Security for growth companies

Five security principles when building a hyperscale cloud startup.

In 2015, as the world witnessed a surge in cyber attacks, our partner David Cowan published a comprehensive guide to security for startups to help founders and builders respond to emerging and novel digital threats. At the time, many companies were just starting their onramp to the cloud, driving new security vulnerabilities and complexities, expanding the potential threat surface area.  

Today, most growth companies are “cloud-first” and cloud-native technology has become the norm for both infrastructure and business applications. This shift to the cloud has changed the nature of the technology stack by increasing the complexity of technologies we adopt, the amount of third-party components which we leverage (APIs), and the way we build and manage software (e.g. microservices).

Simultaneously, innovation in the developer ecosystem has increased development velocity to the point where many companies push code to production multiple times per day, straining many traditional security methodologies. 

While the cloud computing paradigm shift has made it easier and cheaper to build and scale a company, it has dismantled the traditional perimeter-based approach of cybersecurity. There is no longer a centrally located and managed IT stack; instead, resources are spread across cloud environments and businesses rely on an increasing number of third parties. Extensive and manual security tests and checks are no longer feasible before deploying code. This shift has accelerated in the last few years with the growth of remote work and employees accessing enterprise resources from virtually anywhere. And of course, the major adoption of cloud computing has also unlocked a new wave of security vulnerabilities to be exploited by hackers.

 

The threat landscape has become more challenging in the cloud-native era, with attack frequency and adversary sophistication intensifying. From exploitation of cloud vulnerabilities and misconfigurations, to credential theft, to cloud service provider and multi-tenancy abuse, new types of cloud-based attacks have emerged just in the past few years. The result? Cybercrime is now a pernicious (and booming) industry. In fact, 2021 was a record year where corporate networks saw a 50% increase in cyber attacks driving $7 billion in damages.

2021 saw a 50% increase in cyber attacks.

We believe the growth of cyber attacks will only continue in the years ahead, especially as cloud adoption grows. For growth companies, this is leading to increased scrutiny on cybersecurity practices, even in their earliest stages. A startup’s cybersecurity program can serve as a revenue driver or blocker, with many enterprise customers requiring third-party certifications like SOC2 from their vendors. In addition, we continue to see companies get set back a year, or even fail altogether, at the hands of a cybersecurity attack. For example, 60% of small companies close within six months of being hacked. However, establishing a strong cyber security program can be a daunting task, particularly given the complexities of a cloud-first world and the dozens of new cybersecurity tools to choose from.

With cyber threats escalating, it’s more urgent than ever to embed security into your company’s day-to-day operations from day-one to prevent ‘security debt’ from emerging as you scale. While early stage startups have very different security needs compared to later stage ones or public companies, we believe the fundamentals remain consistent. As startups build a product and find product market fit, leaders must be cognizant of top security needs for customers and implement a progressive framework that can scale over time. Implementing a number of security tools right away isn’t always the right answer. By following five lessons, startups can be on the path to success from the beginning. 

As leaders build in a cloud-first world, we’re updating our original guide to help growth companies ensure they establish an effective cybersecurity program. We’ve collaborated with seven top CISOs to develop a modern, light-weight security guide for growth companies.

A preface for practical advice

While we think Bessemer’s five security lessons could be applied differently based on the stage of the company, early stage companies might have slightly different needs. So here are two practical areas that can be a good place to start your security program, even if you take nothing else from this article:

  1. A culture of security is a critical component in building the company’s plan, so the first rule must apply from day one. Implementation could look like the executive team communicating that “security is everyone’s responsibility” and then translating this belief into actionable steps that consistently change perspectives and behaviors to enact a company-wide security program.
  2. Identity management is another solid starting place to roll out any security practice. A very simple way to demonstrate security value and build early stage momentum is by introducing single sign-on (SSO) for employees and contractors. In most companies, users have a variety of SaaS applications, each requiring its own account, and by integrating these services with an SSO provider, security leaders can dramatically increase security and improve colleagues' log in experience. This is a win-win, and a convenient way to introduce multi factor authentication by enabling it at the SSO level.

