What do Start-ups focus on and why?
Since the Dot Com Boom around 2000, technology related start-ups have been come common place and may even be viewed as the norm. This can be attributed to the relative low cost of creating some technology based products, including service based products. It appears that all you need to create a technology start-up is a “good idea”, some people who can build the technology and a plentiful supply of potential funding.
In fact, the advent of cloud computing has further reduced the cost of entry and this is focusing many start-ups on delivering products which are Internet based services, often leveraging mobile technologies.
All organisations are constrained by the resources available to them and start-ups are no different in this respect. Therefore, if you are building a product or service then it is necessary to prioritise the features and functionality in it. Additionally, it is necessary to get the initial product to market as quickly as practically possible, in order to generate some revenue. It is this dynamic that leads to the prioritisation of user features over other functionality including security features.
Consequently, the vast majority of start-ups are focused on creating minimal viable products which provide sufficient user rich features and neglecting functionality which is not immediately obvious to the users.
Cyber Security must be part of the Minimal Viable Product
Failing to include security features is not acceptable when a product is being delivered through an increasing hostile environment such as the Internet. The sheer number of threats and their level of sophistication are growing and likely to continue to do so. Added to this, users are becoming more aware of the dangers and starting to demand that they and their privacy are better protected.
For a start-up to be successful over the medium and long term, it is critical to establish and continuously build trust with their customers and potential customers. We have highlighted the importance of trust in our previous article “Internet of Things, Big Data, Cloud: Take Security and Privacy seriously to stay in the game”.
For start-ups to believe that they are too small for cyber attackers to take note of them is naive and misguided. Whilst the start-up may not be the ultimate target of an attack, it may well provide a route into a more significant target. For example, an attacker could compromise a senior executive’s device who uses a start-up’s service to gain access to a multi-national company, if the start-up’s service is not sufficiently protected.
In addition to the need to build customer trust, governments are under increasing pressure to act and take measures to better protect their citizens. Within the European Community, this is demonstrated by the new GDPR regulations which are currently being introduced to strengthen EU citizens’ personal data rights and force higher standards on all organisation handling their personal data.
From the start-ups perspective, there are significant advantages to taking security seriously from the beginning. The challenge of trying to retro-fit security into any technology product is significant because can be very costly and tends to be highly disruptive. Therefore, it is much more sensible to design a full security model at the very beginning of the design phase rather than when the product is already in the market.
This does not mean that every security feature needs to be implemented before the initial version of the product goes to market as this would prevent bring a product to market in a timely manner. However, having insufficient security features in the initial product is equally unlikely to succeed in the medium to long term. This approach is exactly the same way that user features are delivered.
Today, building some basic security into a product is much easier than it used to be. Taking user authentication as an example, there are a number of options that can be adopted to leverage existing publicly available solutions. Two potential solutions that instantly come to mind are Microsoft and Google … they both maintain user databases and have authenticator smartphone applications which can be leveraged. This approach makes it much quicker and cheaper to implement some industrial strength security into the minimal viable product, so why won’t you just include it.
Cyber Security is an essential component of all technology products and not a “nice to have” or “something to be added later”. Therefore, it is essential that the basic cyber security components are part of any “Minimal Viable Product” and that additional security features are added throughout the product lifecycle in line with its evolution and the changing environment that it is being used in.
Start-ups that ignore cyber security will struggle to survive in the medium to long term because they will be breached and their customers will lose trust in them.
Find out more about how your business can truly protect its future from cyber threats by contacting Corix Partners. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Security Strategy, Organisation & Governance challenges.