Скачать книгу

be action plans that you can take immediately and as your start-up scales to implement those suggestions.

      These plans will be broken out into generalized phases in your start-up journey from founding to exit. Obviously, not every company takes the same path, so specific catalysts will be mentioned and grouped in a way that may seem contradictory.

      1 FormationOne to three foundersNo additional full-time staffAngel or friends and family or bootstrap funding

      2 ValidationFounders + Key Strategic HiresMVP existsLighthouse/marquee customersSeed round funding

      3 GrowthFounders + Key Strategic Hires + Engineering TeamsSeveral customersA series and beyond

cintrof001

      Source: Startup Key Stages by Startup Commons is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

PART ONE Fundamentals

       An ounce of prevention is worth a pound of cure.

      – Benjamin Franklin

      NO ONE PLANS ON THEIR START-UP not making it past a year of business, so you should also plan for your investment and planning in cybersecurity to scale into the future. While selecting the bare minimum may seem and feel counterintuitive and is certainly against the opinion of many cybersecurity professionals, it will ensure the continuation of the business.

      Just as the heart is the first organ to receive oxygenated blood from the lungs, the continued operation of your start-up should be the number one priority. Security must enable the business to operate and find a balance as a requirement for the business. Cybersecurity is now a priority business function and no longer solely an IT issue.

      Cybersecurity must be included in your enterprise risk management along with things like compliance, financial reporting, business continuity, etc. It should be all-encompassing and avoid siloing each off into its own risk management vertical. Cybersecurity is a huge part of all of these pieces. All of the following compliance and regulatory requirements require a varying level of cybersecurity practice and maturity (and we'll review these in more detail in Chapter 10):

       Payment Card Industry (PCI)

       Sarbanes–Oxley Act (SOX)

       North American Electric Reliability Corporation (NERC)

       Health Insurance Portability and Accountability Act (HIPAA)

       HITRUST

      The credibility of your business is important to protect. This is why you seek professional advice from lawyers and accountants. A start-up with three founders and without capital cannot afford to hire a full-time world-class lawyer (also referred to as general counsel) or accountant, let alone a chief finance officer (CFO). There are, however, many services that offer those capabilities that can meet a start-up's needs at every phase of the scaling life cycle. You shouldn't feel concerned by the fact that you can't afford a full-time chief information security officer (CISO) or world-class cybersecurity team; alternatives exist that are appropriate for your start-up life cycle stage.

      There is a common phrase when describing old-school cybersecurity approaches where it is like an M&M – crunchy outside and soft inside. When cybersecurity is applied with a hardened perimeter, the thing you want to protect most may actually be more vulnerable from the false sense of security that is created.

      When approaching cybersecurity for your new start-up you should focus on the following:

       The data or capabilities you want to protect

       The systems with that data or capabilities you want to protect

       The people with access to those systems you want to protect

      Communication is a critical part of our lives. It is also critical to the success of your business. Communicating with your fellow founders, potential or existing customers, vendors, or investors is vital. In cybersecurity, there is a common philosophy called CIA: confidentiality, integrity, and availability. To better understand this, we can apply this methodology and framework to email. In the case of the sender and intended recipients of that email, only those individuals can access the communications; the information being communicated is unmolested and it is accessible when required respectively. This philosophy is applied across cybersecurity, not just to communicate, but for this discussion we will refer to it as such. It should also be noted that each are not always equal in every situation. There may be times when availability is favored over confidentiality.

      Email has become a digital repository for nearly everything in our lives. From communicating with our children's teachers at school, to our doctors, to our accountant when filing our taxes, it is a literal treasure trove. On top of just the sensitive data in one year of sent and received emails, our email accounts are now the key to accessing nearly all of our other accounts in other systems. Think back to the last time you reset a password. You most likely received a password reset link to your “email address on file.”

Скачать книгу