Development of the Lean Startup Security Guide
The process of developing the Lean Startup Security Guide is described on this page. The figure below shows in detail how I created and verified the Lean Startup Security Guide. Each step is briefly described below the activity diagram.
Definition of the target group
The first step in creating this Lean Startup Security Guide was to identify the target audience and its characteristics. A narrowly defined audience makes it much easier to tailor security recommendations, because there is much less variety among the companies to be covered.
The target audience properties
a) The company does not need to fulfil any kind of security standard (e.g. because of legislation, industry, parent company or customers)
b) The company develops software or Internet services
c) The company has between 1 and 20 employees (including founders)
d) The company is a startup: growing fast, low budget, employees work hard (60 h/week)
e) The company owns no (or not many) hardware resources:
   - Laptops, tablets and smartphones may belong to the employees
   - Infrastructure might be outsourced
f) The company has no security expert employed
g) The company's office is at home or in a co-working space
h) The company uses agile and lean startup methodologies
If property a) and at least four of the other seven properties apply to a company, it belongs to the target audience of this guide. Other startups can of course use this guide to improve their security level as well, but some measures are only useful to software and Internet startups.
Discard risk management
Risk assessment and risk management are important parts of existing information security standards such as ISO 27001. Both processes can be hard and time-intensive even for medium-sized or large companies, but they are especially difficult for startups. Because of the unstable nature of a young company and its lack of resources, it is genuinely challenging to estimate the severity of risks and to keep the risk analysis up to date. A young company may also have no experience of which threats it will face and how likely they are to materialise.
For these reasons the approach of the BSI (the German Federal Office for Information Security) with its IT-Grundschutz Catalogues fits startups much better. The Grundschutz approach of defining modules and assuming general threats and safeguards for each of them is very convenient for many SMEs: they can skip the risk assessment and concentrate on the listed threats and on implementing security measures based on the company's structure, processes, infrastructure, IT and needs.
Identify relevant and applicable IT-Grundschutz modules and adopt only the safeguards
IT-Grundschutz is still too heavy-weight for a young and fast-growing company with 1 to 20 people. This raises the question: “Does a startup really need to know all the details of the threats that belong to a certain module?” The answer is not clear-cut. On the one hand, knowing the threats is important for making the right decisions and for implementing the safeguards in the right context and with the correct focus. On the other hand, the many different kinds of threats distract the person responsible for security from implementing the safeguards quickly. Therefore the lean startup guide emphasises the safeguards and describes the threats only when necessary.
Discard all modules that are not relevant for the target group
In this step I removed all the IT-Grundschutz modules that are not relevant for the target group. The “not relevant” classification was made based on the properties of the target group defined above. This ensures that only the relevant security mechanisms remain in the guide, so that it stays lean.
Add practices and recommendations from other standards, papers and sources
There are many other sources of information about the options companies have to increase their security and privacy level. I considered different kinds of sources to improve the guidelines. Examples of additional references are:
- Corporate vs. Product Security
- What Every Tech Startup Should Know About Security, Privacy, and Compliance
- Web Security – A White Hat Perspective
- OWASP Top 10
Restructure, combine and slim down the identified safeguards
The safeguards, practices and guidelines identified in the different sources need to be slimmed down and combined into practices that startups can implement easily. This gain in simplicity comes at the cost that the individual safeguards can no longer be traced directly to a particular standard or source, because the measures from different sources are merged together.
In this step I implemented the lean startup security guide in practice to verify whether each measure can easily be fulfilled. The problems that arose during the implementation were used to update the corresponding safeguards. During the implementation I created different kinds of checklists and other documents; these are available in the Templates section.
Safeguards that are based on findings from the practical implementation are marked with the sentence “Finding during Rentog implementation”.
P. Watson, “Corporate vs. Product Security,” May 2013. [Online]. Available: https://www.sans.org/reading-room/whitepapers/bestprac/corporate-vs-product-security-34237. [Accessed 19 June 2016].
H. Wu and L. Zhao, Web Security: A WhiteHat Perspective. CRC Press, 2015.
The Open Web Application Security Project, “OWASP Top 10,” [Online]. Available: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project. [Accessed 29 September 2016].