Recently I have spent more time discussing and working with startups on their security programs. I noticed there is a stronger interest for this topic and now more than ever young companies are hungry to learn and act on security. Why is that?
Security Requirements
We live in a world now where everyone has adopted a state of heightened awareness for cyber security. This shift started at the end of 2013. Target got hacked, exposing some 40 million customer debit and credit card accounts. A turning point that suddenly elevated the topic of security to the board level. Many other high profile data breaches and cyber security incidents have occurred since, making sure those board level discussions became permanent.
This new found awareness for security has tightened requirements and policies for b2b and b2c companies. There is now a much greater desire to understand the risk that vendors pose to a business. If I am for example a SaaS startup looking to close an enterprise deal with a larger company, I will now very likely have to go through a security review. These reviews often start in form of a security questionnaire that will help the bigger company understand the security posture of the SaaS vendor. For a young software company this is the moment where you have to start thinking about security at an organizational level for the first time.
How to complete a Security Questionnaire
Security questionnaires unfortunately come in different shapes and sizes. Often they are a collection of questions inside a spread sheet that are segmented into categories. Your enterprise customers want to know what risks they are accepting. These questions are simply a way for them to collect data about you and your security policies and procedures.
Here are a few tips on how to go about filling out a security questionnaire:
Step through the questions and find the ones you can quickly dismiss with N/A. Not everything inside a generic questionnaire will be applicable to your company, so feel free to answer No or N/A to things that simply don’t apply.
Mark confusing questions that need clarification from the customer or prospect. It is absolutely fine to come back to the owner of the questionnaire and ask to clarify certain questions.
Keep a copy of your completed questionnaires. This will allow you to reference past answers and reuse relevant parts for a new customer’s questionnaire.
If your company does not yet have a security policy in place you should probably start looking into establishing one. Most answers to the questions in a security questionnaire will be derived from your security policy document.
Your company’s Security Policy
Besides preparing for incoming security questionnaires it is generally a good idea to equip your young startup with a security policy. If you are wondering what exactly the purpose of a security policy is take a look at this excerpt from one:
PURPOSE
This policy defines the technical controls and security configurations users and Information Technology (IT) administrators are required to implement in order to ensure the integrity and availability of the data environment at hooli. It serves as a central policy document with which all employees and contractors must be familiar, and defines actions and prohibitions that all users must follow. The policy provides managers within hooli with policies and guidelines concerning the acceptable use of hooli technology equipment, e-mail, Internet connections, information processing network infrastructures, databases, encryption and any other methods used to convey knowledge and ideas across all hardware, software, and data transmission mechanisms.This policy must be adhered to by all hooli employees or temporary workers at all locations and by contractors working with hooli as subcontractors.
Crafting a policy for your Company is probably something you don’t wanna do on your own. So consulting on this with someone is a good idea in my opinion. At a high level a policy document will cover the following:
Establish who is responsible for security at your company, including the chain of command
Outline the responsibilities of your Employees (e.g. make sure to use 2FA)
Give an overview of data handling
Business Continuity and Disaster Recovery plan
Incident Response Plan
If we stick with the example of a SaaS Startup, you will probably end up with a policy that includes an entire section on application security, where you host that application and who exactly has access to customer data on production.
How much should I invest in security as a young startup?
This could probably be a separate post all together and honestly it depends a bit on the type of company you are. For example if your startup is hunting elephants (e.g. trying to only close Fortune 500 deals), then investing a lot in security and compliance (e.g. SOC2) might be something you do early on. But for most SaaS startups I wouldn’t go chasing certificates out of the gate. Consider this list a good starting position for a young startup:
Create a Security Policy and execute it
Have a pentest done annually by an external party
Ensure all your endpoints are protected (Next-Gen Antivirus)
Run a employee security awareness training once a year and for each new hire
Think about what you can do to mitigate the risk from Phishing (Area 1 has startup friendly terms)
You can go deeper into the security domain and build out a more robust investment from here as your company grows. What you absolutely need to avoid is a situation where you have zero effort going into security. It’s a though place to operate in and will be very visible in your inability to win business. Each larger account that your sales team is trying to win will get stuck in a long security review process, because your team has to deploy extra effort to demonstrate a security posture that isn’t there.
If you are a software startup and are wondering what you can do to improve your security I would recommend you check out Sonar. It is a free monitoring service that allows you to continously monitor the security posture of your web assets.