Add cybersecurity to your value proposition and protect your company from cyberattacks

Cybersecurity is now a requirement for every company in the world regardless of size or industry. Start-Up Secure: Baking Cybersecurity into Your Company from Founding to Exit covers everything a founder, entrepreneur and venture capitalist should know when building a secure company in today's world. It takes you step-by-step through the cybersecurity moves you need to make at every stage, from landing your first round of funding through to a successful exit. The book describes how to include security and privacy from the start and build a cyber resilient company. You'll learn the basic cybersecurity concepts every founder needs to know, and you'll see how baking in security drives the value proposition for your startup's target market. This book will also show you how to scale cybersecurity within your organization, even if you aren't an expert!

Cybersecurity as a whole can be overwhelming for startup founders. Start-Up Secure breaks down the essentials so you can determine what is right for your start-up and your customers. You'll learn techniques, tools, and strategies that will ensure data security for yourself, your customers, your funders, and your employees. Pick and choose the suggestions that make the most sense for your situation, based on the solid information in this book.

* Get primed on the basic cybersecurity concepts every founder needs to know
* Learn how to use cybersecurity know-how to add to your value proposition
* Ensure that your company stays secure through all its phases, and scale cybersecurity wisely as your business grows
* Make a clean and successful exit with the peace of mind that comes with knowing your company's data is fully secure

Start-Up Secure is the go-to source on cybersecurity for start-up entrepreneurs, leaders, and individual contributors who need to select the right frameworks and standards at every phase of the entrepreneurial journey.
Page count: 263
Publication year: 2021
Cover
Title Page
Copyright
Dedication
Foreword
Preface
WHY WRITE THIS BOOK?
NOTES
Acknowledgments
About the Author
Introduction
ABOUT THIS BOOK
HOW TO USE THIS BOOK
PART ONE: Fundamentals
CHAPTER ONE: Minimum Security Investment for Maximum Risk Reduction
COMMUNICATING YOUR CYBERSECURITY
EMAIL SECURITY
SECURE YOUR CREDENTIALS
SAAS CAN BE SECURE
PATCHING
ANTIVIRUS IS STILL NECESSARY BUT GOES BY A DIFFERENT NAME
MOBILE DEVICES
SUMMARY
ACTION PLAN
NOTES
CHAPTER TWO: Cybersecurity Strategy and Roadmap Development
WHAT TYPE OF BUSINESS IS THIS?
WHAT TYPES OF CUSTOMERS WILL WE SELL TO?
WHAT TYPES OF INFORMATION WILL THE BUSINESS CONSUME?
WHAT TYPES OF INFORMATION WILL THE BUSINESS CREATE?
WHERE GEOGRAPHICALLY WILL BUSINESS BE CONDUCTED?
BUILDING THE ROADMAP
CASE STUDY
SUMMARY
ACTION PLAN
NOTE
CHAPTER THREE: Secure Your Credentials
PASSWORD MANAGERS
PASSPHRASE
MULTI-FACTOR AUTHENTICATION
ENTITLEMENTS
KEY MANAGEMENT
CASE STUDY
SUMMARY
ACTION PLAN
NOTES
CHAPTER FOUR: Endpoint Protection
VENDORS
SELECTING AN EDR
MANAGED DETECTION AND RESPONSE
CASE STUDY
SUMMARY
ACTION PLAN
NOTES
CHAPTER FIVE: Your Office Network
YOUR FIRST OFFICE SPACE
CO-WORKING SPACES
VIRTUAL PRIVATE NETWORK
