25

A common statement start-up executives make regarding security is that they are in a race to market and if they consciously choose to build in security from the get-go it may slow them down so much as to take them out of the race.

Hence they choose to do little to no security early on (or for several years) – accepting the risk in the hopes that the business first makes it.

Is there a strong challenge to be made against this line of thinking?

Tate Hansen
  • 13,794
  • 3
  • 41
  • 84
  • This is similar to your other question -- http://security.stackexchange.com/questions/157/what-are-a-few-good-lists-of-threats-to-use-to-kick-off-conversations-with-others -- anything else you are looking for? – atdre May 15 '11 at 08:06
  • Hopefully the answers to this question lead executives to talk more about what is asked in the question you linked to. This question doesn't presume they are interested in doing anything yet. – Tate Hansen May 15 '11 at 08:16
  • 2
    Part of the answer here could depend on what industry the start-up is in. Is it health/financial? There could be major regulatory violations involved. – Iszi May 15 '11 at 08:58
  • 2
    The executive may be right or wrong. There is no particularly helpful general answer to this question, unless you want yet another bland essay on how security is about risk management, and startups are about business management. Can you make it more specific, e.g. to a particular field with a typical blend of assets, threats, technologies and vulnerabilities? – nealmcb May 15 '11 at 14:08
  • 1
    I think we should strive to find appropriate balance between this question and [business risk - How do you manage security-related OCD (i.e. paranoia)? - IT Security - Stack Exchange](http://security.stackexchange.com/questions/3339/how-do-you-manage-security-related-ocd-i-e-paranoia) – nealmcb May 15 '11 at 14:14
  • Clearly this executive doesn't understand the mind of an attacker, and has now become prey. – rook May 15 '11 at 16:25
  • @nealmcb I'd rather not make the question specific - I think several of the answers offered already are great. – Tate Hansen May 15 '11 at 17:28

15 Answers

14

As I commented originally in the other question, Security cannot be the primary, or even a principal concern. Sometimes, during certain phases of the startup, you really need to focus on rapidly developing the features needed to drive the product, and patch security as necessary. Security can easily get in the way of operations, employee productivity, and slow down development. Although if yours is a security-related product or business, you might certainly need bulletproof security from the beginning, you really can't generalize and say that all businesses should focus on security from the beginning. (Sony, being large enough, needs to learn a lot of lessons about software development in the new century, not just about security.)

That said, security practices and practical security should be a factor on the mind of all technical employees. Where can you add security without getting in people's way? There's no such thing as 100% secure, so how much security is enough?

Eric Falsken
  • 316
  • 2
  • 5
  • 1
    I totally agree with this. The obnoxious result though of being softer on security early on is the loss of data that is important to others. The company officers may get a black eye or the startup may fail after a breach, but the pain felt to the others can be considerable - a negative externality situation. The three man startup that loses your PHI (Personal Health Information) and CC information may simply toss their hands in the air and say oops. Solutions to this will probably flow along with how economics address the problems of externalities. – Tate Hansen May 15 '11 at 15:59
  • 1
    +1, I would add to this, not just security-related business, but also others need to have security as a core feature early on. E.g. financial / CC apps, PHI, etc. And yet still, this needs to be weighed against other features, from a business / product PoV. – AviD May 17 '11 at 16:17
  • You're ignoring that availability is still a branch of security. Security _is_ the most important thing for any organization, since it includes "not getting in the way of operations". It would be more correct to say that _confidentiality and integrity_ cannot be the primary concern. – guest Nov 19 '17 at 06:40
13

Is there a strong challenge to be made against delaying security? No, I don't think so. Unless the industry is regulated by laws.

That's why information security is sometimes similar to risk management. You minimize the risk the best you can (that usually means within budget), you don't totally eliminate it.

So, delaying security is a form of accepting risk. Hopefully, this acceptance only lasts for a short while because when the executives are doing that, they are actually borrowing from the future. When the due date comes, well, let's just say it'd be embarrassing, messy, and sometimes even devastating.

More information about this line of thinking could be found from Veracode:

http://www.veracode.com/blog/2011/02/application-security-debt-and-application-interest-rates/

http://www.veracode.com/blog/2011/03/a-financial-model-for-application-security-debt/

Nam Nguyen
  • 1,460
  • 12
  • 14
  • Yes, agree, I guess my comment to @EricFalsken applies here too. – Tate Hansen May 15 '11 at 17:15
  • 1
    This is a good answer. Is it ok for "start-up" manufacturing and chemical plants to pump hazardous chemicals into the air? No, the EPA will shut the plants down if they don't meet the regulations. Yes, meeting the regulations costs money and hurts the start-up. Cost of doing business! But what are the costs to humanity? What's the long-term viability/sustainability? – atdre May 16 '11 at 07:04
  • 1
    @atdre, the cost to humanity is one of the externalities in Tate Hansen's comment. The long term viability is the question whether you can pay your debt later. This is like using a credit card. You take the goods first, and pay later. If you fail, hefty interest is imposed. – Nam Nguyen May 16 '11 at 07:20
  • My point is that we need an EPA-equivalent for IT start-ups that say, "Uh, please stop pumping so much bad code into the world -- or we're going to have to shut you down". With regards to credit cards and home loans -- this is obvious to everyone except the US government: People shouldn't be allowed to go well beyond their means; Lenders shouldn't allow their lendees to go beyond their means. Risk equations for things like Collateralized Debt Obligations (CDOs) need to work properly and be well regulated. And so does start-up software. Ohh, the future we will be... – atdre May 17 '11 at 00:20
10

I agree with the executive. If you look at the number of startups that have failed due to a security breach, vs the number of startups that have failed due to losing the race to be first, I think it's clear that the latter vastly outweigh the former.

Startups are all about taking risks to get to the big win. There are so many ways that a startup can fail. Saying that we accept a small probability that the startup fails because of a security breach just isn't that big a deal, if the benefit is that we get to significantly reduce the risk of the startup failing for other reasons.

I think the executive is proposing a plausible strategy: he is saying, we accept some security debt now, in exchange for getting to the finish line faster. This will cost the company later: the company will either have to pay down the security debt later, by re-architecting/re-implementing its systems, or else the company will later be taking a big risk of a serious security breach. But many startups would happily accept that tradeoff. "Pay later, if the startup is a big success" probably trumps "pay now, and possibly make the startup fail".

Here is my advice. Rather than trying to get the exec to change his mind, I would suggest you do two things:

  • Instill the notion of "security debt". Prepare the groundwork so that if the company becomes successful, you will later have buy-in for paying down the security debt and improving the security of the company's systems.

  • Right now, focus on cheap security mechanisms that won't slow down the company's ability to get to the finish line. I'm talking about simple things like firewalls, auto-updates, backups, etc. Also, you might brainstorm and develop more sophisticated security solutions or designs in parallel to the team's development effort, so it doesn't slow down the rest of the team -- assuming the company can spare you for that kind of effort.

D.W.
  • 98,860
  • 33
  • 271
  • 588
  • 3
    +1 for security debt or security investment. I think this is a key concept to sell, not just to startups, but in large corporates it would be a project team or similar. It's all very well taking a risk and getting the product/service shipped quickly, but you need to budget for sorting it afterwards, not just leaving it as 'shipped - done' – Rory Alsop May 17 '11 at 13:53
  • +1, and I'd like to keep upclicking for a while... I know I'm late to the game here, but you pretty much covered all the points I was going to answer. You even covered "security debt", along the lines of "technical debt", which was going to be my main point alongside risk management. – AviD May 17 '11 at 16:29
  • Btw, "cheap security mechanisms" can also be at the application layer - mostly around training and high-level threat modeling. – AviD May 17 '11 at 16:36
9

Parasites will not only ruin your potential revenue streams for products/services, but they will also ruin your early-on brand/reputation, and destroy your ability to market your products/services. They will break your SEO, AdWords, and similar Internet marketing concepts -- which are necessary to build your online presence.

Adversaries automate parasitic infection of websites with botnets and other forms of automation -- making every website a potential target, especially those in start-up mode (because they often rely on third-party hosting/CMS/blog/forum/e-commerce packages, components, services, etc).

atdre
  • 18,945
  • 6
  • 59
  • 108
  • 1
    Playing devil’s advocate – isn’t this throwing the FUD card? A startup I know is doing nearly zero security and hasn’t experienced anything bad yet. From their perspective they gambled right. The money that comes from leading the business race can be used to strengthen security later – it’s hard to convince them to flip that order. – Tate Hansen May 15 '11 at 08:35
  • 2
    Actually it is easy - you just have to wait for the disaster. – Martynas Saint May 15 '11 at 11:23
  • @Systemsninja – wholeheartedly agree, I subscribe to the “one breach away from a budget increase” style of management :) – Tate Hansen May 15 '11 at 16:48
6

Recently I set up an FTP server from home because I work remotely and wanted a way for colleagues and customers to be able to transfer large files to me overnight (other side of the world). I was really shocked to discover how many (automated?) attempts are made each week to break into my FTP server - just a little home server without advertising. It has convinced me that you can't be paranoid enough - people will try to break in and steal your data or your customer's data. Anything less than doing your best wrt security is a fail.

hamishmcn
  • 169
  • 2
  • Indeed. I run an SSH server and have observed a very high volume of attacks for what isn't really a well advertised target. +1, it is not sufficient to assume you're not being targeted. –  May 15 '11 at 09:33
  • 3
    I don't think this answer proves anything. Those are blind, dumb attacks, and they are easily stopped through very elementary security methods -- set up a firewall. I suspect the exec would say, sure, set up a firewall, that takes like 30 minutes for the IT support staff -- but don't spend a lot of time on building security into the new software the startup is developing. – D.W. May 15 '11 at 17:51
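The "blind, dumb attacks" described in this answer and the comment above are easy to see in a server's own logs once failed logins are counted per source address over a short window. The following is an added example (not code from anyone in this thread) that does that over a handful of constructed log lines; the line format, the threshold of five failures per minute, and all addresses are assumptions made for the example, not a real service's log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real logs). The line format is an assumption made
# for this example: "<ISO time> <service> <FAIL|OK> user=<name> from=<ip>".
# First block: one address trying many usernames within seconds (automated).
# Second block: a real user mistyping once, then succeeding.
# Third block: three failures an hour apart, below any sensible rate.
SAMPLE_LOG = """\
2011-05-14T02:00:01 ftpd FAIL user=admin from=203.0.113.5
2011-05-14T02:00:03 ftpd FAIL user=root from=203.0.113.5
2011-05-14T02:00:04 ftpd FAIL user=test from=203.0.113.5
2011-05-14T02:00:06 ftpd FAIL user=ftp from=203.0.113.5
2011-05-14T02:00:07 ftpd FAIL user=guest from=203.0.113.5
2011-05-14T02:00:09 ftpd FAIL user=oracle from=203.0.113.5
2011-05-14T02:05:10 ftpd FAIL user=hamish from=198.51.100.7
2011-05-14T02:05:31 ftpd OK user=hamish from=198.51.100.7
2011-05-14T03:10:00 ftpd FAIL user=admin from=192.0.2.44
2011-05-14T04:10:00 ftpd FAIL user=admin from=192.0.2.44
2011-05-14T05:10:00 ftpd FAIL user=admin from=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) from=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: {"failures": n, "users": [...]}} for every source address that
    produced at least `threshold` failed logins inside any `window_seconds` span.

    A per-address sliding window is used so that slow, widely spaced failures
    (a user who forgets a password now and then) are not reported as attacks.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # ip -> timestamps of failures in the window
    users_tried = defaultdict(set)   # ip -> distinct usernames attempted
    total_failures = defaultdict(int)
    flagged = {}

    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None or event["result"] != "FAIL":
            continue
        ip = event["ip"]
        stamps = recent[ip]
        stamps.append(event["ts"])
        # Drop failures that fell out of the window.
        while stamps and event["ts"] - stamps[0] > window:
            stamps.popleft()
        users_tried[ip].add(event["user"])
        total_failures[ip] += 1
        if len(stamps) >= threshold:
            flagged[ip] = {
                "failures": total_failures[ip],
                "users": sorted(users_tried[ip]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, usernames tried: {info['users']}")
```

Run against the sample, only 203.0.113.5 is reported; the user who mistyped once and the slow, spread-out failures are not. Feeding an alert like this into a block rule is the "very elementary" countermeasure the comment above refers to, and it costs nothing in development time.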
6

Security is about risk management, which is ultimately a business decision.

You need to help your startup exec understand not only what the risks are, but also how the implementation costs will differ between doing it now and later. Trying to embed security into software after it's released is difficult and far more expensive.

If this is a race to the finish line, then offer solutions that don't impede their progress. Developers and engineers can still build software while you work in parallel to them. Try to find a compromise solution that:

  • uses commercial off the shelf defences or pre-built packages (for example, web app firewalls)
  • allows you to integrate security in more effectively later through early stage architectural decisions (specifically, knowing where the defensive code will go when you have time to implement it)
Ben
  • 605
  • 4
  • 11
  • I haven’t seen a startup executive seriously change course when provided with the advice that “trying to embed security into software after it’s released is difficult and far more expensive”. In fact, often it fuels their resistance because the tone of it economically scares them (i.e. security is expensive – there is no way I can do security right now). It’s a great point, but it can fail to really resonate. – Tate Hansen May 15 '11 at 16:28
  • I agree, it rarely works but it's also the most likely to succeed of all approaches if you've got a startup exec who's not interested in rational arguments or swayed by FUD. This of course assumes time and not money is the primary constraint. – Ben May 15 '11 at 17:18
6

One answer missed so far is around getting security on the agenda as a value-add for the startup. This can be effective, especially in industries which have recently had a highly publicized attack. If the VCs or stakeholders can understand how improved security can help them sell the product or service then it becomes an argument they can understand: profit!

Yes, it can be very difficult to persuade them, and a lot comes down to timing; as I said, it is much easier right after something like the PSN crack to push the concept of security as a value add to a company doing online gaming, but sadly not as easy to use the same example in a different industry, despite the fact that the issue was around compromise of personal data from a customer database, which should be relevant to everyone!

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
  • +1 for security as marketing... unfortunately, the marketing of security is often not reflected by reality, so the benefits are possible with the real costs. – AviD May 17 '11 at 16:32
3

Is the executive cool with running the company without any insurance? If yes, listen to what everyone else has said so far (and run away from this company -- fast), if not, ask them why they are doing it then by not thinking about security.

Steve
  • 15,215
  • 3
  • 38
  • 66
3

You can take the practical approach. Take permission and hire a (preferably) junior penetration tester and let him "steal" the most major company secret you have, or find some other major flaw, or even perform a social engineering attack (like sending a malicious pdf file to a secretary). Then present the executive with the findings and focus on reputational damage (that's where startups hurt the most).

Pen & paper scenarios are not quite as effective in demonstrating insecurity as your secrets out in the open. That should convince them to at least think about putting some money in security.

The argument to be made here is not that you are insecure, but the ease with which someone with little experience can break in or find a big fault that could have been avoided with minimum security investment.

john
  • 10,998
  • 1
  • 36
  • 43
  • Pentesting is not an economic priority for most startups – they push to delay almost all security work. The only startups I see purchasing pentests are the ones that have suffered an incident, are required to by a business agreement, or subject to a law or regulation. – Tate Hansen May 15 '11 at 17:50
  • I agree. My point was not to purchase a commercial, expensive, full scope pentest, but to hire an individual junior pentester to do a demonstration attack as a proof of concept, to highlight insecurities. I've seen it happening, and have done it myself: I was working in a startup as an administrator and when I wanted budget for security, I acted myself as an external pentester, found some flaws and presented them to my superiors. (I was qualified enough, so I didn't hire another person). They were shocked and invested in a small extra sum for security in the yearly budget. – john May 15 '11 at 17:59
2

You can have balance.

Don't open ANY unnecessary ports, and keep your "admin" stuff restricted to the LAN or from certain known admin IPs. That way at least the stuff you're taking shortcuts on becomes internal only.

Every startup should be expected to follow basic, practical security principles. If you can't invest in security the way you want to, rely on simplicity and a little inconvenience on your part to reduce your attack surface area.

Brandon
  • 129
  • 1
  • 2
    Unfortunately this just isn't suitable for a rapid startup to market, for the reasons @Tate outlined. In many cases the only thing they have to prove to VCs is that the product can sell, and quickly. – Rory Alsop May 15 '11 at 14:22
  • @rory I respectfully disagree. This is absolutely basic and practical and it does not impact productivity. The "investment" in security is tiny and shouldn't even show on a balance sheet. You can also point it out to your VCs as a selling point. A VC is not going to be happy if they lose their investment because some bot rooted the server on which everything is stored and weeks or months of work is lost. – jrwren May 15 '11 at 15:44
  • Many startups don’t even have a full time systems engineer/administrator and have no clue how to do basic system hardening… – Tate Hansen May 15 '11 at 17:42
  • @Rory, what, specifically isn't suitable? Only opening necessary ports? :-/ – Brandon May 15 '11 at 19:22
  • @Tate, it doesn't take a full time position to understand that the public Internet is the enemy here and spend a few hours to guard your firewall against that. – Brandon May 15 '11 at 19:27
  • @routeNpingme - agree it doesn't take a full time person, but a firewall does little against popular threat vectors (e.g. sqli, client-side, wifi mitm) and execs don't speak at this level of technical detail – Tate Hansen May 15 '11 at 20:10
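The "only necessary ports, admin stuff restricted to the LAN or known admin IPs" rule from this answer can be written down as a policy and checked mechanically, which also answers Tate Hansen's point that many startups have nobody who knows how to harden a system. The following is an added example, not code from anyone in this thread: it encodes an assumed policy (public ports 80 and 443; SSH, database and admin-console ports reachable only from loopback, RFC 1918 LAN ranges or one constructed admin address) and audits a constructed listener inventory against it. All ports, networks, addresses and process names are assumptions made for the example.

```python
import ipaddress

# Assumed policy for this example. Anything the Internet may reach is limited
# to the product's public ports; admin services are internal-only.
PUBLIC_PORTS = {80, 443}
ADMIN_PORTS = {22, 3306, 5432, 8080}  # ssh, mysql, postgres, admin console
LAN_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Constructed "known admin IP" (TEST-NET-2 documentation range), not a real host.
KNOWN_ADMIN_IPS = {ipaddress.ip_address("198.51.100.7")}


def is_internal(src):
    """True if the source is loopback, on the LAN, or a known admin address."""
    ip = ipaddress.ip_address(src)
    return ip.is_loopback or ip in KNOWN_ADMIN_IPS or any(ip in net for net in LAN_NETS)


def is_allowed(src, dst_port):
    """The decision a default-deny firewall takes for one inbound connection
    under the policy above: public ports from anywhere, admin ports only
    from internal sources, everything else closed."""
    if dst_port in PUBLIC_PORTS:
        return True
    if dst_port in ADMIN_PORTS:
        return is_internal(src)
    return False


# Constructed listener inventory (bind address, port, process), the kind of
# thing one transcribes from a socket listing on the server being audited.
LISTENERS = [
    ("0.0.0.0", 443, "nginx"),
    ("0.0.0.0", 80, "nginx"),
    ("0.0.0.0", 22, "sshd"),
    ("0.0.0.0", 3306, "mysqld"),
    ("127.0.0.1", 5432, "postgres"),
    ("10.0.0.12", 8080, "admin-console"),
    ("0.0.0.0", 6379, "redis"),
]


def audit_listeners(listeners):
    """Return (process, port, finding) for each service that is reachable from
    every interface, or from a public address, but is not meant to be public.

    A service bound to loopback or a LAN address is already internal-only,
    which is the cheap shortcut the answer above recommends when there is no
    time to do more."""
    findings = []
    for addr, port, proc in listeners:
        ip = ipaddress.ip_address(addr)
        exposed = ip.is_unspecified or not (ip.is_loopback or ip.is_private)
        if not exposed or port in PUBLIC_PORTS:
            continue
        if port in ADMIN_PORTS:
            findings.append((proc, port,
                             "admin service listens on all interfaces; "
                             "bind it to the LAN or restrict by source address"))
        else:
            findings.append((proc, port,
                             "unnecessary listener exposed; close it or bind to loopback"))
    return findings


if __name__ == "__main__":
    for proc, port, finding in audit_listeners(LISTENERS):
        print(f"{proc}:{port} - {finding}")
    print("ssh from Internet allowed?", is_allowed("203.0.113.9", 22))
    print("ssh from LAN allowed?", is_allowed("10.0.3.4", 22))
```

On the sample inventory the audit reports sshd and mysqld (admin services bound to all interfaces) and redis (a port the policy never opened), while the public web ports, the loopback-bound database and the LAN-bound console pass. `is_allowed` shows the same policy from the firewall's side, so the two checks can be kept in agreement as the server changes.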
2

If your exec cannot grasp the concept of IT security as a business risk issue, he is either not the right one for the position itself (because risk management should be a key issue from the beginning) or nobody was able to make him/her aware of this issue.

Knowing and accepting risks is a valid approach, for all businesses.

kindofwhat
  • 299
  • 1
  • 2
  • your second paragraph seems to contradict the first....? – AviD May 17 '11 at 22:25
  • @AviD: Well, my answer was rather stupid anyway: what I wanted to say that accepting the risk is an acceptable behavior as long as the risk has been assessed in a proper manner. I guess the main question for a startup is: "how much will bypassing security in the beginning cost us in the future?" Tough question, but has to be asked ... – kindofwhat May 28 '11 at 08:58
2

It's the job of an executive to manage risks. If he thinks that security should be delayed, it's his decision to make.

That said, you should make sure that it's an educated decision. As always, this needs an as-thorough-as-possible list of threats, likelihood and possible damages that could happen. So for example someone could steal the customer database. Or a backdoor could be installed in your products.

The problem here is that the likelihood is most often unknown or you're in a N*M situation where N is the likelihood and M is the damage and N is many orders of magnitude smaller than M. It's like the nuclear plants in Japan: The possible damage is huge but the probability of an incident is really, really tiny. "Once in 100'000 years". That "once" can be tomorrow (and it was in several cases as we all have seen). So in this case, the resulting number is pretty worthless.

What I would do is make sure that the executive is making an educated decision: I would connect his wage with the risk. If he's right, he gets a fat bonus. If he's wrong, the damages should go against his personal wealth, first.

This kind of safety net usually makes sure that people don't take too much risk. But it can also kill your start up since the manager might stop taking any risks.

Aaron Digulla
  • 365
  • 1
  • 8
2

As pointed out in other answers and comments the two most common arguments for building security in from the start can - probably validly - be rejected in a time-pressured startup environment:

  • It is guaranteed to be more expensive to retro-fit security than start with it - the tech start-up business model assumes that there will be orders of magnitude more money available at the business's tipping point than at its initiation.
  • Reputational damages or costs from a breach can sink the business - if first-to-market is the only advantage you have there won't be anything worth breaching if the initial development process is lengthened.

This isn't only an issue with security - it affects other quality metrics like usability and maintainability as well.

There is one argument which is specific to startups - and it may point to where the right balance lies for this environment: What if security concerns require you to make intrusive changes once the product has acquired a significant number of users?

We know that software often ends up being used differently to how the creators had envisaged. It follows that what the designers viewed as key features may not be what the users join up for. This makes judging whether a change will disrupt stickiness or user acquisition very difficult. A design decision which would have been completely acceptable to users as part of the initial product may even cause backlash if it's dropped on existing users of the product.

A review to minimise changes required after the product has users should be salable on this argument. It's probably also the appropriate level of security activity for a startup engaged in a headlong rush to be first to market.

Bell
  • 975
  • 9
  • 12
1

Does this executive fear bad press?

Look at what's happening with Dropbox lately: Dropbox Lied to Users About Data Security, Complaint to FTC Alleges.

I'm sure they're not happy with this sort of attention.

Consider your startup's business model and paint a few bad case scenarios in which lack of security could potentially not just bring bad press, but bring down the business.

Doug Harris
  • 111
  • 3
  • 2
    The only executives I know that really fear bad press are the ones with substantial money/reputation to lose (i.e. they have a sufficient ownership to make them feel/act like the company is their own). Otherwise it’s just another job and they tend to not want to appear crazy to the board by suggesting they spend valuable resources on buying security for “what ifs”. – Tate Hansen May 15 '11 at 17:58
1

When you start a new company, you have no reputation outside of the leaders who may have their previous accolades in tech/biz. As a result, if a startup does have that security breach card fall in front of it, its reputational damage will be substantial. Places like Sony, TJX, Michael's are huge companies that may be able to sustain such a blow, but if an exec for a startup feels that they can survive a breach as a startup, they have a naive and myopic view on basic risk management. Essentially, in such an event, a small startup would be at the mercy of their competition and the press which could easily overwhelm the minds of their prospective buyers by tainting their image of the startup's ability to protect client or regulated data or simply access to their infrastructure.

VerSprite
  • 19
  • 1
  • 5
    A lot of startups I’ve run into do not plan to survive a breach early on – it’s just not a priority given the typical economics of the situation. Actually, I haven’t personally witnessed any startup that has suffered how you described – do you know of examples? – Tate Hansen May 15 '11 at 16:11
  • @TateHansen, Dropbox? – Pacerier Jul 17 '12 at 22:52