Author: Alex Dow
Minimum Viable Security: The Competitive Advantage
I've been hanging out with the startup community for the last five years through monthly Vancouver Entrepreneur Forum meetups. In that time I have enjoyed rubbing elbows with entrepreneurs, investors, advisers, and everyone in between. Naturally, I would ask about privacy and cyber security and the responses were frustrating:
Privacy and security are not a concern for us
We are not a target
Security is too expensive
Our acquirer will have the budget to fix our security flaws
Cyber security has rapidly transitioned from a nice-to-have to a must-have, catching both startups and enterprises off guard. Recently, Mirai hosted a panel on Minimum Viable Security as part of Vancouver Startup Week and invited Martin Twigg, privacy lawyer at Fasken; Byron Thom, VC with Framework Ventures; and our very own Ivo Georgiev, cyber security and compliance expert with Mirai Security. We discussed what has changed, what startups and enterprises need to know, and how startups and enterprises can remain competitive in a market that demands better privacy and cyber security capabilities.
So Why Has Privacy and Cyber Security Become a Thing?
First and foremost, privacy and cyber security are not new. I've been in the industry for the last two decades, and for the first half of my career I worked with the public and financial sectors, which very much took cyber security seriously. However, the private sector has been more apathetic toward privacy and cyber security. As we round off another decade, a perfect storm has been brewing:
Digital Transformation: More business systems are collecting more sensitive data and being hosted beyond the enterprise's walled garden
Developers Rule the Roost: Next generation applications, typically publicly exposed to the Internet, are developed without privacy and security considerations
Cyber Crime: Personally identifiable information is an illicitly traded commodity in a billion-dollar criminal economy
Breaches: Truly epic security and data breaches are almost a weekly occurrence
Laws: In response, privacy laws and compliance requirements have been created to force corporations to do the right thing
Enterprises are rapidly maturing their cyber security programs in alignment with regulatory and legal requirements. Digital transformation initiatives have increased the use of third-party SaaS-based services, which has resulted in more stringent oversight of, and requirements on, the supply chain. This rapid maturing of privacy and cyber security at the enterprise level has created a trickle-down effect on the mid-size, SME and startup space, catching many off guard. Companies that haven’t taken privacy and cyber security seriously are feeling the pain of lengthy procurement/due diligence security questionnaires, stalled sales processes, and losing business to competitors who built privacy and security into the product.
The Privacy Lawyer’s Perspective
Martin pointed out that the first step is being aware of the various privacy laws and their requirements as they relate to your business and your clients. The second step is to understand and inventory what data you collect and for how long, how you protect it, and how you can remove it. Privacy laws are here to stay and are only going to become more ubiquitous, with more punitive consequences. Martin pointed out that the larger enterprises are being hit with massive fines for privacy violations, which has incentivized them to push risk management down to their suppliers.
The Venture Capitalist's Perspective
Byron is both a lawyer and an engineer, which has given him an excellent perspective on what investors are now focusing on when it comes to due diligence. He pointed out that privacy and cyber security have become market differentiators when it comes to valuation and satisfying the due diligence process. He put his engineering hat on and stated that privacy by design is now a must if you are collecting any sensitive data. Byron shared a story where a nifty tech company was about to get funded, but after the due diligence process the investment turned into an asset sale at a much lower valuation. This was because, while the startup had a great product, the investors realized the “privacy lemon” they had on their hands and decided to extract the intellectual property and scrap the rest.
The Cyber Security Expert's Perspective
Doing privacy and cyber security well is not as simple as buying a firewall or setting a strong password. In fact, we must stop thinking about managing cyber risk in such absolute terms as secure or insecure. That is because cyber risk is never entirely eliminated; rather, it is reduced and managed to an acceptable level. Organizations must improve their awareness of what they are trying to protect, what threats could affect their business, and what technical and procedural measures are appropriate to align with the company’s risk tolerance and business requirements.
Ivo shared a sad but telling story about what happens when privacy and cyber security apathy goes wrong. In 2017 a local tech darling, TIO Networks, was acquired by PayPal for $238M USD. After the acquisition, PayPal did a security audit of TIO Networks and found not only a serious vulnerability, but that it had been exploited and 1.6 million personally identifiable records were stolen. PayPal ended up suspending the TIO service and later scuttled the company.
Minimum Viable Security
First things first, it is important to understand that privacy and cyber security are now every company’s responsibility. However, it is equally important to acknowledge the reality that startups won’t be able to afford enterprise-grade cyber security off the bat. So, what does Minimum Viable Security look like?
Too often, companies try solving their privacy and cyber security problems by buying a “box”, such as a firewall or anti-malware solution, without really having a risk management strategy. These knee-jerk acquisitions of cyber security tooling typically result in “technology rich and process poor” companies who still get breached. While cyber security tools have an important place in the risk management tool belt, it is recommended to first build up better awareness of the following:
The legal and/or regulatory requirements your company is under
Additional cyber security requirements or expectations from your clients
What data you collect, process and/or store and its criticality/sensitivity to the business
The cyber threat landscape and consequences of a data breach
Once you have a better understanding of what you need to protect and why, you can start defining your “how”. A cyber risk management strategy is your plan for managing the identified risks and meeting business requirements. This is typically done through security and risk management policies that articulate how risk is managed through the adoption of technologies and processes within the company. Startups may shy away from developing formal policies at first, as they do not have immediate measurables. However, beyond the fact that most security questionnaires expect formal policies to be in place, policies are meant to continually guide the company and its employees on how to manage risk.
Lastly, once the cyber security strategy has been defined, it is about implementing technical and procedural controls to support your organization’s risk management strategies as per policy. This would include implementing technologies and processes to prevent, detect and respond to cyber threats. This will likely start with preventative technologies and procedural controls focused on access control and will eventually morph into detective and responsive capabilities.
Mirai Security is a collective of expert cyber security professionals who focus on helping organizations understand risk, develop cyber security strategies and implement cyber security capabilities. We focus on understanding the business and designing “Minimum Viable Security” strategies with a focus on enabling businesses.