SUMMARY
ACTION PLAN
NOTES
CHAPTER SIX: Your Product in the Cloud
SECURE YOUR CLOUD PROVIDER ACCOUNTS
PROTECT YOUR WORKLOADS
SECURE YOUR CONTAINERS
SUMMARY
ACTION PLAN
NOTES
CHAPTER SEVEN: Information Technology
ASSET MANAGEMENT
IDENTITY AND ACCESS MANAGEMENT
SUMMARY
ACTION PLAN
PART TWO: Growing the Team
CHAPTER EIGHT: Hiring, Outsourcing, or Hybrid
CATALYSTS TO HIRING
GET THE FIRST HIRE RIGHT
EXECUTIVE VERSUS INDIVIDUAL CONTRIBUTOR
RECRUITING
JOB DESCRIPTIONS
INTERVIEWING
FIRST 90 DAYS IS A MYTH
SUMMARY
ACTION PLAN
NOTE
PART THREE: Maturation
CHAPTER NINE: Compliance
MASTER SERVICE AGREEMENTS, TERMS AND CONDITIONS, OH MY
PATCH AND VULNERABILITY MANAGEMENT
ANTIVIRUS
AUDITING
INCIDENT RESPONSE
POLICIES AND CONTROLS
CHANGE MANAGEMENT
ENCRYPTION
DATA LOSS PREVENTION
DATA PROCESSING AGREEMENT
SUMMARY
ACTION PLAN
NOTE
CHAPTER TEN: Industry and Government Standards and Regulations
OPEN SOURCE
UNITED STATES PUBLIC
RETAIL
ENERGY, OIL, AND GAS
HEALTH
FINANCIAL
EDUCATION
INTERNATIONAL
UNITED STATES FEDERAL AND STATE GOVERNMENT
SUMMARY
ACTION PLAN
NOTES
CHAPTER ELEVEN: Communicating Your Cybersecurity Posture and Maturity to Customers
CERTIFICATIONS AND AUDITS
QUESTIONNAIRES
SHARING DATA WITH YOUR CUSTOMER
CASE STUDY
SUMMARY
ACTION PLAN
NOTES
CHAPTER TWELVE: When the Breach Happens
CYBER INSURANCE
INCIDENT RESPONSE RETAINERS
THE INCIDENT
TABLETOP EXERCISES
SUMMARY
ACTION PLAN
NOTE
CHAPTER THIRTEEN: Secure Development
FRAMEWORKS
MICROSOFT SDL
PRE-COMMIT
INTEGRATED DEVELOPMENT ENVIRONMENT
COMMIT
BUILD
PENETRATION TESTING
SUMMARY
ACTION PLAN
NOTES
CHAPTER FOURTEEN: Third-Party Risk
TERMS AND CONDITIONS
SHOULD I REVIEW THIS VENDOR?
WHAT TO ASK AND LOOK FOR
SUMMARY
ACTION PLAN
NOTE
CHAPTER FIFTEEN: Bringing It All Together
Glossary
Index
End User License Agreement
Introduction
FIGURE I.1 Startup Development Phases – From Idea to Business and Talent to Organization
Chapter 1
FIGURE 1.1 Yubikey Product Line
FIGURE 1.2 Google Titan Security Keys
Chapter 3
FIGURE 3.1 Example of a Push-Based MFA
Chapter 4
FIGURE 4.1 Diagram Showing the Progression of Endpoint Security
FIGURE 4.2 Magic Quadrant for Endpoint Protection Platforms
FIGURE 4.3 Gartner Scope of MDR Services
Chapter 5
FIGURE 5.1 Magic Quadrant for the Wired and Wireless LAN Access Infrastructu...
FIGURE 5.2 Comparison of SDP, VPN, and Zero-Trust Networks
Chapter 6
FIGURE 6.1 Magic Quadrant for Cloud Infrastructure as a Service
FIGURE 6.2 Cloud Security Posture Management (CSPM)
FIGURE 6.3 Comparison of Popular Fleet Management Solutions
FIGURE 6.4 Depiction of Container Orchestration
Chapter 7
FIGURE 7.1 Depiction of the Differences between MDM, EMM, and UEM
FIGURE 7.2 Typical Identity Management Life Cycle
Chapter 8
FIGURE 8.1 Heat Map of Chief Security Officer Hiring Across the United State...
Chapter 10
FIGURE 10.1 Depiction of OWASP Top 10 2017
FIGURE 10.2 CIS Controls and Levels
FIGURE 10.3 SOC Report Types Comparison
FIGURE 10.4 NIST Cybersecurity Framework Pillars
FIGURE 10.5 Joint Authorization Board (JAB) Workflow
FIGURE 10.6 Agency Authorization Source: www.fedramp.gov
Chapter 11
FIGURE 11.1 Popular Certification Control Coverage Robustness
FIGURE 11.2 Shared Assessments Third-Party Risk Management Toolkit Workflow...
