ABOUT THIS BOOK
Chapter 1 will discuss and get you comfortable with building a minimally viable cybersecurity program for a minimally viable product. You don't need to start with National Security Agency (NSA) level security on day one, and most founders reading this book won't even need it the day they ring the opening bell.
Chapter 2 will help you think through and build your cybersecurity roadmap regardless of where you are starting in the start-up life cycle. While it may seem out of order – why wouldn't you plan your roadmap first? – not everyone starts at the point of needing a roadmap, with a defined and documented strategy. If you are a month into building your minimally viable product (MVP) and just received your legal documents officially forming your company, a three-year cybersecurity roadmap is going to take up time and then sit on the shelf.
Chapter 3 is, in my opinion, the most important chapter in this book. If you read one chapter only, make it this one. Your credentials, which make up a username and password, are your keys to your digital self. These are most critical to protect as they underpin nearly all other systems in a cybersecurity program.
Chapter 4 will explore the ever-changing world of antivirus that began nearly 40 years ago and is now called endpoint detection and response (EDR) or endpoint protection platform (EPP). EDR and EPP is an important layer to your cybersecurity program, one that might be difficult to delay beyond the formation phase of your start-up.
Chapter 5 tackles the necessary evil that is our office network, how we connect to the Internet. It makes all of this possible and is also first to be blamed when we can't load our favorite cat video on our office Wi-Fi network.
Chapter 6 we soar into the sky and take a look at the clouds. It is nearly impossible to not use a cloud-based product today and as a founder there is a very good chance you are building a cloud-based product or will use them to scale your start-up.
Chapter 7 covers the actual basics and predecessor to all of this, information technology (IT).
Chapter 8 covers an equally critical topic to Chapter 3: hiring. Making your first cybersecurity hire is a high-impact decision for your start-up. The wrong hire can have disastrous consequences. And making sure you know what you are actually looking for, being honest with yourself and founders, will pay back dividends. Cybersecurity is one of the most competitive fields for jobs and has been for nearly a decade now.
Chapter 9 is a personal favorite of mine. Not everyone enjoys the negotiating challenges of working with a customer's general counsel on terms and conditions, or arguing the auditor's definitions of “was.” Being compliant can sometimes mean you can or cannot do business in an industry, country, or with a specific business. This is a chapter you shouldn't skip.
Chapter 10 continues and builds on Chapter 9 and dives specifically into government law and industry regulations. These, much like being compliant with a legal agreement, can stop a start-up in its tracks or open the doors to prospective partner, acquirers and customers.
Chapter 11 will prepare you for the day when people ask you if your product is secure and how you protect their data. It's a good idea to start thinking about these answers now and then look at your answers and verify that you are actually doing that. Someone will eventually want to audit you. Being ready to comfortably and confidently talk about your cybersecurity program will build a lot of trust with investors, customers, and partners.
Chapter 12 will discuss the inevitable data breaches. They are a part of doing business today and we build our cybersecurity programs to the antifragile so we improve when they happen.
Chapter 13 dives further into the technical needs for start-ups that are developing a technical solution, and covers baking cybersecurity into the product you are building, not just your start-up.
Chapter 14 looks at outside risks of doing business today. Third-party vendors, really any vendor, you use will bring some risk to your business. The reward must simply outweigh that risk. This chapter will help you understand how to quickly evaluate that risk.
Chapter 15 will bring us back to where we started and set you and your co-founders on the way to building a secure start-up.
HOW TO USE THIS BOOK
This book is written specifically for founders to take immediate and continuous actions in their start-up to bake in cybersecurity. After each chapter, I will summarize the contents and highlights of the most critical takeaways. Additionally, there will be action plans that you can take immediately and as your start-up scales to implement those suggestions.
These plans will be broken out into generalized phases in your start-up journey from founding to exit. Obviously, not every company takes the same path, so specific catalysts will be mentioned and grouped in a way that may seem contradictory.
1 FormationOne to three foundersNo additional full-time staffAngel or friends and family or bootstrap funding
2 ValidationFounders + Key Strategic HiresMVP existsLighthouse/marquee customersSeed round funding
3 GrowthFounders + Key Strategic Hires + Engineering TeamsSeveral customersA series and beyond
We'll use these generalized stages in the life cycle of a start-up to delineate specific milestones and actions that you should consider taking. So as your start-up and product mature, so does your cybersecurity (Figure I.1).
FIGURE I.1 Startup Development Phases – From Idea to Business and Talent to Organization
Source: Startup Key Stages by Startup Commons is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CHAPTER ONE Minimum Security Investment for Maximum Risk Reduction
An ounce of prevention is worth a pound of cure.
– Benjamin Franklin
