How tech startups are building an insecure world and where we can go from here
Reflections about how lean startup methodology and other factors have inadvertently led to insecurity
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Small startups get breached daily, and quietly
Every day we hear about data breaches at large companies. Okta is the most recent example, but the list is long: LinkedIn, Facebook, Yahoo, Adobe, MyFitnessPal, Canva, and Twitch, to name a few. Many of these incidents put millions of customer records in the hands of attackers.
What we hear much less about are breaches of small startups, the ones that do not yet have a recognizable brand or a large customer base. This is not an original observation, and the reasons are easy to see. First, a startup without a large customer base also has no large pool of interested readers, so a media outlet has little reason to spend resources covering an unknown firm. More importantly, few of these breaches are disclosed publicly at all, and when one is, its scale alone is enough for it to be ignored: "2,000 affected customers" does not sound as alarming as, say, the 2021 exposure that affected 700 million LinkedIn users.
The fact that we don't hear about it does not mean that startups don't get breached. On the contrary, they do, and it happens often.
It may be tempting for founders to assume the probability of an attack is low because attackers have bigger fish to fry. Unfortunately, the opposite is true: small tech startups routinely fall prey to attackers. Few can afford solid security measures, which makes the attacker's job easier; even fewer can investigate a breach, which means intrusions can go undetected for a long time (or forever, if the startup fails anyway). At the same time, startups hold user data and intellectual property (IP), and they have a strong incentive to stay afloat, which makes them worthwhile targets, including for extortion. Many also work with large enterprises that have serious security budgets and hardened defenses, so attackers are happy to use the startup as an easy path into the bigger fish.
It’s not just about the money: what makes startups insecure
When we think of cybersecurity in the context of startups, it’s easy to default to the “startups just don’t have enough money” adage that explains all problems. The reality, however, is much more nuanced. Let’s dive into it.
Lean startup & the MVP approach
Lean startup is a product development methodology introduced by Eric Ries in his book The Lean Startup: How Today’s Entrepreneurs Use Continuous Innovation to Create Radically Successful Businesses. I highly recommend reading this book, especially if you are a startup founder or a product leader. The TL;DR is as follows: ship prototypes as fast as you can so that you can gather feedback and learn quickly; replace long development cycles with frequent and short iterations so that you can leverage user feedback to continuously improve.
As a product leader, I am a big fan of this approach as it enables companies to innovate and get their products out of the door quicker. As someone working in security, I am much less excited about it.
When you put on the security hat, you see that the “Build > Measure > Learn” loop is a trap.
The loop starts with the Build step and the MVP (short for minimum viable product: the smallest set of features that still delivers value to a customer and can therefore be shipped early). An MVP is scrappy by definition, because its purpose is to minimize the time and effort wasted on building something the market may not need or want. In other words, an MVP is in most cases not secure: why invest more time than necessary securing something you are most likely going to throw away?
At the Measure step, once the MVP is out, the team gathers feedback from customers and captures quantitative data that can later be used to validate (or disprove) the initial hypotheses and assumptions and to improve the MVP. At this point the security of the solution is not normally examined, and understandably so.
At the Learn step, the team reviews all the data it has collected, talks to customers, runs smoke tests, summarizes what it has done, and decides either to carry on with the initial approach or to pivot (change the product strategy, partially or entirely).
How MVP leads to insecurity
Since the goal of an MVP is to minimize wasted time and effort in building something the market may not need or want, the focus is on expediting the learning loop by using the minimum resources.
When the MVP is built, security is commonly treated as an afterthought that can be “addressed later, at a better time”. That “later” rarely comes (we will look into the reasons soon).
The desire to get the MVP out as soon as possible leads to more coding errors. The industry average is roughly 15-50 defects per 1,000 lines of delivered code, and it is reasonable to assume that when the pressure is on, the deadline is tight, and the code is potentially throwaway, the defect rate goes up. More defects mean more exploitable vulnerabilities, and more of them will be found by attackers before the company knows they exist, the so-called "zero days": vulnerabilities the vendor has had zero days to fix by the time they are exploited.