FIGURE 11.3 CSA STAR Levels
Chapter 13
FIGURE 13.1 The Four Pillars of BSIMM and High-Level Components
FIGURE 13.2 OpenSAMM Framework Pillar and Practices
FIGURE 13.3 CMMI Maturity Levels
FIGURE 13.4 Microsoft SDL Workflow
“It's rare to see a cybersecurity guide of any kind that is relevant, current, and, most importantly, cogent and accessible. Chris Castaldo has not only produced such a guide but has tailored it for an audience who has never before received such wisdom in a digestible manner – the startup community. Startups are notoriously fast-moving, and Castaldo's book keeps up with them, showing them the types of practical security controls they need throughout their rapid journey to whatever exit strategy they envision.”
– Allan Alford, CISO/CTO, TrustMAPP and Host of The Cyber Ranch Podcast
“Start-Up Secure offers important insights and advice in an area that is often overlooked by entrepreneurs. Cybersecurity has emerged as a critical competency for businesses, and this trend will likely continue or accelerate. The guidance provided in these pages will save founders from making preventable mistakes in multiple dimensions, from technical security decisions to avoiding unreasonable contract language. The wisdom shared by Chris is hard-learned, and a valuable addition to any entrepreneur's thought process.”
– Paul Ihme, co-founder, Soteria
“Cybersecurity is often thought of as too intimidating or complex for the layperson to comprehend. Chris Castaldo's book, Start-Up Secure, seeks to take the mystery out of succeeding at cybersecurity. His straightforward and direct approach serves as an essential guide to starting out on the right foot with your security program. It is accessible and actionable and I would recommend it to anyone seeking to tackle cybersecurity, the most important business challenge of our time.”
– Brian Markham, CISO, EAB Global Inc.
CHRIS CASTALDO
Copyright © 2021 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993, or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Cataloging-in-Publication Data is Available:
ISBN 978-1-119-70073-9 (Hardback)
ISBN 978-1-119-70074-6 (ePDF)
ISBN 978-1-119-70075-3 (ePub)
Cover Design: Wiley
Cover Image: © deepadesigns/Shutterstock
To my wife, daughter, and son, you have made reality better than the dream.
“Connect”
I connected with Chris years ago. In classic Chris fashion: he shared a thoughtful cybersecurity insight on LinkedIn and our mutual friend connected the dots between us. While meeting him was great, little did I realize that simple connection was going to lead to years of friendship and learning.
Cybersecurity has been in such a constant state of flux that many companies still don't know how to write a chief information security officer (CISO) job description; they don't know what a CISO does in their day-to-day job. You will find CISOs as heads of IT, internal pentesters, security engineers, writing compliance reports, negotiating legal terms, reporting to any C-suite role, and some taking primarily customer-facing responsibilities.
There is little question that the security role is still in an early stage in its evolution. With all of that confusion, it is no wonder that resource-constrained start-ups and founders have no idea how to proactively build a security program. And with a start-up's demands to prioritize time, opportunity, and resources, it's no surprise to find start-ups with no security programs at all.
The reality is that as the world evolves and more business becomes increasingly digital, the security bar is rising for all vendors. Every customer that trusts a vendor with its resources (i.e., financials, customer data) wants to know that their sensitive information is being handled safely; something they know the bigger vendors are likely working on.
Luckily, start-ups are smaller targets for attackers and typically have much less legacy risk to accept. This results in high ROI, low-hanging fruit opportunities for start-ups, and large deltas in security preparedness between early stage start-ups. Coupled with the fast-paced, leading-edge value that a start-up can provide a customer, building security from the beginning is an exciting possibility.
Chris's dedication to learning and to helping the security ecosystem has been incredible to see over the years. This book is yet another example of his efforts to take his lessons learned as a CISO for different-sized companies and to help others. With this book, founders will begin to understand the necessary fundamentals of securing a start-up.
Meeting Chris years ago kicked off an awesome learning opportunity on the day-to-day dynamics of taking on a security leadership role at a fast-growing company. I'm likewise excited for readers to discover this book and to journey deeper into the world of security for start-ups.
Cheers,
Will Lin
Co-Founder & Partner
ForgePoint Capital
Cybersecurity VC
MOST BOOKS END WITH A QUOTE from a famous source; I am starting with one. In his book The 7 Habits of Highly Effective People, Stephen Covey states “The main thing is to keep the main thing the main thing.” This should apply to your start-up and how you should view every suggestion in this book. Every cybersecurity choice you make should, at the end of the day, enhance whatever it is you are building, from getting a better product out the door to high customer satisfaction from the services you provide. Don't lose sight of that.
