3 Questions Every Investor Should Ask About Security Before Giving Money to a Startup
Investing in startups is a risk. The earlier the stage, the more the investment is about promises rather than products, to say nothing of proven business models. Yet startups are worth the investment because funding a successful one can mean a huge payoff. The problem is that a significant obstacle often lurks in these investments: poor security.
Imagine giving money to an innovative young company working on revolutionary technology, only to find out they were destroyed by a massive security breach. At that point, you’d probably wish you had asked a few critical questions about how they thought about security. But what are those questions? And how do you avoid the irrelevant questions while focusing on the important ones?
Let’s dive in.
Why every startup needs a security plan
Cybercrime evolves rapidly, and if businesses don't stay ahead of the latest threat vectors, they increase the likelihood of being attacked. Startups can’t assume that because they’re young companies with small headcounts and few customers, they don’t need to worry about security. They need to consider the stakes: 60% of small businesses fold six months after a data breach.
Startups must consider cybersecurity from the beginning, accounting for areas like intellectual property (IP), such as patents. IP is a startup's most valuable asset because it demonstrates a unique vision and an innovative mindset. For example, a patent portfolio can be invaluable for a future acquisition or IPO. For these reasons, cyber bad actors target IP and related data. Do Fortune 500 companies have IP to steal? Sure. But in terms of security, they’re guarded fortresses. Targeting an emerging business that doesn’t even think about zero trust or attack surface management is much easier.
Startups are also vulnerable to security lapses because they are laser-focused on building their minimum viable product (MVP) and seeking new opportunities. They’re under immense pressure to create new tech, file patents, prove use cases, seek out buyers, and develop a go-to-market strategy. If they’re leveraging systems, generating data, and creating and storing valuable information, they’re unlikely to slow down. Instead, they’ll probably keep speeding ahead, leaving security and compliance in the dust. This can expose them to cyberattacks and may even force them to exit markets because of their inability to meet data privacy regulations.
The way to handle these issues is to ensure a startup has them covered from the beginning. If they get behind, it can be painful to catch up, costing time and money. Just think: a startup will eventually confront a security threat, so why wait for that moment? That business risk could easily be avoided by asking a few key questions before giving money to the startup.
So what are those questions? Here are the three most critical ones you should ask a startup BEFORE you hand over any of your hard-earned green.
Question 1: What is your DevSecOps plan?
If you want to cut to the core of a startup’s plan for security, start by asking them about DevSecOps. DevSecOps stands for development, security, and operations. It’s shorthand for the application development practice of integrating security into all phases of the software development life cycle (SDLC). DevSecOps is one of the easiest and most efficient ways to ensure you’re building security into your MVP, so you want to know about it. NOTE: This section is more pertinent if a startup creates an application, meaning it needs to use the SDLC for the application’s development. If not, there is still value in learning what they plan to do about their Security Operations or SecOps.
As you ask this question, pay attention to both the responses and the way the responses are delivered. DevSecOps can get pretty technical pretty quickly. The startup’s founders might be technical experts who can explain their DevSecOps plan in smart, normal-person terms. Or they might be technical experts who feel like they can skimp on DevSecOps — but didn’t expect you to ask the question — so they give you a confusing technobabble answer that tries to avoid the question.
Or what if they don’t know anything about DevSecOps? Do they admit that outright and talk about their funding need to hire more security experts? Are they willing to listen to your questions about DevSecOps and have a thoughtful, sophisticated conversation about security? Or do they just want to move to their awesome slide about their hockey stick growth projections?
If they do have a handle on DevSecOps, here are some things to try and surface with them to determine how serious they are about it:
How is security integrated throughout the SDLC?
Does the company have a process for continuously monitoring and improving its security tools and practices?
Does the company have a strategy for ongoing security monitoring of deployed applications to detect and respond to threats?
Who is in charge of DevSecOps and what is their level of influence in the company?
The bottom line is asking upfront about DevSecOps is a great way to introduce security into your assessment of a startup and its risk mitigation plan. If a startup has a firm handle on DevSecOps, it indicates your investment risk will be minimized.
Question 2: How will you secure your supply chain?
It is essential to ensure that all supply chain integrations, like Electronic Data Interchange and Application Programming Interfaces, are secure. However, I want to discuss another: software-as-a-service (SaaS) applications, mainly because they are ubiquitous in the startup ecosystem and arguably the most critical to a startup’s supply chain. They should be fully understood before a company blindly integrates with them.
