Start-Up Secure
Description
Add cybersecurity to your value proposition and protect your company from cyberattacks
Cybersecurity is now a requirement for every company in the world regardless of size or industry. Start-Up Secure: Baking Cybersecurity into Your Company from Founding to Exit covers everything a founder, entrepreneur and venture capitalist should know when building a secure company in today’s world. It takes you step-by-step through the cybersecurity moves you need to make at every stage, from landing your first round of funding through to a successful exit. The book describes how to include security and privacy from the start and build a cyber resilient company. You'll learn the basic cybersecurity concepts every founder needs to know, and you'll see how baking in security drives the value proposition for your startup’s target market. This book will also show you how to scale cybersecurity within your organization, even if you aren’t an expert!
Cybersecurity as a whole can be overwhelming for startup founders. Start-Up Secure breaks down the essentials so you can determine what is right for your start-up and your customers. You’ll learn techniques, tools, and strategies that will ensure data security for yourself, your customers, your funders, and your employees. Pick and choose the suggestions that make the most sense for your situation—based on the solid information in this book.
- Get primed on the basic cybersecurity concepts every founder needs to know
- Learn how to use cybersecurity know-how to add to your value proposition
- Ensure that your company stays secure through all its phases, and scale cybersecurity wisely as your business grows
- Make a clean and successful exit with the peace of mind that comes with knowing your company's data is fully secure
Start-Up Secure is the go-to source on cybersecurity for start-up entrepreneurs, leaders, and individual contributors who need to select the right frameworks and standards at every phase of the entrepreneurial journey.
Foreword xv
Preface xvii
Acknowledgments xxi
About the Author xxv
Introduction 1
Part I Fundamentals
Chapter 1: Minimum Security Investment for Maximum Risk Reduction 7
Communicating Your Cybersecurity 9
Email Security 10
Secure Your Credentials 12
SAAS Can Be Secure 14
Patching 15
Antivirus is Still Necessary but Goes by a Different Name 18
Mobile Devices 18
Summary 20
Action Plan 20
Notes 21
Chapter 2: Cybersecurity Strategy and Roadmap Development 23
What Type of Business is This? 24
What Types of Customers Will We Sell To? 24
What Types of Information Will the Business Consume? 25
What Types of Information Will the Business Create? 25
Where Geographically Will Business Be Conducted? 26
Building the Roadmap 26
Opening Statement 26
Stakeholders 27
Tactics 27
Measurability 27
Case Study 28
Summary 30
Action Plan 30
Note 30
Chapter 3: Secure Your Credentials 31
Password Managers 32
Passphrase 33
Multi-Factor Authentication 35
Entitlements 37
Key Management 38
Case Study 39
Summary 41
Action Plan 42
Notes 42
Chapter 4: Endpoint Protection 43
Vendors 44
Selecting an EDR 45
Managed Detection and Response 46
Case Study 49
Summary 50
Action Plan 51
Notes 51
Chapter 5: Your Office Network 53
Your First Office Space 54
Co-Working Spaces 57
Virtual Private Network 58
Summary 60
Action Plan 60
Notes 60
Chapter 6: Your Product in the Cloud 63
Secure Your Cloud Provider Accounts 65
Protect Your Workloads 66
Patching 67
Endpoint Protection 68
Secure Your Containers 69
Summary 70
Action Plan 70
Notes 71
Chapter 7: Information Technology 73
Asset Management 74
Identity and Access Management 76
Summary 77
Action Plan 78
Part II Growing the Team
Chapter 8: Hiring, Outsourcing, or Hybrid 81
Catalysts to Hiring 82
Get the First Hire Right 83
Executive versus Individual Contributor 84
Recruiting 86
Job Descriptions 86
Interviewing 88
First 90 Days is a Myth 90
Summary 90
Action Plan 90
Note 91
Part III Maturation
Chapter 9: Compliance 95
Master Service Agreements, Terms and Conditions, Oh My 96
Patch and Vulnerability Management 97
Antivirus 98
Auditing 98
Incident Response 99
Policies and Controls 100
