Building and launching a start-up company is a challenge in itself. Securing it when it is new, young and vulnerable is something else. It’s very necessary but also hard if you don’t know what you’re doing. And can you afford a consultant in the early days?
If your new business is IT-based and focused on security then you’re in a stronger position than, say, an organic make-up business or an ethical coffee brand.
But maybe you think you can ‘do’ security later, when the business is thriving and you have more time. This is, at best, an optimistic view – you’ll never have spare time. Also, baking security into a business at the start is much easier than trying to inject it into established processes later on, when the organisation is run by multiple managers, each with a territory of their own that they may feel inclined to defend by being uncooperative.
There is another reason why focusing on security early is important. Four letters that strike fear into the boldest of hearts. Or, if not fear, then bored disinterest: GDPR.
Don’t stop reading. I’m not going to explain anything about GDPR.
What is important, though, is that your larger customers, particularly those in the USA, care about privacy: about how you handle personal information and about your general IT security. In the last year SE Labs has received multiple requests (requirements, actually) to demonstrate that we take security seriously as part of general compliance programmes run by big customers.
The idea is that large companies can require their suppliers to comply with various rules. If the suppliers decline, they stop being suppliers.
After handling a few of these requirements we realised that the sensible thing to do was to achieve compliance with a well-known security standard. In our case we chose ISO 27001 because our customers usually gave this as one of two or three preferred approaches. By taking this route we could kill lots of birds with one certification stone. The alternative was jumping through a series of unpredictable hoops every few months, one customer questionnaire at a time.
In our case achieving compliance was reasonably straightforward because we had instinctively built the company with security processes in mind. With a little more formalisation we were able to take what we had and make it fully compliant with ISO 27001. And, being a small company, if we needed to add or change a policy we could just go ahead and do it without getting the buy-in of one or more management teams. If we’d left it another few years it would have been a tougher process for sure.
Our advice for new companies is to think ahead. At the very least follow the general advice given by the Cyber Essentials website (even if you don’t take the certification) and take a look at ISO 27001 with an eye to future compliance at a later date.