Word on the street is you’re in charge of selecting your startup’s tech stack. The decisions you make today and in the coming months will lock your business onto a path. What that path ends up looking like depends entirely on you.
So yeah, no pressure.
Security Questions to Ask When Adopting New Technology
You might be a seasoned technologist with years of experience building high-performing tech stacks. Or maybe you’re a total n00b, licking your chops at the thought of all the cool tools you’re going to adopt. Whatever the case, you understand that there are plenty of variables to consider when adopting new technology.
- Will it incur technical debt further down the road?
- Is it going to create friction for your dev team? How about the wider company?
- If it’s customer facing, will it make the user’s life easier, or more complicated?
- Will it create security risks for your company?
I could go on, but you get it. You live and breathe this stuff.
Cyber Security Decisions for Startup Tech Stacks
In this article, we’re going to focus on one variable that can come back to haunt you if you don’t give it enough thought: security. That is, how to build a kickass stack while keeping security top of mind. That way, you can save yourself and whoever is responsible for security at your startup from lots of unnecessary stress and sleepless nights. Plus, you can rest assured that you’re doing your best to protect your organization’s sensitive information.
A security person going into a hundred different companies has to look at a hundred different setups. It’s not like we have uniformity and that’s part of the challenge.
But before we dig in, some context. Everything written here comes from a chat we hosted of the same name. In it, Blake Brannon, CSO at OneTrust; Joe Sullivan, CISO at Cloudflare; and Cailin Sullivan, Security Engineer at Appcues had a frank discussion about startups, security and technology. You can check it out here without any annoying email gates.
Security Best Practices for Startups
Launch a security program that protects your business, builds trust with customers, and impresses your board, with Security Best Practices for Startups.Download eBook
Start As a Cloud Native Organization
Choosing cloud-based solutions across the board is a no-brainer. You can buy based on consumption and scale. They have a low entrypoint. And since they’re a managed service, you don’t have to worry about security, assuming they have a good posture.
Being cloud native also puts you at a huge advantage over businesses that have been around 10, 20 years. These businesses still have stuff running on old servers in a closet somewhere. That said, they’re all migrating to the cloud, with differing degrees of success, and it’s slowing them down.
So being cloud native is key, which begs the question…
Which Cloud Service Provider (CSP) Has The Best Cybersecurity?
When it comes to security, there’s no right answer.
To Joe Sullivan, CISO at Cloudflare, all CSPs are raising the bar on security. It’s a matter of understanding the default settings for each provider, how they’re different and how they ultimately support your objectives.
For Cailin Sullivan, Security Engineer at Appcues, scalability is key. Her business is at roughly 100 full-time employees and growing fast. AWS provides different modules you can add as you need them. FYI, nearly half of respondents for our annual tech stack survey also use AWS as their CSP.
Joe and Cailin both agree on a key point: do not implement multiple CSPs. Doing so introduces unnecessary complexity and risk to your environment’s security.
The Endpoint Management Software Security Spiel
It doesn’t matter if you’re an enterprise like Cloudflare or a fast-growing startup like Appcues, you can’t ignore endpoint management. That’s because people are your biggest security threat.
The big problem for startups is where to begin?
For Cailin, the answer is simple…
Start With Security Awareness Training
Here, you don’t need a fancy learning management system. Cailin’s team uses a combination of Powerpoint and SurveyMonkey to educate and inform her company’s employees about security best practices. Appcues also uses role-based training to ensure team members are only receiving training relevant to their role.
Joe agrees that you don’t have to break the bank when it comes to security awareness training. He advises that startups turn to YouTube, where larger enterprises and universities with deep expertise regularly publish free educational resources.
Finally, startups need to ensure their employees are aware of and acknowledge policies that relate to information security annually or when any changes have been made. You can do this manually, if you have the time and patience to do so, or automate the process with HR software, or Tugboat Logic.
Top Endpoint Management Tools for Startup Tech Stack Security
Okay, now that we’ve got training out of the way, let’s take a look at the top endpoint management tools for startups, based on recommendations from our two experts.
Workstation Management: You’ll want a workstation that is committed to security, like MacOS or Microsoft.
Next-Generation Antivirus: Like Bitdefender, CrowdStrike or Sophos, for example.
Mobile Device Management: You’ll need to be able to enforce password policy and software updates to your workstations. Joe recommends Microsoft Intune, Jamf or JumpCloud.
The earlier you set up and have a vision for your employee experience that integrates security into it, the better. If you wait until you have 50 employees to try and roll out your single sign on, it’s going to be much more challenging than if it existed on day one. So single sign on and admin rights are a couple decisions you can make really early in your growth as an organization.
Single Sign On (SSO): Joe is adamant that startups should implement a good SSO experience as early as possible. SSOs give you control and oversight over who is logging into your apps and when.
Endpoint Security: At Appcues, Cailin and her team rely on Kolide. It provides end users with recommendations that ensure they meet the company’s security and compliance requirements.
Security Information and Event Management (SIEM): While SIEMs aren’t strictly an endpoint management tool, they do include some capabilities. While these tools can be expensive, managed services are available.
Penetration Testing and Certifications
Being able to prove your systems are secure is critical—and it’s an ongoing process.
When it comes to penetration tests and vulnerabilities assessments, Joe has a lot to say. There are thousands of vendors out there. Service will depend entirely on the people a vendor assigns to you. He recommends doing two to three bids to get a sense of what certain vendors are good at and what they think you should include in the scope of your project.
Use this process to get to a price you’re comfortable with and learn more about how outside testers see your business. It can be expensive, but sometimes customers who request it will split the cost with you. Just make sure you get to see the report first.
Startups often wonder if they can use a pentest report instead of a more thorough industry certification, like SOC 2. Joe has seen smaller businesses do this. As a baseline, businesses in North America will want to see SOC 2 Type 2 compliance, while European businesses will look for ISO 27001. You may also be legally required to maintain compliance with certain standards and regulations depending on your business model or jurisdiction.
We lean heavily on our SOC 2 as an attestation of our security organization controls. A lot of the businesses we work with ask for that type of certification. But you can also get a third-party risk assessment, which includes an attestation letter you can send out in lieu of a SOC or a pentest.
No matter what you use to demonstrate security assurance, the objective is the same: to prove you have the people, processes, and technology in place to ensure the safety of your customers’ sensitive information.
Choosing a Tech Stack That Is Zero-Trust Compliant
Adopting a zero trust approach to cybersecurity doesn’t have to be complicated. In fact, many of the technologies and techniques covered above are designed to help you do just that.
When it comes to choosing a tech stack that is zero-trust compliant, it helps having a vendor evaluation process in place. That way, you can assess whether a solution can be trusted with your sensitive information.
Enterprises will typically have a robust process in place with the resources to support it. For startups, an attestation like SOC 2 might be all you need to prove that a vendor can be trusted. Whether you take a maximalist or minimalist approach, just make sure you have a process in place that it is formalized and documented.
What Is Zero Trust?
One of the primary tenets of zero trust is “Never Trust. Always Verify”.
Zero trust (or ZT) is an IT security model in which all devices and users accessing resources inside a network must undergo strict identity verification. It has six key principles:
- Continuous monitoring and validation
- The principle of least privilege
- Device access control
- Preventing lateral movement
- Multi-factor Authentication (MFA)
If you missed the in-depth chat covering everything in this article and more, you can check it out here. By now, you might be tired of talking about security and want to start taking action.
Whether you’re looking to launch your first information security program or eager to get compliant with an industry attestation, we can help. You can get in touch with us here, or try a free trial of our product.