To summarize, while great for product strategy discovery and validation, the MVP approach inadvertently leads to insecurity, especially when amplified by other factors that affect startups.
The minimum viable product allows startups to build in sync with customers, ensuring that the solution solves the right problems and is not a waste of effort. At the same time, in recent years many critics of the approach have argued that a bare-bones "minimum" feature set will not let any company outpace its competitors and that an MVP is not good enough to delight customers. That is how a whole new set of abbreviations came to be, including (but not limited to) the following:
Minimum Marketable Product (MMP)
Minimum Lovable Product (MLP)
Minimum Awesome Product (MAP)
What all of these have in common is that they optimize for speed and customer experience, which, I think, is the right approach. One important piece that is missing from each of these “minimum products” is security.
It’s either too early or too late
The reality of startup life is that at any point in time, it feels like it’s either too early or too late to start investing in security.
In the early stages when the startup is pre-product and pre-revenue, there are no assets and no customer base to protect, so it’s easy to brush off security as tomorrow’s problem. It’s hard to argue with that approach as cybersecurity is just one of the components a founder needs to worry about, so before there is something to protect, it would feel unwise to allocate resources to protection.
The problem is that "tomorrow" tends to arrive unexpectedly: a first customer signs an agreement, an investment comes in, or some users start a proof of concept (POC). That moment, when there is already something to protect even if it does not feel like much, is the one to spot. What starts as "just one" customer today will hopefully grow into five, ten, a hundred, a thousand, and more organizations tomorrow. It is important to start building a business on a secure foundation; bolting security on later is far more expensive and prone to gaps, which in turn lead to a less secure product.
Growth expectations and why tomorrow will never come
While each company is unique, all startups go through similar stages in their development. Lauren Bass has a great article outlining five phases of the startup lifecycle, namely:
Minimum Viable Product (MVP)
When a startup is pre-product, the main focus is to launch an MVP and get the product out. When it is pre-revenue, the goal is to start getting paying customers. When it is pre-product-market fit (pre-PMF), the goal is to reach PMF as soon as possible. You get the picture: there is always something to focus on, and that something is never going to be cybersecurity. This is why it will always be tempting to say "we have X to do today, let's deal with security tomorrow", and also why "tomorrow" will not come.
Startups are expected to grow, and this expectation is the deciding factor when it comes to prioritizing work. If a startup raises venture financing, the expectations only grow, with investors often expecting accelerating month-over-month growth. The day when founders can finally "step back and think about everything, including security, more strategically and holistically" rarely comes.
“Scrappy” is often a synonym for “insecure”
One of the factors that enable startups to move fast is the lack of rigid processes and procedures common in large enterprises. It makes perfect sense: there are fewer people to coordinate, things are changing daily, it’s easy to align everyone in the same direction when two pizzas are enough to feed the whole company, and the ability to move fast is critical for survival.
At the same time, early-stage startups tend to develop an allergy to any process and structure at all, even the parts that matter. Cybersecurity requires uniformity: if the whole company uses a password manager, then both Jackie, the head of finance, and Aaron, the head of sales, have to use it. Enforcing MFA, password managers, and other practices that improve security hygiene is critical, even if it slightly slows down the speed at which people can do their jobs.
People in early-stage startups have to wear multiple hats: one person can be doing everything from engineering to customer support, sales, and marketing. This means that founders and employees often have access to more systems than they ideally should (including admin access to many of them). Add the fact that limited budgets for licenses and SaaS seats lead to credential sharing, and that most early-stage companies pride themselves on transparency and openness, and you have a setup that is prone to human error and easy to exploit.
Founders are (generally) not security professionals
Most entrepreneurs are not security professionals. The same is true of most other disciplines: startup founders rarely have a solid background in every area needed to grow a company, such as sales, engineering, accounting, customer success, product, operations, human resources, and marketing. However, while most books, podcasts, MBA programs, and other resources aimed at entrepreneurs provide a decent overview of those functional areas, very few offer a similar level of knowledge about cybersecurity. This means people starting companies more often than not have a very limited understanding of what it takes to protect customer data and keep the business safe from cybercriminals; very few even think of security as a necessary component of running the business.