But what is SaaS, exactly?
Simply put, SaaS is a way for an organization to allow users to connect to and use said organization’s cloud-based apps over the Internet. Google’s Gmail is a prime example of SaaS. You can use Google’s email app anywhere you can access the internet.
SaaS helps startups integrate with critical business applications in an incredibly flexible, dynamic, and low-cost way. SaaS providers give startups tools that, before the digital era, would have required significant and risky investments for such young companies. But today, startups can leverage and scale with SaaS applications as they mature — on average, organizations of all sizes use well over 100 SaaS applications.
But SaaS also presents a security risk, as they are given access to very sensitive and large amounts of data, while they operate outside of the direct control of the organization that utilizes them. Because of this, startups need to know if SaaS providers always prioritize the highest levels of cybersecurity. The vast number of SaaS providers complicates this. Suppose a startup relies on different SaaS providers for financial management, customer relationship management, and other necessary capabilities. In that case, it needs to evaluate those vendor’s security and test them throughout implementation.
The problem is that most startups don't think about this. As they build their MVP and realize they need a new SaaS solution, they may go with whatever SaaS provider offers them the cheapest, most straightforward path to going live. So, if you’re investing in this startup, you want to ask them how they will keep their networks secure whenever they bring in a new supplier. Here are some things you should be trying to assess as it pertains to their supply chain security (SaaS or otherwise):
Is there a formal process for identifying and assessing potential supply chain risks?
What monitoring practices are in place for integrated systems?
Are there contractual agreements with their suppliers that outline expectations for risk mitigation?
Is a business continuity plan in place to address potential supply chain disruptions?
The bottom line is that you can reduce your investment risk by having in-depth conversations with startups about their supply chain before you invest.
Question 3: Who is giving you security guidance and advice?
Generally speaking, most startup founders are “inexperienced.” Let me explain. Even if they have years of industry experience, they may be completely new to entrepreneurship and building something from scratch. They may have decades of experience in the area of specialization (in which their company is based). Still, they may deal with matters in which they have little to no experience, such as venture capital fundraising or cybersecurity. No matter how talented and ambitious they are, they must rely on plenty of people for guidance and advice.
As an investor, you likely don’t want to see your money burn to the ground. So, you must be confident that security is considered throughout the startup’s hierarchy. Push startups to infuse security in all parts of their organization. They should hire people with a security mindset and background at all levels, from critical individual contributors to their board of directors. Here are some things you should be trying to assess whether or not the startup has a sufficient level of cybersecurity guidance:
Are board members business leaders, former government officials, or law enforcement officials specializing in navigating the threat landscape?
Is there a designated cybersecurity leader with decision-making authority? If so, what is their background?
Does their hiring plan infuse cybersecurity expertise at critical levels in the organization?
Are they getting security advice from executives who ran companies that suffered data breaches?
In my experience, having leaders (or, at a minimum, advisors) with cybersecurity experience is crucial. They will help ensure that security-centric decision-making and processes are in play in the startup. For instance, when a startup needs to build a dev team, will it vet based on security? Will it look into the reputation and references of overseas contractors, or will it hire based on price point only? How will it guarantee the dev team is experienced in DevSecOps?
The bottom line is that you can reduce your investment risk by ensuring the startup actively seeks meaningful guidance from cybersecurity professionals. Let me say this: if you have only one question to ask a startup about security, ask, “Who is the cyber expert on your board of directors?” How they respond will give you a quick sense of how much they think about cybersecurity. If they say, “When you say ‘cyber expert,’ what do you mean? Like someone who works in tech?” …then you should probably take your investment elsewhere.
Conclusion
Investing in a startup can produce great rewards but comes with security risks. Imagine watching that ambitious young company grow on a trajectory to a massive acquisition or IPO, only to be destroyed at the last moment by a devastating data breach because it didn’t take cybersecurity seriously enough or thought it didn’t need to worry because it wasn’t yet a Fortune 500 company. The simplest way to avoid a financial pitfall is to ask the startup critical security questions before giving it money. Making these three questions part of your evaluation process will help you make an informed decision. Not doing so will undoubtedly cost you.
Ready for more epic articles?
Here's looking at you, kid. I hope you share this article with all your chums!
Are you looking to go to a persona page?
Cyber 101 | The Solopreneur | SMB | BoD
