Written by Oren Yunger, VC investor at GGV Capital
When it comes to meeting compliance standards, many startups are dominating the alphabet. From GDPR and CCPA, to SOC 2, ISO27001, PCI-DSS, and HIPAA, companies have been charging towards meeting the compliance standards required to operate their businesses. Today, every healthcare founder knows their product must meet HIPAA compliance and any company working in the consumer space would be well aware of GDPR, for example.
But a mistake many high-growth companies make is that they treat compliance as a catch-all phrase that includes security. Thinking this way could be an expensive and painful error. In reality, compliance means that a company meets a minimum set of controls. Security, on the other hand, encompasses a broad range of best practices and software that help address risks associated with the company’s operations.
It makes sense that startups want to tackle compliance first. Being compliant plays a big role in any company’s geographical expansion to regulated markets, and in its penetration to new industries like finance or healthcare. So in many ways, achieving compliance is a part of a startup’s go-to-market kit. And indeed, enterprise buyers expect startups to check the compliance box before signing on as their customer, so startups are rightfully aligning around their buyers’ expectations. So, it’s not surprising that we’ve witnessed a trend where startups achieve compliance from the very early days, and often prioritize this motion over developing an exciting feature or launching a new campaign to bring in leads, for instance.
Compliance is an important milestone for a young company and one that moves the cybersecurity industry forward. It forces startup founders to put security hats on and think about protecting their company, as well as their customers. All at the same time, compliance provides comfort to the enterprise buyer’s legal and security teams when engaging with emerging vendors. So why is compliance alone not enough?
First, compliance doesn’t mean security (although it is a step in the right direction). It is more often than not that young companies are compliant while being vulnerable in their security posture. But what does that look like? For example, a software company may have met SOC 2 standards that require all employees to install endpoint protection on their devices, but it may not have a way to enforce employees to actually activate and update the software. Furthermore, the company may lack a centrally-managed tool for monitoring and reporting to see if any endpoint breaches have occurred, where, to whom, and why. And, finally, the company may not have the expertise to quickly respond to and fix a data breach or attack. So although compliance standards are met, several security faux pas are in place. The end result is that startups can suffer security breaches that end up costing them. For companies with under 500 employees, the average security breach costs an estimated $7.7 million, according to a study by IBM, not to mention the brand damage and lost trust from existing and potential customers.
Second, an unforeseen danger for startups is that compliance can create a false sense of safety. Receiving a compliance certificate from objective auditors and renowned organizations could portray that the security front is covered. And once startups start gaining traction and signing upmarket customers, that sense of security grows. They think, if the startup had managed to acquire security-minded customers from the F-500, being compliant must be enough for now and the startup is probably secure by association. When charging after enterprise deals, it’s the buyer's expectations that push startups to achieve SOC 2 or ISO27001 compliance to satisfy the enterprise security threshold. But in many cases, enterprise buyers don’t ask sophisticated questions or go deeper into understanding the risk a vendor brings, so startups are never really called to task on their security systems.
Third, compliance only deals with a defined set of knowns. It doesn’t cover anything that is unknown and new since the last version of the regulatory requirements were written. For example, APIs are growing in use, but regulations and compliance standards have yet to catch up with the trend. So, an e-commerce company must be PCI-DSS compliant to accept credit card payments, but it may also leverage multiple APIs that have weak authentication or business logic flaws. When the PCI standard was written, APIs weren’t common and so they aren’t included in the regulations, yet now, most fintech companies rely heavily on them. So, a merchant may be PCI-DSS compliant, but leverage non-secure APIs, potentially exposing customers to credit card breaches.
Startups are not to blame for the mix-up between compliance and security. It is difficult for any company to be both compliant and secure, and for startups with limited budget, time, or security know-how, it’s especially challenging. While in a perfect world, startups would be both compliant and secure from the get-go, it’s not realistic to expect early-stage companies to spend millions of dollars on bulletproofing their security infrastructure. But there are some things startups can do to become more secure.
One of the best ways startups can begin tackling security is with an early security hire. This team member might seem like someone you could put off until the company reaches a major headcount or revenue milestone, but I would argue that a head of security is a key early hire as this person’s job will be to focus entirely on analyzing threats, and identifying, deploying, and monitoring security practices. Additionally, startups would benefit from ensuring their technical teams are security-savvy and keep security top of mind when designing products and offerings.
Another tactic startups can take to bolster their security is to deploy the right tools. The good news is that startups can do so without breaking the bank; there are many security companies offering open-source, free, or relatively affordable versions of their solutions for emerging companies to use, including Snyk, Auth0, HashiCorp, CrowdStrike, and Cloudflare. A full security rollout would include software and best practices for identity and access management, infrastructure, application development, resiliency, and governance, but most startups are unlikely to have the time and budget necessary to deploy all pillars of a robust security infrastructure. Luckily, there are resources like Security4Startups that offer a free, open-source framework for startups to figure out what to do first. The guide helps founders identify and solve the most common and important security challenges at every stage, providing a list of entry-level solutions as a solid start to building a long-term security program. In addition, compliance automation tools can help with continuous monitoring to ensure these controls stay in place.
It is clear that to a startup, compliance is critical for establishing trust with partners and customers. But if this trust is eroded after a security incident, it will be next to impossible to regain it. Being secure, not only compliant, will help startups take trust to a whole other level and help not only boost market momentum, but also make sure their products are here to stay. So instead of equating compliance with security, I suggest expanding the equation to consider that compliance AND security equal trust. And trust equals business success and longevity.