When Is the Right Time for a Startup to Take Data Security Seriously?

Photo by Franck on Unsplash

The age-old battle of democratic governments wanting to open backdoors in software is enough to make any startup CIO go bald from pulling their hair out. To make it worse, when there are data breaches, then government agencies are quick to slap on heavy fines and point the finger.

Data breaches can also have a catastrophic effect on share prices. For private startups, that usually translates into a lack of faith from the private equity firms backing them, possibly even spurring some to initiate an exit.

Tech company competitiveness

Competition in the tech world is fierce. One moment, you’re planning to be the first person to fly to space in a space tourism aircraft, and the next, some 71-year-old billionaire pushes up his schedule and takes all the glory.

But big companies like Blue Origin and Virgin Galactic have cash flow and clout. They can take a hit or two and still survive. As a big company, when you’re not the first horse out of the gates, you might suffer a momentary slowdown. But failing to be the first startup out the gate could be catastrophic, especially when you’re trying desperately to show VC firms that their investments are solid.

The demand for startups to get a product out early, even if it isn’t completely ready, only adds to the desire of regulatory bodies to gradually tighten the thumbscrews to ensure compliance with basic security practices.

So, the startup is facing pressure on two fronts:

  1. Get a product out now or be annihilated by the competition.
  2. Get the mammoth task of 100%, foolproof cybersecurity in now or be annihilated by the FTC.

Is pressure to perform a good thing for startups and cybersecurity?

All of the above comes under the heading of pressure to implement a tech feature, rather than choice. Pressure in tech startups is not necessarily a bad thing, although it can turn ugly.

The late Steve Jobs was a model exemplar of this. His ruthless, unrelenting, and often tyrannical treatment of the team that developed the first Macintosh resulted in groundbreaking technological breakthroughs on multiple fronts—things that we don’t even blink at today: smooth graphical user interfaces, a mouse that can move in any direction, circles, rounded corners on windows, beautiful fonts. When members of his team didn’t create precisely what Jobs wanted, even if it seemed technically impossible, Jobs emotionally abused them until they did do it, according to his biographer Walter Isaacson.

Some thrived under that pressure, but others caved.

Yet the resultant breakthroughs were two or more decades ahead of their time. (It also resulted in several human casualties—many of the original Macintosh team ended up leaving Apple because of continuing conflicts with Jobs.)

Pressure built the Macintosh but it had a terrible human toll.

The first Mac also wasn’t perfect despite its impressive launch event. All the unrealistic demands that Jobs made resulted in a “woefully slow” machine that didn’t sell very well.

Developing security because of coercion and pressure has the same effect—it might lead to spurts of genius, but the integrated whole ends up lacking.

A change in mindset is needed for better cybersecurity

A better mindset for implementing great security is to do it by choice because it’s just the right thing to do. If project leads and senior management think of data security as part of the user experience—which it is; stolen credit card details are definitely a terrible user experience—rather than as something they’re being coerced to do, they’re far more likely to do a better job on it.

To demonstrate, we can call on Steve Jobs again—this time with his announcement to stop supporting Flash on iOS devices. It sent ripples through the tech world and added coal to the decade-old feud between Apple and Adobe. In his open letter on the subject, Jobs cited security as one of the reasons to dump Adobe Flash. And even though, years later, an Apple engineer claimed it was for other reasons, no one can deny Jobs’s personal passion for annihilating Flash from the web.

And, hey, let’s be frank: Flash was insecure and its APIs gave browsers direct access to the filesystem, camera, and mic without even asking for permission!

Steve Jobs’s passion for this meant that it was done right, and the web is a far better place because of it.

A simpler solution is needed that helps startups instead of bashing them

The time for startups to take data security seriously is right at the start of their venture, but when they are able to do it depends on funding and resources.

Even if startup teams are developing security for the right reason, the question is how. HIPAA enforcement and stunning FTC fines might add regulatory pressure but they don’t do much to help startups find ways to do security feasibly because the cybersecurity industry is so fragmented.

Entrepreneurship is all about risk, and sometimes the risk that “we might be hacked” is far less than the risk that “we are definitely going to be creamed by the competition if we don’t release now.”

Tech giants such as Google and Amazon have come up with cloud services that provide key rotation services and a central config but they don’t offer dedicated key derivation. To get that, a startup would need to go to a company like Thales. And it’s then up to the startup to link those two services together.

None of these companies offer end-to-end encryption so that would need to be coded locally.

The result is a mishmash of services with weak links in it.

The problem is worsened by these services’ lack of crypto-agility—the ability to easily switch between cryptographic algorithms. Often, this requires an enormous amount of code-rewrite, not to mention the bureaucratic burden of getting it all approved.

If the industry really wants startups to get cybersecurity right from the start, a workable solution must be provided in addition to just enforcing heavy fines. That solution should include end-to-end encryption with key derivers and key rotation functions, and it should ideally be a plug-and-play SDK that everyone can use with just a few steps to get started.

In short, the only way for all startups to get security right is to make it easy.

Ready to protect your data?

Learn the most common data protection opportunities and how Peacemakr works with your infrastructure and products to stop data breaches.