Minimum Security Budget (MSB)

A good friend of mine once said that “a startup without money is just a hobby”.

When I first heard those words, I hadn’t yet started down my own small business path and so I laughed and agreed. These seemed like wise words to me.

Then I started SafeStack and I quickly learned that having no money wasn’t the defining characteristic of my new adventure, but it was a recurring theme — especially when we started to develop a product. I also knew this was far from being a hobby.

A note to the reader: as someone who both builds product and sells security services, this article may well be a conflict of interest. I don’t teach and write to sell things. I write because I want to share what I know. There are many other fine purveyors of security services, many of whom will even live in your country. Feel free to ask them for help.

No money != not enough money

Startups and young businesses share a sense of fragility when it comes to finances. For most of us (despite what the news would have us believe), when you start up your own venture, golden unicorns do not magically appear and poop rainbows and money all over your new business. In fact, you learn quickly that operating lean isn’t just a nice-to-have, it’s a survival skill.

Victory! Early stage funding achieved

Cash flow comes from a small number of places in those first months and years. First to go in the pot are your own personal savings, next up are generous offerings from friends and family (if you are lucky enough to have them) and finally banks and grants come to the table if you are so inclined, lucky enough or have the right collateral.

If you are in the right industry, of course, you may have client revenue early. Service industries are pretty good for this. Training and consultancy will provide funds early on where product companies may struggle.

Whatever your background, offering or experience, though, it’s likely your cash reserves are in short supply.

Lean principles and failing fast

Most startup experts will normally chime in at this point and say that cash flow and spend for early stage companies has to follow lean principles. There are lengthy books and essays on the subject, but the Cliff’s Notes version is that our business resources are finite, so we have to make tough, information-driven decisions on what we spend them on.

As well as only spending on essentials, these mantras encourage us to iterate quickly over ideas, creating only the minimum viable solutions to our problems and moving on quickly when they fail or we see shortcomings.

Is security part of MVP?

One of the ongoing debates in early stage security is whether we include security into this idea of Minimum Viable Product (MVP). In a traditional view of MVP, nothing is included that is not essential to the needs of the customer and the function being provided.

Considering security at MVP stage increases complexity, which can distract the startup from their customers’ needs and their business opportunity. Time, money and energy that could be used to churn through multiple iterations of MVP would have to be spent on additional engineering and controls for an unproven product or solution.

The almost MVP

Whether we like it or not, security has to come into the picture early. As soon as functionality is agreed on or validated, security has to be considered. The decisions made at this stage, before the heavy lifting of core product engineering, are key to the ongoing design of our software architecture.

So if security has to be in our products and architectures from such an early stage, how do you balance this additional engineering need with the limited cash flow and resources of your small business?

What is Minimum Security Budget (MSB)?

So if you know that security needs to be in place from these very humble beginnings, what are the key costs that you will need to fund on your journey to startup security success?

Homemade security and doing it yourself

If you have only a few dollars to spare and need to spend them well in the security space, there are a number of projects you can spend a little money on up front and save some pain later.

  • Version control and software lifecycle software — Keep your software safe in the simplest ways. Get used to versioning, branching and tracking your issues. Test out tools before you pay for them.

  • Logging and monitoring — Logging is going to be essential to every aspect of scaling your system, not just the security side. Get a tool in place early and get into a rhythm when adding logging. Spend a few hours learning to log well and what you should/shouldn’t send to a third party log server.

  • Continuous integration software — A good software build chain will save you thousands of hours over time. This is the skeleton from which you can run your unit tests, vulnerability scanning and build checking as you mature.
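One concrete piece of the logging hygiene mentioned above, added here as an example and not code from the original post: a small Python filter that redacts secrets and personal data from structured log records before they are forwarded to a third-party log server. The key names, regular expressions and sample record are assumptions constructed for the example.

```python
import re

# Added example, not code from the original post: a filter that scrubs secrets and
# personal data out of log records before they are shipped to a third-party log
# server. The field names and patterns are assumptions; extend them for your product.

# Keys whose values never belong in an external log, whatever they contain.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization",
                  "api_key", "cookie", "session", "card_number"}

# Sensitive values that tend to hide inside free-text messages.
BEARER_RE = re.compile(r"(?i)bearer\s+[a-z0-9\-._~+/]+=*")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check, as real card numbers do."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scrub_text(text: str) -> str:
    """Redact bearer tokens, e-mail addresses and Luhn-valid card numbers."""
    text = BEARER_RE.sub("Bearer [REDACTED]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    # Only digit runs that pass Luhn are treated as cards; order ids and timestamps stay.
    return CARD_RE.sub(
        lambda m: "[CARD]" if luhn_ok(re.sub(r"[ -]", "", m.group(0))) else m.group(0),
        text)

def scrub_record(record: dict) -> dict:
    """Return a copy of a structured log record that is safe to send off-site."""
    clean = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_KEYS:
            clean[key] = "[REDACTED]"
        elif isinstance(value, dict):
            clean[key] = scrub_record(value)  # recurse into nested objects
        elif isinstance(value, str):
            clean[key] = scrub_text(value)
        else:
            clean[key] = value
    return clean

# Constructed sample record, shaped like one an application might emit.
SAMPLE = {"level": "warn", "status": 401, "order_id": "12345678901234",
          "msg": "login failed for alice@example.com, card 4111 1111 1111 1111, Bearer abc.def-123",
          "user": {"email": "alice@example.com", "password": "hunter2"}}
```

Run `scrub_record(SAMPLE)` in the process that ships logs; the original record is left untouched, so local debugging still sees the full data.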

Erm… these aren’t security things at all…

Did you notice that none of these were security specific tools or techniques?

It’s true.

This is not a mistake.

Good security at this stage starts with good development practices. Even if your product team is 1–2 developers, these foundations will help you write good, clean, well-tested code in a visible and repeatable way. This is essential for ongoing security and maintainability.

Outsourced security

Outsourced security services are expensive. I know this. I sell some of them. I also have to buy them for my product. In fact I am about to tell you to buy less of them and focus on only those services that will help your product grow long term.

There are three minimum services you will need to budget for down the track.

  1. Penetration Testing — Whether you like it or not, most compliance regimes require this. I will rant some other time about why I don’t like penetration testing, its limitations and how to buy it, but for now remember — this is the one service that your customers will probably want to see the results of. You should probably care about that. (Estimated cost $10k–20k from a specialist firm)

  2. Architecture Advice — Securing complex architectures is hard, and getting a professional set of eyes over your decisions and designs early means you can avoid some nasty reengineering later on. Get someone you can trust and let them call out your decisions and ask you questions. A good architect will help you understand your complexity and risk but, more importantly, offer suggestions to improve. (Estimated cost $2k per day; length varies based on complexity, typically half a day minimum)

  3. Survival Skills — Preparing your startup to tackle security events and disasters (from documenting processes, to training and process testing).

Security adds credibility in large sales

Taking even basic security steps and making design considerations early can be a real selling point when you are attempting to sell to large enterprise environments or into fields that are compliance driven.

For complex architectures or products, problems can be anticipated early. Even if you can’t address them in early beta releases, you can plan these fixes into your strategy and remove bumps in the road ahead.

Typical security behaviour for a product

If your product touches financial or health data, is involved with children or education or has some form of compliance overhead (such as PCI DSS), you will eventually need to prove to customers, compliance organisations and insurance companies that you are prepared to handle this risk.

Taking small steps with your tiny budget early can ease this transition and prepare your small startup to grow quickly when it matters most.

Avoid the cost of not doing it

Of course, you could ignore all of this and declare security an afterthought, something for when you mature.

The truth is, however, that security is a basic requirement now; it is table stakes for developing in an always-connected world. The cost of dealing with a security breach is not just measured in money, it is measured in reputational damage.

While a large established organisation might survive such an incident, there are few startups who feel confident that they could claim the same resilience.

The cost of not doing security from day 0 for organisations like ours is not getting past day 0.

I know this is a risk I’m not willing to take.