Technology startups are different from going concerns, not least in their approach to information security risk. Here are my observations on how cyber risk management evolves in a startup, along with a caveat emptor to potential customers of startups.
Risk Management for Dummies
Risk management is a discipline practiced only by firms that are “going concerns”, where threats to a business are identified, categorized, and assessed by probability and impact. Managers then make informed decisions to reduce the probability of threats to the going concern or make it more resilient. The following are some commonly used risk categories, of which information security is only one:
Going Concern Risks:
- Direction and Decision Making
- Management Information Systems
- Fraud, Theft and Malicious Acts
- Environmental Health and Safety
Startups are not “Going Concerns”
Going concerns generate their own cash, and managers can allocate that cash to best improve the survival of the firm. Comprehensive risk management makes sense for going concerns, whether formally practiced or not.
But startups are not going concerns and their survival concerns are different and narrower: Most startups are living on borrowed time determined by their cash burn rate. Burn rate determines how long they have to either become a going concern, convince investors to re-up, get acquired, go public — or cease to exist.
Startup Risk Lifecycle Management
The risks that concern a startup are the existential threats to becoming a going concern: Market, Product Technology and Execution risk are what stand between founding a startup and becoming a firm with an actual future.
- Market Risk is of course the biggest. Every startup has to answer the question: is there a market for this product/service? Creating a market-viable product or service and finding willing buyers is the only task an early stage startup needs to manage. Investors increasingly won’t pony up without proof that buyers are out there, especially if the startup seeks to create a new market where none previously existed.
- Product Technology is second, because if the product doesn’t work, buyers flee and investors quickly follow them.
- Third is Execution Risk: Given the market question has been answered, and the technology is capable, can the current team actually execute on the business plan?
This perspective makes a huge difference in how startup managers prioritize risks and allocate resources. What does this mean for a technology startup’s information security strategy?
Minimal Viable Information Security
If the startup is a technology business, the perception from outside is that information security is (of course!) built in. That’s also the perception that startup salesmen strive to promote.
But that’s naive. From the startup’s perspective, there is little point investing in security resilience when security threats might only materialize after the company finds a market. The bigger threat is always existential.
Startup MVPs are going to be built to maximize the functionality potential buyers want, with non-functional information security features deferred as long as possible.
But What about HIPAA? PCI? Regulated Financials?
“Fake it until you make it” is probably never more true than when startups in regulated markets defer information security investments.
Getting a certificate of compliance is surprisingly cheap, and such certificates are often entirely self-applied. Startups don’t want to pay for a rigorous assessment, product remediation, retesting, business process re-engineering or audits when they can instead invest in the next market-moving feature.
Until they have to, that is. Which is usually when:
- Market entry is impossible without a statement of compliance; or
- An enterprise level customer won’t buy without proof of compliance; or
- A really bad security incident happens along the way.
Minimizing Information Security Debt
As a form of technical debt, information security debt can be a very big mortgage. Anyone having gone through the process of applying strong encryption technology and processes to a large unencrypted application knows what I mean.
And that’s just the technology risk. Much of the cyber security literature finds that human behavior is the most fundamental source of vulnerability. But creating a culture that mitigates cyber risk is very hard in startups, because almost every best practice reduces productivity and slows the company down. And slowing the company down increases the existential risk of not becoming a going concern.
A Brief Case Study
A startup we recently advised approached their information security risk this way:
- Their first B2B product, with minimal information security, found traction with SME firms, so Market risk diminished.
- But their technical leaders soon realized that further growth was going to take them into enterprise customer markets and potentially B2C markets. A whole new level of information security was going to be needed. Product risk had increased relative to Market risk.
- Our client contracted with us to comprehensively assess their information security posture and prioritize security hardening projects, putting “Product First” above process.
- Having a real information security program, they are now better positioned to face Execution risk.
How Can the Startup CTO Sleep at Night?
There are a number of best practices to minimize information security technical debt and we’ll cover those in later posts. In the meantime:
- Remember that your job and the job of your peers is to get the business to become a going concern. You will of necessity short-change security constantly, even when you know the threats are real.
- Be honest with your peers and customers even while putting lipstick on the pig — no point risking litigation as well as getting hacked.
- Work on your security hardening program whenever you can, so when resources finally become available, you’ll know what to do.
And if that doesn’t work, there’s always Ambien.