There are a lot of topics covered in this book and cybersecurity taken as a whole can be overwhelming. That's why there is an entire industry built around it. As you read through this book, always keep in mind what is right for your start-up and your customers. You don't need to implement all the things we discuss in this book from day one or even by day one thousand. But you should understand the important trade-offs by the end of this book.
Just knowing those trade-offs then allows you to prioritize what is right for your start-up and allows you to keep the main thing the main thing. A great example is a security incident and event management (SIEM)1 solution, which is something you most likely won't need until after the validation phase, maybe even beyond the growth phase. I hope to provide you with the right know-how and understanding to intelligently make those decisions.
Of course, you are not in this alone. Your fellow founders, board members, venture capital (VC) advisory board, customers, peers, and vendors are all sources to validate your overall cybersecurity plan. Utilize the free resources that want to help and see your start-up succeed.
Cybersecurity is now a requirement for every company in the world, regardless of size or industry. Regulations and laws at the state, national, and international levels are being created at a faster rate. Constituents expect their elected officials to not only investigate the massive data breaches we've seen over the years, but also that those politicians do something about it. It is especially important for start-ups.
This book was written to be the go-to source for start-up founders, entrepreneurs, leaders, and individual contributors. There is no expectation that readers have technical prowess or even experience as a cybersecurity professional. Accounting is an obvious part of all business, as is cybersecurity, and not everyone can be expected to be a certified public accountant (CPA) or an offensive security certified professional (OSCP).2
I will walk you through the sometimes chaotic and confusing world of working with cybersecurity professionals (and trying to be one yourself!), dealing with industry-specific regulations and the almost infinite supply of cybersecurity vendors.
I wrote this book because there are hundreds of books, studies, and white papers on cybersecurity and best practices but nothing speaking directly to founders and start-ups. There are even more books about start-ups and for entrepreneurs, yet not a single one mentions building your company in a secure way. The Kauffman Foundation estimated 530,000 new businesses were created every month in the United States during 2015,3 which translates to 530,000 new possible targets every month with no ability for them all to hire the experienced cybersecurity professional required to securely run a business today.
Many hiring reports indicate we are currently in a cybersecurity hiring crisis.4 However, that fact should not prevent any organization from developing and implementing a risk-based and right-sized cybersecurity strategy regardless of the industry they operate in.
This book won't create a new framework or standard, but will translate those that exist into a commonsense selection for entrepreneurs, business leaders, and individual contributors. There is no wrong framework or standard that you could select, but not adopting one will certainly spell disaster for any organization, whether a start-up or a 100-year-old company. A phrase I vividly remember from my time in the Army deployed to Iraq that sums this up is “get off the X”; regardless of the decision, not making one is almost always wrong.
This book is the culmination of my experience of over 20 years in cybersecurity at start-ups, global tech companies, the National Security Agency, and US military. Since I started this preface with a favorite quote I'd like to close with one that I feel sums up how this book came about. In Nassim Nicholas Taleb's book Antifragile he writes, “I write with my scars.” I cannot agree more. Without spending many years doing this work and without the support of many professionals that have helped me along the way this book would not be possible. I hope that my experience helps you start-up secure.
1. A security incident and event management tool is a system that ingests, processes, correlates, stores, and sometimes takes action on security log events from your systems. These systems can be your laptop, servers running in your cloud infrastructure, or even other security tools.
2. The “offensive security certified professional” is an intense certification that requires hands-on testing of an individual's skills of advanced penetration testing techniques. It is one of the more difficult certifications to achieve.
3. http://www.kauffman.org/~/media/kauffman_org/research%20reports%20and%20covers/2015/05/kauffman_index_start-up_activity_national_trends_2015.pdf
4. http://www.csoonline.com/article/3075293/leadership-management/cybersecurity-recruitment-in-crisis.html
THANK YOU TO EVERYONE who has helped shape who I am over my career. This book absolutely would not have happened without your impact on my life.
Will Lin: I felt I would need an entire chapter to give you proper credit – you have shaped and changed my career and life in ways I may not even know yet.
Richard Seiersen: Thank you for writing one of my favorite books – if not for you, this book most likely would not have happened. I am in debt to your generosity.
Anne Marie Zettlemoyer: Your counsel has been priceless and I feel so very fortunate to call you a friend. Thank you for making me feel included.
