Use ‘productive paranoia’ to build cybersecurity culture at your startup
![](data:image/svg+xml;charset=utf-8,<svg height="712" width="1024" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
Image Credits: JakeOlimb
As any startup grows, getting new products out the door and securing that next round of funding are always top priorities.
But security, all too often, falls by the wayside. After all, why would you invest money in something that you hope never happens when you could be funneling cash back into the business?
Fostering a corporate culture that embraces cybersecurity best practices keeps customer data safe and your company’s reputation intact. But security isn’t something you can easily tack on later. It must be ingrained in your company’s culture, and it’s so much easier to start in the early days of your company than scrambling in the aftermath of a data breach.
But how do you get there?
At TechCrunch Early Stage, we asked Casey Ellis, founder, chairman and chief technology officer at Bugcrowd, to share his ideas for how startups can improve their security posture.
Bugcrowd helps companies dip into a huge pool of cybersecurity talent — including hackers and security researchers — to find vulnerabilities. By helping companies identify flaws, they can shore up their defenses before malicious hackers break in. Few know better than Ellis — who’s run Bugcrowd for close to a decade — which policies, procedures and protections companies have put in place to get there.
Extra Crunch subscribers can log in and watch the video below.
Ellis says startups should instill what he calls “productive paranoia.”
“The reality is that the finance team can have as profound impact on the overall risk of the organization as someone pushing a line of code into production,” said Ellis. “Part of the way you do that is by having your team internalize the fact that bad stuff can and does happen if you do it wrong.”
You don’t do that by naming and shaming, or disciplining your employees for opening a malicious email. You build a culture around security by talking about it, testing each other or even gamifying it. What you need is a culture of openness and transparency, and your staff to feel comfortable talking about security — even when things go wrong. Encourage your staff to come forward, so you can remediate the issue.
“It’s an everyone problem,” said Ellis.
But there are also plenty of simple, effective technical things you can do to lock down your startup.
Want to know a not-so-secret? The vast majority of hacks can be stopped with even the most basic security features. But so many startups grow in size and scale, suffer a security incident, panic — and only then try to retrofit security in all the places where it should’ve been in the first place.
“Teach your business to wash its hands while it’s still young,” said Ells. That is, implement basic security features from the very early days of your company and push the security mantra as your company grows.
“A lot of the lessons that we’re learning from the pandemic are actually translating quite neatly across into being able to explain security,” he said. “It’s the simple things that actually get you quite a way ahead.”
He suggested:
- Use an enterprise password manager. This helps prevent password reuse, and keeps your enterprise’s passwords safely within its walls. “It’s a really common way that organizations and platforms get hacked,” said Ellis. LastPass, Dashlane and 1Password are widely recommended.
- Force two-factor authentication whenever you can. This additional layer of security helps block the use of stolen passwords. “It operates on the assumption that if you just know the password, we still need a little bit more proof that you’re the person that you say you are,” said Ellis. Two-factor is widely available on most consumer services, as well as many enterprise systems. “Ultimately, you want to try to roll out two-factor across your entire organization,” he said. Duo and Authy are highly regarded in the two-factor and identity management space.
- Apply updates. Nobody likes updating their computers, let alone an entire enterprise. Update your enterprise devices — your phones, your computers and your other technology — as soon as you can. Patching vulnerabilities can prevent most automated hacking efforts. If you’re a startup building hardware, make updates easier for your customers. Push the updates to the devices, don’t wait for your customers to do it. (You might be waiting for a very long time.)
- Use platforms. It’s not uncommon to outsource parts of your business that aren’t core to your organization. Often they are more secure than you. That’s a reason why you should let the experts in. “If it’s something that you can afford to give to an expert, do that and focus on the things that you need to do to make your business unique and valuable,” said Ellis.
Security isn’t just a good thing for your company’s reputation and your customers’ privacy, it’s a selling point. By baking in security from the beginning, it’s another reason why your customers should trust you.
You can watch the full session below.
![](data:image/svg+xml;charset=utf-8,<svg height="93" width="187" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
![](data:image/svg+xml;charset=utf-8,<svg height="125" width="187" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
![](data:image/svg+xml;charset=utf-8,<svg height="120" width="187" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
![](data:image/svg+xml;charset=utf-8,<svg height="105" width="187" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
