About this guide
The Security 4 Startups (“S4S”) guide was designed by a working group of investors and CISOs from small, mid-sized, and large corporations. Its purpose is to empower startups with reasonable security controls that are intelligently applied and have a favorable cost-effect ratio. Simply put: S4S strives to help early stage startups solve for their greatest security risks, in a balanced way, and in a manner that is sustainable and does not demand great security expertise. While S4S will not solve every security vulnerability, it provides a solid baseline addressing the most common and important security challenges companies face, and a starting point from which companies can grow their security program.
Open-source vision: The S4S is an open-source project that is managed by the core group, but accepts changes and additions from the community. It will be updated periodically.
Startups and security: Bridging the gaps
Small deposits wisely invested accrue compound interest. This is true of both action and inaction regarding cybersecurity. Though security is generally perceived as important, not all early stage startups address it. Why? Because investing in security is perceived not as urgent, but as costly and difficult to maintain.
Nonetheless, accepting the risk of a cybersecurity event through inaction is statistically likely to be catastrophic to a startup, even at a very early stage:
- The U.S. National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses over six months after a cyber attack
- According to the Ponemon Institute, the average security breach cost for small businesses stands at $2.7M
Startups that invest in their security posture can expect to reap the following benefits:
- Drive sales by addressing the needs of small and large companies alike
- Protect future revenue estimates by reducing liability from breaches
- Defend company brand and reputation by avoiding negative media mentions
- Comply with laws and regulations
To help startups take security action in a structured and cost-effective way, we put Security 4 Startups together.
The working group had several objectives in putting S4S together:
- Create a usable, detailed and technical document for founders and early stage executives to empower them to address security, before hiring a head of security
- Provide visibility into the considerations and expectations of security practitioners as they evaluate new technologies for their companies, bridging the gap between how startups and cybersecurity executives view security risks
- Accompany the recommendations with a survey to elicit suggestions for improvement and feedback on their utility
- Be relevant to any startup, and available free of charge to all
This guide will be most useful to technical founders or technical leadership of a startup at either a) pre-seed / seed stage or b) Series A+ stages.
- As startups vary in resources, we divide the guidelines between seed and early stages (1-100 people)
- The guidelines start from security concerns founders should address, then cover controls they could implement as they integrate security into the company and product
The expected takeaways of this guide
- Learn about security measures that are cheap to implement and easy to maintain
- Understand customers’ concerns from security and privacy perspectives
- Prepare for potential regulatory requirements
- Build security in, not after, with a focus on execution
The opinions contained in S4S are provided for general information purposes only and do not constitute legal or other professional advice on any matter, nor shall they be relied on or treated as such legal or other professional advice in any manner or under any circumstances. S4S writers do not accept any responsibility for any loss which may arise from reliance on S4S. Cybersecurity as well as technology, law, and regulation are complex, frequently-changing domains with far-reaching consequences. You should consult with qualified professionals who are fully aware of your startup’s particular circumstances before you make any decision or take any action. The tools mentioned in the guidelines are provided as examples for cost-effective solutions for the specific control. These solutions are not to be considered best in class. S4S core members were not influenced by direct relationships with any vendors in putting the suggestions in the guide together.
- You're invited to the S4S Slack channel to interact with like-minded community members as well as security professionals
- As an open-source project, the S4S initiative strives to get better from suggestions and ideas shared by the community. Please feel free to suggest your ideas and improvements via our GitHub repository
- Security 4 Startups was created by a group of security professionals. To learn more, visit our Credits page
Risk profile: guiding questions to get started
To navigate to the guidelines most suited to your specific use case, please start by answering a few guiding questions.