Bessemer’s five cybersecurity lessons for cloud-native growth companies

  1. Build a cybersecurity culture
  2. Invest in identity
  3. Secure your cloud and development environment
  4. Manage your data assets and environment
  5. Monitor your third-party risk

1. Build a cybersecurity culture

This is not a new sentiment, but it’s primary—leaders must build a firm-wide cybersecurity culture early. With the attack surface area of companies larger than ever, what defines an “effective security strategy” has changed in the cloud-native era and it cannot be only one person’s responsibility anymore. Every person in the company must not only comply with the policies, but should also be vigilant in discovering cyber incursions, and participate creatively in the common defense. While few of us are security experts, we can all keep our eyes open for suspicious activity. As an example, Bessemer portfolio company ServiceTitan unlocked employee-wide commitment to its security program through unique programs such as communal phishing email creation, monthly security newsletters, and a collaborative cybersecurity escape room exercise as a part of employee onboarding. Since the external environment (threats, adversaries, vulnerabilities, etc.) changes so quickly, it’s important to have a program that is attuned to what’s happening externally while learning from internal activities. 

Security best practices can be integrated into team building as well. We recommend hiring a security expert and starting to build the security function early in your company’s journey so that it will be a core part of the company and culture. A hiring best practice also looks like assessing cybersecurity knowledge and techniques during software engineer interviews, as these team members write the code that could defend against or lead to vulnerabilities. When implementing security measures, it is helpful to leverage existing tools and processes rather than introducing new ones. In addition, whenever possible, strive to build security as a default rather than putting security measures later on. Finally, it’s important to avoid a culture of the ‘security team vs. everyone else.’ Security is a company-wide priority and enables better product innovation and customer satisfaction; it’s not a blocker of it.  For example, strong security tools and processes drive revenue and support the sales team, as security regulatory compliance is a core procurement requirement. Security ultimately aids the operations team to work more smoothly and the engineering teams to avoid distractions and fire-drills. 

Finally, to cultivate security within an organization, identify the biggest cyber threats to your company and plan for how you will respond to a cyberattack. How will your team identify an issue? What are the processes of getting issues resolved? We recommend assuming that attacks will happen to everyone at some point, but a key question is how will you deal with it once it happens. Start documenting and analyzing the security issues you face, how you responded, and how response can be improved. 

Leverage popular security frameworks as you get started. For example, the SOC 2 compliance framework is a helpful place for an early company to start strengthening its security posture and is also a reference and benchmark that many of your customers will be expecting adherence to. Additional popular resources and processes we see sophisticated cybersecurity organizations leveraging include NIST CSF and CIS Critical Controls. Leaders are not likely to need full adherence to frameworks early on, but there is plenty of prior art and practice you can learn from to accelerate your progress.

2. Invest in identity

Securing digital identities is critical to the security of the enterprise. Nearly 80% of cyber attacks today leverage identity-based attacks and compromise legitimate credentials. The shift to the cloud has made managing identities and credentials more complicated—employees use more SaaS apps than ever—each with their own login and permissions model, and infrastructure components use a variety of API keys to access both internal and external services. 

80% of cyber attacks leverage identity-based attacks

To start, make sure you’re using single-sign on from the beginning. This approach not only improves identity security but it also gives your employees a better experience when using both internally developed and SaaS applications. Multi-factor authentication (MFA) is another important early identity investment. Relatedly, a simple approach to advancing identity security is to treat your office network as if it was a Starbucks: There is no office or “perimeter,” but rather, employees are remote by mindset. As your infrastructure grows, you can consider leveraging system, device, application, and human identity for sophisticated access decisions and anomaly detection.

3. Secure your cloud and development environment

The product you offer customers isn’t secure unless its foundational components are also secure. Two of these components facing the biggest threats in the cloud are infrastructure and development environments. 

Operating in the cloud enables unprecedented development velocity, but it’s crucial to understand and embrace the shared responsibility security model: You must be clear about the boundaries of what you’re responsible for vs. what your cloud service provider is responsible for. The model allows you to focus on where most issues occur, such as misconfigurations that are often exacerbated by the self-service nature of the cloud.  And the stakes of a cloud intrusion are high, as research shows that cloud misconfigurations cost companies nearly $5 trillion in 2018 and 2019.

