Federal consumer-protection authorities have called on the entrepreneurs building tech startups to prioritize cybersecurity from the earliest stages of the development process.
But a variety of factors -- cost, lack of technical expertise, rush to market, etc. -- can make security seem like more of a burden or an impediment to the startup's growth than anything else.
At a recent event convened by the Federal Trade Commission, industry insiders emphasized the importance of incorporating security as an integral part of any company's operations, not just the services or applications that it produces.
At startups in particular, which are often led by a founder/CEO whose personality can to a great degree define the culture of the organization, it is crucial that the firm's leaders establish the expectation that security is a company-wide priority.
"I think company founders, management are really critical to developing a culture," says Devdatta Akhawe, a security engineer at Dropbox. "In my experience, the companies that have responded well and responded seriously to security issues are often the ones where the founders are driving this sort of culture and these sort of values."
It's worth noting that the idea that the founders should set the tone from the top on security is hardly confined to startups. Frank Kim, chief information security officer at the SANS Institute, recalls the predicament of Microsoft in the late 1990s and the early part of last decade. In 2002, when then-CEO Bill Gates issued an all-hands warning about the need to prioritize security in the company's ubiquitous software, Microsoft was viewed as a "laughing stock of the security industry," Kim says. The result of Gates' warning was Microsoft's Trustworthy Computing initiative, a concerted effort that considerably improved the company's security posture.
In part, security became a priority at Microsoft because the company's customers demanded it. And fledgling startups trying to carve out a slice of market share can ill afford a data breach or the reputational hit that comes from the perception that their applications aren't secure -- customers are likely to vote with their feet.
Making security in a startup a high-level goal
It seems easy enough to designate security a high-level goal within a startup, but how should that work in a practical sense?
Window Snyder, CSO at Fastly and an experienced hand at security who has done stints at Apple and Mozilla, emphasizes the importance of starting from the earliest stages of the development process and training the engineering team on some basic tenets of secure programming.
Then, she suggests that companies implement a peer review process whereby the security experts and others get a chance to kick the tires on a particular feature before it is released to the public, noting the benefits that can emerge from bringing disparate teams together to focus on security.