Startup Security Strategy
Nick Drage
A practitioner of game-based methods to help you make more impactful decisions.
On making decisions and foreseeing consequences
You’ve a killer concept and the passion to take it far. You’ve done your research, read your startup bibles and assembled a small dedicated team of passionate people. You know you need to hustle to find clients and your product-market fit. You’ve already made a raft of choices about risk and threats and security and … wait, roll back. Security? Do you really need to think about that when you’ve not even got a product yet? But you’re making security decisions, even if you’ve not recognised them. We’re here to talk through an example of the choices you’ve already made.
Right from the very start there are big decisions to be made about what technology you use and how you use it. If you’re founding a technology startup, you’re familiar with the “Shift Left” concept, and all the difficulties and benefits it brings. Similarly, thinking through the implications of decisions now, at the earliest possible stage, when they have the smallest consequences for future experimentation or simply changing your mind, can give you significant advantages.
Dedicated hardware or BYOD?
One option brings more expense, but also more security and easier decisions.
Choosing to go with BYOD, or Bring Your Own Device, means that you and your staff use your personal equipment for work purposes. In some industries that probably just means you have a different browser identity for the online email and document sharing service you work on. But otherwise you’re just “you”, using the same online services for both personal and work contexts, because your personal identity and work identity are essentially the same. Or, depending on the devices being used, your staff can swap between two logins when needed, which provides the necessary separation between their personal and work contexts.
BYOD is a choice that new companies can find themselves making by default - it’s the easiest way to get started, and causes the least friction.
Choosing BYOD means it’s easier for staff to integrate the demands of startup life into their day to day responsibilities, and the existing contacts they may use and need are already right there in their address books. And the founder’s personal contact details are already known to many potential customers or new employees, making it much more likely that any sales opportunities will be acted on in a timely manner.
The security of standard operating systems is now arguably sufficient that, unless you’re working in a high risk and/or tightly regulated industry, BYOD will provide the required level of protection while you road test your idea.
Dedicated Hardware, so uncool
If you don’t want to go with a BYOD strategy, dedicated hardware is the way to go. But this option means there’s more expense from the very start of the organisation’s existence, and you - and everyone you work with and everyone you hire - will probably be carrying around at least two phones and two laptops while working together. Also you, as their employer, will be in charge of imaging the devices, issuing them to new starters, and providing any technical support they require.
But dedicated hardware does come with benefits - and these may make sufficient difference in the medium term that you should be willing to go to the extra effort in the short term.
Most prominently, with dedicated hardware security is a lot easier to manage. You can impose whatever restrictions you consider necessary - the use or absence of biometrics, required levels of encryption, restrictions on transferring data onto or off of the device, and so on. You can do this knowing that you won’t be affecting a user’s personal device, with all the consequences that can bring. While any kind of endpoint management and security capability is a cognitive overhead on top of everything else you’re thinking about right now, implementing it right from your organisation’s inception establishes good security practice from the very beginning. Similarly, if you plan to implement Endpoint Detection and Response in-house, or Managed Detection and Response using a third party, the “dedicated hardware” option reduces friction all round.
Decisions and their consequences
Think of what impending decisions you’ve got to make, and what consequences they have - especially how to give yourself more options, or more time. With thanks to my writing partner, who couldn't get signoff from their scale-up for this piece: this is an example of a simple decision that can be made before the company even starts, with surprisingly long-term ramifications.
If these are the kinds of decisions you're facing, please look up my contact details and get in touch: either I can help you, or I can find the right people for you to talk to.
Security Consultant at DATEV eG
1 year ago
Startups face so many decisions that seemingly have nothing to do with what they want to accomplish, and yet have long-term consequences. Thanks for the interesting read, Nick!