Chris Cottrell: I am so thankful for and miss our long walks around the building and for you being a sounding board for my crazy career aspirations I was probably in over my head on. And most of all I value your trust in me. I hope we get to work together again. I am also thankful for [redacted].
Bridgett Nuxoll: You taught me more about cybersecurity than almost anyone. I thought I was the mentor but I was definitely the mentee. And I will always buy Crane & Co.
Jeff Dewberry: I sleep soundly every night knowing you are providing the blanket of freedom our country enjoys.
Yael Nagler: I can't find the words to express how appreciative I am to know you and benefit from your friendship and always accurate advice.
Koos Lodewijkx: Your mentorship has been a huge influence on this book, and while I might never be able to repay that debt, I hope I can at least pay it forward.
Ryan Naraine: Thank you for giving me my first break on a podcast and always being the voice of reason.
Kevin O'Brien: Your feedback has helped make this book even more valuable for the founders that will read it.
Paul Ihme: I appreciate your honesty, feedback, and friendship all these years. I feel lucky to have “come up” together from our days in the government.
Brian Markham: Thank you for making time for me and giving me your valuable experience to make this book a resource for founders. Who knew I'd gain a great friend from one interview?
Gary Hayslip: Thank you for your advice and support. You are always setting the example for cybersecurity leaders and I'm fortunate to continue learning from you.
Allan Alford: Your willingness to always help others is an inspiration to me. Thank you for the honest feedback.
Harold Moss: Thank you for your sound judgment and for leading by example.
Ganesh Pai: Your advice as a founder has been instrumental in helping my audience and giving other founders the critical information they need.
Masha Sedova: Thank you so much for your time and always putting users first. You are truly changing cybersecurity for the better.
Michael Piacente: Your kindness and thoughtfulness when giving your time is a gift. I still remember our first phone call that felt like I was talking to a longtime friend.
Sinan Eren: Thank you for your perspective as a serial founder and all that you have done and do for the cybersecurity community.
Chris Berry: Thank you for being the type of leader someone can aspire to be and teaching me to “ask for forgiveness, not permission.” It has served me well over my entire career.
John Scilieri: Your friendship and mentorship over the years helped me make all the right decisions. Thank you for the copy of The Obstacle Is the Way, which motivated me to take a risk that paid off and opened my eyes to Stoicism.
Eric Kough: You gave my resume on Monster.com a chance and opened countless doors for me. I'm forever in debt.
Joe Karolchik: It was a privilege to have you as a leader and mentor to learn from.
Victor Goltsman: I'm so grateful for the opportunity I had to work with you, and I try to apply every day what I learned from you.
Security Tinkerers: Thank you to each and every one of you. I am extremely fortunate to be in your company.
Chris Castaldo is an industry-recognized chief information security officer (CISO) and expert in building cybersecurity programs for start-ups. Chris's cybersecurity experience stretches over 20 years in start-ups, Fortune 1000s, and the US Government. He has scaled cybersecurity programs and teams from the ground up, and he also advises start-ups. Chris is a US Army veteran and a Visiting Fellow at the National Security Institute at George Mason University's Antonin Scalia Law School.
Chapter 1 will discuss and get you comfortable with building a minimally viable cybersecurity program for a minimally viable product. You don't need to start with National Security Agency (NSA) level security on day one, and most founders reading this book won't even need it the day they ring the opening bell.
Chapter 2 will help you think through and build your cybersecurity roadmap regardless of where you are starting in the start-up life cycle. While it may seem out of order – why wouldn't you plan your roadmap first? – not everyone starts at the point of needing a roadmap, with a defined and documented strategy. If you are a month into building your minimally viable product (MVP) and just received your legal documents officially forming your company, a three-year cybersecurity roadmap is going to take up time and then sit on the shelf.
Chapter 3 is, in my opinion, the most important chapter in this book. If you read one chapter only, make it this one. Your credentials, which make up a username and password, are your keys to your digital self. These are most critical to protect as they underpin nearly all other systems in a cybersecurity program.
Chapter 4 will explore the ever-changing world of antivirus that began nearly 40 years ago and is now called endpoint detection and response (EDR) or endpoint protection platform (EPP). EDR and EPP are an important layer of your cybersecurity program, one that might be difficult to delay beyond the formation phase of your start-up.
Chapter 5 tackles the necessary evil that is our office network, how we connect to the Internet. It makes all of this possible and is also first to be blamed when we can't load our favorite cat video on our office Wi-Fi network.