Cybersecurity startups make the problem worse
A lot has been said about vendor overload and the fact that having more security tools in your organization increases the potential attack surface and often worsens the security posture. What is not mentioned as often are the underlying reasons why this is happening.
Like people in every other field, security professionals turned entrepreneurs have limited resources. They know they need to think holistically, but they can only afford to tackle a small problem. So they carefully pick one bite-sized problem to focus on and build a company around it, adding yet another widget to the mix and contributing to vendor overload.
In the hope of a successful exit, cybersecurity startups actively pitch their solutions to other companies, encouraging them to “imagine how our tool will help you” (the opposite of starting with the problem in mind and figuring out the tooling last). Once a company has set revenue and growth objectives, hitting sales targets becomes more important than ensuring that the product being sold will actually help the buyer.
This is how startups with the very best intentions contribute to the problem of vendor sprawl. Building standalone tools made sense when each of them was novel and tackled an absolutely new use case in security. As the industry is getting more mature, and use cases broaden, we are already seeing a strong trend of vendor consolidation.
The future may be better than you think
I am an optimist. There is indeed a multitude of problems, but there are many improvements stemming from the market forces (another way of saying “inevitable”).
Cybersecurity as a survival measure
With the number of breaches growing year after year, startup founders are realizing that they are no longer "a small fish nobody cares about". With every data loss and highly publicized cyberattack, more companies start implementing measures to secure their organizations. A report from the end of 2021 found that mid-market organizations were as much as 490% more likely to experience a security breach at the end of 2021 than they were in 2019. Cybersecurity is slowly moving from a "nice extra" a startup could choose to focus on to a required survival measure.
Investing in security from day one enables startups to limit security debt. The cost of making the right design decisions early is much lower than doing it later when the number of customers has grown and products get more complex.
Scrappy startup culture can indeed co-exist with the culture of security. For that to happen, founders need to understand that cybersecurity is a necessary component of running the business, the same way as marketing, sales, or accounting. Building a business without protecting that business makes little sense.
Investor and acquirer expectations
Venture capital (VC) and private equity (PE) firms are starting to include cyber due diligence in the scope of their due diligence efforts on potential investments. The need for cyber due diligence is no longer centered around healthcare and privacy-related businesses and is becoming sector-agnostic as investors know the high price of not establishing strong security measures and not being compliant with regulations such as GDPR. It no longer matters what industry you operate in or what stage the company is at; if you are thinking about fundraising, you need to be prepared to disclose your cybersecurity posture.
Cybersecurity due diligence is even more critical during mergers and acquisitions (M&A), as there have been multiple cases in which a breach either caused the acquisition to fall through entirely or substantially lowered the final price (as in Verizon's acquisition of Yahoo). It can be worse still, as in Marriott's acquisition of Starwood Hotels & Resorts: a few years after the deal closed, a major breach was revealed that had begun long before the M&A was executed, and it ended up costing Marriott hundreds of millions in fines and in losses from the damaged brand.
Customer expectations & security as a differentiator
Enterprise companies are looking for ways to broaden their defenses by requiring vendors deep in their supply chains to satisfy compliance and security requirements.
More and more buyers require independent assessments and certifications such as SOC 2 reports and PCI DSS audits from all potential partners and suppliers, further driving the need for security. This is especially relevant now, while memories of the SolarWinds supply chain attack are still fresh.
Customers today expect privacy, security, and compliance, and in many industries, security is quickly becoming a differentiator allowing companies to build a brand known for security. Examples include products like cameras, smartphones, and internet browsers built around the promise of protection and security.
The cybersecurity industry needs visionary founders
The vendor sprawl we are seeing today is the result of a multitude of interconnecting factors, a few of which I have discussed above. As with any systemic issue, it is hard to recommend simplistic solutions that do not address the dynamics of funding, incentive systems, M&A activity, the emergence of new attack vectors, and many more. There is, however, a shortcut that makes me very hopeful: we need more visionaries in cybersecurity. We need founders who think holistically and tackle big security problems rather than building isolated solutions to very niche problems and looking for a quick exit. It won’t change everything, but it will take us closer to a more secure world. Or so I hope. What do you think?