Additional 2) Start with risk management

Category:        Further security improvement, growth

Responsible:   CEO, CTO

Effort:              –

Based on:       [36]

Once the startup has implemented the safeguards of the Lean Startup Security Guide, or once the company starts to grow, it is time to start with risk management.

In the initial security kick-off meeting (measure M.1) the major risks have already been identified. This guide, however, did not use that initial risk assessment to select its safeguards; instead the safeguards are based on a standard risk and threat level assumed by the author. Now it is time to extend that initial assessment and to manage the identified risks systematically.

The process is basically a PDCA (plan, do, check, act) cycle and consists of the following four steps:

  • Risk assessment – find and describe the company’s risks: which assets matter, what can go wrong with them, and how.
  • Risk evaluation – for each risk, determine the likelihood of occurrence and the impact. Together they show how critical each risk is and let the company prioritize the risks.
  • Risk management – decide how each risk is treated. The options are:
    • Acceptance – if the expected loss (likelihood times impact) is lower than the cost of treating the risk, the risk is consciously accepted. Document the decision and who took it.
    • Mitigation – many risks can’t be eliminated, but they can be reduced to an acceptable level with suitable measures (safeguards). What remains afterwards is the residual risk, which is then accepted.
    • Transfer – in some cases a risk can be transferred to an external party, for example to an insurance company or, by contract, to a service provider. Transfer shifts the financial loss, not the responsibility towards customers.
    • Avoidance – the company can also avoid a risk by choosing a different approach or course of action, for example by not collecting the data in the first place.
  • Measure – the risks have to be re-assessed periodically to verify that the defined measures actually work (check). Newly arising risks are captured and handled in the same way (act).
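The four steps above, worked through on a small risk register. This is an added example, not code from the Lean Startup Security Guide; it uses the common quantitative form of the evaluation step (expected annual loss = likelihood as occurrences per year times impact as loss per occurrence) and makes the acceptance rule explicit by comparing that expected loss with the cost of each treatment option. The rating thresholds, the treatment options and the four sample risks are constructed for illustration.

```python
"""Worked risk register: evaluate, prioritise, choose a treatment.

Added example, not part of the Lean Startup Security Guide. Expected annual
loss = likelihood (occurrences per year) x impact (loss per occurrence).
Thresholds, options and the sample risks below are constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    ACCEPT = "accept"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"
    AVOID = "avoid"


@dataclass
class Option:
    """One way to treat a risk: its yearly cost and the risk that remains."""
    treatment: Treatment
    annual_cost: float
    residual_likelihood: float  # occurrences per year after treatment
    residual_impact: float      # loss per occurrence after treatment

    @property
    def total_cost(self) -> float:
        """What the option really costs per year: price plus residual expected loss."""
        return self.annual_cost + self.residual_likelihood * self.residual_impact


@dataclass
class Risk:
    name: str
    likelihood: float  # expected occurrences per year
    impact: float      # loss per occurrence, same currency throughout
    options: list = field(default_factory=list)

    @property
    def expected_loss(self) -> float:
        """Risk evaluation: likelihood x impact, the figure used to prioritise."""
        return self.likelihood * self.impact


def rating(expected_loss: float) -> str:
    """Map an expected loss to a qualitative level. Thresholds are assumptions."""
    if expected_loss >= 40_000:
        return "critical"
    if expected_loss >= 10_000:
        return "high"
    if expected_loss >= 1_000:
        return "medium"
    return "low"


def prioritise(risks: list) -> list:
    """Most expensive risk first, so treatment effort goes where it matters."""
    return sorted(risks, key=lambda r: r.expected_loss, reverse=True)


def choose_treatment(risk: Risk) -> tuple:
    """Pick the cheapest option overall (treatment price plus residual loss).

    Accepting costs nothing and leaves the full expected loss in place, so a
    risk is accepted exactly when no option saves more than it costs.
    """
    best_treatment, best_cost = Treatment.ACCEPT, risk.expected_loss
    for option in risk.options:
        if option.total_cost < best_cost:
            best_treatment, best_cost = option.treatment, option.total_cost
    return best_treatment, best_cost


# Constructed sample register (figures invented for the example, in EUR).
SAMPLE_RISKS = [
    Risk("Laptop with customer data stolen", likelihood=0.5, impact=40_000, options=[
        Option(Treatment.MITIGATE, 2_000, 0.5, 2_000),     # disk encryption + remote wipe
        Option(Treatment.TRANSFER, 6_000, 0.5, 10_000),    # cyber insurance with deductible
    ]),
    Risk("Phished employee mailbox", likelihood=2.0, impact=15_000, options=[
        Option(Treatment.MITIGATE, 3_000, 0.5, 5_000),     # MFA + awareness training
    ]),
    Risk("Card numbers stored in own database", likelihood=0.2, impact=250_000, options=[
        Option(Treatment.AVOID, 4_000, 0.0, 0.0),           # tokenise at the payment provider
        Option(Treatment.MITIGATE, 40_000, 0.05, 250_000),  # run an own PCI DSS programme
    ]),
    Risk("DDoS on marketing site", likelihood=0.2, impact=1_000, options=[
        Option(Treatment.MITIGATE, 1_200, 0.0, 0.0),        # paid CDN tier
    ]),
]


def register_report(risks: list) -> list:
    """One row per risk, highest priority first: the table a review meeting looks at."""
    rows = []
    for risk in prioritise(risks):
        treatment, cost = choose_treatment(risk)
        rows.append({
            "risk": risk.name,
            "expected_loss": round(risk.expected_loss, 2),
            "rating": rating(risk.expected_loss),
            "treatment": treatment.value,
            "yearly_cost_after_decision": round(cost, 2),
        })
    return rows


if __name__ == "__main__":
    for row in register_report(SAMPLE_RISKS):
        print(row)
```

Two things the table shows that the list alone does not: the DDoS risk is accepted because the only countermeasure costs more than the loss it prevents, and the card-data risk is best avoided even though a mitigation exists, because avoidance removes the loss entirely at a fraction of the price. Re-running the report with updated likelihoods and costs is the "measure" step of the cycle.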

Because plenty of good resources on risk management are available online (like the following link), the Lean Startup Security Guide won’t go into further detail here. Furthermore, there are standards and frameworks for risk management, for example:

  • ISO/IEC 27005, which covers “Information security risk management”
  • ISO 31000, which provides principles, a framework and a process for risk management in organizations
  • COSO ERM (2004), the “Enterprise Risk Management – Integrated Framework”

These standards are again somewhat heavyweight for a startup, but they are good input on how to run risk management once the company grows further.


