The self-licking ice cream cone of misery for security and risk pros starts with startups

Why emerging companies have little concern for security, privacy, and regulations -- and why that's an issue.
Written by Chase Cunningham, Contributor, and Forrester Research, Contributor


Over the past few weeks, I both attended the annual shenanigan bonanza that is RSA and was invited to sit on a "Shark Tank" panel for emerging technology startups in Miami.


In the span of two weeks, I went from seeing big, well-established companies with massive marketing budgets and millions of dollars for R&D to the other end of the spectrum: folks pitching their "technology" -- or a good PowerPoint leading up to a real technology -- and scrambling to pay bills while pushing their dreams forward on a wing and a prayer.

Without a doubt, it was an honor to be invited to see these pitches and offer what little insight I have gained in the industry to those dreamers who see a problem they think they can solve and possibly get rich while doing it. As a former failed startup entrepreneur myself, I still have scars and nightmares from those days. Equally, I consider myself lucky to interact with the titans of cybersecurity at RSA and discuss the items and trends that are driving a worldwide market. What struck me was the giant gap between these two kinds of companies in how much security is discussed and considered at all.

Conversations at RSA ranged anywhere from how to go to market and leverage the Zero Trust concept to discussions on global threat vectors and microsegmentation to improve network security. Usually, those discussions were deeply technical and pointed toward trying to solve a problem on a global scale.

While that was the case at RSA, it was not even a point that came up during the discussions I had at the startup event. Those discussions went about like this:

"I like your pitch, and your technology certainly can be useful for enabling GPS location tracking of dog poo." (You get the idea; not sure how many "innovations" there are left in food delivery...) "But have you considered how your system will implement security? You said during your pitch you are using APIs and data to track user locations and better enhance your targeting. Are you aware that there are privacy concerns and data security needs for those scenarios?"

"Uh, we are considering security. We have that on our timeline."

"So you aren't focused on security or really enabling privacy, but you are using data all you like?"

"Uh, well not exactly. We value our users' privacy and we will be secure."

"OK, super. But how? What are you doing to enable those things? It sounds to me like security is an afterthought."

"Umm..." (Looks to other team members in hoodies.)

"So, just to be clear, you want to run your app, collect data, interface with established networks, and code via API, and you have no plan for how security is part of this whole thing? You're essentially becoming the avenue of compromise for your users and whatever networks you touch. Does that concern you?"

"Sure, yes, absolutely."

"OK, good. So what do you plan to do about it?"


"You said you plan on being worldwide. Do you know about GDPR?"

"What's that?"

"OK, got it. Let's chat afterward. I would love to offer you some guidance on this."

It sounds like a joke, but there were 130 startups at the event. I made it a point to ask every third team about security, privacy, and GDPR. I had five responses that I would say were even in the ballpark of security; only two even knew about GDPR. Seriously, only two! Most of them thought it was an acronym for a protocol that they would "ask their devs about."

After being at those two events and seeing all this take place, I think this identifies a continual problem. Those young companies are moving at the speed of development and have little if any concern for security, privacy, or regulations, because they see them as something they can bolt on afterward. Or, in many cases, they see them as "a barrier to onboarding users." Those same startups might become successful and grow, but when they connect to established networks, they may be the point of failure in those infrastructures. Or, if they get acquired by bigger companies, they will be absorbed into the Borg anyway. And so it goes on. This is the self-licking ice cream cone of failure that is enabling continual failures in the security space. I think it's interesting to see security failure at a product's inception and compare it with an industry focused on solving a problem introduced by the startups who are working their way into the market.


Security has to start at the ground level and can't be seen as a barrier to growth. As long as that's the perception, the reality of failure will continue to propagate.
