In the past year I had the opportunity to help a tech startup shape its culture and make security a brand differentiator. As the Head of Information Security, I was responsible for driving the resilience, governance and compliance agenda, adjusting to the needs of a dynamic and growing business.
I’ve previously seen security controls put in place that may stifle productivity and innovation. This can be especially harmful in the startup environment and I was keen to avoid it.
I started by understanding the business context of what we are trying to protect and why. After establishing the business requirements, technological and regulatory landscape in which we operate, I validated top assets and threats and recommended security improvements to address risks and align with strategic priorities.
After obtaining board level support for my security programme, I communicated often to ensure constant alignment and measured progress to demonstrate business value.
Securing a tech startup is not easy, as it tends to be a ‘wicked’ problem for a cash-strapped company because of the potential devastating impact of security breaches. Our business model depends on customer trust and the entire value of a company could be wiped out in a single mismanaged incident.
Therefore, cyber resilience was high on my agenda. Preventing all the incidents was not possible and I prioritised the detection and recovery capabilities instead. We drilled the incident scenarios and updated our plans when we shifted to remote working due to the pandemic.
All of this helped me better coordinate incident response activities, performing post-mortems and implementing required improvements, all the while able to be transparent with affected customers and regulators if needed.
One of my early priorities was to understand the product and who uses it. Creating personas is a useful tool when trying to understand your customers. I applied the same approach to security; while running threat modelling workshops with developers I encouraged them to think who might be after the company and why. At what stage of a customer journey might we be compromised? Using the insights from the research I conducted while writing The Psychology of Information Security, I aimed to make these meetings fun and many participants found them educational. I then created a prioritised plan and risk management approach in line with the lessons learnt from these workshops. I also attracted some developers to act as security champions in their teams.
I engaged with colleagues to factor in their experiences and insights to shape security mechanisms around their daily roles and responsibilities. I oriented security education activities towards the goals and values of individual team members, as well as the values of the organisation. I coached and mentored my team to find the balance between security and productivity to build resilient and innovative business.
My aim was to reach the state where security underpins all our products and services to offer customers a frictionless experience. To achieve this I focused on DevSecOps practices, working with software engineers to develop processes and integrate security tests in the continuous delivery pipeline. This included checking for common vulnerabilities, detecting secrets in code and checking for vulnerable dependencies. I also helped manage a bug bounty programme and coordinated regular pentests to continuously check for anything we might’ve missed with automated tests.
I spent time hardening our cloud infrastructure, improving identity and access management practices and developing logging and monitoring capability. I used AWS tools like Trusted Advisor, Access Analyser, GuardDuty, WAF, KMS, Config, Inspector and Security Hub to support the security programme. I also run automated checks using an open-source CloudMapper to identify misconfigurations, like excessive permissions and publicly accessible S3 buckets. The move to infrastructure-as-code also helped us standardise infrastructure components, enabling configuration compliance and faster troubleshooting.
There are many upsides to working for a nimble startup. In my role, I was in a privileged position to build in security and privacy by design. I embedded myself in product development and engineering from day one. This saved time and effort trying to retrofit security later – the unfortunate reality for many large corporations.
I was wary, however, of imposing too much security on the business. At the end of the day, the company is here to innovate, albeit securely. My aim was to educate about security risks and help colleagues make the right decisions, showing that security is not only important to keep the company afloat but that it can also be an enabler, especially in our business-to-business sales model.
To prove my point, I attended countless client meetings, supported business development and marketing activities, responded to RFPs, put presentations together and helped to go through the potential customer’s third party review processes. We didn’t get all the business we hoped for, but being able to demonstrate our attitude towards security definitely landed us extra wins.
I also realised that big multinationals weren’t prepared to consider us as their supplier without a formal security accreditation. I helped obtain Cyber Essentials and ISO 27001 in record time. Thankfully, I had the support of the entire leadership team and the foundation I laid with the risk-based approach was well received by the auditors.
I demonstrated to the board that security can increase the value of the company by elevating trust and amplifying the brand message, which in turn leads to happier customers. This also contributed to one of my main objectives – to increase startup valuation through demonstrating a mature attitude towards security and governance, which is especially useful in fundraising and acquisition scenarios.