Why security matters to early-stage startups

Security isn’t a nice-to-have. It’s critical to businesses today, and recognising and acting on threats quickly is a sign of operational efficiency. How can early-stage (and cash-strapped) startups embed cyber security best practices in their businesses from day dot? In this article, we hear from Ben King, Manager of Application Modernisation for JAPAC at Google Cloud, on how early-stage startups should approach security – with actionable insights that startups can implement today. 

‍

In the early stages of building a company, founding teams have a lot to prioritise when it comes to where they put their resources. I wouldn’t be surprised if security doesn’t always rank high on that list unless you’re operating in regulated or at-risk industries like healthcare and finance. 
‍
Regardless of industry and size of your company, it’s still important to prioritise cyber security in order to protect your business, customers and partners. There are a number of approaches you can take to secure and protect your startup from its earliest days. 

Ultimately, security isn’t about reducing risk to zero. It’s about continuously rebalancing risk as your startup grows, and embedding cyber best practices and responsibility across the full team. 

The rise of breaches 

Cyber attacks come in many forms, including crypto mining, exploitation of misconfiguration, data theft and leakage, credential abuse and ransomware – just to name a few. 

In Australia, we’re facing a widening cybersecurity talent gap, with not enough skilled professionals to help prevent or manage cyber attacks as and when they occur. 

In addition, the pandemic accelerated companies’ digital transformation plans and led to distributed workforces, which has increased organisations’ vulnerability to cyberattacks, and therefore exacerbated shortages. 

In light of these challenges, there are several steps that startups can take to protect themselves, depending on how much they decide to budget for their business’s security and where they are at in their startup’s lifespan.

Establish a good software engineering culture 

Attacks can happen as quickly as 2.5 minutes, and are often automated by bots. By taking a proactive approach and setting up alerts for wherever something happens, you can respond just as quickly or at least be made aware.

One of the biggest challenges for anyone writing software now is that developers reuse code by importing libraries, or packages. Vulnerabilities can be in any of that code. Good software engineering culture is about having a software engineering mindset over a developer mindset. Anyone can develop software, but software engineering is about ensuring that software will be able to run effectively in 10+ years. This involves incorporating cloud-native security design patterns to create platforms and systems that are secure-by-design for the cloud and establishing frameworks to ensure a startup’s team is developing and continuously validating its security, governance and compliance posture.

What can you do – and when?

You don't need to stop every bad thing from happening – in fact, trying to do so will slow down your ability to move fast. You should, however, empower your engineers with enough detection capability and ownership across the full team so people can notify them of perceived threats or attacks so that they can react in real-time. 

When you’re seed or early stage, be mindful of having too many security measures that will bog you down and instead focus on the stuff that matters at this early stage – odds are that no one is actively targeting you yet. Set yourself up with the key stuff and then get back to building your business: 

1. Adopt tools to help manage security across the business. Roll out two-factor authentication and password managers with apps like Google Authenticator or LastPass across your team. Use a password manager like 1Password. Where you can, sign in with your socials that have multi-factor authentication. 
2. Partner with your cloud service provider (CSP). Work with your CSP to create a shared understanding of risk and objectives. At Google, we operate on a shared-fate model – meaning, we believe in actively partnering to help you deploy and operate securely. Startups are responsible for securing their data, and Google or your CSP is responsible for securing the infrastructure. 
3. Prioritise automation to reduce manual workload and improve velocity. Developers and engineers have a number of tasks and processes that they have to oversee. Automation can play a vital role in allowing them to shift their focus from repetitive tasks to bigger issues, such as potential security threats. What’s more, leveraging the benefits of cloud visibility and automation can help drive proactive and automated response and remediation.
4. Adopt cloud-native security operating principles and best practices. To harness the velocity and flexibility enabled by the cloud, transform how you apply security and governance at scale and bake in security throughout the entire development lifecycle. Use purpose-built tools that can address security challenges and can seamlessly integrate with existing workflows.
5. Plan to retrain, reskill and reorganise your security workforce. In light of the ongoing security challenges and talent shortages, consider investing in your team’s development as and when possible. It’s likely going to be more cost-effective and beneficial to the overall business to put one of your engineers through a security course than to hire a full-time security professional – which are hard to come by, anyway. 

‍

The above practices are a good starting point, particularly for early-stage startups where a lot of the onus lies on the founder(s) to create a secure company. When startups reach the Series B stage or about 100+ employees, it’s fair to consider bringing on additional security support, whether a consultant or a full-time hire. 

It’s important to remember that security is everybody's responsibility, not just the technical team’s. While technical leads should adapt processes to enable the transformation of security and governance for the cloud, it’s the full team’s responsibility to contribute to the businesses' protection as it scales.
‍

Ben King is the Manager of Application Modernisation JAPAC at Google Cloud. Find him on Twitter and LinkedIn.

‍