Startup – Cyber Security Leadership

Working together to nurture the next generation of cybersecurity ventures

I’m thrilled to join an exclusive cybersecurity investment community – Cyber Club London . CCL is a group of cybersecurity experts and leaders who have access to new and innovative early-stage startups, the opportunity to invest in them privately, and use their expertise and connections to help these startups succeed.

The community was established to provide a platform where cybersecurity leaders, executives, startups, and venture capitalists can share knowledge and work together to invest in promising early-stage companies. This closely aligns to my goals of contributing to the community and helping ventures thrive in the cyber space, serving as a Board Advisor and Non-Executive Director.

Free security awareness training for your staff

Who needs to buy e-learning modules for employee security awareness programmes when NCSC kindly made available their training for free?

NCSC’s Top Tips For Staff includes online videos (that can be also included in your own learning management system), knowledge check and an infographic.

It’s a quick and easy way to get you started on the journey of building security culture in your company and meet some of the compliance requirements. This can be especially helpful for startups and non-profits with limited budgets.

Embedding security in the agile product development

Drawing on my experience in securing technology startups and software companies, I wrote a guest blog for ISACA on how to embed security in the modern product development. You can check it out here.

Business alignment framework for security

In my previous blogs on the role of the CISO, CISO’s first 100 days and developing security strategy and architecture, I described some of the points a security leader should consider initially while formulating an approach to supporting an organisation. I wanted to build on this and summarise some of the business parameters in a high-level framework that can be used as a guide to learn about the company in order to tailor a security strategy accordingly.

This framework can also be used as a due diligence cheat sheet while deciding on or prioritising potential opportunities – feel free to adapt it to your needs.

How to secure a business in decline

Many business have felt the economic impact of the Covid pandemic. Depending on the industry, some managed to adapt and pivot to new models and ways of working, but not all were successful.

As a result, some companies were unable to continue to operate profitably and entered administration. The cause of financial troubles, however, doesn’t have to be pandemic-related to pose new security challenges.

In this blog I would like to share some of the priority areas for a security leader in a business in, sometimes rapid, decline.

As the business is failing, the leadership might not treat cyber security as their top priority. However, the organisation still has obligations to its customers who entrusted the company with their data and comply with relevant laws and regulations. It goes without saying that previously identified cyber security threats and risks are unlikely to disappear either.

If there is a chance of survival, a poorly managed security incident can be the last straw.

How should security teams adapt? What should they focus on?

Broadly speaking, there are two main areas a CISO can support the business: securing a potential rescue deal and managing the decline.

There are investors specialising in distressed businesses and part of the administration process might involve looking for a capital injection or an acquisition of a failing company.

Potential investors would understandably need to know what they might be buying which normally involves conducting due diligence on the target. Although circumstances are different, the process itself is very similar to an M&A scenario or a startup acquisition.

As a security leader, it’s your job to provide transparency on the matters related to data protection, past breaches and existing security controls and processes. If done right, it presents the business in a favourable light as a well-governed enterprise, increasing investors’ confidence and therefore chances of a successful rescue deal.

In many ways, this is comparable to overseeing a divestment. A lot of such conversations are confidential, so raising awareness of what can and can’t be shared externally (including on social media), and maintaining appropriate need-to-know access controls is paramount.

Some things, however, are outside of our control and sometimes all we can do is to make the best out of a bad situation.

There are a few key areas to pay attention to when it comes to embedding security for a business in downturn.

People. There will naturally be a lot of leavers, so having a robust joiner-mover-leaver process is key. All access permissions should be timely revoked when no longer required. In addition, data loss prevention controls and broader insider risks should be considered as the morale in the company worsens. On a positive note, people and a culture of security can significantly contribute to the company’s security posture, especially in the conditions of scarce resources (see next point).

Resources. Investment in security is going to understandably diminish. Some of the top talent will leave, so you will have to learn to do more with less. If your desired control to mitigate a particular risk is no longer affordable, what is the next best thing? Can this be done cheaper, or better still, for free? Business leadership should be made aware of the potential consequences of risk acceptances, and there will likely be a higher than usual number of these.

Data. There also might not be enough money to pay for non business critical systems and services. These should be decommissioned in the way that ensures that sensitive (including personal) data is destroyed securely in line with company’s retention policies. Having data maps and asset inventories is invaluable to maintain visibility.

Sustaining operational resilience in the face of cost pressure is challenging but not impossible. For many, it’s a unique learning experience regardless of the outcome.

Securing GSuite: a guide for startups

GSuite is an excellent choice for any startup, especially early in the process of establishing your business. Its flexible cost structure allows you to pay per user while benefiting from range of services, including email (with a custom domain name), calendar, document collaboration and storage, videoconferencing and much more.

GSuite, being a Software-as-a-Service (SaaS), relieves you from the underlying infrastructure management in line with the shared responsibility model. This can be especially powerful for smaller companies trying out an idea, as it doesn’t require intensive capital expenditure to set up a datacentre or staff to maintain it. Startups, however, are still responsible for the data, permissions and overall configuration of GSuite if they want to keep their information secure.

