It is a rare day that you invite a tax inspector into your home to celebrate your success.
Much like our brothers and sisters in government finance, security consultants are rarely engaged to show the world how awesome you are.
Ok. So that’s a lie. Sometimes that’s precisely what my clients want. But as we know what we want and what we need are very rarely the same thing.
Security consultants live in dark places
It’s our job to know the 17 ways the world is broken and why exactly that puts your application, organisation or people at risk. We literally spend all day surrounded by the monsters from the closet. Some of these monsters are even counted as close friends.
Security consultancy for startups is tricky
When you work with an established enterprise they are prepared to deal with bad news. They have lawyers and processes. Hopefully they have budget and best of all its not their first rodeo. They already know much of what you have to say.
In early stage companies however they rarely have any of this.
They build applications and companies based on good ideas, validation and momentum.
They are the dreamers, the builders and the hopeful few.
To them, I am become Death, destroyer of worlds.
Hint, I’m normally the one with the briefcase
Same Same but different
So if you are an early stage company and need to get on with your security journey (or you are a security person who for whatever reason is about to dip your toe into start-up land), here are some things I have learned along the way.
You will find many issues. You can only fight for a few.
Nobody cares if you found 50 problems on your review. Life is complex and most founders know they have missed things and have issues. They don’t have the energy and time to wade through this noise. Pick 3–5 things that could actually save the company from a serious incident or help them recover quickly, then quietly note the rest for later.
They may have no time, energy or money to change the world for security
Vendors are expensive. Consultants are expensive. Time is expensive.
Make their decisions easy and cheap where possible. Help them or get out of their way.
Dealing with a founder != dealing with the board
A board has a legal responsibility to address risk and act when issues are raised. They operate differently to founders. If you don’t understand the difference here… stop and go learn about boards. Sometimes terrifying the board is not the most productive thing you could do.
Yes, you are probably correct in your findings but remember early stage security is more compromise and pragmatism than it is accuracy and formality.
Never hide serious issues from the board, just be mindful that a hosepipe of security findings aimed straight at them will have a pretty serious impact.
They don’t give a rats about your frameworks and standards
They want a human who can empathise not a robot with a certificate and a patronising tone of voice.
Knowing frameworks is important but you are there to facilitate and translate, not dictate and preach a global standard.
They trust you to help them solve problems not just find them
“Your baby is ugly and you should feel bad” might be the easiest report to deliver but its useless to an early stage firm.
Give them options, help them understand and address.
If you can’t do that. Stay home and wait for an enterprise client to call. It’s easier for all involved.