So lately in the press you may have seen quite a bit about so-called security lapses, compliance lapses, and the like in high-profile start-ups.
Don’t snicker. Don’t be smug. Let me be clear. TBFTGOGGY. There But for the Grace of G– Go You.
Running a multi-tenant web app is full of constant potential drama, especially until you are big enough to afford a 30+ person SecOps team, a multi-continent DevOps team, a full-time PenTest team, and all the rest.
The only reason you haven’t been hacked, been flamed, been exposed is because — you are too small and too boring.
We talked about this a few months back here — It’s Time For You to Make Security a Core Feature, Not a Tax. The summary points were:
- First, until you have your first real Enterprise customer with a true security audit — do the best you can. Just do the best you can.
- Then, you’ll go through your first security audit. Don’t roll your eyes. Don’t shrug. Don’t let your team push back. Here’s the Trick, the Hack — It’s a Gift. A detailed, written security audit. Because It’s Your Roadmap. It’s Your Necessary and Brighter Future. The first time you get one of these, it will be 20 pages and 100s of questions. And you’ll fail a lot of them. And you’ll only sorta, kinda pass a few others. It’s not OK, but it is what it is. If there are 200 questions, and you can only answer a clear “Yes” to 20 … use the other 180 as part of your product roadmap to a better future.
- Take all the security items you fail on, and devote at least 15% of your dev budget to them. For every release. Forever. Maybe even more than 15%. With no excuses.
- If you can, do something like Salesforce Appexchange certification early. This will force you to be better.
- And finally, once you hit $10m ARR at the latest, hire a full-time Chief Security Officer to manage this. Take it away from your VP of Product or VP of Engineering.
That’s a good framework I think.
But I want to go further here and make a few more actionable suggestions that are less about doing better, and getting more customers — and more about saving your arse:
- First, once a quarter — have a TBFTGOGGY Meeting With Your Engineering + Product Team. “A There But For the Grace of G– Meeting“. Here’s what you do. Everyone comes to the meeting with 1-2 top things they are worried about in security and infrastructure. You put it all up there:
- First, you force the team to force rank the priorities.
- But also. You force everyone on the team to talk about their Top 2. If you haven’t done this before, you’ll not only learn. You may even turn white as a sheet, on occassion.
- Second, if you don’t have one — put up your own version of trust.salesforce.com. External accountability is critical here. Everyone can pretend if no one is really watching. I did this early. Everyone hated it. Which was a good thing.
- If you are really selling into the enterprise, i.e. Big Companies — make the senior hires around their concerns as early as you can afford them. Hire a Chief Security Officer as soon as you can. Stop outsourcing it. And hire a General Counsel as early as you can ($4-$5m if you can, even). A GC that has dealt with scaling SaaS issues. Not someone three levels down from Facebook or other Cool Web Company.
- Be scared. This is a good thing. If nothing worries you about security as your SaaS start-up, you don’t have enough information. You are doing it wrong. “Being on AWS” won’t save you. “Being encrypted-at-rest” won’t save you. Having a CTO that worked at some other web company before won’t save you. If you aren’t a bit worried, a bit scared. You’ll get burned.
And whatever you do, don’t be smug, don’t be confident when you read something about someone else. It almost definitely, certainly, could have been you.
Instead, today, go ask your team what you can do to make sure it doesn’t happen to you.