One way to stay on top of cloud security is by adopting software that will provide visibility across cloud environments and will continuously monitor, detect, and automatically remediate risks in the cloud (e.g. misconfigurations, policy violations, infrastructure drift). In addition, an organization can look for tools to provide it with a proactive approach toward vulnerabilities, compliance violations, exposed secrets, over permissive policies, and other mistakes. Other leading approaches for cloud security include adopting infrastructure-as-code (IaC) principles and centrally logging all security events to a security data lake.

With faster development cycles, growing architectural complexity, increasing use of open source, and new attack surfaces such as container images and CI servers, it’s more critical than ever to incorporate security into the software development process. The first thing to do is to understand how your development process works, and to embed security as a constant consideration rather than as last-minute audit or compliance consideration. Software can help automate security practices. We recommend solutions that scan the codebase for issues in both custom and open source/third-party components as well as ones that monitor the full CI/CD pipeline and help protect the entire software supply chain. Deployment frequency will inevitably increase as you scale, and it is critical to integrate automated security checks throughout the pipeline.

4.  Manage your data assets and environment

An organization hosts and manages many different assets, such as data, virtual machines, documents, devices, databases, and others, and it is important to know where those assets live and how they are secured. The right approach to asset management will vary by company, but it is a foundational control. CISOs need to know where the assets are and their relative criticality to efficiently and effectively secure the environment.

The shift to the cloud has elucidated data as one of the most vulnerable assets in any organization today. Companies are generating unprecedented volumes of data, and these volumes continue to grow exponentially. At the same time, with a company’s data now stored in data warehouses, data lakes, databases, and many other structured and unstructured data stores in the cloud, companies are now more susceptible to costly data breaches. For example, the average cost of data security breach was $4.24 million in 2021. In addition, according to the Seven Sins of Data Privacy Engineering, companies often collect too much consumer data and fail to adequately secure it. Strong data security is only more critical and consequential given the ubiquity and growth of regulations over data security such as GDPR, PCI, and HIPAA. 

In 2021, the average cost of a data security breach was $4.24M.

As organizations store more data and more employees access the data for analytics and other purposes, we often see that companies struggle to know where their data is stored, and more importantly, where sensitive data is stored and who has access to it. We believe it is critical for an organization to keep an inventory of their sensitive and critical data (including PII, PHI, PCI, and more). Then it can start monitoring access to the data, identify suspicious activity or compliance violations, and ensure it maintains basic data hygiene.

5. Monitor your third-party risk

All companies—especially software businesses—have always had a ‘supply chain’ relying on applications, infrastructure, and tools from third-parties, but the shift to the cloud has made those dependencies even more entrenched. 

The proliferation of open source code, third-party SaaS apps, and APIs as an architectural shift has allowed organizations to become more agile by outsourcing non-core-product infrastructure and features. However, many of those APIs end up connected to core systems and the most sensitive data and some APIs ask for more access than they should. CISOs no longer can assume that products are secure by monitoring activity of what’s been built in-house. Abnormal activity can be coming via APIs or as part of your software supply chain. While this is often less relevant for very early stage companies, as the company matures we recommend managing these external interactions (ideally in a centralized way), and ensuring that the organization’s security programs account for these extensions. More than half of the breaches that have occurred over the past two years were caused by a third party, and 50% of apps have security vulnerabilities.

To address third-party risk, the first step we’d recommend is to take inventory of your third-party dependencies - including vendors, suppliers, partners, contractors, and service providers (both human and technological!). Rank your vendors based on risk, sensitivity of data exposure, and criticality (low, medium, high). Consider establishing minimum data access and default permissions for third-parties, as well as tools that monitor third-party dependency and activity. Establish a process for dealing with issues around third-party risk—from adjusting access and configurations to fully offboarding vendors. In summary, know your vendors, know your open source code, know your third-party dependencies—and manage them proactively.

And finally—once you’ve started monitoring your third-party risks, this is a good point to consider how your company’s customers will perceive you as a vendor:

We’d love to continue the conversation and refine this guide. If this guide resonated with you, please let us know by emailing us at karp@bvp.com, dc@bvp.com, alex@bvp.com, jchan@bvp.com, yschiff@bvp.com, aschmitt@bvp.com, and ctarnopol@bvp.com.