How to think about security as a startup

In the previous briefing, we outlined the threat landscape facing startups working with innovative and emerging technologies. In this brief we outline three points that startups should consider when they think about security.

Point 1. Think about security early on

As a rule of thumb, it is easier to scale up security than to retrofit it onto an organisation. The longer an organisation waits before it takes security seriously, the more disruptive it will be to find the right people, processes, and technology to assure the desired level of security.

When we talk about security, we mean security in a holistic sense; this includes cybersecurity and physical security, as well as processes for vetting staff and external partners. However, perhaps even more important is the development of security awareness and culture among an organisation’s personnel and stakeholders. 

Retrofitting technical cybersecurity controls onto a growing organisation’s IT infrastructure is challenging, but it is even more difficult to change an organisation’s culture. Building this in from the beginning is easier, and underlines the importance of thinking about security when your organisation is a startup. 

Point 2. Security is a team sport

The second key point about security is that it is a team sport. It is not something that can be left to one team – it involves everybody in the company. What is more, it involves working with external partners in government and the private sector.

Security depends on an informed understanding of the threat landscape and of the organisation itself, its activities, assets, and vulnerabilities. In a complex, interconnected world, it is beyond the capabilities of any one person or organisation to make sense of this complexity. Collaboration is a necessity. 

For example, in the previous briefing we talked about the need to develop a granular, current understanding of the threat actors that an organisation faces. This is a challenging task, not least because those threat actors rely on secrecy and going undetected to achieve some of their goals. 

Developing that picture in the cyber domain requires a broad range of capabilities and areas of expertise, ranging from highly technical cyber skills, through geopolitics, to intelligence analysis methodologies. In other words, it involves a range of capabilities that most startups do not have. 

Should startups invest their limited resources in developing these new capabilities and areas of expertise? In almost all cases, the answer is no. Instead, they should work with people and organisations who already have those capabilities. Sometimes those relationships will be commercial, but there are also a host of government and civil society initiatives around information sharing and collaboration.

And crucially, your organisation has a key role to play within this team…

Point 3. Lean into the home field advantage

Before thinking about developing new expertise, organisations concerned about the security of their research and innovation should prioritise understanding their own activities, assets, and vulnerabilities. 

This is one of those tasks that sounds easy in principle but is challenging in practice. It is particularly challenging for less mature organisations that are rapidly growing and changing – like a startup.

This comes back to the team sport point above. Other organisations will bring to the table a greater knowledge of cyber threats, or geopolitics, or access control systems, for example. What do you bring to the table? You bring your knowledge of your organisation’s structure, and – maybe even more important – your expertise in your sector or area of technological innovation. 

We will explore this point in more detail in our next brief, when we argue that for startups and other organisations at the cutting edge of innovation, security starts at home. 
