M.1) Security kick-off meeting with founders

Category:        Organizational, Initial

Responsible:   CTO or the person who initiated the security discussion

Effort:              2 hours preparation + 80 minutes meeting with CEO, CTO and responsibles

Based on:       IT Grundschutz M 2.1 / M 3.7 / M 3.8 / M 3.44 / M 3.96 / M 2.193 / M 2.200 / M 2.259

The first measure is an organizational one. It is important that the founders initiate and support the plans for implementing or enhancing the startup’s information security and privacy processes and measures. This ensures that everyone knows the importance of security safeguards and that the following steps are supported and accepted by everyone in the startup. The following topics should be on the agenda of the security kick-off:

  1. Introduction and agenda (5min). Everyone should know what this meeting is about. Define a person who writes down the results of each step in this meeting (protocol).
  2. Introduction to information security (10min). This agenda point is necessary to motivate the participants and to ensure that everyone knows that this topic is important and stays focused. The person who initiated the meeting should talk about the following questions:
    • Why do we need information security in our startup?
    • What are the possible consequences if we don’t improve our security level? What is the worst case?
    • How easy could we get compromised?
    • Which other (similar) companies already had problems with hackers
  3. Introduction to the Lean Startup Security Guide (15min). The participants should read through the headlines of this guide to get an overview. The initiator of this meeting should tell the others which measures are already implemented and which are open points.
  4. Information security and privacy documentation (10min). The meeting attendees should define where and how all the security related documents, reports, protocols should be stored. This can be for example a simple folder, network storage or a wiki page. It is important that every employee can access the documents and that it is possible to implement access restrictions for certain kind of documents.
  5. Identify the major risks the company is facing (20min). This step doesn’t need to be a comprehensive risk analysis/assessment, like for example ISO/IEC 27001 requires. But the meeting participants should discuss what the company’s business processes are and what the worst case scenarios would be. This is not only important from the information security perspective. The CEO should always know what kind of risks his/her company is facing and should have at least a feeling for the probability of occurrence and the impact each risk could have. Only in this way it is possible for him/her to manage the risks. Example for an analysis of the major company risks:
    Business case Online platform for car sharing
    Business process Users can register on platform for sharing and renting cars. Each user needs give his credit card information and needs to be verified manually to avoid fraud. Users can create listings for their vehicles by setting a price per day, uploading photos and giving vehicle details…
    Valuable data ·      Customer database

    ·      Driving licenses of customers

    ·      Other personal information of customers

    ·      Contracts with partners

    ·      Employee database

    ·      Source code

    ·      Operating data (research, surveys, marketing strategy)

    Worst case scenarios ·    Customer data gets deleted à Company is ruined and sued by customers.

    ·    Customer database is stolen by a competitor and they can target and acquire our customers à Company is ruined

    ·    Hackers can steal money from customers à Company is ruined and sued by customers.

    ·    Platform is hacked and is used to infect our customers with malware à Company is ruined

    This list is just an overview and should motivate the participants to help increase the information security level. The list can be extended at any time and it is also possible to derive information security risk treatment options from this risk analysis (like in ISO 27001) but the Lean Startup Security Guide uses another approach to ensure a basic level of security (by assuming standard threats).

  6. Identify and assign roles and responsibilities (10min). The following roles make sense for startups:
    1. Corporate security responsible (CSR) (see also this blog post)
    2. Product security responsible (PSR) (see also this blog post)
    3. Privacy responsible

    Each of these roles can be assigned to one person, multiple employees or even teams.

  7. Define next steps, milestones and reporting (10min). It is necessary to plan the next steps and to define milestones. The progress should be reported to the CTO. The CTO is also the person who governs the whole process and who is the supervisor and contact person for the security and privacy responsibles.


Preparation and Management:  The person who initiates the lean startup security kick-off should be prepared for the meeting. His or her task is to lead through the meeting and to show the others why information security is essential for their company. Therefore this person has to prepare each single step above.



The information contained in this website is for general information purposes only. You can find more information about the accuracy of the information on the disclaimer and terms and conditions pages.