I’ll admit, when I started my first company 9 years ago, security wasn’t something that crossed my mind. I just wanted to build great software and fast. I think a lot of start-ups have this same mentality. Get the product out the door and worry about “all the things” later. This article talks about some of the things start-ups should be considering when wanting to mature in the area of security.

Something I’ve found really helpful is choosing a cybersecurity framework that you want to follow. For example, NIST and OWASP have some great things you can adapt to and follow. They all have similar yet different approaches and have practical ways to help secure your applications.

I’d recommend reviewing the different options and find one that suits your way of thinking. Even a mixture of frameworks can’t hurt.

When customers question your security standards, you can point them back to the cybersecurity framework you’re using. It also sets you up for success when you push further into security which we outline in the next points.

Having a security assessment done on your company is a great way to identify potential areas of risk and create opportunities for improvement.

Generally, you’ll decide on a baseline for what you are comparing your company with to see how you stack up. Some examples of these baselines are ISO27001 or PCI DSS.

A report should be issued providing a list of business-impacting security risks to your company as well as recommendations to mitigate these risks. The next part is to start implementing what’s required to reduce the risks.

Here you would perform vulnerability scanning activities on your application to identify potential vulnerabilities. This is generally a simple and painless task in terms of having a scan done and receiving a report.

The report should detail any vulnerabilities or risks found within your application and suggested remediation actions.

From there is the maybe more challenging part of filling any holes. Performing a scan every 12 months is probably a good baseline here.

The last thing to think about is training your staff on how to identify security risks such as phishing emails and educating them on some basic security practices.

You might follow the best security practices on your software and applications but if your staff aren’t aware of how they can open the gates to threats, you can be left wide open.

There are real-life simulations you can send your staff or training manuals they follow and then answer questions to test their knowledge.

These are some practical things you can do to ensure your start-up software company is being proactive in a world where new security risks are popping up all the time.

Don’t wait until it’s too late!

Originally posted Feb 6, 2020.