Techcrunch: Use ‘productive paranoia’ to build cybersecurity culture at your startup

At TechCrunch Early Stage, we asked Casey Ellis, founder, chairman and chief technology officer at Bugcrowd, to share his ideas for how startups can improve their security posture.

From Techcrunch, 11th September 2020

Bugcrowd’s Casey Ellis talks prioritizing security at your startup.

SUMMARY:

Casey Ellis, founder and CTO of Bugcrowd, discusses practical ways startups can prioritize cybersecurity early to protect themselves from increasing threats and differentiate their business.

IDEAS:

  • Startups often neglect security initially since payroll and survival feel like more immediate, pressing concerns.
  • Instilling "productive paranoia" across the entire team ensures security awareness isn't limited to just engineers.
  • Password reuse remains a major vulnerability and must be actively discouraged within startups from early stages.
  • Implementing two-factor authentication early significantly reduces security vulnerabilities and simplifies security management as startups scale.
  • Automating software and system updates dramatically improves security posture by preventing outdated, vulnerable software from persisting.
  • Outsourcing non-core security functions to specialized platforms allows startups to focus their resources on core intellectual property.
  • Making secure processes intuitive and insecure actions obviously problematic helps embed good security habits across teams.
  • Having multiple owners of critical accounts prevents single points of failure and allows better oversight of anomalies.
  • Security should not be viewed purely as an engineering issue; other departments like marketing and finance significantly influence overall security risk.
  • Gamifying security awareness through benign and humorous internal activities improves team engagement and security hygiene.
  • Chromebooks or limited devices for non-technical teams like sales and marketing reduce the likelihood of security incidents.
  • Security can become a positive differentiator, allowing businesses to leverage it as a competitive advantage in the market.
  • Proactive vulnerability disclosure programs and bug bounty initiatives help startups gather crucial external security feedback from ethical hackers.
  • Compliance with security standards should be approached incrementally, addressing relevant and achievable requirements progressively rather than immediately.
  • Entrepreneurs must view cybersecurity as an integral part of overall business risk management rather than as a separate, niche concern.
  • Effective security response to breaches requires calm, systematic assessment of facts rather than panicked reactions based on incomplete information.
  • Organizations should carefully avoid prematurely labeling security incidents as breaches due to strict regulatory definitions and consequences.
  • Positive reinforcement and rewards are more effective than punishments for encouraging employee security awareness and good practices.
  • Security budgets should be thoughtfully integrated into overall financial planning rather than treated as arbitrary percentages of IT spend.
  • Enterprises transitioning from traditional IT approaches to agile methodologies face significant challenges in modernizing their cybersecurity practices.
  • Security awareness and internalization by employees provide more long-term value than superficial checkbox compliance approaches.
  • Creating channels and systems for receiving unsolicited security feedback from external researchers helps startups proactively identify vulnerabilities.
  • The COVID-19 pandemic accelerated digital adoption and remote work, significantly elevating cybersecurity as a critical, front-of-mind issue globally.
  • Startups must anticipate security feedback from external researchers regardless of whether they actively seek or encourage such interactions.
  • Internal cybersecurity practices established during early startup stages become significantly easier to maintain and scale as the company grows.

INSIGHTS:

  • Integrating security practices early helps prevent costly and difficult retrofitting of cybersecurity measures later on.
  • Viewing cybersecurity as an inherent part of business risk management removes stigma and encourages practical solutions.
  • Security differentiation in a startup can create significant competitive advantage and positively influence market perception.
  • Instilling security awareness as a positive cultural value company-wide is more effective than isolated training for engineers.
  • Incremental and realistic adoption of compliance standards allows startups to manage security expectations without sacrificing agility.
  • Proactive and positive engagement with ethical hackers provides valuable external security validation and strengthens organizational resilience.
  • Automating cybersecurity basics such as updates and authentication systems dramatically reduces human error and organizational risk.
  • Security budgeting must be intentional, aligned with business objectives, and viewed as a strategic investment rather than cost.
  • Encouraging productive paranoia across departments ensures security awareness permeates all layers of the organization effectively.
  • Positive reinforcement and gamification of security habits lead to better employee engagement and sustainable security practices.

