Bake it in from the start: “Moving fast and breaking things” will become a thing of the past as customers and investors take security and privacy more and more seriously
It seems that security is still – at best – an afterthought for most start-ups as they go about building their Minimum Viable Product (MVP).
We highlighted it earlier in the context of the Internet of Things, but it is true across the board.
Quick iterative cycles and fast go-to-market are often prioritized over the security of a product before it is put in users’ hands, sometimes with terrible consequences. Indian cab-hailing start-up Ola and restaurant discovery service Zomato are cases in point: a poorly protected product can be hacked regardless of a company’s age or size. “For start-ups to believe that they are too small for cyber attackers to take note of them is naive and misguided”, as we already highlighted in 2016.
In fact, the dominant mindset in the entrepreneurial world is often at odds with putting actual security measures in place early on, at both company and product level. In the immortal words of Mark Zuckerberg: “Move fast and break things. If you are not breaking things, you are not moving fast enough”. This mentality is simply misplaced in the context of cybersecurity. Leaking the passwords and banking details of your early users has far more serious consequences than a bug in your app or picking the wrong colour for your logo. And this is only likely to get worse as regulation tightens around the world.
You simply can’t afford to A/B test your product’s security.
What makes this all the more paradoxical is that implementing security and privacy best practices and putting the right controls in place from the start should not be that expensive or time-consuming, even in a context where every feature costs money and takes time. But the fact is that security is rarely seen as a feature, and privacy is often cynically sacrificed on the altar of data monetization.
Quite simply, the features included in the MVP will be those that users and VCs will really notice and those which will drive valuations up. But this is often more a matter of perception than proper research, and it is plagued by cognitive biases on all fronts, in particular the “imaginability” or “availability” biases theorized by Nobel laureate Daniel Kahneman and Amos Tversky.
And for now, perception amongst this community is that security and privacy won’t drive sales and valuations, and therefore don’t matter.
Security and privacy audits in early-stage funding due diligence are virtually non-existent, so there is simply no incentive for start-ups to take any of this seriously.
This is dangerously short-termist and goes against two clear trends:
- Data breaches and cyber-attacks keep happening at an alarming rate and nobody is immune, as we highlighted above. Society at large is taking security and privacy more and more seriously, as demonstrated by the rise of anger against Facebook over the past few years. Politicians have jumped on that bandwagon and regulation is tightening worldwide.
- Different investors look at different horizons, and ESG is becoming an increasingly important factor for many of them. Security and privacy are important pillars of the social and governance dimensions, and research has started to emerge showing that good ESG practices support higher valuations.
In the long term, every start-up must understand that the real secret sauce is trust: in a context of increasing consumer awareness around privacy and data protection, your most valuable asset will be the trust of your customers in your product.
In fact, fighting early on against the current data-driven trust deficit might be your smartest bet as a new company.
“Moving fast and breaking things” has never created trust.
Start-ups must build customer trust from the early days by embedding sound security and privacy practices in their products and in their culture.
Jean-Christophe Gaillard is Founder and Managing Director of Corix Partners
He is a senior executive and a team builder with over 25 years of experience gained in several global financial institutions in the UK and continental Europe, and a track record of driving fundamental change in the security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.
A French national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris Tech and has been co-president of the Cyber Security group of the Telecom Paris Tech alumni association since May 2016.
He runs the Corix Partners blog and contributes regularly to the CIO Water Cooler, and has previously published articles on the InfoSecurity Magazine, Computing, the C-Suite.co.uk, Info Sec Buzz and the IoD Director websites. He was listed in the top 10 of the UK’s 30 most influential thought leaders on Risk, RegTech and Compliance by Thomson Reuters in April 2017.