Change Management 100
Encryption 101
Data Loss Prevention 101
Data Processing Agreement 102
Summary 102
Action Plan 103
Note 103
Chapter 10: Industry and Government Standards and Regulations 105
Open Source 106
OWASP 106
Center for Internet Security 20 106
United States Public 106
SOC 106
Retail 109
PCI DSS 109
SOX 111
Energy, Oil, and Gas 111
NERC CIP 111
ISA-62443-3-3 (99.03.03)-2013 112
Federal Energy Regulatory Commission 112
Department of Energy Cybersecurity Framework 112
Health 113
HIPAA 113
HITECH 114
HITRUST 114
Financial 114
FFIEC 114
FINRA 115
NCUA 115
Education 115
FERPA 115
International 116
International Organization for Standardization (ISO) 116
UL 2900 117
GDPR 117
Privacy Shield 118
UK Cyber Essentials 118
United States Federal and State Government 118
NIST 119
NISPOM 120
DFARS PGI 120
FedRAMP 120
FISMA 122
NYCRR 500 122
CCPA 122
Summary 123
Action Plan 123
Notes 124
Chapter 11: Communicating Your Cybersecurity Posture and Maturity to Customers 127
Certifications and Audits 128
Questionnaires 129
Shared Assessments 129
Cloud Security Alliance 130
Vendor Security Alliance 130
Sharing Data with Your Customer 131
Case Study 133
Summary 135
Action Plan 136
Notes 136
Chapter 12: When the Breach Happens 137
Cyber Insurance 138
Incident Response Retainers 139
The Incident 140
Tabletop Exercises 141
Summary 142
Action Plan 142
Note 142
Chapter 13: Secure Development 143
Frameworks 144
BSIMM 144
OpenSAMM 145
CMMI 145
Microsoft SDL 147
Pre-Commit 147
Integrated Development Environment 148
Commit 148
Build 149
Penetration Testing 149
Summary 150
Action Plan 150
Notes 151
Chapter 14: Third-Party Risk 153
Terms and Conditions 154
Should I Review This Vendor? 154
What to Ask and Look For 155
Verify DMARC Settings 156
Check TLS Certificates 157
Check the Security Headers of the Website 157
Summary 158
Action Plan 158
Note 159
Chapter 15: Bringing It All Together 161
Glossary 167
Index 181
CHRIS CASTALDO is the Chief Information Security Officer at Crossbeam, the world’s first and most powerful partner ecosystem platform. Crossbeam acts as a data escrow service that finds overlapping customers and prospects with your partners while keeping the rest of your data private and secure. Chris is also a Visiting Fellow at the National Security Institute at George Mason University’s Antonin Scalia Law School. He previously held cybersecurity executive roles at Dataminr, 2U, IronNet Cybersecurity, Synchronoss, and the National Security Agency. He is a U.S. Army and Operation Iraqi Freedom veteran.
Cybersecurity is an increasingly important requirement for every company, regardless of size or industry. Competent and effective data security and privacy are now table stakes for start-ups as well, with new legislation, regulations, and consumer expectations driving increasing levels of security and protection.
Start-Up Secure: Baking Cybersecurity into Your Company from Founding to Exit delivers all the information an entrepreneur or venture capitalist needs to know when building a secure company in today’s increasingly dynamic landscape. From their first round of funding through successful exit, the book describes how to incorporate security and privacy into each stage of a start-up’s life.
It shows founders, cybersecurity professionals, and others involved in a start-up how to integrate cybersecurity into the company and build a resilient business. You’ll learn the basic cybersecurity concepts every founder needs to understand and discover how data security and privacy can improve your value proposition in your target market. You’ll also learn how to scale cybersecurity within your organization as you grow.
Start-Up Secure demonstrates how and why data privacy and security are not add-ons that can simply be tacked on at the end of the entrepreneurial journey. Instead, they form part of the foundation of any successful company. A secure and successful exit is not possible without securing a start-up’s data and the privacy of its customers. The book shows you how to accomplish that goal using techniques, tools, and strategies appropriate for your industry, organization, and circumstances.
