Here’s why startups need to think about security from the beginning
Or, a lot of what I know about early-stage startups I learned from sea turtles
Launching a startup can make you feel like a sea turtle hatchling—there's danger everywhere, and most don't make it to the ocean. When you're in sea turtle mode, it makes sense to focus on survival. But how can you tell which projects really matter for survival and which ones are perilous detours, like the lights from the boardwalk distracting you from the ocean?
It's a question I often hear from founders in the early days of their company: how much effort do you expend on security now versus later?
Having spent two decades in cyber security, getting to work with founders as an advisor, being part of a founding team, and being a founder myself — I want to share my somewhat unique perspective on the topic.
The tl;dr:
Investing early and wisely in security is a key survival strategy. Far from being a pre-MVP inhibitor, security is a foundational element that pays dividends over time.
Robust security measures allow companies to scale while avoiding hidden expenses, speed up development in the long run, and claim a competitive edge in the market.
Here are four reasons why you should invest early.
#1 Making the right security investments early reduces the cognitive load for developers later on
When startups prioritize their security architecture early, they don't have to retrofit security as they grow. This early investment translates to more time for innovation and product development later down the line. Thoughtful security controls that are seamless and integrated into development workflows can help ensure robust protection at the various stages of growth—without impeding speed and agility.
#2 Unifying on technology from the start makes it easier to grow
Early-stage startups benefit from selecting a unified set of technologies from the beginning. Do you really need 15 different project management solutions? Unified technology selection helps reduce the attack surface by giving you one, not ten, of the same tool to secure. It also reduces the cognitive load and learning curve for employees and security teams alike: one tool to learn means one tool for the security team to learn how to secure. Yes, over time you will need specialized tools, but hopefully that need arrives alongside a slightly larger security budget, so your security team can support securing and integrating the additional tools into the security program.
#3 Building in automation early saves the time and work of manual oversight
Startups also benefit early on from embedding automation and auto-remediation into their development processes and daily workflows. Establishing this early helps build a culture that leans on automation to simplify and enhance security. For example, tools like Dependabot, which can be configured to automate dependency updates, ensure that software remains current—with minimal oversight. Having tools like this in place early will provoke productive conversations amongst developers about how to test for breaking changes — versus introducing automation later, which often results in discussions about how to turn off the automation because it broke something.
#4 Being secure from the beginning is a competitive differentiator
The stereotypical startup is moving fast—and breaking things. Often, those broken things introduce security risks. So when a startup shows up with a strong security posture and great documentation, they stand out from competitors and put design partners at ease. Especially if you are entering a market with old incumbents who haven't had the opportunity to build a culture of security from the ground up.
Choosing the right security investments
There are a lot of vendors and a lot of options in the security world. Here are just a few that I think stand out for early-stage companies that want to build a solid security program in the short term and a solid foundation for the future.
Please note: This is NOT a complete list of vendors I think make sense for startups. I have NO vested interest in any of these companies' success other than I'm genuinely a fan of what they’re building and the teams they’ve assembled.
Push Security
The advantage of adopting Push Security's tools (or something like them) lies in eliminating guesswork regarding account proliferation, streamlining future management of SaaS application usage, and safeguarding where and how credentials are used. As a startup, you are signing up for and testing many different technologies (most often in the form of SaaS), and you can't recall all the places you created accounts. Push Security, from my perspective, helps with that and more. They've got additional features that educate users with banners and help lock down SaaS apps that aren't easily secured. With all this, you ensure clear visibility into what users are using, you get insights into application usage (think budgeting), and a little user education never hurt anybody. Push Security also offers attractive pricing for startups. With the multiple use cases they support (ROI), their attractive pricing, and the high likelihood that, as a startup, you'll be exploring many different SaaS solutions early on -- Push Security is an obvious early security purchase.
ChainGuard
It may seem like a check box, but reducing vulnerabilities on your build images is important. There's nothing more annoying than vulnerabilities popping up in libraries and packages that are never used. It leaves you saying, "This should be a solvable problem; can you tell I'm not using that package?" The answer is yes. To avoid this at Fixify, we've adopted ChainGuard for our base images to ensure that we have the fewest packages possible and that they're up-to-date with patches. ChainGuard alleviates the headaches of manually revving, patching, and building new images. My advice: get it integrated early so you don't pay the migration tax, in the form of people and time, later.
Infrastructure as code (IaC) and git commit signing
Adopting IaC and git commit signing early in your journey sets a precedent for managed, reviewable, auditable, and recoverable changes. It lays the groundwork for secure and scalable practices. Using tools like Pulumi, which is Fixify's preferred choice for IaC, brings additional benefits in my view. Expressing infrastructure as code in your primary language not only minimizes context switching but also encourages collaboration among developers. This approach ensures a broad range of perspectives during reviews (yay security!), and I believe it has also significantly enriched the development process.
Product-specific security measures
Sometimes, the best security control is one you build yourself. You hopefully know your product, its attack surface, and common concerns your customers have about risk and security better than anyone. This means you're in a great position to build in native controls or detections where it counts. For instance, at Fixify, since we require SSO to access Fixify’s product, we have built specific product features to detect the reuse of potentially stolen SSO tokens. This early initiative addresses some common security worries that customers might have using a SaaS application like ours.
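As an added illustration of the kind of product-native detection described above (example code written for this page, not Fixify's implementation): a server-side check that binds an SSO session token to the client context it was issued to, then flags the same token presented from a different context, after its TTL, or with no issuance record at all. The fingerprint fields, the TTL, and the event format are assumptions.

```python
import hashlib

def client_fingerprint(ip: str, user_agent: str) -> str:
    """Hash the client context so raw IPs and user agents are not retained."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()[:16]

class TokenReuseDetector:
    """Remembers which client context each SSO session token was issued to."""

    def __init__(self, ttl_seconds: float = 3600.0):
        self.ttl = ttl_seconds
        self._bindings: dict[str, tuple[str, str, float]] = {}  # token -> (user, fp, expires_at)

    def issue(self, token, user, ip, user_agent, now):
        """At SSO login, bind the token to the client context that logged in."""
        self._bindings[token] = (user, client_fingerprint(ip, user_agent), now + self.ttl)

    def check(self, token, ip, user_agent, now) -> str:
        """Classify a request bearing token: ok, unknown, expired or reuse."""
        if token not in self._bindings:
            return "unknown"
        _user, fingerprint, expires_at = self._bindings[token]
        if now > expires_at:
            return "expired"
        if client_fingerprint(ip, user_agent) != fingerprint:
            return "reuse"   # same token, different client: worth an alert
        return "ok"

# Constructed request log (not real traffic): (event, token, ip, user_agent, timestamp, user).
SAMPLE_EVENTS = [
    ("login", "tok-A", "203.0.113.10", "Firefox/125", 0, "alice"),
    ("request", "tok-A", "203.0.113.10", "Firefox/125", 30, None),   # legitimate
    ("request", "tok-A", "198.51.100.7", "curl/8.0", 60, None),      # replayed from elsewhere
    ("login", "tok-B", "192.0.2.5", "Chrome/124", 100, "bob"),
    ("request", "tok-B", "192.0.2.5", "Chrome/124", 800, None),      # past the 600 s TTL
    ("request", "tok-C", "192.0.2.9", "Chrome/124", 900, None),      # never issued
]

def scan(events, ttl_seconds=600):
    """Replay events through the detector; return (token, verdict) for every non-ok request."""
    det = TokenReuseDetector(ttl_seconds)
    alerts = []
    for kind, token, ip, ua, ts, user in events:
        if kind == "login":
            det.issue(token, user, ip, ua, ts)
        elif (verdict := det.check(token, ip, ua, ts)) != "ok":
            alerts.append((token, verdict))
    return alerts
```

A fingerprint mismatch is a signal to investigate or step up authentication rather than proof of theft, since legitimate users change networks and browsers; choose which context fields you bind on with that false-positive rate in mind.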
Test your assumptions early
Engaging in early penetration testing or red team exercises with a third party is a great step in testing your startup's security and risk assumptions. Timing this testing is essential; it should occur when your architecture is established enough to provide meaningful results yet still flexible enough for quick adjustments based on the findings. This balance ensures that vulnerabilities are identified and addressed before they become serious threats without distracting from launch preparations. By adopting this proactive approach, you are not only helping your startup now, you're laying a solid foundation of collaboration between security and product while building trust with early customers.
Making it to the ocean
At a startup, it’s easy to get so focused on building a product quickly that you set aside anything that feels like it might slow you down. And it’s easy to see why—I’m thinking about those sea turtles again, and they are in a hurry for good reason! But the reality is that investing in security early makes you more competitive from the start (if you’re still on board with my metaphor, think of security as a stronger shell). A good security foundation also helps you move more quickly later. After all, once you’re in the ocean, you’ve got to be strong enough to swim through the waves.
I recently stepped out of the cybersecurity world to launch something new. At Fixify, we’re aiming to change the face of IT, and we’d love to have you follow along. Learn more and join our update list here!