Minimum Viable Security

From Security for Everyone, edition 1.0.0. Updated October 9, 2023.

🚀 As explained by Laura

When it comes to figuring out how much security is “enough” for your business, there is no “one-size-fits-all” template you can follow. Use the following prompts to understand how your business, industry, and aspirations will affect how much or how little security will be needed for your stage.

Factors affecting your minimum viable security requirements:

  • Your budget and runway. Whether you need to purchase new equipment or software, or just invest your time—there is always an opportunity cost when implementing security. Your available budget for security will determine how much time and resources you can dedicate to it. Be realistic and pragmatic when assessing your budget. It’s better to pick a small list of achievable actions that you can afford to commit to, rather than stretching your budget too thin trying to address everything from day one.

  • Your market or domain. Your market sets expectations for security—just as it does in terms of marketing language, brand definition, and operational model. If you operate in a market that handles sensitive information such as health data, financial information, or sensitive commercial IP, the level of security expected, even at early stages, will be higher than in other industries and markets.

    While there is often an understanding that early-stage companies won’t have the same standards or practices as more established companies, customers and regulators will still expect the organization to have a plan to achieve this level.

  • Your growth plans and strategy. The faster you intend to grow, the more likely it is that you will be selling to larger, more discerning customers. High growth depends on high sales volume, so you need to be prepared for what those larger buyers will ask of you. Larger companies often include security due diligence in their purchasing process, and your company will need to be ready for it (a subject we cover later). Additionally, if your plans include raising funds, acquisition, or other significant operational or financial change, security requirements will need to be included in those plans.

Once you’ve determined what each area above looks like for your situation, you can start to prioritize.

A Prioritized Approach to Defense

Take time early in your security planning to prioritize your approach and make it clear to your team what you expect the organization to achieve and what will be added to the backlog for a later stage.

This process of reviewing your security needs and prioritization will need to happen at regular, key milestones for your business. These typically include:

  • annual reviews as part of planning and strategy

  • significant operational or product changes such as a pivot or diversification

  • significant market or environmental changes

  • significant financial change such as funding, sale, acquisition, or significant revenue growth.

When prioritizing your approach, consider the impact of each piece of work you undertake and schedule higher-impact work sooner rather than later.

The following outlines our approach to prioritizing early-stage security management.


Table: Suggested Security Management Priorities

Stage: What's Involved

1. Survival
  • Create the processes and plans needed to respond to and recover from security incidents and service disruption.
  • Create basic awareness and monitoring to identify potential security incidents early.

2. Education
  • Help your entire team understand why security matters for your business and your expectations as a leader.

3. Definition
  • Define the policy, standards, and processes that allow you to reduce risk to a tolerable level. This will be the framework that defines how security should be implemented.

4. Implementation
  • Create the controls that meet your defined policy and reduce the organization's risk.
  • Improve monitoring and alerting mechanisms.

Survival is first because there will always be the chance of a security incident. The following stages then help build culture and awareness—engaging the wider team in your security efforts, and defining and implementing the controls you need to reduce risk.

Implementation of controls may feel like the most urgent or important stage, and leaving it to last can feel frustrating. Keep in mind, however, that the space of possible security controls is vast and includes thousands of potential actions. By jumping straight to implementation you can lose focus, feel overwhelmed, and spend limited time and resources reducing the wrong (or least likely) risks to your organization.

Figure: The cycle of security management: survive, educate, define, implement.

Remember that when planning security for your startup, there is no room for perfectionism. There is no such thing as 100% secure. Be patient, prepare for the worst, engage your team, define your aims, and then start implementing; you will find you have more support and help, and a clearer idea of your achievements and risks.

Data Protection

🚀 As explained by Laura

Getting to Know Your Data

Identifying and protecting that which has value for your organization and your customers is at the heart of how you should approach security. For many of us, that value lies in the data we store and process.
