For some startups, security is the last item on a very long list of priorities. It looks like a daunting task, one that will only cost money, take up time, and slow the business down.
But the reality is that security is an important factor in any startup's success. Many customers will ask for assurance that a clear, effective cybersecurity strategy is in place. A cyber attack can have an impact on the business that few startups can absorb. And the sooner a cybersecurity strategy is created, the easier it is to embed in the startup's culture.
The challenge is building a cybersecurity strategy for startups that is appropriate to current needs but is scalable as the company grows.
A cybersecurity strategy for startups is a detailed plan for implementing cybersecurity across the company.
Cybersecurity strategies are often multi-layered, with many different plans, policies, and processes that sit below them in order to create a more secure company overall.
A cybersecurity strategy for startups brings many benefits to the company.
The first step in establishing an effective cybersecurity strategy for a startup is to understand the company, its assets, and the risks and threats it faces.
What do you need to protect?
What are the risks to your startup?
The next step is to understand the company’s cybersecurity maturity, identifying what protections are in place, and how well they secure the assets and risks identified in the earlier stage.
Some startups may find it useful to assess their cybersecurity maturity against a framework such as ISO 27001, whose control set covers all areas of information security. This can be carried out purely as a gap analysis exercise, without any intention of pursuing certification.
The results of this gap analysis can then be used to inform the next stage – prioritisation of controls.
As they say, Rome wasn't built in a day, and neither will a cybersecurity programme be. A perfectly valid element of a cybersecurity strategy for startups is a justified decision about what can be left for another day.
That's why this stage is about prioritisation.
For example, if you don't have any customers yet, you may not need certain security functions at all. If everyone is working remotely and there is no office, treat remote working practices as a priority and physical security as something that is not needed just yet. On the other hand, protecting your product's source code may matter to you above everything else, and so deserves specific protections from the start.
Some of the considerations are set out in the following sections.
For tech startups, another consideration at this point is how to build security into the way software is developed, moving from a Software Development Lifecycle (SDLC) to a Secure Software Development Lifecycle (SSDLC): threat modelling before features are built, code review and automated checks such as secret and dependency scanning on every change, and security testing before release.
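As a concrete illustration of one SSDLC gate, the script below is an added example written for this page, not code from the original post or from any product it mentions. It is a minimal secret-scanning check of the kind a startup can run as a pre-commit hook or CI step before anything else is in place: it scans file contents for a few well-known credential patterns and returns findings, and a non-empty result is intended to fail the build. The patterns, the `# allowlist:secret-scan` marker, and the sample repository contents are all assumptions constructed for the demo; a real deployment would use a maintained tool with a much larger pattern set.

```python
"""Minimal secret-scanning gate for a pre-commit hook or CI job.

Added example for illustration only. The detection patterns and the
allowlist marker are assumptions, not a standard; the sample files at
the bottom are constructed inline so the script runs offline.
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str


# Assumed patterns: AWS access key IDs, PEM private-key headers, and
# quoted password literals assigned in source or config.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_literal": re.compile(r"(?i)\bpassword\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}

# Assumed inline marker for deliberate test fixtures (e.g. documented example keys).
ALLOWLIST_MARKER = "# allowlist:secret-scan"


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, pattern) hit, skipping allowlisted lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, kind))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (what a hook would read from git)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository contents: two real leaks, one clean file,
# and one documented example key that is explicitly allowlisted.
SAMPLE_FILES = {
    "app/config.py": 'DB_HOST = "db.internal"\nPASSWORD = "hunter2hunter2"\n',
    "deploy/key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
    "app/main.py": 'import os\nAWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]\n',
    "tests/fixtures.py": 'FAKE = "AKIAIOSFODNN7EXAMPLE"  ' + ALLOWLIST_MARKER + "\n",
}


def main() -> int:
    """Exit non-zero when anything is found, so CI or the hook blocks the change."""
    findings = scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f.path}:{f.line}: possible {f.kind}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as-is it reports the password literal in `app/config.py` and the private key in `deploy/key.pem`, ignores the environment-variable lookup in `app/main.py`, and honours the allowlist marker on the fixture; the exit code is what makes it a gate rather than a report.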
This prioritisation stage will also help you understand the security budget you have now and the budget you will need going forward. It lets you tie key cybersecurity upgrades to the business plan so that security stays one step ahead, for example by putting the necessary protections in place before the product launches and is exposed to the internet.
Make sure that everyone has access to the strategy, and understands what you are trying to achieve through a documented set of plans, policies, processes, statements, and more. These documents will enable you to set out the goals and direction for cybersecurity in the company, provide clear guidelines for teams to follow, and allow you to demonstrate commitment to customers, auditors, and regulators alike.
A significant proportion of cyber attacks begin with employee activity (for example, falling for some form of social engineering). Equally, without the team's cooperation, the cybersecurity strategy will fail.
Team involvement can include encouraging individuals to take ownership for security in their area of responsibility and training everyone across the company to adopt secure practices, from MFA to secure coding.
A cybersecurity strategy is never one and done. It needs regular review and updating to keep pace with both the changing business needs of a growing startup and the ever-changing threat landscape.
Stay safe