Add cybersecurity to your value proposition and protect your company from cyberattacks
Cybersecurity is now a requirement for every company in the world regardless of size or industry. Start-Up Secure: Baking Cybersecurity into Your Company from Founding to Exit covers everything a founder, entrepreneur and venture capitalist should know when building a secure company in today’s world. It takes you step-by-step through the cybersecurity moves you need to make at every stage, from landing your first round of funding through to a successful exit. The book describes how to include security and privacy from the start and build a cyber resilient company. You'll learn the basic cybersecurity concepts every founder needs to know, and you'll see how baking in security drives the value proposition for your startup’s target market. This book will also show you how to scale cybersecurity within your organization, even if you aren’t an expert!
Cybersecurity as a whole can be overwhelming for startup founders. Start-Up Secure breaks down the essentials so you can determine what is right for your start-up and your customers. You’ll learn techniques, tools, and strategies that will ensure data security for yourself, your customers, your funders, and your employees. Pick and choose the suggestions that make the most sense for your situation—based on the solid information in this book.
- Get primed on the basic cybersecurity concepts every founder needs to know
- Learn how to use cybersecurity know-how to add to your value proposition
- Ensure that your company stays secure through all its phases, and scale cybersecurity wisely as your business grows
- Make a clean and successful exit with the peace of mind that comes with knowing your company's data is fully secure
Start-Up Secure is the go-to source on cybersecurity for start-up entrepreneurs, leaders, and individual contributors who need to select the right frameworks and standards at every phase of the entrepreneurial journey.
Table of Contents:
Foreword xv
Preface xvii
Acknowledgments xxi
About the Author xxv
Introduction 1
Part I Fundamentals
Chapter 1: Minimum Security Investment for Maximum Risk Reduction 7
Communicating Your Cybersecurity 9
Email Security 10
Secure Your Credentials 12
SAAS Can Be Secure 14
Patching 15
Antivirus is Still Necessary but Goes by a Different Name 18
Mobile Devices 18
Summary 20
Action Plan 20
Notes 21
Chapter 2: Cybersecurity Strategy and Roadmap Development 23
What Type of Business is This? 24
What Types of Customers Will We Sell To? 24
What Types of Information Will the Business Consume? 25
What Types of Information Will the Business Create? 25
Where Geographically Will Business Be Conducted? 26
Building the Roadmap 26
Opening Statement 26
Stakeholders 27
Tactics 27
Measurability 27
Case Study 28
Summary 30
Action Plan 30
Note 30
Chapter 3: Secure Your Credentials 31
Password Managers 32
Passphrase 33
Multi-Factor Authentication 35
Entitlements 37
Key Management 38
Case Study 39
Summary 41
Action Plan 42
Notes 42
Chapter 4: Endpoint Protection 43
Vendors 44
Selecting an EDR 45
Managed Detection and Response 46
Case Study 49
Summary 50
Action Plan 51
Notes 51
Chapter 5: Your Office Network 53
Your First Office Space 54
Co-Working Spaces 57
Virtual Private Network 58
Summary 60
Action Plan 60
Notes 60
Chapter 6: Your Product in the Cloud 63
Secure Your Cloud Provider Accounts 65
Protect Your Workloads 66
Patching 67
Endpoint Protection 68
Secure Your Containers 69
Summary 70
Action Plan 70
Notes 71
Chapter 7: Information Technology 73
Asset Management 74
Identity and Access Management 76
Summary 77
Action Plan 78
Part II Growing the Team
Chapter 8: Hiring, Outsourcing, or Hybrid 81
Catalysts to Hiring 82
Get the First Hire Right 83
Executive versus Individual Contributor 84
Recruiting 86
Job Descriptions 86
Interviewing 88
First 90 Days is a Myth 90
Summary 90
Action Plan 90
Note 91
Part III Maturation
Chapter 9: Compliance 95
Master Service Agreements, Terms and Conditions, Oh My 96
Patch and Vulnerability Management 97
Antivirus 98
Auditing 98
Incident Response 99
Policies and Controls 100
Change Management 100
Encryption 101
Data Loss Prevention 101
Data Processing Agreement 102
Summary 102
Action Plan 103
Note 103
Chapter 10: Industry and Government Standards and Regulations 105
Open Source 106
OWASP 106
Center for Internet Security 20 106
United States Public 106
SOC 106
Retail 109
PCI DSS 109
SOX 111
Energy, Oil, and Gas 111
NERC CIP 111
ISA-62443-3-3 (99.03.03)-2013 112
Federal Energy Regulatory Commission 112
Department of Energy Cybersecurity Framework 112
Health 113
HIPAA 113
HITECH 114
HITRUST 114
Financial 114
FFIEC 114
FINRA 115
NCUA 115
Education 115
FERPA 115
International 116
International Organization for Standardization (ISO) 116
UL 2900 117
GDPR 117
Privacy Shield 118
UK Cyber Essentials 118
United States Federal and State Government 118
NIST 119
NISPOM 120
DFARS PGI 120
FedRAMP 120
FISMA 122
NYCRR 500 122
CCPA 122
Summary 123
Action Plan 123
Notes 124
Chapter 11: Communicating Your Cybersecurity Posture and Maturity to Customers 127
Certifications and Audits 128
Questionnaires 129
Shared Assessments 129
Cloud Security Alliance 130
Vendor Security Alliance 130
Sharing Data with Your Customer 131
Case Study 133
Summary 135
Action Plan 136
Notes 136
Chapter 12: When the Breach Happens 137
Cyber Insurance 138
Incident Response Retainers 139
The Incident 140
Tabletop Exercises 141
Summary 142
Action Plan 142
Note 142
Chapter 13: Secure Development 143
Frameworks 144
BSIMM 144
OpenSAMM 145
CMMI 145
Microsoft SDL 147
Pre-Commit 147
Integrated Development Environment 148
Commit 148
Build 149
Penetration Testing 149
Summary 150
Action Plan 150
Notes 151
Chapter 14: Third-Party Risk 153
Terms and Conditions 154
Should I Review This Vendor? 154
What to Ask and Look For 155
Verify DMARC Settings 156
Check TLS Certificates 157
Check the Security Headers of the Website 157
Summary 158
Action Plan 158
Note 159
Chapter 15: Bringing It All Together 161
Glossary 167
Index 181
About the Author :
CHRIS CASTALDO is the Chief Information Security Officer at Crossbeam, the world’s first and most powerful partner ecosystem platform. Crossbeam acts as a data escrow service that finds overlapping customers and prospects with your partners while keeping the rest of your data private and secure. Chris is also a Visiting Fellow at the National Security Institute at George Mason University’s Antonin Scalia Law School. He previously held cybersecurity executive roles at Dataminr, 2U, IronNet Cybersecurity, Synchronoss, and the National Security Agency. He is a U.S. Army and Operation Iraqi Freedom veteran.
