How not to Get Hacked: Security 101 for Startups

How to Get Started with Information and Cyber Security as a Startup

Thomas K. Fischer
7 min read · Nov 7, 2021

They are out to get you - your money, your data, your intellectual property. Or they are simply on a vendetta to harm or destroy you. This is about how you can protect your company from hackers, disgruntled ex-employees, and everybody out there that has a grudge against you.

Large enterprises have had years, sometimes decades, to build up their security posture. This is a luxury most startups don’t have. They need to play on the same level in a very short amount of time. But without governance, processes, and security infrastructure in place, it is hard to adopt established security frameworks and see short-term success.

This article shows you how to get from basic or no coordinated security to a working security setup quickly. The recommended processes and security controls are based on the established security frameworks and control sets, so you can later extend your security posture to any of the major frameworks and the steps you’ve already taken will fit right in.

What do You Want to Achieve with Information and Cyber Security?

Simplified, Information Security is about ensuring the confidentiality, integrity, and availability of your data (the CIA triad). Cyber Security adds a focus on networking and supplier management in our highly interconnected world. More complex and modern security frameworks add a focus on abuse (malware like bots and ransomware) and on more modern attack vectors.

There are four fundamental goals you can achieve with Information and Cyber Security:

  • Improve your Information Security Posture
  • Identify and manage your IT Risks
  • Fulfill your legal, regulatory and contractual requirements
  • Obtain attestations and certificates about your Information Security Posture

In most cases, you want a combination of all four, but you need to be aware of how you prioritize. Improving your security posture and getting a security certificate are not the same thing. There are a lot of activities that dramatically improve your security posture but do not affect audit results, and vice versa.

Keeping Track of Your Security Requirements

The actual requirements you need to cover with your information security strategy are a mix of some generic elements, like how to handle personally identifiable information or PII, and highly specific elements, like individual contracts between you and your customers.

Large enterprises usually have a governance and compliance framework to track all the requirements and ensure everybody follows them. They also track all known risks and how they handled them.

Information Security is usually a large part of governance, risk, and compliance (GRC) within every company. We will focus on this in a separate article.

Information Security Frameworks and Control Sets

The good news: as millions of companies worldwide face the same challenges with information security, there are hordes of consultants, auditors, and organizations that try to help you. Some of them have written lists of safeguards and countermeasures (Control Sets); others describe best practices on what processes, documents, and authority you need to keep everything running (Security Frameworks).

The bad news: as they try to cover a vast range of attack vectors, they are mind-bending when you have your first look at them. They are definitely not the easiest material to digest. But established information security frameworks and control sets give you a good idea of what a sensible security setup should look like and how it should perform.

However, most security frameworks and control sets don’t tell you how to implement them or how long it takes. For example, they tell you to “develop a plan to assess and track vulnerabilities continuously on all enterprise assets” [CIS Control 7: Vulnerability Management] but give you no clue how to do that.

If you look at even the more basic frameworks and control sets, the time to implement them is usually months, if not years.

This article gives you an opinionated approach on how to go from basic security to mature information security management. But beware: there is no single magical tool to “fix” security for you. You need to invest some time (and money) to get this right.

How to Get Started — an Opinionated Approach

Information Security Frameworks are complex beasts. If you already have your corporate governance, risk management, and compliance (GRC) as a foundation, they are still a lot of work to implement. If you need to establish GRC alongside, it is even more. For this reason, this article is split into multiple parts.

Our goal is to get a secure setup for your production data as soon as possible, one that is compatible with the established frameworks. The other parts of this series extend the basic setup to cover all common requirements for a good security posture, up to the point where your company is ready for certification.

Avert Immediate Danger: Identify and Protect Your Most Critical Assets

You don’t have the time and resources to get from zero to a consistent security posture and GRC framework at once. Start with identifying and securing your sensitive data and most critical assets first.

This article explains the technical steps necessary to achieve this.

You can use this as a platform to extend your scope to all assets and extend it to achieve compliance with all major frameworks. This is your first step on the journey.

Formalize Security: Establish Information Security Governance, Risk Management, and Compliance

Now that your most critical assets are secured, bring your Information Security Governance and Compliance Framework in place.

Identify all the legal, regulatory, and business requirements you need to fulfill and build consistent documentation for everyone in your company.

This article explains the documentation hierarchy (Policies, Control Objectives, Standards, Procedures, Guidelines, Controls, Threats, and Risks), how to evaluate the information security risks your company faces, how to mitigate and document them:

More practical advice on established security frameworks that you can adopt for your own information security program is in the second part:

Security Architecture: Design and Implement the Infrastructure for Your Security Architecture

Security controls need to be handled as an integral part of your IT Architecture to be successful.

This upcoming article explains the necessary and useful tools a security department can provide for others to build upon (like SIEM, vulnerability scanning, and compliance scanning) and how to integrate security controls into application architectures (like IAM requirements, logging requirements, separation of environments, and network segregation).

Extend Your Scope

We now have a basic security posture, GRC sorted, and the security architecture in place. It is time to extend the scope to all assets in your company and extend the control sets based on your company’s risk appetite.

This upcoming article gives an overview of the most common security frameworks and control sets, where they overlap, and where they differ. Some controls are more or less universal (like “establish asset management”), while some are very specific (like “never store a CVV code” from PCI-DSS).

Get Certified

Some of the common security frameworks allow you to do a self-assessment, but most require an external audit.

This upcoming article gives an overview of the currently most common security audits and certifications to formally verify and approve your security setup. This can give your customers and your investors the trust they need to invest in you!

What’s Next

I have worked as a consultant for large enterprises and startups for over 20 years. This series of articles summarizes the common questions about their security setup that many of my customers have faced over the last years.

If you like this series, please clap or send me a short note to let me know there is actually an audience out there for this. If you have a better solution for any of the scenarios described here, please comment or contact / DM me on Twitter @DevSecArchitect.

Thomas K. Fischer

IT Security for Executives | #CyberSecurity #CISSP #CCSP #SecureMultiCloud #GRC #Governance #London | Security by Design for Startups and Enterprises