How building a solid security foundation helps grow the business
Branko Džakula

December 23, 2022




Building a Startup on Cybersecurity Foundations

This blog intends to deliver straightforward and hard truths about cybersecurity. Its main goal is to shift the reader’s mind towards how good cybersecurity practice can and should be achieved in the earliest stages of startups. Most importantly, how you can leverage your early startup environment to do it right, with low effort and minimum investment. Cybersecurity doesn’t have to be complicated, and it doesn’t have to be expensive. You only need the right mindset.

I get that many aspects of a startup are the priority. It’s often what the investors say it is, and they often (very often) overlook cybersecurity as if it’s something to worry about later. This decision is hazardous, expensive, and potentially fatal to the organization. Cybersecurity isn’t a bogeyman! It’s just another thing all founders should educate themselves on when starting a business, and it’s equally important as “How to write a good pitch deck or a business plan.” Let’s put it in a super simple, dumb example: If you’re building a house, are you going to live in it without a front door? No, you’re certainly not, so don’t do that with your business either. Get some nice doors! Actually, I don’t even need a metaphor for this, as cybersecurity doesn’t stay at the office. If you have a smartphone and Internet accounts (and you do), you should be educated on cybersecurity, period.

Why do companies fail at cybersecurity?

So, what is the root cause of why so many organizations still don’t practice good security? In my experience, there are two apparent reasons:

They refuse to do it

Believe it or not, there are many organizations where the leadership feels cybersecurity isn’t essential and is just an extra cost to the business. These decisions are driven by a lack of knowledge, awareness, or a simple lack of interest in the matter. More often than not, there is little anyone can do to change their mind before it’s too late, too expensive, and nearly fatal to the business.

They do it, but for the wrong reasons

This one is fascinating and the one that I’ve seen the most often in practice. Organizations get mandates from their business partners (through contractual obligations) or local regulatory bodies to implement a certain list of security controls, policies, and processes in order to meet their compliance requirements. And what do they do? The bare minimum — just enough to show they did something about it without any plans to maintain, scale and mature their cybersecurity program. They’re just ticking off the boxes. This reasoning has doomsday written all over it! And same as with the first case, this practice often doesn’t change until it’s too late.

The right reasons

So, what are these right reasons? It’s caring. Caring about your business resiliency, success, and long-term future. Just use the motto of Care Bears “Caring is what counts.”

Cybersecurity is a culture

It’s not a project with a deadline. As with every culture, it requires effort and dedication to grow, and it requires human touch and care. It requires that everyone is in on it, that everyone understands it, and that it’s clear why it’s there. Culture is built around leaders, influencers, and mentors. It’s the HOW and the WHY. Take it seriously and realize it’s a never-ending process.

All hands effort

The first step should be hiring a CISO-type role or delegating these responsibilities to the colleague with the most cybersecurity experience. Do remember, this absolutely doesn’t eliminate the duty of every other employee to practice good cybersecurity hygiene, follow company policy, and keep up with the latest threats targeting the communication channels or devices they use. Everyone should be involved and informed. Remember what we said about the culture. Everyone must be in on it for it to move forward.

Leading by example

Let’s repeat — culture is built around leaders. Without management commitment and care to build this culture, cybersecurity is stopped in its tracks. The importance of cybersecurity must be communicated from the top, often and in short bursts. For example, suppose you have three founders/executives in the organization. In that case, all three of them should be educated on the importance of cybersecurity and use every opportunity they get to remind people that they care deeply about this. This approach has a significant effect in making the cultural shift in the desired direction and enabling every part of the business to contribute to the overall cybersecurity posture.

Maintain and train

Security awareness training is another excellent way to further improve and maintain the cybersecurity culture in the organization. In my experience, the most effective and battle-tested way would be to reserve one day a month for a short 15–30 min session on one of the hot topics in cybersecurity and engage different people to present each time. Continuous, easy-to-digest, interactive, and informative sessions should be the way to go. You can do it as part of your monthly all-hands meeting or any other similar event where everyone is taking part. Please stay away from one-way lectures or sessions running over an hour. Make it interactive and focus on demos whenever possible. Remember, cybersecurity doesn’t stay at the office. During your training sessions, always reflect on the impact of cybersecurity in protecting personal data at home and on personal devices and accounts. This perspective sticks the most with your audience. They will appreciate it and have questions, I guarantee it.

Scale smart

As you scale, it is a good idea to think about the best approach to scaling your cybersecurity as well, not just in terms of technology but also in terms of people. Sure, you can simply staff up your cybersecurity team. Still, there are a few very effective approaches that use the existing staff in your organizational units, departments, and/or teams.

Pick one person to be a security ambassador for their business unit. Even better, ask for a volunteer. Do this for each team (finance, HR, engineering, product, sales, marketing, and others). Supported by management and security staff, their responsibility should be to raise security awareness continuously and implement best practices. It’s like having a “man in the field,” which significantly improves visibility into any potential issues or incidents, increases security awareness, and ensures compliance.

It only gets better from here...

Thanks for reading this far. Now you have the most critical building blocks for a successful cybersecurity practice in your organization. If you haven’t already concluded this yourself, I can help you phrase it — to succeed in cybersecurity, you, as a leader, need to care about it. The more you care, the better and easier it gets.

Just know that by building a good cybersecurity culture, you’re also getting the most valuable side-effect. Everyone is more secure at home as well. Never forget that cybersecurity doesn’t stay at the office. By educating and caring about it at work, you’re also protecting your employees at home. That makes me smile.

Stay safe and keep caring. 🤝💜
