Corporate vs. Product Security in Startups

When corporations search for an information security specialist, their goal is most of the time to find someone who can keep the organization secure. He or she needs to be able to protect the company’s secrets and resources. If this person takes over the Chief Information Security Officer (CISO) role, the main task is to write, maintain and control the information security concept and the security guidelines of the whole company or of a division within a larger corporation. If the person is recruited as a cybersecurity specialist within the (local) IT department, he or she might actually be implementing the security concept, writing working instructions with checklists, and maintaining inventory registers, configuration documents and security reports.

What both have in common is the focus on the company’s secrets and resources. This can include access restrictions and authorization mechanisms for the building and the IT, backups of company data, and so on. In the Lean Startup Security Guide the role for these tasks is called Corporate Security Responsible.

On the operational level some organizations split the security tasks into physical (facility) security and network (IT) security groups, but their goals are still the same: securing the company’s secrets and resources. [1]

But many companies also need an additional security team, the product security team. Those companies produce a product or operate a service and need to make that product or service secure. Most of the employees who focus on product security are simply part of the engineering teams. In some cases they even have different job titles and descriptions, like “security engineer” or “security tester”, and are involved in each step of the software development life cycle (analysis & specification, design, implementation, testing, integration and maintenance). In many other cases these security engineering tasks are somewhat overlooked and are only thought about when the first issues from the production environment are reported. In the Lean Startup Security Guide the role for these tasks is called Product Security Responsible.


Relation to Startups

Because software and Internet startups directly deliver software or offer software as a service to their customers, they need to deal with both corporate security and product security.

Ideally the product security team is separated from the corporate security team, since the two operate in different environments and on different tasks and therefore also need different skills. While product security requires software development skills, corporate security requires knowledge of networks and of off-the-shelf appliances and their configuration ([1], chapter 2.2). Separation can also be important because of the prioritization of tasks: what is more important, fixing a flaw in the server configuration or fixing a flaw in the company’s product? ([1], chapter 2.1)

This separation into product and corporate security teams can also be implemented in small software companies. Example: one of the software developers is responsible for product security and the system administrator (if there is one) is responsible for corporate security tasks. Both are steered by and report to the CTO.

For startups which offer Internet services (e.g. web shops, social media platforms, apps with constant server communication, or software as a service products) it is a little more difficult to differentiate, since

  • the company’s secrets, like the customers and all the information about them and the source code of the software, are part of the product and are stored on servers which can be directly accessed through the Internet.
  • many startups use cloud services (Infrastructure or Platform as a Service products from Amazon, Google, Microsoft, etc.) and do not even have their own infrastructure.
  • the backend software, written in Java, PHP, Ruby, Python, JavaScript, etc., might have interfaces to other off-the-shelf server software like the database, ERP or SAP systems, server monitoring software and other tools.
  • often either the system administrator or a developer is also responsible for DevOps (a clipped compound of development and operations) tasks, and software deployment is automated in many cases. So it might be a developer (and not an administrator) who installs and configures server software, like the web server or tools to index and query databases.


Therefore the borders blur a little. A hacker can get access to sensitive company data through misconfiguration or exploits in off-the-shelf server software, but also through misconfiguration or exploits in the backend software developed by the company itself. For such companies it is advisable to build a joint corporate and product security team, since many of the tasks and skills overlap.

Nevertheless, especially in those cases it is important to have clear responsibilities, rules and guidelines. If a developer is configuring off-the-shelf server software, he or she also needs to have the expertise to do so, or the whole task needs to be reviewed by someone who has that knowledge.

Because this is a very important organizational topic, the Lean Startup Security Guide contains a dedicated safeguard on “Corporate vs. product security”.


[1] P. Watson, “Corporate vs. Product Security,” May 2013. [Online]. Available: https://www.sans.org/reading-room/whitepapers/bestprac/corporate-vs-product-security-34237. [Accessed 19 June 2016]


Online survey on IT Security in Austrian Software Startups

In this blog post I am publishing the results of an online survey I conducted for my master thesis. Because the thesis targeted “Information Security in Software Startups”, the survey is all about how Austrian Internet and software startups deal with information security. The results showed me where I need to place special focus during the specification of the Lean Startup Security Guide.


Figuring out the number of candidates needed

With an estimated population of 325 software and Internet startups in Austria (according to http://www.austrianstartups.com/map/), a confidence level of 90% and a margin of error of 10%, the calculated minimum sample size is 56. This means that 56 people who work in different startups need to take part in the survey; in other words, 17.23% of all Internet startups in Austria needed to take the survey.
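The post states the population, confidence level, margin of error and the resulting minimum sample size, but not the formula behind them. The script below is an added example (not part of the original post) that reproduces the number with the standard approach for a proportion survey: Cochran's sample size at the most conservative proportion p = 0.5, followed by the finite-population correction. That the post used exactly this method, and that its calculator rounded 56.13 to 56, is an assumption. As an extension the script also goes the other way and computes the margin of error actually achieved by the 60 responses collected, which is not stated on the page.

```python
from statistics import NormalDist


def z_score(confidence: float) -> float:
    """Two-sided z value for a confidence level, e.g. 0.90 -> 1.645."""
    return NormalDist().inv_cdf(1 - (1 - confidence) / 2)


def sample_size(population: int, confidence: float, margin: float,
                proportion: float = 0.5) -> float:
    """Minimum sample size for estimating a proportion.

    Assumed method: Cochran's formula for an infinite population, then the
    finite-population correction. p = 0.5 is the worst case (largest sample).
    Returns the unrounded value so the caller decides how to round.
    """
    z = z_score(confidence)
    n0 = z ** 2 * proportion * (1 - proportion) / margin ** 2  # infinite population
    return n0 / (1 + (n0 - 1) / population)                     # finite-population correction


def share_of_population(sample: int, population: int) -> float:
    """Percentage of the population covered by the sample, to 2 decimals."""
    return round(100 * sample / population, 2)


def achieved_margin(sample: int, population: int, confidence: float,
                    proportion: float = 0.5) -> float:
    """Margin of error obtained with a given sample size (inverse of the above)."""
    z = z_score(confidence)
    variance = proportion * (1 - proportion) / sample
    fpc = (population - sample) / (population - 1)               # finite-population correction
    return z * (variance * fpc) ** 0.5


if __name__ == "__main__":
    population, confidence, margin = 325, 0.90, 0.10           # values from the post
    n = sample_size(population, confidence, margin)
    print(f"minimum sample size: {n:.2f} -> {round(n)} startups")
    print(f"share of population: {share_of_population(round(n), population)}%")
    # 60 startups actually answered; what margin of error does that give?
    print(f"margin with 60 responses: {100 * achieved_margin(60, population, confidence):.1f}%")
```

Running it gives 56.13, i.e. 56 startups or 17.23% of the population, matching the post, and shows that the 60 responses actually collected push the margin of error slightly below 10% at the same 90% confidence level.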


The survey results

Altogether 60 of about 325 (18.5%) Austrian software and Internet startups participated in the online survey.

Getting to know the audience

The first questions had the goal of getting to know the survey audience. The following questions were asked:

1) What roles do you take in your startup? (multiple answers possible)
[Figure q1: chart of the answers to question 1]

  • More than 90% of all participants are in a managing role as CEO or CTO (only very few interviewees stated that they are both CEO and CTO).
  • Only 16% of the interviewees hold the IT security or privacy responsible role. All participants who stated that they are IT security or privacy responsible also held the CTO role.

2) In what kind of startup do you work at? (single choice)

This question ensured that only Internet and software startups were considered in the result interpretation.

[Figure q2: chart of the answers to question 2]

  • Fintech startups are software startups in the financial sector.
  • The 7% “other” consist of startups in the biotech and electronics sector. They took part in the survey because they either have an online shop or also produce software products (but not as their main product).

3) Where is your startup located? (country; single choice)

This question was asked to ensure that only Austrian startups are participating in the survey.

4) Number of employees in your startup? (single choice)

[Figure q3: chart of the answers to question 4]

The answers to this and the next question show a problem I faced. It was particularly hard to find very early stage startups with just a few employees. This might be due to the fact that very early stage startups do not yet invest much time in being visible to investors and the public.

Nearly 63% of all interviewed startups had more than 4 employees; nearly 28% even had more than 9 employees.

5) How old is your company in years? (single choice)

[Figure q4: chart of the answers to question 5]

As already described for the previous question, most interviewed startups are already out of the early stage phase in terms of employees. This can also be seen in the answers to this question, since only around 37% are 2 years old or less.

6) Cloud Services

More than 83% of the interviewed startups use Software as a Service (SaaS) and 51% use Infrastructure as a Service (IaaS) for their business. Only 11% stated that they do not use cloud services at all.

7) Processing of personal data – 49% stated that they process personal data only within the European Economic Area, and 44% even do this only on their own servers. More than 28% stated that they either don’t know where their data is processed or that they process data outside of the European Economic Area.


Questions about information security

Question 1: Are startups willingly taking risks in terms of cybersecurity by lacking information security processes and mechanisms?

This question is tricky to answer, because it is hard to distinguish between a lack of knowledge and willingly taking risks. In many cases even the interviewees in a personal interview could not answer this question, because they were often somewhere in between those two situations.

Because of this difficulty I used the following approach for the online survey:

Ask the startups…

  1. if security is important for their startup
  2. why security is not important for them
  3. if they are afraid of being hacked
  4. if they performed a risk assessment
  5. if they have an information security responsible
  6. what kind of measure they have implemented

While the first three questions target the personal feeling of the survey participant, the other three target the actual situation within the company. I combined and interpreted the answers to these six questions to give an answer to the first question.

The answers

  • 33% stated that information security is very important for their company
  • 58% stated that information security is important for their company
  • 9% stated that information security is not really important for their company
    • Of these 9%…
      • 29% never thought about it
      • 71% don’t have enough resources for it
  • 19% stated that they are definitely afraid of being hacked, while the other 81% think that it might be possible. None of them think that they aren’t a potential target or that they have spent too much money on IT security to be hacked.
  • 12% stated that they have performed an information security risk assessment
  • 19% stated that they have the role “IT security responsible”
  • The answers to question 6 are reported separately below

Conclusion for Question 1

Although more than 91% of the participants stated that IT security is an important topic for their company, only very few companies (19%) have an employee who is responsible for IT security. Furthermore, only around 30% of the young companies seem to implement something like a well-thought-out cyber security concept. Together with the fact that 100% of all participants thought that they could be hacked, this indicates that most of the young companies are aware of the security risks and also know that they are not perfectly prepared for an attack. Although most of them did not perform a risk analysis and therefore do not know all of the potential threats they are facing, it seems that they are willingly accepting the remaining information security risks. But without a risk assessment, employee training on security and an information security responsible, this topic can certainly not be described as “managed”. In my opinion the risks are (partially) known but simply neglected in many cases.

Question 2: Do accelerators, investors and venture capital firms care whether their startups have an eye on information security?

This question was targeted with the survey question “Who cares about information security in your startup?” The results:

  • 49% of the CEOs
  • 74% of the CTOs
  • 59% of the Developers
  • 5% of the Investors
  • 5% of the Accelerators and Incubators

This shows that nearly none of the accelerators or investors actively trigger their startups to invest resources into information security.

Question 3: How many startups have already experienced security breaches?

Of all questioned startups, around 14% stated that they had been victims of successful hacker attacks (5% of them even more than once).

[Figure q5: chart of the answers to Question 3]

While this certainly seems like a small number in percentage terms, in absolute terms more than 45 companies in Austria have already been victims. And most of them (74%) have not even existed for more than 4 years. Furthermore, some of the startups might not even know that they have been victims of successful hacker attacks (dark figure).

Question 4: Would your startup implement a very lean security process and lean security measures if it only cost between 2 and 4 working days (depending on company size)?

[Figure q6: chart of the answers to Question 4]

The previous questions already showed that there is much room for improvement. The answers to this question confirm this, because more than 76% of all participants are willing to implement a “Lean Startup Security Guide” or are willing to discuss such a guide with their colleagues. This also highlights the relevance of the Lean Startup Security Guide.

Question 5: What kind of risk evaluation techniques, information security measures and processes do Austrian startups implement to deal with cyber security threats?

  • 88% of the participants perform regular data backups
  • 54% encrypt personal or sensitive data
  • 40% perform code reviews with focus on information security
  • 35% execute penetration tests
  • 30% have security trainings for employees and founders
  • 33% centrally manage their employees’ devices (laptops, phones, tablets)
  • 30% have security policies
  • 19% have an IT security responsible
  • 12% have performed an information security risk assessment
  • 2% implement information security standards

The results show that only the first two safeguards are implemented by more than 50% of the software and Internet startups. The fact that 40% perform code reviews with a focus on IT security, but only 30% train their employees on information security topics, indicates that there is a higher focus on product security than on corporate security.

Additional results

  • 83% of the survey participants did not know the “Österreichisches Informationssicherheitshandbuch” or the “IT Sicherheitshandbuch for KMU”
  • 30% have a privacy responsible in their company
  • 35% have at least someone in their company who knows something about the EU privacy laws
  • 9% of the startups handle privacy by consulting their lawyer


My conclusion

The survey showed that many startups have gaps in their information security handling, and many of them do this on purpose. At the same time they are willing to implement lean security safeguards if the effort only takes between 2 and 4 working days. This is why I created the Lean Startup Security Guide: to improve the information security level of Internet and software startups.