We normally associate the term “small business” or SME (small to medium-sized enterprise) with commercial operations that buy and sell, manufacture products or provide services – lawyers, plumbers, accountants, web developers, etc.
However, there is an important class of small business operations that is often overlooked when it comes to information security, and that is the technology startup. A high tech startup is an SME by all definitions – usually fewer than 50 employees – but it doesn’t buy and sell, and neither does it provide professional services.
Unlike other small businesses, a high tech startup is almost purely focused on product research and development. Almost all startups have a very high percentage of software development. Even if the startup develops hardware – there is still a strong software development focus.
Intuitively – one would say that a primary concern for a startup is IP (intellectual property) protection and that starts with protecting source code.
Counter-intuitively this is not true. There are two basic reasons why source code leakage is not necessarily a major threat to a startup:
1) If the startup uses FOSS (free and open source software), there is nothing to hide. This is not strictly correct, since the actual application developed using FOSS has immense value to the startup and may often involve proprietary closed source code as well.
2) A more significant reason that source code leakage is of secondary importance is that a startup’s IP is invariably based on a combination of three components: domain expertise, implementation know-how and the implementation itself (the software source code). The first two factors – domain expertise and implementation know-how – are crucial to successful execution.
The question of how to protect IP still remains on the table but it now is reshaped into a more specific question of how best to prioritize security countermeasures to protect the startup’s domain expertise and implementation know-how.
Prioritization is of crucial importance here, since startups by definition do not generate revenue and have little money to spend on luxuries like data loss prevention (DLP) technologies.
Software Associates works exclusively with technology and medical device developers and I’d like to suggest a few simple guidelines for getting the most security for your money:
The startup management needs to know how much their information security measures will cost and how it helps them run the business. Business Threat Modeling (TM) is a practical way for a manager to assess the operational risk for the startup in dollars and cents.
The advantages of the business threat modeling methodology are:
- Threat modeling places the focus on asset management and Value at Risk reduction before acquisition of information and security technologies
- Threat modeling helps select the right countermeasures often prioritizing monitoring before active data loss prevention (for example)
- Threat modeling, when done right, quantifies risk in dollar terms. This is particularly important when reporting back to the investors on exposure to data loss of IP
- Threat modeling helps justify investments in security, compliance and risk management to the management board – simply because it puts everything into financial values – the value at risk and cost of the security portfolio.
These are similar objectives to GRC (Governance, risk and compliance) systems.
The problem with most GRC and ERM (enterprise risk management) systems is that they don’t calculate risk, they make you work hard and they’re not that easy to use. I think that we can all agree that the last thing a hi-tech startup needs is a system to manage GRC activities when they’re working to make the next investor milestone.
Startup management needs a simple security management approach that they can deploy themselves, perhaps assisted with some professional consulting to help them get started and get a good feel for their exposure to security and compliance issues.
How does a practical security management methodology like this work? Well – it works by using the common language of threat modeling.
You own assets – for example, expensive diamond jewelry stored at home. These assets have a dollar value.
Your asset has vulnerabilities – since you live on the ground floor and your friendly German Shepherd knows where the bedroom is and will happily show anyone around the house.
The key threat to the asset is that an attacker may break in through the ground floor windows.
The countermeasures are bars for the windows, an alarm system and training your dog to be a bit less friendly around strangers with ski-masks.
Using countermeasure costs, asset value, threat probability of occurrence and damage levels, we calculate Value at Risk in financial terms, and propose a prioritized, cost-effective risk mitigation plan.
That’s it – adopt a language with 4 words and you’re on a good start to practical security management for your high tech startup.
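The four-word language above (assets, vulnerabilities, threats, countermeasures) can be turned into a small calculation. The following is an added example written for this post, not code from Software Associates or from the original article. It assumes a simple annualized model: Value at Risk = probability of occurrence × damage level × asset value, and a countermeasure is worth buying only when the risk it removes exceeds what it costs. The dollar figures, probabilities and damage levels are constructed for illustration; the jewelry scenario is the one from the text, and the know-how scenario follows the article's point that monitoring is often prioritized before DLP.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """Something the business owns, valued in dollars."""
    name: str
    value: float


@dataclass
class Threat:
    """A way the asset can be lost, with its likelihood and damage level."""
    name: str
    asset: Asset
    probability: float  # annual probability of occurrence, 0..1
    damage: float       # fraction of asset value lost if it occurs, 0..1

    def value_at_risk(self) -> float:
        # Assumed model: expected annual loss in dollars.
        return self.probability * self.damage * self.asset.value


@dataclass
class Countermeasure:
    """A control that scales down the threat's probability and/or damage."""
    name: str
    threat: Threat
    cost: float                      # annual cost of the countermeasure
    probability_factor: float = 1.0  # 0.2 means probability drops to 20%
    damage_factor: float = 1.0       # 0.5 means damage is halved

    def residual_var(self) -> float:
        t = self.threat
        return (t.probability * self.probability_factor) * \
               (t.damage * self.damage_factor) * t.asset.value

    def risk_reduction(self) -> float:
        return self.threat.value_at_risk() - self.residual_var()

    def net_benefit(self) -> float:
        # Positive means the control removes more risk than it costs.
        return self.risk_reduction() - self.cost


def prioritize(countermeasures):
    """Keep only cost-effective countermeasures, highest net benefit first."""
    worth_it = [c for c in countermeasures if c.net_benefit() > 0]
    return sorted(worth_it, key=lambda c: c.net_benefit(), reverse=True)


def build_example():
    """Constructed sample data: the jewelry example plus a startup asset."""
    jewelry = Asset("diamond jewelry at home", 20_000)
    burglary = Threat("break-in through ground floor window", jewelry,
                      probability=0.10, damage=1.0)

    know_how = Asset("implementation know-how", 500_000)
    ip_leak = Threat("data loss of IP", know_how,
                     probability=0.05, damage=0.4)

    return [
        Countermeasure("window bars", burglary, cost=800, probability_factor=0.2),
        Countermeasure("alarm system", burglary, cost=600, probability_factor=0.5),
        Countermeasure("dog training", burglary, cost=300, probability_factor=0.8),
        # Monitoring does not stop a leak, but earlier detection limits the damage.
        Countermeasure("monitoring", ip_leak, cost=2_000, damage_factor=0.5),
        # Active DLP cuts the probability but is expensive for a pre-revenue startup.
        Countermeasure("DLP technology", ip_leak, cost=15_000, probability_factor=0.3),
    ]


def mitigation_plan():
    """Return (name, risk reduction, cost, net benefit) rows, prioritized."""
    return [(c.name, round(c.risk_reduction(), 2), c.cost, round(c.net_benefit(), 2))
            for c in prioritize(build_example())]


if __name__ == "__main__":
    for threat in {c.threat for c in build_example()}:
        print(f"{threat.name}: value at risk ${threat.value_at_risk():,.0f}/yr")
    print("\nPrioritized plan:")
    for name, reduction, cost, net in mitigation_plan():
        print(f"  {name:<16} removes ${reduction:>8,.0f}  costs ${cost:>7,.0f}  net ${net:>7,.0f}")
```

With the constructed numbers, monitoring comes out first and DLP is dropped from the plan entirely because its cost exceeds the risk it removes, which is the kind of result that lets a founder report exposure to investors in dollars rather than in a list of products to buy. The model is deliberately linear; a real assessment would also revisit the probabilities once the first countermeasures are in place.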
Cross-posted from Israeli Software