If you’ve read anything of mine in the past year, you know just how complicated security can be.
Every day it seems there’s a new security lapse, a breach, a hack, or an inadvertent exposure, such as leaving a cloud storage server unprotected without a password. These things happen, but they don’t have to; security isn’t as difficult as it sounds, but there’s no one-size-fits-all solution.
We asked Google’s Heather Adkins, Duo’s Dug Song, and IOActive’s Jennifer Sunshine Steffens for their best advice. Here’s what they had to say.
Quotes have been edited and condensed for clarity.
1. Don’t put off the security conversation
The one resounding message from the panel: don’t put security off.
“There are basically three areas that folks should start considering how to bucket those risks,” said Duo’s Song. “The first is corporate risk in defending your users and applications they access. The second is application security and product risk. A third area is around production, security and making sure that the operation of your security program is something that keeps up with that risk. And then a fourth — a new and emerging space — is trust, and not just privacy, but also safety.”
It’s better to be proactive about security than to be reactive to a data breach; not only will it help your company bolster its security posture, but it also serves as an important factor in future fundraising negotiations.
Song said founders have a “very direct obligation” to think about security as soon as they take someone else’s money, but especially when a company starts gathering user or customer data. “You have to put yourself in the shoes of those folks whose data you have to protect,” he said. “It’s not just your existential threats to your business, but you do have a responsibility, right, to figure out how to do this well.”
IOActive’s Steffens said startups are already a target — simply because it’s assumed many won’t have thought much about security.
“A lot of attackers will go after startups who have high value data, because they know security is not a priority and it’s going to be a lot easier to get ahold of,” she said. “Data these days is extraordinarily valuable.”
2. Start with the security basics
Google’s Adkins, who runs the search giant’s internal information security team, joined the company almost two decades ago when it was just the size of a large startup. Her job is to keep the company’s network, assets, and employees safe.
“When I got there, they were so fanatical about security already, that half of the job was already done,” she said. “From the moment [Google] took its first search query, it was thinking about where those logs are stored, who has access to them, and what is its responsibility to its users.”
“Startups who are successful with security are those where the chief executive and the founders are fanatical from day one and understand what threats exist to the business and what they need to do to protect it,” she said.
Song said many popular products and technologies these days come with strong security by default, such as iPhones, Chromebooks, security keys and Windows 10.
“You’re better off than the 90% of large companies out there,” he said. “That’s one of those few strategic advantages you have as a smaller, nimbler organization that doesn’t have a lot of legacy,” he added. “You can do things better from the start.”
“A lot of the basics are still key,” said Steffens. “Even as we come out with the new shiny technology, having things like firewalls and antivirus, and multi-factor authentication.”
“Security doesn’t always have to be a money thing,” she said. “There’s a lot of open source technology that’s really great.”
3. Start looking at security as an investment
“The sooner you start thinking about security, the less expensive it is in the end,” said Steffens.
That’s because, the experts said, proactive security gives companies an edge over competitors who tack on security solutions after a breach. It’s easier and more cost-effective to get it right the first time without having to fill in gaps years later.
It might be a hard sell to funnel money into something where you won’t actively see financial returns, which is why founders should think of security as an investment in the future. The idea is that if you spend a little money at the start, it can save you down the line from the inevitable — a security incident that will cost you in bad headlines, lost customer trust, and potentially fines or other sanctions.