When it comes to meeting compliance standards, many startups have mastered the alphabet soup. From GDPR and CCPA to SOC 2, ISO 27001, PCI DSS and HIPAA, companies have strived to meet the compliance standards required to operate their businesses.
Today, every founder in the healthcare industry knows that their product must be HIPAA compliant, and any business handling EU consumers' personal data is well aware of GDPR, for example.
But a common mistake of high-growth companies is to treat compliance as a catch-all term that includes security. That assumption can be a costly and painful one. In reality, compliance means that a company meets a minimum set of controls. Security, on the other hand, encompasses a much wider range of practices and software that address the actual risks of the business's operations.
It makes sense that startups want to tackle compliance first. Being compliant plays an important role in a business's geographic expansion into regulated markets and in its penetration of new industries such as finance or healthcare. So, in many ways, compliance is part of a startup's go-to-market kit. And indeed, business buyers expect startups to check the compliance box before signing on as a customer, so startups rightly align with their buyers' expectations.
With all of that in mind, it's no surprise that we've seen a trend where startups pursue compliance from their earliest days, often prioritizing it over developing an exciting feature or launching a new campaign to attract prospects, for example.
Compliance is a big step for a startup and a step that moves the cybersecurity industry forward. It forces founders to put on their security hats and think about protecting their business as well as their customers. At the same time, compliance enables the buyer's legal and security teams to engage with emerging vendors. So why is compliance alone not enough?
First, compliance does not mean security (although it is a step in the right direction). More often than not, young companies are compliant while remaining vulnerable in their security posture.
What does that look like in practice? For example, a software company may have satisfied a SOC 2 control that requires endpoint protection on all employee devices, but have no way to enforce that the agent is actually enabled and kept up to date. Additionally, the business may lack a centrally managed tool to monitor and report whether, where, to whom and why endpoint violations have occurred. And, finally, the company may not have the expertise to react quickly to, contain and remediate a data breach or attack.
Therefore, although the compliance standard is met, several security holes remain. The end result is that startups can suffer security breaches that end up costing them dearly. For businesses with fewer than 500 employees, the average security breach costs around $7.7 million, according to IBM research, not to mention brand damage and loss of trust from existing and potential customers.
Second, an unforeseen danger for startups is that compliance can create a false sense of security. Receiving a compliance report or certificate from independent auditors and well-known certification bodies can give the impression that the security front is covered.
Once startups start to gain traction and recruit high-end customers, that sense of security grows: if the startup succeeds in landing security-conscious Fortune 500 customers, founders reason that compliance must be sufficient for now and that the startup is probably secure by association. When chasing enterprise agreements, it is the buyer's expectations that drive startups to achieve SOC 2 or ISO 27001 compliance in order to clear the company's security threshold. But in many cases, enterprise buyers don't ask sophisticated questions or develop a deeper understanding of the risk a vendor presents, so startups never really get to work on their security.
Third, compliance only addresses a defined set of known risks and controls. It does not cover anything new or unknown that has emerged since the last version of the requirements was written.
For example, APIs are used more and more, but regulations and compliance standards have yet to catch up with the trend. So an ecommerce business needs to be PCI DSS compliant to accept credit card payments, but it may also expose or consume multiple APIs with weak authentication or flawed business logic. When PCI DSS was first drafted, APIs were not common, so the standard does not specifically address them, and an assessment only examines the systems that are in scope for cardholder data; yet today most fintech companies rely heavily on APIs. Thus a merchant can be PCI DSS compliant while using insecure APIs, potentially exposing customers to credit card breaches.
Startups are not to blame for the confusion between compliance and security. It's difficult for any business to be both compliant and secure, and for startups with limited budget, time or security expertise, it's especially difficult. In a perfect world, startups would be both compliant and secure from the start, but it is unrealistic to expect them to spend millions of dollars bulletproofing their security infrastructure. There are, however, some things startups can do to become more secure.
One of the best ways for startups to tackle security is to hire security early. This team member might seem like a "nice to have" that you could put off until the business hits a headcount or revenue milestone, but I would argue that a head of security is a key early hire, because that person's job is to focus entirely on threat analysis and on identifying, deploying and monitoring security practices. In addition, startups would benefit from ensuring that their technical teams are fluent in security and keep it in mind when designing products and offerings.
Another tactic that startups can adopt to boost their security is to deploy the right tools. The good news is that startups can do this without breaking the bank: many security companies offer open source, free or relatively affordable versions of their solutions to emerging businesses, including Snyk, Auth0, HashiCorp, CrowdStrike and Cloudflare.
A full security deployment would include software and best practices for identity and access management, infrastructure, application development, resiliency, and governance, but most startups are unlikely to have the time and the budget needed to deploy all the pillars of a robust security infrastructure.
Fortunately, there are resources like Security 4 Startups that provide a free, open-source framework to help startups decide what to do first. The guide helps founders identify and solve the most common and important security challenges at each stage, providing a list of entry-level solutions as a solid starting point for building a long-term security program. In addition, compliance automation tools can help with ongoing monitoring to ensure these controls remain in place.
For startups, compliance is key to building trust with partners and customers. But if that trust is eroded by a security incident, it will be nearly impossible to regain. Being secure, not only compliant, will help startups take trust to a whole new level and not only drive market dynamics but also ensure their products are here to stay.
So instead of equating compliance with security, I suggest broadening the equation: compliance plus security equals trust. And trust is synonymous with business success and longevity.