Why startup leaders
need to set the tone for security
Amid new calls from federal authorities for
prioritizing security in tech startups, industry experts stress the importance
of having firm leaders set a cultural tone.
·
Security
Federal consumer-protection authorities have called on the entrepreneurs building
tech startups to prioritize cybersecurity from the earliest stages of the
development process.
But a variety of factors -- cost, lack of
technical expertise, rush to market, etc. -- can make security seem like more
of a burden or an impediment to the startup's growth than anything else.
At a recent event convened by the Federal
Trade Commission, industry insiders emphasized the importance of incorporating
security as an integral part of any company's operations, not just the services
or applications that it produces.
At startups in particular, which are often led
by a founder/CEO whose personality can to a great degree define the culture of
the organization, it is crucial that the firm's leaders establish the
expectation that security is a company-wide priority.
"I think company founders, management are
really critical to developing a culture," says Devdatta Akhawe, a security
engineer at Dropbox. "In my experience, the companies that have responded
well and responded seriously to security issues are often the ones where the
founders are driving this sort of culture and these sort of values."
It's worth noting that the idea that the
founders should set the tone from the top on security is hardly confined to
startups. Frank Kim, chief information security office at the SANS Institute,
recalls the predicament of Microsoft in the late 1990s and the early part of
last decade. In 2002, when then-CEO Bill Gates issued an all-hands warning
about the need to prioritize security in the company's ubiquitous software,
Microsoft was viewed as a "laughing stock of the security industry,"
Kim says. The result of Gates' warning was Microsoft's Trustworthy
Computing initiative, a concerted effort that considerably
improved the company's security posture.
In part, security became a priority at
Microsoft because the company's customers demanded it. And fledgling startups
trying to carve out a slice of market share can ill afford a data breach or the
reputational hit that comes from the perception that its applications aren't
secure -- customers are likely to vote with their feet.
Making security in a startup a high-level goal
It seems easy enough to designate security a
high-level goal within a startup, but how should that work in a practical
sense?
Window Snyder, CSO at Fastly and an
experienced hand at security who has done stints at Apple and Mozilla,
emphasizes the importance of starting from the earliest stages of the
development process and training the engineering team on some basic tenets of
secure programming.
Then, she suggests that companies implement a
peer review process whereby the security experts and others get a chance to
kick the tires on a particular feature before it is released to the public,
noting the benefits that can emerge from bringing disparate teams together to
focus on security.
"That creates a sense that it's
everyone's job," Snyder says.
The argument for more clearly defined security
roles
That maxim that everyone is responsible for
promoting security on its face sounds simple enough, but not everyone is on
board. Count among the dissenters Jonathan Carter, a veteran security
professional and software engineer who argues for more clearly delineated roles
within the development team.
"I take a slightly more controversial
approach," Carter says. "Whenever I see something like 'security is
everyone's responsibility,' that makes me cringe inside because, really, that
means security is no one's responsibility. It's the diffusion of responsibility
psychological principle, where suddenly it's on no one's radar and it's just
this amorphous concept. So as a software engineer, I would say your
responsibility is to identify issues and confer with your local security
champion within your immediate team."
There was scant disagreement, however, on the
broader point that startups and mature companies alike would do well to elevate
security as an organizational priority.
And to the concern that a more
security-intensive development process would carry more cost than a
cash-strapped startup could afford -- to say nothing of the delay in time to
market -- Akhawe urges firms to consider the alternative, the disastrous
effects of a breach or the release of a product with glaring vulnerabilities.
"Security's much, much, much cheaper the
earlier you do it," he says.
This story, "Why startup leaders need to
set the tone for security" was originally published by CIO.