Building a culture of security: Early foundations and strategy
Strategies for early-stage companies to build a security-first culture, focusing on laying the right foundations, including inventory management, compliance considerations, and securing assets from day one.
Risk, Cybersecurity Leadership
Yousuf Khan and Aaron Wurthmann
6/9/2023, 5 min read
Originally posted to: https://www.linkedin.com/pulse/building-culture-security-early-foundations-strategy-yousuf-khan/
By: Yousuf Khan in collaboration with Aaron Wurthmann
Over the past decade, customer expectations around cybersecurity have evolved drastically. If you’re building a B2B software company of any kind in today’s landscape, built-in security features have become table stakes. Building a modern customer base means having compliance certifications in order, and doing that requires strong foundations laid early on. Wait too long, and things become very costly. Lacking the proper security controls at an organizational level inevitably leads to products that are not secure enough for the modern market.
Building security into your organization in the early days is certainly not an easy task, but it is one worth taking on. I’ve found this to be true in my own experience, one example being my time at Moveworks. We knew that we were building an enterprise-grade company, and we were forward-thinking enough to build security into the ground floor. We built a top-class security stack not just on the technical side, but on the culture and enablement sides as well. It allowed us to bring in enterprise customers from day one because we already had a security strategy in place that satisfied their requirements.
For additional insight on the subject, I got together for a chat with my friend and cybersecurity expert Aaron Wurthmann. Aaron has worked with early-stage companies for 25 years, and has an incredibly diverse background across multiple markets, verticals, and company sizes. He has held senior leadership positions in IT, DevOps, and Information Security, and has experience as both CIO and CTO. Aaron’s experiences range from working with Fortune 50 companies, to founding a startup and bringing it to a successful exit that same year. He was also a single-digit IT hire at Marketo, leading the organization from public stage to eventual acquisition by Adobe.
Aaron and I sat down to discuss the finer points of building foundational security elements in a startup environment, and how best to evaluate your own specific needs as an early-stage organization.
What do startup founders need to understand about security before they can start laying the right foundational pieces?
First and foremost, security must be everyone’s job, not just the folks in the security organization. Ideally, this is a culture that is built from the start. Secondly, getting the security function into the project process early is key. Doing so will not only aid in creating a secure outcome, but can reduce the reactive costs associated with development and operations when a vulnerability or compromise is found. Lastly, it is important to understand the difference between “compliance certifications” and risk mitigation through Security. Compliance certifications like SOC 2, ISO 27001, HITRUST, FedRAMP, and so forth are great. They often provide a framework, and may even be required for your line of business, but they are table stakes in the ever-changing threat landscape. Being compliant and having a certificate doesn’t necessarily make you secure; it is simply a component.
How should startup founders go about evaluating their security needs? Are there different considerations by industry and vertical, or are the foundational elements universal?
There are absolutely different considerations per industry, product, market, and customer segment. At its very core, security is about protecting what is worth being protected, including the reputation of the company. The “what to protect” is going to be different across markets and products, so the “how” is different as well. There are of course commonalities experienced across verticals; for example, the leading cause of system compromise and loss over the last few years remains phishing and smishing (text phishing). Some universal aspects of security are endpoint detection and response (including cloud assets), firewalls (including web application firewalls), vulnerability scanning/assessment, and secure configurations based on the asset type.
What is the first step founders should take to implement the right security stack?
Inventory. It might sound obvious but it is very often overlooked. Take and keep inventory of your assets: human assets, physical (laptops/servers), software/SaaS apps, cloud assets/workloads (compute nodes, repositories), source code, data, and data flows; know what and where your assets are. You cannot protect what you aren’t aware of.
Preferably, the next step, managing assets, feeds your inventory process and vice versa. Be it a cloud asset or a physical asset, the ability to manage assets in a uniform manner en masse is key to achieving scale. Inventory, Manage, Assess, Secure.
What is the first dedicated security hire a company should make, and what does that role typically look like?
There are two core functions that need to be served, and which is prioritized will depend on the individual company. First, because the majority of companies require some form of compliance certification or a path towards that goal, having someone that knows the compliance requirements and frameworks is key to achieving the return on investment of the headcount.
Second, a technical person that is, at a minimum, going to implement the controls required to achieve compliance. For these reasons, early inventory and assessment of skill sets and company goals is essential. If the goals are to reach compliance as quickly as possible and there is another technical resource to implement those requirements, then a compliance framework hire might be best. If however the goal is to secure the product/environment beyond certification then a technical security engineer might be best with a loose idea of compliance security framework being followed.
As a company grows, what are the signals that they have the right security foundations in place? What are red flags that indicate they don't?
There are several key indicators of success. First, compliance certification audits and milestones are being met on time. It may seem like I don’t value compliance; I assure you I absolutely do. I just want folks to know that compliance and certification is one large goal of a few. Secondly, IT and/or Security can demonstrate that 100% of assets (again physical, virtual, software) and user accounts (employees, contractors, consultants, and temps) are accounted for and managed. Lastly, security considerations and controls can be demonstrated at each and every stage of the product life cycle. This one isn’t going to happen overnight; what you are looking for here is progression towards that goal.
So many, many things can be wrong or go wrong. Obvious red flags are the inverse of the above – compromise, the inability to correct “security bugs” or critical vulnerabilities in a timely manner, etc. The not-so-obvious red flags are when security is only a consideration at the Operate and Monitor phases of a product life cycle. If that is your security team’s only connection point to a product then chances are (if you are fixing your security bugs) you are spending 2 to 3 times more on operations and development costs.
What are the benefits to getting this right at a foundational level, and what are the potential consequences of getting it wrong?
The benefit, put simply, is lower risk of business disruption and compromise, more effective use of resource time, and lower overall costs (lower cost of goods sold, lower cost of revenue).
The consequences are compromise, business disruption, and doubling or tripling costs associated with correcting items that could have been mitigated earlier in the product or process lifecycle. Starting off with a culture that ensures no secrets or passwords are hardcoded into the source code, or that all third-party libraries are inventoried and assessed before going into production, has proven to reduce cost by as much as 75% vs. adopting a reactive approach.
What final advice do you have for startups and founders as they think about implementing early security foundations?
We’ve touched on this already, but it all starts with the culture of the company. The founders and leaders drive that culture. Building a “Secure by Design, Secure at the Start” foundation is going to protect your company and business in a way that no single security tool can. Building this culture doesn't add costs, and it will continue to pay off.
Title: Building a culture of security: Early foundations and strategy
Authors: Yousuf Khan and Aaron Wurthmann
Date: 6/8/2023
Link: https://www.linkedin.com/pulse/building-culture-security-early-foundations-strategy-yousuf-khan/