Thankfully, Google made available a short checklist for small businesses, describing the necessary steps to safeguard company data. Similar guidance is available for larger (100+ users) organisations.

The plan you select will determine how many security features are available to you. Depending on the criticality of your data and the amount of control you require, it can be a good idea to upgrade to the Enterprise plan.

Hint: if you ask customer support to put you in touch with a sales representative and request a discount, it might just be given to you. Provided you are willing to commit to the subscription for a couple of years.

Security professionals will feel at home with the advanced features available after the upgrade. It includes encryption, data leakage prevention (DLP), granular access control and much more. Managing it is also going to become easier, as various reports and healthcheck dashboards are now at your fingertips.

Regardless of the plan you use, it won’t hurt to enable multi-factor authentication on all accounts, as it dramatically reduces the risk of account takeover. It might also be a good idea to backup your critical business data somewhere off GSuite for extra resiliency.

How to secure a tech startup

scrum_board If you work for or (even better) co-founded a tech startup, you are already busy. Hopefully not too busy to completely ignore security, but definitely busy enough to implement one of the industrial security frameworks, like the NIST Cybersecurity Framework (CSF). Although the CSF and other standards are useful, implementing them in a small company might be resource intensive.

I previously wrote about security for startups. In this blog, I would like to share some ideas for activities you might consider (in no particular order) instead of implementing a security standard straight away. The individual elements and priorities will, of course, vary depending on your business type and needs and this list is not exhaustive.

Product security

Information security underpins all products and services to offer customers an innovative and frictionless experience.

Improve product security, robustness and stability through secure software development process
Automate security tests and prevent secrets in code
Upgrade vulnerable dependencies
Secure the delivery pipeline

Cloud infrastructure security

To deliver resilient and secure service to build customer trust.

Harden cloud infrastructure configuration
Improve identity and access management practices
Develop logging and monitoring capability
Reduce attack surface and costs by decommissioning unused resources in the cloud
Secure communications and encrypt sensitive data at rest and in transit

Operations security

To prevent regulatory fines, potential litigation and loss of customer trust due to accidental mishandling, external system compromise or insider threat leading to exposure of customer personal data.

Enable device (phone and laptop) encryption and automatic software updates
Make a password manager available to your staff (and enforce a password policy)
Improve email security (including anti-phishing protections)
Implement mobile device management to enforce security policies
Invest in malware prevention capability
Segregate access and restrict permissions to critical assets
Conduct security awareness and training

Cyber resilience

To prepare for, respond to and recover from cyber attacks while delivering a consistent level of service to customers.

Identify and focus on protecting most important assets
Develop (and test) an incident response plan
Collect and analyse logs for fraud and attacks
Develop anomaly detection capability
Regular backups of critical data
Disaster recovery and business continuity planning

Compliance and data protection

To demonstrate to business partners, regulators, suppliers and customers the commitment to security and privacy and act as a brand differentiator. To prevent revenue loss and reputational damage due to fines and unwanted media attention as a result of GDPR non compliance.

Ensure lawfulness, fairness, transparency, data minimisation, security, accountability, purpose and storage limitation when processing personal data
Optimise subject access request process
Maintain data inventory and mapping
Conduct privacy impact assessments on new projects
Data classification and retention
Vendor risk management
Improve governance and risk management practices

Image by Lennon Shimokawa.

Security product management

In one of my previous blogs I wrote about building a security startup. Here I would like to elaborate on the product management aspect of a venture.

There are many businesses springing up in the cybersecurity space at the moment. A lot of them are developed by great technologists yet still struggle. The market conditions might be right and the product itself can be secure but it often fails to get traction.

When I’m asked why this might be and what to do about it, my immediate response is to dive deeper and understand the product management function.

In truth, it’s not enough to have a technically flawless solution, it has to align with what your customers want. Moreover, the bar in new product adoption is high. As Nir Eyal famously pointed out in his book Hooked, “for new entrants to stand a chance, they can’t just be better, they must be nine times better … because old habits die hard and new products or services need to offer dramatic improvements to shake users out of old routines. Products that require a high degree of behaviour change are doomed to fail even if the benefits of using the new product are clear and substantial.”

Thankfully, it’s not all doom and gloom – there are things you can do to overcome this challenge.

Depending on the stage of your venture, the most important question to answer is: are people using your product? If not, get to the point where customers are using your product as fast as you can. Then talk to them and learn from them. Find out what problem they are trying to solve.

Provide that solution and measure what matters (revenue, returning usage, renewal rate) and build measurement targets and mechanisms into your specifications.

Disciplined product management is there to bridge the gap between business (sales and marketing) and technology teams. As a product manager, you should support these teams with market analysis, planning, prioritisation, design and measurement based on customer feedback.

Knowledge of the customer and their needs will help define your strategic position and overarching guiding principles to support decision-making in the company.

That strategy in turn should be supported by tactical steps to achieve the vision. We are now beginning to shape actual work deliverables and help the technology teams prioritise them in your development sprints.

