Existing security standards vs. startups

It is only meaningful to target a certain security level if it can be reached at reasonable cost, with the available personnel and financial resources, and within a reasonable time.


There are many measures available to improve the information security of your company, like buying a firewall or defining guidelines, but even the best and most expensive measures are worthless if your security process as a whole is not properly planned and managed. If you just implement safeguards, but no one in your company defined the security objectives in the first place and no one is responsible for measuring the performance and acceptance of a safeguard, then in most cases the effort and expense will produce insufficient results.

The following steps are designed to implement lean but managed information security measures. All steps and suggestions are based on a questionnaire and survey results from the Austrian startup scene, personal experience, papers, recommendations and industry standards like ISO 27001 and BSI Grundschutz. The goal is to keep the effort and costs very low but the outcome high.


Why existing standards do not fit startups

General thoughts about standards, certificates and audits

In my experience many companies (established ones, not startups) make huge efforts to gain certifications. In many cases certain tasks, processes or rules don’t even make sense, but they are still implemented because of an upcoming audit. Also, in many cases all the necessary documents are reviewed for existence and correctness only in the last weeks before audits and assessments. Employees are chosen and trained to answer the auditors’ questions. Open point lists (OPLs) are created and worked through. Everything is brightly polished for the audit. After the assessment, when everything and everyone has returned to reality, no one cares about the OPLs and shortcomings until the next audit appears on the horizon again. Of course not every company works this way, but certainly nearly all of them need to prepare for audits somehow. [1], [2]

With these facts in mind, it is obvious that startups can’t afford such time- and resource-intensive events in their early stages. Therefore it is no surprise that the online survey I conducted showed that nearly none of the startups is certified against a security standard (or any other standard). In general, companies want to gain certificates for the following reasons (according to [3] and Dejan Kosutic, author of the ISO 27001 and ISO 22301 Blog):

  • The industry or regulations require it (state of the art, safety, …)
  • A customer requires it
  • The company wants to get a competitive advantage
  • There have been major problems within this area in the past


For most software startups none of those reasons apply.

Nevertheless, a company can certainly implement a standard or framework, or parts of it, without getting certified. If they want to improve security in their company, why not use existing and well-tested standards? While many companies certainly do exactly this, according to my survey most software startups (98%) seem to ignore them. Around 83% of Austrian software startups haven’t even heard of the Austrian Information Security Standard or guide. In the personal questionnaire the interviewees gave the following reasons for this:

  1. They do not have an employee who is familiar with corporate information security or any of the related standards. Information security does not boost their productivity or customer metrics, whereas developers, sales people and marketing experts do.
  2. The learning curve of the heavyweight standards, and the respect they command, are too high. At first glance the 4200 pages of the IT-Grundschutz or the various documents and requirements of ISO 27001 seem overwhelming to people who have never had to deal with information security.

Therefore many startups implement some security-related mechanisms, like data backup (88%), encryption of personal/sensitive data (54%) and physical access control (47%), but around 70% of the software startups do not go any further with their security practices (according to my survey).

This indicates that conventional standards do not really fit the needs of this kind of dynamic company, and that it is time to define much more lightweight processes which allow Internet and software startups to reach their appropriate “security level”.


[1] O. Boiral, ISO Certificates as Organizational Degrees? Beyond the Rational Myths of the Certification Process, Université Laval, Canada: Web of Science Data, 2015.

[2] M. Power, The Audit Explosion, London: White Dove Press, 1994.

[3] H. Sun, Comparing Reasons, Practices and Effects of ISO 9000 Certification and TQM Implementation in Norwegian SMEs and Large Firms, City University of Hong Kong: Web of Science Data, 2015.