Perfect for entrepreneurs, venture capitalists, leaders, founders, and individual team members at start-ups in any industry and of any size, Start-Up Secure offers readers an invaluable and comprehensive treatment of a crucial topic at a critical moment.
PRAISE FOR
START-UP SECURE
“A must-read for any start-up organization whether they are providing an application or developing the next great widget. Chris has taken a complex subject and made it relatively simple with step-by-step examples and references to help founders understand their threats. If you are building an organization and plan to be acquired, Chris covers the elements that will happen in a review and highlights the importance of addressing them upfront to reduce costs and make your assessment or funding round as painless as possible.”
—HAROLD MOSS, former CTO, IBM
“Cybersecurity is often one of the things that early stage companies defer—and in doing so, they put their data, their reputations, and their businesses at significant risk. Chris Castaldo offers a clear, comprehensive, and actionable approach to making information security a cornerstone of a modern company’s construction and does so with eloquence and precision. It’s the closest thing to having the ability to hire a seasoned CISO on day one and should be essential reading for every founder.”
—KEVIN O’BRIEN, CEO and Co-founder, GreatHorn
“Chris works to bring a valuable introduction to security basics for the start-up world in a practical, relatable way.”
—ANNE MARIE ZETTLEMOYER, Vice President, Security Engineering, Payments Industry; Visiting Fellow, National Security Institute
“In Start-Up Secure Chris Castaldo does an exceptional job of covering the core essentials founders need when building their companies. He develops the groundwork for entrepreneurs to incorporate sound IT and cybersecurity practices into their start-ups as part of their innovative culture. His book is a great read; I found myself taking notes and really enjoyed the experience. I feel it will provide value to everyone in the start-up community for years to come and can’t wait to see what he writes next.”
—GARY HAYSLIP, CISO, SoftBank Investment Advisers
“Start-up security has been an afterthought for far too long, getting pushed to later stages, and yet a single data breach might doom your fledgling business. Unfortunately, far too many fast growing start-ups fall into this trap and have to deal with the impossible public relations nightmare after a breach. Delay no more! In this thoughtful and approachable book, Chris Castaldo gives you an actionable roadmap to mitigate this massive, yet snubbed, risk to your business. You can easily use this book to get your security program going at any budget or team size. Pick it up, read it, and get implementing.”
—SINAN EREN, CEO and founder, Fyde
Additional praise for Start-Up Secure: Baking Cybersecurity into Your Company from Founding to Exit
“It's rare to see a cybersecurity guide of any kind that is relevant, current, and most importantly, cogent and accessible. Chris Castaldo has not only produced such a guide but has tailored it for an audience who has never before received such wisdom in a digestible manner: the startup community. Startups are notoriously fast-moving, and Castaldo's book keeps up with them, showing them the types of practical security controls they need throughout their rapid journey to whatever exit strategy they envision.”
—ALLAN ALFORD, veteran CISO and co-host of the Defense in Depth podcast
“Start-Up Secure offers important insights and advice in an area that is often overlooked by entrepreneurs. Cybersecurity has emerged as a critical competency for businesses, and this trend will likely continue or accelerate. The guidance provided in these pages will save founders from making preventable mistakes in multiple dimensions, from technical security decisions to avoiding unreasonable contract language. The wisdom shared by Chris is hard-learned, and a valuable addition to any entrepreneur's thought process.”
—PAUL IHME, co-founder, Soteria
“Cybersecurity is often thought of as too intimidating or complex for the layperson to comprehend. Chris Castaldo’s book Start-Up Secure seeks to take the mystery out of succeeding at cybersecurity. His straightforward and direct approach serves as an essential guide to starting out on the right foot with your security program. It is accessible and actionable, and I would recommend it to anyone seeking to tackle cybersecurity, the most important business challenge of our time.”
—BRIAN MARKHAM, CISO, EAB Global Inc.
PUBLISHER: Wiley
ISBN-13: 9781119700739
BINDING: Hardback
BISAC: BUSINESS & ECONOMICS
BOOK DIMENSIONS: 160.00 mm (W) x 231.10 mm (H) x 25.40 mm (D)
AUDIENCE TYPE: General/Adult
LANGUAGE: English