What startup CSOs can learn from three enterprise security experts

How do you keep your startup secure?

That’s the big question we explored at TC Sessions: Enterprise earlier this month. No matter the size, every startup is an enterprise. Every startup will grow in size as it builds out. But as a company expands, that rapid growth can lead to a distraction from the foundational principle of any modern company — keeping it secure.

Security isn’t just a buzzword. As some of the largest companies in Silicon Valley have shown, security can be difficult. From storing passwords in plaintext to data breaches galore, how can startups learn from some of the biggest security lapses in the tech industry’s history?

Our panel consisted of three of the brightest minds in enterprise security: Wendy Nather, head of advisory CISOs at Duo Security, is an enterprise security expert; Martin Casado, general partner at Andreessen Horowitz, is a security and enterprise startup investor; and Emily Heath, United’s chief information security officer, oversees the security operations of the largest U.S. airlines.

This is what advice they had.

Security from the very start

Rapid enterprise expansion often comes with a tradeoff. As revenues rise, companies must expand to satisfy supply. But all too often growth comes at the expense of security.

“Move fast and break things” was Facebook’s motto for years, but the besieged company has faced criticism following a raft of embarrassing and damaging security incidents and data breaches largely attributed to Facebook’s laissez-faire attitude to security.

“One of the most important things is to start thinking about security from the beginning,” said Duo’s Nather.

That doesn’t mean necessarily having a chief security officer in place if a startup can’t afford one. There are outsourced options available to startups strapped for cash. Managed security service provider (MSSP) can significantly bolster a company’s defenses without breaking the bank. Thinking more about the fundamentals to security that can improve a company’s posture, like following strong data security practices and simple but effective technologies, like multi-factor authentication, she said.

“We’re seeing security products become simplified — they’re become consumerized,” said Casado, a veteran investor in security startups.

Some of the best products in security are successful because they’re simple, he said. Regular, everyday devices — like security keys, iPhones, and Chromebooks — can help set a good baseline security standard for devices and technologies in the enterprise.

Culture and diversity is key

Few startups will ever rise to the size of a company like United Airlines, but many can take a leaf out of their security books.

United, one of the largest companies in the world, has 90,000 staff across 338 airports, with a team of about 200 employees dedicated to information and network security. How does the company’s security chief keep the airline safe?

It’s about weaving security into the culture of the organization.

“Number one is you have to have support from the top across your organization in order to succeed,” said United’s Heath.

When Heath talks to employees, she says she talks honestly about what her security staff sees. By being open and transparent about the threats a company faces, she finds her colleagues are more receptive to why taking certain measures are important to maintain the integrity of the company’s network.

“We’ve switched so much just in philosophically how people think about security,” she said. “It’s got to be everybody’s job to think about it, it can’t just be a security team’s job.”

The larger a company becomes, the bigger the target, and the threats can be automated, targeted, and from a wide range of sources. Having a diverse security team, Heath said, contributes to a creative and diverse workforce of people with varied expertise who can respond to an ever-expanding range of threats.

“We’re solving problems that we’ve never solved before,” said Heath. “In doing that, you can’t have people that have all the same backgrounds.”

Don’t be afraid to ask

Your company may have a killer idea, a plan to execute, and sensitive corporate secrets. But security is something that shouldn’t be secret or proprietary.

“Talk to your peers and find out what they are really seeing and exchange as much as you can with them because that’s where you’re going to get the real good threat intelligence,” said Nather.

It’s that threat intelligence that companies use to bolster their defenses against new and emerging threats, and can be useful in understanding what security products, services and solutions are required to protect against them.

Not only that, having the visibility of knowing what’s in your enterprise is critical to understanding what needs securing.

“Understanding your environment is absolutely number one,” said Heath. “If you don’t know exists, you can’t secure it.”

All too often, it’s the employees who know what’s where and what’s critical to a business’ operations.

What may be the most important thing to secure in one company may be completely different in another, she said. Some systems will store user data, while others will be critical to operations — like getting the right people on the right flight.

“You really have to take a very logical, common-sense approach to understanding what matters most to your business,” said Heath.

“With security folks, we secure what they tell us, matters to us the most. But you have to work with your business to figure out what’s most important to them,” she said.

By putting security first, companies can better defend against opportunistic, non-targeted attacks, like building break-ins to automated bots.

Not only attract the right kind of investors — not the ones focused purely on profits, but the folk who recognize a company that can provably defend itself from attacks and invests in the right kind of security to continue delivering long-term returns.