QUOTES:

  • "Teach your business to wash its hands while it's still young."
  • "Make secure easy and insecure obvious." – Diego Moneka (quoted by Casey Ellis)
  • "Security is inherently difficult; it's easier to pass through a hole than unlock a door."
  • "Instill productive paranoia in your entire team, security is not just an engineering problem."
  • "Cybersecurity is becoming a differentiator, not just a responsibility."
  • "Be ready for security feedback from the internet, whether you're asking for it or not."
  • "Security awareness is often a part of compliance; checkbox security doesn't cut it."
  • "Security becomes a lot easier if you start when you're small."
  • "Don't refer to it as a breach until it's absolutely confirmed that it is a breach."
  • "Cybersecurity is just one of those risks; the less scary it becomes, the more practical it is."
  • "Implementing two-factor authentication early significantly reduces vulnerabilities."
  • "Outsource security functions that aren't core to your intellectual property."
  • "Positive reinforcement works better than punishments for encouraging security awareness."
  • "Budgeting for security must be thoughtful and proactive, not just an arbitrary percentage."
  • "Every user is different; some are good at security, others frankly terrible—that's just humans."
  • "Chromebooks or cut-down devices for sales teams reduce security incidents significantly."
  • "Security is part of overall risk management; less spooky, more practical."
  • "Compliance standards should be incrementally adopted, not tackled entirely at once."
  • "Gamifying security internally can be fun and highly effective if done without shaming people."
  • "Productive paranoia creates a culture that values security across the organization."

HABITS:

  • Implementing two-factor authentication universally within the organization early on ensures security from the start.
  • Avoiding password reuse by using enterprise password managers like 1Password, Keeper, or LastPass boosts security.
  • Automating software updates to eliminate reliance on human action significantly reduces vulnerabilities and security risk.
  • Assigning two primary owners for key service accounts to avoid single points of failure and oversight issues.
  • Gamifying security awareness internally, using humor and positivity to reinforce good security habits among employees.
  • Using simplified or secure-by-design devices like Chromebooks for non-technical departments reduces overall security risks.
  • Actively creating channels for external security researchers to report vulnerabilities through bug bounty or disclosure programs.
  • Proactively budgeting for security as an intentional strategic investment, rather than an afterthought percentage of spending.
  • Encouraging a culture of productive paranoia across all departments, not limiting security awareness to technical teams alone.
  • Implementing incremental compliance measures, addressing relevant security standards progressively rather than attempting immediate full compliance.
  • Calmly assessing security incidents based on facts without prematurely labeling them breaches to avoid unnecessary regulatory complications.
  • Rewarding employees for proactively identifying and reporting suspicious security activities to encourage continuous security vigilance.
  • Instilling early-stage security practices to build habits that scale effectively as the startup grows in size.
  • Outsourcing non-core security functions and infrastructure to expert platforms to maintain focus on core business intellectual property.
  • Regularly reviewing and updating internal security processes and habits as the startup expands and evolves over time.

FACTS:

  • Bugcrowd has paid over $40 million to ethical hackers for responsibly reporting vulnerabilities through bug bounty programs.
  • Reused passwords are one of the most common and easily exploited vulnerabilities causing security breaches in organizations.
  • Two-factor authentication has become increasingly standard and expected for securing critical accounts like email and finance.
  • The COVID-19 pandemic accelerated digital adoption and remote work, dramatically elevating the global importance of cybersecurity.
  • Ethical hackers and security researchers proactively seek and report vulnerabilities even without explicit invitations from organizations.
  • GDPR and CCPA compliance standards have significantly raised security expectations and requirements for startups selling globally.
  • Companies prematurely labeling security incidents as breaches may inadvertently trigger regulatory actions and unintended legal consequences.
  • Security awareness training often forms part of compliance standards but can be superficial without internalization of security values.
  • Chromebooks and similar simplified devices significantly reduce security risks compared to traditional, full-access employee laptops.
  • Security incidents handled calmly and transparently by companies tend to preserve user trust and minimize reputational damage.

ONE-SENTENCE TAKEAWAY:

Integrate practical cybersecurity measures early in your startup to prevent future vulnerabilities and create competitive differentiation.

RECOMMENDATIONS:

  • Implement two-factor authentication across all critical startup accounts immediately to significantly reduce future security incidents.
  • Use enterprise password managers early to prevent password reuse and reduce common startup cybersecurity vulnerabilities.
  • Automate software and device updates to minimize security risks associated with outdated or vulnerable software versions.
  • Establish multiple account owners for critical services to prevent single points of failure and security oversight.
  • Instill productive paranoia in all teams, ensuring cybersecurity is not perceived as solely an engineering issue.
  • Use simplified devices like Chromebooks for non-technical teams to significantly reduce the likelihood of cybersecurity incidents.