Why startup leaders need to set the tone for security

Amid new calls from federal authorities for prioritizing security in tech startups, industry experts stress the importance of having firm leaders set a cultural tone.

Federal consumer-protection authorities have called on the entrepreneurs building tech startups to prioritize cybersecurity from the earliest stages of the development process.

[ Related: Tech startups need to get serious about security ]

But a variety of factors -- cost, lack of technical expertise, rush to market, etc. -- can make security seem like more of a burden or an impediment to the startup's growth than anything else.

At a recent event convened by the Federal Trade Commission, industry insiders emphasized the importance of incorporating security as an integral part of any company's operations, not just the services or applications that it produces.

At startups in particular, which are often led by a founder/CEO whose personality can to a great degree define the culture of the organization, it is crucial that the firm's leaders establish the expectation that security is a company-wide priority.

"I think company founders, management are really critical to developing a culture," says Devdatta Akhawe, a security engineer at Dropbox. "In my experience, the companies that have responded well and responded seriously to security issues are often the ones where the founders are driving this sort of culture and these sort of values."

[ Related: Internet of Things Demands Security by Design ]

It's worth noting that the idea that the founders should set the tone from the top on security is hardly confined to startups. Frank Kim, chief information security office at the SANS Institute, recalls the predicament of Microsoft in the late 1990s and the early part of last decade. In 2002, when then-CEO Bill Gates issued an all-hands warning about the need to prioritize security in the company's ubiquitous software, Microsoft was viewed as a "laughing stock of the security industry," Kim says. The result of Gates' warning was Microsoft's Trustworthy Computing initiative, a concerted effort that considerably improved the company's security posture.

In part, security became a priority at Microsoft because the company's customers demanded it. And fledgling startups trying to carve out a slice of market share can ill afford a data breach or the reputational hit that comes from the perception that its applications aren't secure -- customers are likely to vote with their feet.

Making security in a startup a high-level goal

It seems easy enough to designate security a high-level goal within a startup, but how should that work in a practical sense?

Window Snyder, CSO at Fastly and an experienced hand at security who has done stints at Apple and Mozilla, emphasizes the importance of starting from the earliest stages of the development process and training the engineering team on some basic tenets of secure programming.

[ Related: The 7 Deadly Sins of Startup Security ]

Then, she suggests that companies implement a peer review process whereby the security experts and others get a chance to kick the tires on a particular feature before it is released to the public, noting the benefits that can emerge from bringing disparate teams together to focus on security.

"That creates a sense that it's everyone's job," Snyder says.

The argument for more clearly defined security roles

That maxim that everyone is responsible for promoting security on its face sounds simple enough, but not everyone is on board. Count among the dissenters Jonathan Carter, a veteran security professional and software engineer who argues for more clearly delineated roles within the development team.

"I take a slightly more controversial approach," Carter says. "Whenever I see something like 'security is everyone's responsibility,' that makes me cringe inside because, really, that means security is no one's responsibility. It's the diffusion of responsibility psychological principle, where suddenly it's on no one's radar and it's just this amorphous concept. So as a software engineer, I would say your responsibility is to identify issues and confer with your local security champion within your immediate team."

There was scant disagreement, however, on the broader point that startups and mature companies alike would do well to elevate security as an organizational priority.

And to the concern that a more security-intensive development process would carry more cost than a cash-strapped startup could afford -- to say nothing of the delay in time to market -- Akhawe urges firms to consider the alternative, the disastrous effects of a breach or the release of a product with glaring vulnerabilities.

"Security's much, much, much cheaper the earlier you do it," he says.

Join the CSO newsletter!

Error: Please check your email address.

More about AppleBillCountCSODropboxFederal Trade CommissionMicrosoftMozillaSANS Institute

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Kenneth Corbin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts