Yes, you heard that right: virtual CISOs. Just as the pandemic was crashing around us, Taylor Hersom, CEO and founder of Eden Data, noticed a gap in the marketplace. Startups and SaaS-based businesses needed security support but either didn’t know how to find someone, couldn’t find anyone, or couldn’t afford it. In this week’s Reimagining Cyber episode, “Virtual meetings, virtual concerts, and now virtual CISOs?”, Hersom shares insights from his past two years in the start-up space.
Security Trends in the Start-up Space
“Whether you are a startup or a huge organization, a lot of security applies the exact same across the board…if you go look at the cybersecurity trends of 2022 and 2021, and further back, they're always the same,” Hersom says.
“It's always people clicking on bad links; it’s always cloud misconfigurations. It's always ransomware. And a lot of the attack vectors are the same.”
This simple fact has allowed Eden Data to create a blueprint for SaaS businesses to execute against, streamlining and simplifying an otherwise overwhelming cybersecurity process.
Some organizations don’t know where to start, and even the basics, such as compliance, can be overwhelming.
“SOC2 is huge in the startup community, I think basically in the U.S. ... beyond the U.S. it's of course, ISO 27001,” Hersom says.
Startups are primarily concerned with getting their businesses and SaaS offerings up and running, and security is rarely top of mind. Yet meeting SOC 2 requirements can be incredibly overwhelming for these firms.
“If I had $1 for every time I’ve heard, ‘Hey, we use AWS, and they’re SOC2 certified, so I’m covered,’” he says. “It’s like, once they have the realization that they’re not covered, and they lose their first deal, or they get hit with their first angry customer email, or they even get some kind of scare from a regulator, then they’re usually suddenly shifting their focus on what’s important and what’s not.”
A provider’s SOC 2 report covers the provider’s own controls, not how a customer configures and operates the services it builds on; under the shared responsibility model, that part remains the customer’s job. Thus, a few lost deals due to non-compliance can be a significant driver. Another driver is obtaining or retaining cyber insurance for these SMB firms. Hersom has also seen insurance providers and underwriters raise the bar on required security controls, as was discussed in the episode with Shawn Tuma.
Instead of being reactive to these requirements, Hersom recommends being proactive and getting your basics up and running early. Some things, like becoming SOC 2 compliant, take four to six months, so getting ahead is essential. This may mean either hiring the expertise in-house, as was discussed in the episode with Ty Sbano, or finding a virtual CISO service that provides the necessary skilled resources. Either way, these firms can then achieve compliance faster with fewer road bumps. But Hersom points out that once you start on cybersecurity, it doesn’t stop: “security is a loop, not a line.”
As to when you should engage the services of a virtual CISO vs. hiring one, Hersom recommends: “Any time you’re under 500 employees, I think that there is actually value in going the virtual route or the vendor route. I do think that as companies get past that 500-employee mark, you need to have some kind of internal stakeholder, it doesn’t necessarily need to be a CSO.”
By getting your security plan set up early, you can mitigate a lot of these risks.
Security Headcount in the Start-up Space
OK, so you want to implement a security strategy and plan, but how much headcount should you allocate to security?
Hersom recommends 1% of an organization’s total headcount.
“People don't realize that that's … a pretty significant investment,” he says.
“So, you go look at the salary of a CSO and a Data Compliance or a Data Privacy Officer/Compliance Manager. They start to add up a lot, and I think I truly believe that, especially for the startup and scale-up market, you can replicate and use a lot of - you can usually get more value out of contractors than you can out of hiring full time.”
Hersom cites the volatility of the technology space and the cyber industry as a reason to consider contractors and virtual CISOs.
I’m a start-up, and I’ve been breached. Now what?
Hersom and his team at Eden Data often get pulled into post-breach situations to help manage conversations with cyber insurance companies. They typically help fill out applications and questionnaires about the current state of affairs, as well as help negotiate rates for customers. He cautions that he and his colleagues are seeing insurance agencies adjust their coverage models and remove coverage benefits (for more about cyber insurance, check out these two podcast episodes with Shawn Tuma, Attorney at Spencer Fane: “Cyber Insurance in the Wake of Log4j” and “So you’ve been hacked, now what?”).
A look into the Future
If Hersom had a crystal ball, he hopes he’d see the following:
- Automation: automating controls and procedures to mitigate human error
- More internal audits: while some organizations fear internal auditors, they’re there to help and to reduce the impact of any incident.
- Insight into third-party applications: understanding a third party’s security posture is critical. Most organizations send a SAQ (Self-Assessment Questionnaire), but it relies on the honor system that it is filled out truthfully and correctly. Hopefully, we will see some automation to help in this area in the future.
The start-up and entrepreneurial spaces are full of innovation and excitement. A breach doesn’t have to be part of the experience. By working with organizations like Eden Data to establish your security posture early, you can reduce the likelihood and impact of breaches or attacks before they happen.
Do you work for a start-up? What trends are you seeing? Drop them in the comments below.
You can find the latest episode of Reimagining Cyber on BuzzSprout, Apple, Soundcloud, Stitcher, Spotify, and Google. Give it a listen, and let me know what you think.
CyberRes is a Micro Focus line of business focused on helping companies protect, detect, and evolve their security framework and helping organizations become more cyber resilient. To learn more, visit CyberRes.com.