Principles described here are applicable in any type of organisation, it doesn’t have to be security specific. The industry you are in matters less than the company culture.

People often focus on tools when talking about product management or adopting agile development. The reality is that it’s often about the culture of collaboration. Break the silos, make sure customer feedback is guiding the development and don’t lose sight of the strategy. Your customers will love it, I promise.

Startup security

14188692143_8ed6740a1d_z

In the past year I had a pleasure working with a number of startups on improving their security posture. I would like to share some common pain points here and what to do about them.

Advising startups on security is not easy, as it tends to be a ‘wicked’ problem for a cash-strapped company – we often don’t want to spend money on security but can’t afford not to because of the potential devastating impact of security breaches. Business models of some of them depend on customer trust and the entire value of a company can be wiped out in a single incident.

On a plus side, security can actually increase the value of a startup through elevating trust and amplifying the brand message, which in turn leads to happier customers. It can also increase company valuation through demonstrating a mature attitude towards security and governance, which is especially useful in fundraising and acquisition scenarios.

Security is there to support the business, so start with understanding the product who uses it. Creating personas is quite a useful tool when trying to understand your customers. The same approach can be applied to security. Think through the threat model – who’s after the company and why? At what stage of a customer journey are we likely to get exposed?

Are we trying to protect our intellectual property from competitors or sensitive customer data from organised crime? Develop a prioritised plan and risk management approach to fit the answers. You can’t secure everything – focus on what’s truly important.

A risk based approach is key. Remember that the company is still relatively small and you need to be realistic what threats we are trying to protect against. Blindly picking your favourite NIST Cybersecurity Framework and applying all the controls might prove counterproductive.

Yes, the challenges are different compared to securing a large enterprise, but there some upsides too. In a startup, more often than not, you’re in a privileged position to build in security and privacy by design and deal with much less technical debt. You can embed yourself in the product development and engineering from day one. This will save time and effort trying to retrofit security later – the unfortunate reality of many large corporations.

Be wary, however, of imposing too much security on the business. At the end of the day, the company is here to innovate, albeit securely. Your aim should be to educate the people in the company about security risks and help them make the right decisions. Communicate often, showing that security is not only important to keep the company afloat but that it can also be an enabler. Changing behaviours around security will create a positive security culture and protect the business value.

How do you apply this in practice? Let’s say we established that we need to guard the company’s reputation, customer data and intellectual property all the while avoiding data breaches and regulatory fines. What should we focus on when it comes to countermeasures?

I recommend an approach that combines process and technology and focuses on three main areas: your product, your people and your platform.

Product

Think of your product and your website as a front of your physical store. Thant’s what customers see and interact with. It generates sales, so protecting it is often your top priority. Make sure your developers are aware of OWASP vulnerabilities and secure coding practices. Do it from the start, hire a DevOps security expert if you must. Pentest your product regularly. Perform code reviews, use automated code analysis tools. Make sure you thought through DDoS attack prevention. Look into Web Application Firewalls and encryption. API security is the name of the game here. Monitor your APIs for abuse and unusual activity. Harden them, think though authentication.

People

I talked about building security culture above, but in a startup you go beyond raising awareness of security risks. You develop processes around reporting incidents, documenting your assets, defining standard builds and encryption mechanisms for endpoints, thinking through 2FA and password managers, locking down admin accounts, securing colleagues’ laptops and phones through mobile device management solutions and generally do anything else that will help people do their job better and more securely.

Platform

Some years ago I would’ve talked about network perimeter, firewalls and DMZs here. Today it’s all about the cloud. Know your shared responsibility model. Check out good practices of your cloud service provider. Main areas to consider here are: data governance, logging and monitoring, identity and access management, disaster recovery and business continuity. Separate your development and production environments. Resist the temptation to use sensitive (including customer) data in your test systems, minimise it as much as possible. Architect it well from the beginning and it will save you precious time and money down the road.

Every section above deserves its own blog and I have deliberately kept it high-level. The intention here is to provide a framework for you to think through the challenges most startups I encountered face today.

If the majority of your experience comes from the corporate environment, there are certainly skills you can leverage in the startup world too but be mindful of variances. The risks these companies face are different which leads to the need for a different response. Startups are known to be flexible, nimble and agile, so you should be too.

Image by Ryan Brooks.

Cyber startups: keys to success

Innovation

What makes a cyber startup successful? From my working with a number of companies, there are four key areas cyber entrepreneurs should consider:

Idea

Are you passionate about the idea?
How unique is it?
Can your intellectual properly be protected?

Credibility

Do you have genuine expertise in your domain?
What do people in your community think of you?
Do you have a strong network and business skills?

Client-focus

Do you know your client?
Do you understand their issues?
Do they trust you to solve them?

Learning

Are you focusing on the right things?
Are you measuring the right things?
Are you incorporating client feedback into the development?

The key here, as you can see, is clients. There is really no way around understanding them, pleasing them and focusing on what they want. This feedback will allow you to pivot where required. Above all, stay focused and avoid premature scaling – don’t do too much too soon.