We live in a world where security is something that you have to do, and very rarely something that you want to do. In the world of young companies and startups, security isn't even something they have to do, it's something they literally can't afford to do. Security as a requirement must change. Security is a basic right that all companies should have, at a cost they can afford, and in a way that allows them to build security the right way over the long haul.
The Problems Start At Inception
Security is complex and often requires significant investment in both tooling and people. Security is difficult. Oftentimes this complexity can be solved with resources - both financial and human. But most early stage companies don't have access to this level of resources and by default an adequate level of security.
Most early stage companies want to be secure, but unfortunately the ROI doesn't make sense. If a small startup has to hire an additional one or two security professionals when the company is a total of ten people it quickly becomes impossible to afford. It just doesn't make sense to spend $100,000s to protect a business that is generating little to no revenue.
Due to high cost and complexity, small companies are forced down a path that makes security an afterthought. When your biggest business problem is finding enough revenue to keep the lights on, security is not a priority.
Security is Mandatory - And You Don't Have It
As a business grows, their customers require a certain level of security maturity. They are frequently mandated to deliver proof of security to land new business. Prospects start asking the business for vendor security reviews and for proof of passing security audits such as SOC 2.
At this point, the burgeoning enterprise does what anyone else would, they scramble to prove they are secure. They scramble and adapt because there is no security foundation built from day one, and they look for the quickest, easiest way to check the customer requirement boxes. They have no intention to cut corners or find the path of least resistance, but the situation at hand dictates they either do that or lose the business.
Creating A Cycle of Security Tech Debt
This early stage security debt is causing a toxic cycle to occur within the security industry. There is constant downward pressure on the security consulting and auditing industry to provide the least cost version of an assessment. This results in a very low bar for security compliance and a lower level of accuracy around actual risk and security maturity to the customer. Additionally, buyers of low cost tooling and services are knowingly committing to technical debt so that they can check the box and get through the audit as quickly as possible. They aren't focusing on doing the right thing and making security that can scale. Eventually they have to rip their security program out and start over when they realize that they have created an unscalable security model. Even worse, many chose to do nothing about the technical debt making the world less secure as a whole. The waste and enterprise risk that this creates is staggering.
A Security Parable
A young person, let's call him Tommy, is just graduating college. Times are tough in the job market so he takes the first job that he can find. It pays next to nothing, but Tommy is focused - he studies, trains, and grows his skills and eventually his career. During the early days, Tommy pays no attention to his health and wellness. He's just too focused on being the best employee he can be. He eats fast food every day, overloads on chips and soda, and generally doesn't pay attention to what's going into his body. This isn't because he doesn't care, he does. He wants to do what's right, but it costs so much money and takes so much time to go to the grocery store, to pick the correct ingredients, cook the right meals, and to even take the time to understand nutrition in the first place.
Fast forward a few years. Tommy has gained weight, doesn't have the energy he once did, and in general is unable to work and play as hard as he once could. He took on too much health and wellness debt. He made bad choices early in his career because he couldn't afford the time and resources needed to do it right. It came back and bit him because now he can't operate like he once did. He is in need of a reset. He has to throw away everything he has learned and start from zero in order to get his health back. This is identical to what is happening in security at startups today.
Security Is A Basic Right -- Compliance Should Not Cost Extra
Security, the wellness of an organization, must be taken care of from the very beginning, when the organization is young. Today we live in a world where young startups are unable to avoid the pitfalls that Tommy went through. With the way that security tooling, resources, and processes are designed, it's nearly impossible to achieve your security wellness goals and your business goals simultaneously.
Most startups currently live in a world of "cyber poverty". Having access to good security solutions should be treated as importantly as having access to clean water and basic healthcare. If you can't afford it, it should be provided. Security should be a basic right of all companies.
On top of paying for security, organizations today often have to pay the compliance tax -- in terms of additional tooling and/or resource hours -- to collect compliance evidence and satisfy requirements of an assessment or audit. When faced with budget and resource limitations, many choose to go down the path of "checking the box". That is, paying for compliance and kicking the security can down the road. Instead, compliance should be a natural outcome of security. It should not require much more work, and it should not cost extra.
As much as we'd love all the revenue we can get as a business, we believe a securer and happier community is more important. After all, we are part of the same community. We are JupiterOne.