The ongoing startup revolution is driven by innovation and disruptive business models, invariably enabled by technology. But technology has introduced security as a prominent business risk, which if not addressed appropriately and at the right time can pose major challenges to a startup's efforts to scale and even sustain itself.
But as with traditional brick-and-mortar enterprises, security is never a first priority for technology-based startups. The focus is on innovation, functionality, speed-to-market and survival - mantras that are essential to succeed in this competitive landscape. The eventual result is security that gets bolted-on later.
How can startups ensure that security is built into the company and products from day one? What are some security mistakes that are difficult to fix afterwards, and will cost the most?
These mistakes can be classified in production issues and corporate issues, says Diogo MÃ³nica, a senior member of the Institute of Electrical and Electronics Engineers, or IEEE, and security lead at open app building platform developer Docker.
"Corporate mistakes are the least considered and the most common - a lot of the media headlines today started with relatively unsophisticated attacks that compromised an unmanaged system, which was then used to pivot," he says. "Trying to fix this once the company is up to a 1,000 employees on day 400 becomes impossible, and by then there is already a poor culture of security."
Some common yet costly security omissions on the production side include not using Transport Layer Security and HTTPS from day one in the infrastructure, MÃ³nica says. Many startups also make the mistake of sharing everything customer-facing, including blogs, on the same domain, setting themselves up for potential compromise.
As a senior IEEE volunteer and a security solutions architect, MÃ³nica has seen patterns emerge from his work with numerous startup companies in the way they approach security issues.
The Right Investments
It is a question of awareness, and founders and the executive management need to invest in tools and infrastructure that make security easy, he says. It is not fundamentally more difficult to implement stronger security or make better security choices when making infrastructure decisions, especially if it is easier to do the secure thing than to do the wrong thing, he says. And this is the posture that startups need to take early on, he advises (see: How Secure is Mobile App Development?)
In this in-depth audio interview (see audio link below photo), MÃ³nica speaks about:
- Startup security mistakes that are the most difficult to fix;
- Security and the speed-to-market challenge;
- The strategic view to security that startups need to be taking.
MÃ³nica is a senior member of IEEE and security lead at Docker, which offers an open platform for building, shipping and running distributed applications. At Docker, he advises startups, programmers, development teams and operations engineers on security and IoT issues. MÃ³nica was involved in building the security infrastructure at Square. He has spoken at dozens of conferences all over the world, taught security classes and published papers.