy on passwords (or passphrases), but also ingraining security within the culture of the organization: writing high-quality, secure code and helping employees understand the nature of the threats they face.
In most cases, these are things companies can do for free, Shevinsky says.
“The highest-impact things that most startups can do to protect their users aren’t actually expensive in terms of cash spend — it’s making the time to find and fix the lowest-hanging fruit in terms of security issues,” she says. “A startup that is truly tight on cash can use free open-source tools like Bandit, for example, to find vulnerabilities in their code.”
According to Shevinsky, security in startups isn’t necessarily a money issue, it’s a balancing act of ensuring everything else within the organization is growing at a pace without being stifled.
“Startup founders will have difficulty prioritizing medium and long-term threats — like user data being stolen — when the team is fighting to fundraise or sell enough just to survive that long,” she says. “Then comes the hard part — actually allocating time in the calendar for engineers to fix insecure code, enforce operational security like two-factor for all team members and building in defense in-depth.”
Remember, security isn’t a one-time thing — it’s a continuing process. Both Shevinsky and Wheeler say to buy at least one pen test or a security assessment each year — or even more frequently — and allocate the time to fix the problems that will inevitably arise.
Once you grow, find dedicated staff
The basics are important. Understanding the threat model is one thing, but knowing how to minimize data collection and when to hand some operations to a qualified third party is just as critical. Once a company grows, so does the responsibility for ensuring security on a larger scale.
“The biggest thing startups need to recognize is that ‘fractions of a role’ are a thing,” says Wheeler. “If you have a 10-person company that stores no or very little user data on-premise, your fraction of infosec — such as responding to phishing or prepping for potential ransomware — is going to be less than one.”
“If you’re going to have that fractional component in someone’s job, then the leader of that company must jealously guard that person’s fractional commitments,” she says. “If you, as the chief executive of a small company, have an IT human and you have told them to dedicate a quarter of their time to infosec, take that seriously.”
Wheeler says the first dedicated security person in a company should be someone managing a monitoring service that’s a security operations center (or SOC) in a box. “They’re fundamentally a blue team,” she said, referring to that person as dedicated to the defense of the company’s operations. “That’s why a blue team is so much more important initially.”
As a company grows, it's important to balance the number of staff working defensively against those working offensively, the part of the company that actively tries to breach it from within, finding flaws and security problems so that they can be fixed before a hacker finds them.
“I have found, anecdotally, that you need about one red teamer per 10 blue teamers, depending on the company’s business. Basically, after that, red teamers will provide so much fixable data that a blue team can’t keep up,” says Wheeler. “That’s the offensive advantage you’re always hearing about in corporate environments.”