In Chapter 6 we soar into the sky and take a look at the clouds. It is nearly impossible not to use a cloud-based product today, and as a founder there is a very good chance you are building a cloud-based product or will use them to scale your start-up.
Chapter 7 covers the actual basics and the predecessor of all of this, information technology (IT).
Chapter 8 covers a topic equally critical to Chapter 3: hiring. Making your first cybersecurity hire is a high-impact decision for your start-up. The wrong hire can have disastrous consequences. And making sure you know what you are actually looking for, being honest with yourself and your co-founders, will pay back dividends. Cybersecurity is one of the most competitive fields for jobs and has been for nearly a decade now.
Chapter 9 is a personal favorite of mine. Not everyone enjoys the negotiating challenges of working with a customer's general counsel on terms and conditions, or arguing the auditor's definitions of “was.” Being compliant can sometimes mean you can or cannot do business in an industry, country, or with a specific business. This is a chapter you shouldn't skip.
Chapter 10 continues and builds on Chapter 9 and dives specifically into government law and industry regulations. These, much like being compliant with a legal agreement, can stop a start-up in its tracks or open the doors to prospective partners, acquirers, and customers.
Chapter 11 will prepare you for the day when people ask you if your product is secure and how you protect their data. It's a good idea to start thinking about these answers now and then look at your answers and verify that you are actually doing that. Someone will eventually want to audit you. Being ready to comfortably and confidently talk about your cybersecurity program will build a lot of trust with investors, customers, and partners.
Chapter 12 will discuss the inevitable data breaches. They are a part of doing business today, and we build our cybersecurity programs to be antifragile so that we improve when they happen.
Chapter 13 dives further into the technical needs for start-ups that are developing a technical solution, and covers baking cybersecurity into the product you are building, not just your start-up.
Chapter 14 looks at the outside risks of doing business today. Third-party vendors, really any vendor you use, will bring some risk to your business. The reward must simply outweigh that risk. This chapter will help you understand how to quickly evaluate that risk.
Chapter 15 will bring us back to where we started and set you and your co-founders on the way to building a secure start-up.
This book is written specifically for founders to take immediate and continuous actions in their start-up to bake in cybersecurity. After each chapter, I will summarize the contents and highlights of the most critical takeaways. Additionally, there will be action plans that you can take immediately and as your start-up scales to implement those suggestions.
These plans will be broken out into generalized phases in your start-up journey from founding to exit. Obviously, not every company takes the same path, so specific catalysts will be mentioned and grouped in a way that may seem contradictory.
Formation:
- One to three founders
- No additional full-time staff
- Angel or friends and family or bootstrap funding

Validation:
- Founders + Key Strategic Hires
- MVP exists
- Lighthouse/marquee customers
- Seed round funding

Growth:
- Founders + Key Strategic Hires + Engineering Teams
- Several customers
- A series and beyond
We'll use these generalized stages in the life cycle of a start-up to delineate specific milestones and actions that you should consider taking. As your start-up and product mature, so should your cybersecurity (Figure I.1).
FIGURE I.1 Startup Development Phases – From Idea to Business and Talent to Organization
Source: Startup Key Stages by Startup Commons is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
An ounce of prevention is worth a pound of cure.
– Benjamin Franklin
NO ONE PLANS ON THEIR START-UP not making it past a year of business, so you should also plan for your cybersecurity investment and planning to scale into the future. While selecting the bare minimum may seem and feel counterintuitive, and is certainly against the opinion of many cybersecurity professionals, it will ensure the continuation of the business.
Just as the heart is the first organ to receive oxygenated blood from the lungs, the continued operation of your start-up should be the number one priority. Security must enable the business to operate and find a balance as a requirement for the business. Cybersecurity is now a priority business function and no longer solely an IT issue.
When discussing cybersecurity many thoughts come to mind, all of which fall into three important categories: people, processes, and technology. As a start-up, you won't always have the option of deploying all three, and even many mature organizations do not. This is why when we discuss cybersecurity we must also discuss risk and managing risk. The goal of your cybersecurity strategy should be to reduce, mitigate, and accept risk. No two organizations are the same, even within the same industry vertical. The risk of not being Payment Card Industry Data Security Standard (PCI DSS) certified could mean the loss of revenue for one organization and absolutely nothing to another.