As a startup founder you will face the challenge of building a business which incorporates a cybersecurity strategy and demonstrates to your customers that you take cybersecurity seriously.
The dilemma
One of the reasons startups exist is that they allow a new business to be built free from the baggage that holds established businesses back and acts as a barrier to innovation. As a startup founder you will naturally feel the cognitive dissonance of trying to push forward a new product and business model while at the same time working out how to apply business processes and controls that are standard, normal and established. This can feel like an unmanageable burden: how is it possible to reconcile these two things? It can also feel frustrating: why do your customers spend so much time talking about security certification when they could be talking to you about adopting a unique emerging technology product?
There's quite a lot to dig into here.
Security compliance
If you intend to sell a B2B product or service, potential customers may want to know which security certifications your business holds. A certification is a standard way to demonstrate a security capability: the 'security problem' is broken into a number of capability areas, controls are described for each area, and an assessor reviews evidence to decide whether the business meets the requirements.
For a procurement department, making security compliance a requirement is an easy way to shortcut any detailed security discussion:
"Do you have ISO27001?"
"Yes, certificate number X/Y/Z"
"Great, let's do business"
Some common frameworks are:
- ISO27001 (ISO/IEC 27001) - a comprehensive international standard for information security management systems. It is commonly used in Europe and will be accepted as a comprehensive statement of cybersecurity competence by any international business.
- NIST CSF - the Cybersecurity Framework published by NIST, a US government agency. It is the go-to framework in the US and will be understood by any US business, but it is a framework rather than a certification: it defines four Implementation Tiers, Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3) and Adaptive (Tier 4), which describe how rigorously an organisation manages cyber risk.
- Cyber Essentials - a UK scheme run by the NCSC and delivered by IASME, with two levels: Cyber Essentials (CE) and Cyber Essentials Plus (CE+). Both cover the same five basic technical control themes, so they demonstrate baseline rather than advanced maturity. CE is a self-assessment questionnaire reviewed by an assessor and is much simpler to obtain; CE+ adds independent technical verification of the same controls. Being a UK scheme, it will mostly only be relevant for UK business transactions.
Doing business with UK government departments may require ISO27001 or CE+. Gaining security compliance has its advantages, but it is not a simple process and it has costs. Assuming everything is plain sailing:
- CE is self-assessed. Expect to pay around £1.5k for the application and assessment process, plus a small number of days of effort.
- CE+ is independently assessed and includes an external vulnerability scan of the internet-facing IT assets you own and hands-on testing of a sample of devices. Expect to pay £5k - £7.5k plus some number of days' time.
- NIST CSF doesn't specify an accreditation process, but businesses can self-assess or commission an external assessment with independent verification. Expect to pay £15k - £30k for an assessment as a small business.
- ISO27001 is similar in cost, £15k - £30k, and certification always requires an accredited, independent certification body.
Costs above are a guide and can be considerably higher for larger, more complex businesses, or business with a higher compliance requirement.
If your company has no experience of security certification or compliance, the process is unlikely to be plain sailing and you will need some support. An experienced security consultant supporting an ISO27001 certification could cost around £8k - £20k for a small/medium business, depending on its maturity.
Security certifications also need to be renewed periodically, and the minimum requirements are revised over time.
Should you worry about compliance?
Security certification is a cost of doing business with some types of customer. If you want to trade with those customers, you will need to work out how to factor this cost into your business plans. Customers naturally expect it to be part of your cost profile, but that doesn't mean any single customer will expect to pick up the cost.
Not everyone treats blanket security certification as a minimum requirement for doing business: some businesses accept early-stage products into an innovation lab to assess their suitability or incubate product features. Another option is to find supply chains specifically set up to mature emerging technology products. Within such a supply chain your startup gets help to mature the product and gain compliance, while the incubator gets access to innovation and a source of cutting-edge technology to form part of its own offerings.
Security in your startup
Regardless of whether you have a compliance target to meet, establishing a cybersecurity posture is essential for anyone starting out in business. Some legal mandates apply to almost everyone in business, and there are some decisions which, if you get them right from the start, avoid headaches further down the line.
Here are a few things to consider:
- Every UK organisation which processes personal data must, unless exempt, register with the Information Commissioner's Office (ICO) and pay a data protection fee; the ICO publishes a self-assessment to check whether your business needs to register. Similar regulations exist for businesses registered outside the UK.
- Protect personal data. Regardless of your stance on compliance, the UK General Data Protection Regulation (UK GDPR) applies to any business handling personal data in the UK. It covers how personal data is acquired, stored and processed, the lawful basis on which you hold it (consent is one basis among several), and the obligations you have to the individuals whose data you hold. The ICO website has a lot of clear guidance on addressing GDPR in your business.
- Work out a process for adopting applications: you will need many cloud-based applications to run your business, e.g. email, team messaging, document storage. The pressure will be on to get the business running, but take some time to put together a short checklist of things to consider (published SaaS security checklists such as the one under Extra resources are a good starting point) and keep notes on your decisions. If you record your assessment criteria, it will be easy later on to update the criteria and work out the impact on existing decisions.
- Deploying applications and data storage: you absolutely will need to put good security groundwork around anything deployed to handle private data. This is a blog series in its own right; any application running in the cloud can easily become a target for malicious actors. The security of your application is your reputation, so don't cut corners. A data breach in the early stages could easily end hard-won customer relationships and potentially your business, particularly if it could have been avoided by simple protective measures. There is a great deal of advice on the internet; a few resources are included below.
- Automate everything: in software builds and deployments, human errors abound. It is very easy to deploy the wrong thing, deploy to the wrong environment, or take out a key security defence. Save yourself some inevitable headaches and let automation do this work for you. As a startup competing against the whole of the technology sector, you'll have other reasons to automate as much of your technology development as possible. There is a lot of DevOps / DevSecOps tooling for this, much of it free or next-to-nothing for startups, so go and find the good deals.
- Use mature technology: As tempting as it is to run with all the latest cutting edge technology, cutting edge solutions tend to be low-maturity. Use reliable solutions for simple tasks.
- Start to develop the threat model for your business: adopting “best practice” from all the research you can find will not cover everything you need to be aware of as a business. As you develop your product, identify the security problems which may be unique to your business, track them, and use them to prioritise product investment decisions.
Make security your USP
Finally... you should now be aware if you weren't already: cybersecurity is a major challenge for everyone in business. As an entrepreneur think about how you can make a difference:
- Techniques for automating and securing supply chains help accelerate businesses struggling to maintain their cybersecurity stance: automating software processes and compliance testing; keeping track of what a software package contains and ensuring nothing malicious has entered the supply chain; detecting unusual events in the supply chain; integrating third party packages in a safer way.
- Automating complex security decisions help businesses to innovate faster: automating risk decisions; automating the process of building secure components; pre-packaging component frameworks which solve high-risk aspects of product development.
- Automating assurance cuts out lengthy, manual process verification.
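The supply-chain point above ("keeping track of what a software package contains and ensuring nothing malicious has entered the supply chain") and the earlier "Automate everything" advice come together in one concrete check, shown here as an added example rather than code from the original post. It mirrors the idea behind pip's hash-pinned requirements (`--require-hashes`): every dependency in a lockfile is pinned to an exact version and a sha256 digest, and a build pipeline only accepts a downloaded artifact whose bytes hash to a pinned digest. The helper functions, the package names, the artifact bytes and the lockfile text are all constructed for the demonstration and are not part of pip or any real project.

```python
"""Hash-pinned dependency verification (added example, not from the original post).

Mirrors the idea behind pip's `--require-hashes` mode: a dependency is pinned
to an exact version plus one or more sha256 digests, and an artifact is only
accepted if its bytes hash to a pinned digest. Package names, artifact bytes
and the lockfile text below are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Pin:
    name: str
    version: str
    hashes: set[str] = field(default_factory=set)


# `name==version`, optionally followed by whitespace and --hash options
_PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[^\s\\]+)")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def parse_requirements(text: str) -> dict[str, Pin]:
    """Parse a lockfile into pins, rejecting anything that is not fully pinned.

    Backslash line continuations are joined first, so a pin and its hashes may
    span several physical lines as pip-compile emits them.
    """
    pins: dict[str, Pin] = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparseable requirement: {line!r}")
        pin = Pin(m["name"].lower(), m["version"],
                  {h.lower() for h in _HASH_RE.findall(line)})
        if not pin.hashes:
            raise ValueError(f"{pin.name}=={pin.version} carries no --hash pin")
        pins[pin.name] = pin
    return pins


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifacts(pins: dict[str, Pin],
                     artifacts: dict[str, bytes]) -> tuple[bool, list[str]]:
    """Check downloaded artifacts (name -> bytes) against the pins.

    Fails closed: a digest mismatch, a pinned package with no artifact, and an
    artifact that no pin asked for are all reported as problems.
    """
    problems: list[str] = []
    for name, pin in pins.items():
        data = artifacts.get(name)
        if data is None:
            problems.append(f"{name}=={pin.version}: pinned but no artifact present")
            continue
        digest = sha256_hex(data)
        if digest not in pin.hashes:
            problems.append(f"{name}=={pin.version}: sha256 {digest[:16]}... "
                            "not in pinned set")
    for name in artifacts:
        if name not in pins:
            problems.append(f"{name}: artifact present but not pinned "
                            "(unexpected dependency)")
    return (not problems, problems)


# --- constructed demo data -------------------------------------------------
GOOD_WHEEL = b"constructed stand-in for the bytes of requests-2.31.0-py3-none-any.whl"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# constructed stand-in for an injected payload"
LOCKFILE = f"""
# constructed lockfile; the digest is derived from GOOD_WHEEL above
requests==2.31.0 \\
    --hash=sha256:{sha256_hex(GOOD_WHEEL)}
"""


def demo() -> dict[str, bool]:
    """Run the three cases a build pipeline hits; return accepted/rejected per case."""
    pins = parse_requirements(LOCKFILE)
    clean_ok, _ = verify_artifacts(pins, {"requests": GOOD_WHEEL})
    tampered_ok, _ = verify_artifacts(pins, {"requests": TAMPERED_WHEEL})
    extra_ok, _ = verify_artifacts(pins, {"requests": GOOD_WHEEL, "leftpad2": b"x"})
    return {"clean": clean_ok, "tampered": tampered_ok, "unexpected_package": extra_ok}


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'REJECTED'}")
```

Run as a gate in the build pipeline, a check like this turns the "what is in our software" question into a mechanical pass/fail: a swapped artifact, a dependency that appeared without anyone pinning it, and a lockfile entry that was never hashed all stop the build rather than relying on a reviewer to notice.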
Extra resources
- DarkTrace white paper on cloud security
- AWS Well Architected Framework - Guidance on securing applications in the AWS cloud
- Google introduction to cloud security - for Google Cloud
- AppOmni SaaS security checklist