#Cybersecurity #EarlyStageStartups #SaaSFounders
Hey fellow builders! 👋 When does cybersecurity become important to you when developing products for early-stage tech startups? As a product manager focusing on cybersecurity platforms, I’ve seen a range of opinions on this.
After scrolling through Reddit, I’ve noticed that many startups tend to overlook cybersecurity for reasons like being small and “under the radar,” cost concerns, or simply being too busy with growth to prioritize it. However, compliance requirements in regions like the EU are pushing founders towards implementing security measures.
So, to all SaaS founders handling sensitive customer data:
#### When do you believe is the ideal time to start thinking about integrating security measures into your products?
Here’s a possible solution I’ve come up with to help startups ease into cybersecurity:
– Offer discounted security packages for early-stage companies
– Provide informative content on quick and cost-effective security measures
– Collaborate with cybersecurity experts for guidance and assistance
I’m eager to learn from your experiences! Share your thoughts on when cybersecurity becomes crucial for your startup. 💬
Looking forward to hearing your insights! ✨
Cheers,
Art
I am also building a cybersecurity platform and the initial plan was to target startups. We quickly gave up on that plan once we realized a couple of things:
* It’s typically not something they care about, especially early on
* They have way more important things to tackle (or what they perceive to be more important)
* They don’t have money. And that includes startups that have already raised a round or two.
You and I both know they should give it at least *some* priority, but after talking with hundreds of prospects, the sad truth is that they don’t.
the first time you get hacked lol
Honestly? It’s the messaging that’s missed. I’ve been doing cyber for a looong time and have been analyst to iCISO in that time. Which I mention to say, is the data that informs my perspective.
For example – in CritInfra, a specialist subset of cyber that deals exclusively with protecting the grid, water, etc., there is a guiding best practice of Secure-by-Design. The systems these orgs use are designed securely, from the ground up (or are supposed to be). The ones that fail in crisis are evident but also usually anticipated. A luxury afforded by proactively designing systems securely.
The messaging missed with SaaS startups is similar in that they seem to assume they will arrive at security as a late-stage compliance need rather than an early-stage product requirement. Rather than building secure code, by default, with proper DSO – they ship MVPs to drive early revs.
Now, that’s a fair trade-off depending on perspective but I offer this argument:
Your value capture is directly related to your proximity to potential client and user data. That data is also your future income stream. If you intend on closing that proximity gap strategically, you have to be aware of the risks that are presented to your firm by the correlated increase in proximity to sensitive data custodianship.
Edit: so security starts now
Happy to chat more on this, hit me up.
Target specific industries and use the compliance angle. I’m in Fintech and we’ve had cyber security from very early on because if we touch anything to do with money no one will take you seriously at any stage if you don’t have this in place. Any industry that handles sensitive data will likely be interested much earlier (if they are in any way competent).
When I heard about a dating app that got hacked and hackers asked for payment to delete the data.. but in the end they revealed the chats, profiles.. all the data stripped naked in front of the public.
And the surprising thing was 85% of the users were male.
Dumb question but when SHOULD we be thinking about it? Obviously this is a very important topic but if I plan to use cloud-based services such as AWS, do I really need to think about cyber security?
My assumption is no (apart from being knowledgeable about what is being used by AWS).
Am I missing something?
As someone who’s already had one successful exit, I’ll tell you when you *should* think of cybersecurity. From the beginning, if you’re a tech-based startup.
There are three main reasons for this:
1. If you sell to Enterprise customers, they’re going to be sending you big, ridiculous questionnaires asking about privacy and security.
2. When you buy insurance, you can anticipate either being denied coverage or having to pay extremely high premiums.
3. During M&A: Not having your security in order will, at best, cause massive headaches during Due Diligence or, at worst, cause the other side to walk away.
Security, like Privacy and Accessibility, is waaaaay easier to deal with in the very earliest phases of your product.
It’s scary that lots of startups and SaaS makers have so little care about data security.
They will share my emails with some cheapest auth SaaS.
Public VPS with data on the same instance as SQLite file.
Public RDS endpoint.
API dumping all data from tables to JSON.
No segregation of dev and prod API keys for third parties like OpenAI.
They start caring about it when they incur financial loss due to lack of security. Until then, they’ll be like “So what? I gotta find more users to boost sales than caring about such petty issues”
We’re a “cyber adjacent” start-up, providing a service that pairs well with more typical cyber offerings. In our area, I’d say the awareness is quite high.
However, we won’t be targeting start-ups per se. Could be organizations of varying sizes.
You think about it when it starts impacting sales. Vanta capitalized on that need very well.
There’s a crossover point where it starts to become a competitive advantage. Work in consulting and advising startups is interesting because you don’t want to hamstring them on compliance and security whilst peers are running away with development. So it’s case by case really, but at the start it’s not really worth focusing on.