Why startup leaders need to set the tone for security

Amid new calls from federal authorities for prioritizing security in tech startups, industry experts stress the importance of having firm leaders set a cultural tone.

Federal consumer-protection authorities have called on the entrepreneurs building tech startups to prioritize cybersecurity from the earliest stages of the development process.

[ Related: Tech startups need to get serious about security ]

But a variety of factors -- cost, lack of technical expertise, rush to market, etc. -- can make security seem like more of a burden or an impediment to the startup's growth than anything else.

At a recent event convened by the Federal Trade Commission, industry insiders emphasized the importance of incorporating security as an integral part of any company's operations, not just the services or applications that it produces.

At startups in particular, which are often led by a founder/CEO whose personality can to a great degree define the culture of the organization, it is crucial that the firm's leaders establish the expectation that security is a company-wide priority.

"I think company founders, management are really critical to developing a culture," says Devdatta Akhawe, a security engineer at Dropbox. "In my experience, the companies that have responded well and responded seriously to security issues are often the ones where the founders are driving this sort of culture and these sort of values."

[ Related: Internet of Things Demands Security by Design ]

It's worth noting that the idea that the founders should set the tone from the top on security is hardly confined to startups. Frank Kim, chief information security office at the SANS Institute, recalls the predicament of Microsoft in the late 1990s and the early part of last decade. In 2002, when then-CEO Bill Gates issued an all-hands warning about the need to prioritize security in the company's ubiquitous software, Microsoft was viewed as a "laughing stock of the security industry," Kim says. The result of Gates' warning was Microsoft's Trustworthy Computing initiative, a concerted effort that considerably improved the company's security posture.

In part, security became a priority at Microsoft because the company's customers demanded it. And fledgling startups trying to carve out a slice of market share can ill afford a data breach or the reputational hit that comes from the perception that its applications aren't secure -- customers are likely to vote with their feet.

Making security in a startup a high-level goal

It seems easy enough to designate security a high-level goal within a startup, but how should that work in a practical sense?

Window Snyder, CSO at Fastly and an experienced hand at security who has done stints at Apple and Mozilla, emphasizes the importance of starting from the earliest stages of the development process and training the engineering team on some basic tenets of secure programming.

[ Related: The 7 Deadly Sins of Startup Security ]

Then, she suggests that companies implement a peer review process whereby the security experts and others get a chance to kick the tires on a particular feature before it is released to the public, noting the benefits that can emerge from bringing disparate teams together to focus on security.

"That creates a sense that it's everyone's job," Snyder says.

The argument for more clearly defined security roles

That maxim that everyone is responsible for promoting security on its face sounds simple enough, but not everyone is on board. Count among the dissenters Jonathan Carter, a veteran security professional and software engineer who argues for more clearly delineated roles within the development team.

"I take a slightly more controversial approach," Carter says. "Whenever I see something like 'security is everyone's responsibility,' that makes me cringe inside because, really, that means security is no one's responsibility. It's the diffusion of responsibility psychological principle, where suddenly it's on no one's radar and it's just this amorphous concept. So as a software engineer, I would say your responsibility is to identify issues and confer with your local security champion within your immediate team."

There was scant disagreement, however, on the broader point that startups and mature companies alike would do well to elevate security as an organizational priority.

And to the concern that a more security-intensive development process would carry more cost than a cash-strapped startup could afford -- to say nothing of the delay in time to market -- Akhawe urges firms to consider the alternative, the disastrous effects of a breach or the release of a product with glaring vulnerabilities.

"Security's much, much, much cheaper the earlier you do it," he says.

Show Comments