
Startups: The Most Important Audience in Cyber

No, you do not need to hire a CISO!

Cyber security professionals like to talk about “baking in” cyber security when designing or developing an information technology product. But it really goes back even further… to “baking in” cyber security as a way of thinking about your business.

If you search on the terms “cyber security framework” two frameworks developed by the National Institute of Standards and Technology (NIST) will likely be at the top of the search results (the Cybersecurity Framework and Risk Management Framework, or RMF). There are others as well, like CIS 20 from the Center for Internet Security, ISO 27001, and one I find especially appealing out of Australia called the “Essential Eight Maturity Model.”

The NIST frameworks are quite comprehensive (especially RMF). But this is only a strength for larger, more established businesses. It is a significant weakness for startups as it assumes a certain bureaucratic structure to an organization. ISO 27001 is superior because its starting focus is the business itself rather than technologies used by the business. But the process of certifying on an ISO standard is probably too involved for the early stage startup. CIS 20 is better in that respect, digesting its framework into 20 “controls” (or best practices). But the path in CIS 20 is tech-centered (rather than business centered) and has been left behind (and badly so) by the fact that startups almost certainly do not have their own internal network and inventory of assets, but rather rely on cloud “Software as a Service” (SaaS) and “Infrastructure as a Service” (IaaS) providers. Australia’s Essential Eight is right-sized for a startup, but also suffers from being tech-centered and for not accounting for the cloud.

So what’s a startup to do?

Three Perspectives in Cyber

I’ll start with something completely outside of tech: Gallup’s “Business Profile 10” assessment tool. Gallup has digested the people in startup businesses into three roles: the Rainmaker, the Conductor, and the Expert. It so happens to be (IMHO) that in cyber security there are three (and only three) perspectives: the Executive, the Operational, and the Technical perspectives. The Executive perspective is what Gallup calls the Rainmaker. This is the CEO who is responsible for making choices on trade-offs when it comes to accepting risks in how the company does business. The Operational perspective is what Gallup calls the Conductor. This is the guy/gal who makes the trains run on time. And the Technical perspective is what Gallup calls the Expert. This is the tech guy or gal who works miracles. They know, though, that there are no such things — just really cool tools.

In an early stage startup it is likely the Executive and Operational perspectives are seen by the same person. They usually have someone they rely on for tech support — that person sees the Technical perspective.

And that’s it right there! If you can identify who makes executive decisions, who keeps the trains running on time, and who solves your tech problems, you can bake cyber security into your business from the very start!

The Business Plan and the Security Concept of Operations

If your startup has a formal business plan, you are actually well on your way. And if your business has been around long enough to have an ISO 9001 Quality Management System (QMS), you are even further along. In fact, with a Business Plan and a QMS you have already done at least 80% of the hard work in cyber.

The next step is taking these things and eliciting from them a “Security Concept of Operations” (SeCONOPS). This is simply an articulation of how you do business, but is focused on steps you take to secure your operations. As you do this, focus on the thing a hacker is after — your data. This can be found both on paper and in digital form. Identify what kinds of data pose risks (meaning if it were lost or stolen you would be exposed to civil/criminal penalties and/or loss of reputation). As you develop this, keep an eye out for what you do today (the “as-is”) and what you can improve on (the “to-be”). This will be the key to the next step.

The System Security Plan

Once you have a strong grasp of what you do on a day-to-day basis from a security point of view, you are ready to choose a framework and then build out a System Security Plan. It is important to understand that this is a “plan” — you should have an idea of where you are today, where you want to be in the future, and a path and timeline to get there.

When you work with a framework, keep in mind that they are developed with the understanding that a typical business will not be (and should not be expected to be) in “compliance” with every “best practice” presented by the framework. They also should be viewed as a generalization which should guide your specific implementation. This is why it is so critical to do the SeCONOPS first.

You should go into this project expecting that the Operational perspective will push back on some of the framework’s security controls as creating obstacles to delivering on customer expectations. This is normal, and is where you look “behind” the framework language to understand what risk(s) are being controlled. Now the question becomes:

How can we control these risks in a way that is as close as possible to the framework’s articulation, but still allow operations to deliver on our business value commitment to our customer?

When you ask yourself this question about the controls articulated by the chosen framework you avoid the trap of “why we can’t.” Executives get too wrapped up in seeing these things as “standards” which demand “compliance.” Operations then wastes tons of energy trying to explain “why we can’t.” The tech guy or gal just sits quietly wishing these people could just make up their minds!

When you realize the framework language is generalized, and that it is perfectly acceptable to write what NIST’s RMF calls a “compensatory control” and use it as a substitute for the control you cannot otherwise implement (for perfectly legitimate operational reasons), you are switching from “why we can’t” to “how we can.”

“How we can” vs. “why we can’t…” There is simply no more important mindset in cyber security… None. Period.

Implementing a Framework

So, for a startup, either CIS 20 or Australia’s Essential Eight would be an excellent starting point… However…

Start by taking an inventory not of your computers but of your data. And remember that data “lives” on paper just as much as it lives on thumb drives, laptops, servers, etc. Your SeCONOPS should sketch out a life-cycle for your data, including printed reports, from birth to death. It should consider the ramifications of the data being compromised (e.g. losing what should be confidential information, unauthorized changes to the data, or loss of access to the data). And that path from birth to death should identify all places where the data can be found. It is most likely today that this includes cloud service providers as well as company and personal devices.

These things make up your “system.” And your “System Security Plan” lists what parts of your system currently implement the framework controls, which parts do not, and which parts you do not know or have visibility into (e.g. cloud providers). When faced with conflicts between a control and operational needs, resist the temptation to write a compensatory control so you can say you are implementing it. Write compensatory controls with an idea of what you can and should be doing, even if you are not doing it right now or you do not know or have visibility into what is being implemented by a cloud provider.

Then finally, take all of the parts of your system which are not implementing your framework’s controls and lay out a multi-year plan. Eat the elephant one bite at a time. Do what you can with what you have today, and budget your upcoming years so that as your startup grows, your cyber security capabilities grow with it. Understand that you will need to research your cloud providers, and may need to change to providers who can offer greater assurance of how they secure your data. But again, do what you can today with what you have and otherwise plan to make needed changes. And if you have a business plan, once you complete your System Security Plan, double back and revise your business plan to support it going forward.
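To make the three steps above concrete (inventory the data and where it lives, record for each location whether a control is implemented, not implemented, or simply not visible to you, then turn the gaps into a multi-year plan), here is a small data-centric System Security Plan model. It is an added example, not code from the original post or from any framework; the data assets, locations, impact scores and control names are constructed placeholders and are not quoted from CIS 20 or the Essential Eight.

```python
"""
Added example (not from the original post): a minimal data-centric
System Security Plan (SSP) model. It inventories data by where it lives
(paper, laptop, cloud provider), scores the impact of losing
confidentiality/integrity/availability, records per-location control
status, and turns every non-implemented control into a prioritized
multi-year plan. All names and numbers below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    IMPLEMENTED = "implemented"
    NOT_IMPLEMENTED = "not implemented"
    UNKNOWN = "unknown"          # no visibility, e.g. inside a cloud provider


@dataclass
class DataAsset:
    name: str
    locations: tuple[str, ...]   # every place the data can be found, paper included
    impact: dict[str, int]       # loss of C/I/A, 1 (low) .. 3 (high)

    def risk(self) -> int:
        # crude risk score: sum of the three loss impacts (max 9)
        return sum(self.impact.values())


@dataclass
class ControlRecord:
    control: str                 # illustrative control name, not a framework quote
    location: str
    status: Status
    compensatory: str | None = None   # what we can and should do instead, if anything


@dataclass
class Gap:
    control: str
    location: str
    status: Status
    risk: int
    action: str


def location_risk(assets: list[DataAsset]) -> dict[str, int]:
    """Highest risk score of any data asset that lives at each location."""
    risk: dict[str, int] = {}
    for asset in assets:
        for loc in asset.locations:
            risk[loc] = max(risk.get(loc, 0), asset.risk())
    return risk


def find_gaps(assets: list[DataAsset], records: list[ControlRecord]) -> list[Gap]:
    """Every control that is not implemented, ranked by the risk of its location."""
    risks = location_risk(assets)
    gaps: list[Gap] = []
    for rec in records:
        if rec.status is Status.IMPLEMENTED:
            continue
        if rec.status is Status.UNKNOWN:
            action = f"research provider: confirm '{rec.control}' at {rec.location}"
        elif rec.compensatory:
            action = f"implement '{rec.control}' at {rec.location} (interim: {rec.compensatory})"
        else:
            action = f"implement '{rec.control}' at {rec.location}"
        gaps.append(Gap(rec.control, rec.location, rec.status, risks.get(rec.location, 0), action))
    # highest-risk locations first; ties broken by control name so the plan is stable
    return sorted(gaps, key=lambda g: (-g.risk, g.control))


def roadmap(gaps: list[Gap], start_year: int, per_year: int) -> dict[int, list[Gap]]:
    """Eat the elephant one bite at a time: `per_year` gaps per budget year."""
    plan: dict[int, list[Gap]] = {}
    for i, gap in enumerate(gaps):
        plan.setdefault(start_year + i // per_year, []).append(gap)
    return plan


# Constructed sample inventory: three data assets and the controls per location.
ASSETS = [
    DataAsset("customer contracts", ("paper", "laptop", "cloud-storage"),
              {"confidentiality": 3, "integrity": 2, "availability": 2}),
    DataAsset("payroll records", ("cloud-payroll",),
              {"confidentiality": 3, "integrity": 3, "availability": 2}),
    DataAsset("marketing drafts", ("laptop", "website-cms"),
              {"confidentiality": 1, "integrity": 1, "availability": 1}),
]
CONTROLS = [
    ControlRecord("multi-factor authentication", "cloud-storage", Status.IMPLEMENTED),
    ControlRecord("multi-factor authentication", "cloud-payroll", Status.UNKNOWN),
    ControlRecord("multi-factor authentication", "website-cms", Status.NOT_IMPLEMENTED),
    ControlRecord("full-disk encryption", "laptop", Status.IMPLEMENTED),
    ControlRecord("encrypted backups", "laptop", Status.NOT_IMPLEMENTED,
                  compensatory="weekly copy to cloud-storage until backup tooling is budgeted"),
    ControlRecord("locked cabinet and shredding", "paper", Status.NOT_IMPLEMENTED,
                  compensatory="shred at end of contract; cabinet lock planned"),
    ControlRecord("provider encryption at rest", "cloud-storage", Status.IMPLEMENTED),
    ControlRecord("provider encryption at rest", "cloud-payroll", Status.UNKNOWN),
]

if __name__ == "__main__":
    for year, items in sorted(roadmap(find_gaps(ASSETS, CONTROLS), 2025, 2).items()):
        print(year)
        for g in items:
            print(f"  [risk {g.risk}] {g.action}")
```

Two design choices carry the post's advice: a location's risk is inherited from the most sensitive data that ever passes through it, so a single high-impact record drags its cloud provider to the top of the plan; and an "unknown" status is never silently treated as implemented but becomes an explicit "research provider" task, which is the visibility problem the post flags for cloud services.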

This will “bake” cyber into how you, and the people you rely on, think about your business. It is far better for everyone to think of the business in terms of cyber risks and how they are controlled, than to hire someone else to do this thinking for you. This will be far more consequential for cyber security than all of the great tech ideas of the entire global pocket-protector set combined.