Toreon Office | Grotehondstraat 44 1/1 - 2018 Antwerpen | +32 3 369 33 96
Written by Süleyman Yilmaz
In the world of technology companies, growth is a crucial aspect. Whether this growth concerns start-ups taking their first steps or established companies that want to keep innovating: each stage brings its own challenges.
Cybersecurity is one of the most critical aspects of growth in today’s digital world. Ensuring the security of data and systems is vital, regardless of the size or growth stage of a technology company.
Siebe De Roovere, Head of Sales & Marketing at Toreon, chats with Thomas Heyman and Thomas Dejagere.
With a Ph.D. in software security and experience as a CISO (Chief Information Security Officer) at various major organizations, Principal Consultant Thomas Heyman has acquired in-depth expertise in cybersecurity. Senior Consultant Thomas Dejagere is known for the support he provides to start-ups, scale-ups and companies backed by the Flemish Innovation and Enterprise Agency (VLAIO), and is considered an emerging talent in this field.
Product-market fit
The first stage is the ‘product-market fit’, during which smaller companies ask themselves whether their product actually solves the customer’s problem. Since customer trust is crucial to the success of the product, cybersecurity plays a major role in this regard.
Scale stage
The second stage is the scale stage: technology start-ups have already raised some money and landed their first customers. Now, these scale-ups want to grow by attracting new customers and increasing their market share. Gaining trust in the field of cybersecurity becomes a challenging task in this process.
Larger companies
Cybersecurity is not just about start-ups and scale-ups, however. Established companies also face challenges in this area. We investigate what they struggle with and which specific problems they encounter in ensuring the security of their systems and data.
In the first stage, the ‘product-market fit’, we zoom in on start-ups. These are smaller companies that are still defining their first product. If you were the CISO or security expert for these companies, what would you focus on?
You’ve just started, you’re enthusiastic and looking at your own product. And you want to market it as quickly as possible, but in a qualitative way. And sometimes cybersecurity is overlooked, which, of course, isn’t ideal. Especially in times like these, when cybersecurity is a top priority for many stakeholders.
Even though resources are often limited, start-ups can still take the first steps. Everything depends on the market and the customers you have or want to target. But a good way to start is to do a penetration test once the product is developed. This gives you a good overview of the cybersecurity maturity level of your product and you can immediately detect and fix critical or early vulnerabilities.
Carrying out a requirements engineering process is essential, particularly in the first stage, to get a clear picture of what customers expect. Of course, it depends on the segment you want to target, but especially in security-sensitive market segments, such as banks or technology companies that may handle a lot of intellectual property, you have to deal with strict procurement processes. Although you’re in the early stages, that doesn’t mean you shouldn’t have an in-depth understanding of what those expectations will be going forward.
First of all, you must ensure that your infrastructure and devices are properly secured. These basic hygiene measures are an important first step. The endpoints must be properly secured to provide sufficient protection against malware and ransomware.
In terms of product security, this can include measures like penetration testing, especially in the case of products or services that require the customer to add specific data. And it can also relate to security architecture.
When an end customer asks you: “Tell me, what does your product do?” and “What does it look like?”, as a start-up you can immediately tell them what you think the security architecture should look like, inform them of the threat model and the type of threats you anticipate. It increases their trust, as they feel that you know what you’re doing and have at least thought about it, especially in the early stages.
If you don’t have a fully finished product yet, it doesn’t mean you can’t have a completed roadmap. So, even in the first phase of that initial sales call, you can show the IT security requirements that your company needs. This is necessary to gain the trust of your customers.
The principles of the first stage also apply in the second stage. It is important to meet the basic expectations. If you’ve defined them well from the start, they can easily grow with your business. The more proactive you are with security, the easier it is to integrate your project into the business.
But, as a side note, it is important to build maturity gradually. While you can think proactively, not everything has to be ready from the outset.
As for hiring staff, look for security competencies that can help you during the current growth stage from 20-30 team members to a team of 100 people. More than that can lead to overly technical profiles. This puts you ahead of the game. It is difficult to find people internally, especially in the case of a scale-up that is subsidised by VLAIO. VLAIO customers are scale-ups looking to start a cybersecurity project and are eligible for grants. These grants cover about 50% of the costs, making it affordable for them.
A mix of internal development and external support is an ideal scenario.
Toreon’s involvement:
Measuring the maturity level is one of the key recommendations. This is where frameworks such as CIS can be helpful. This assessment can help determine priority areas and identify the steps that need to be taken to improve security.
Risk management is a second recommendation. A thorough analysis of the business processes and risks of the business objectives is carried out to identify the main focus areas. Based on these findings, a targeted approach can be developed to improve security.
A third important recommendation is to work according to international standards, such as the ISO 27001 standard. While achieving ISO 27001 certification is not immediately necessary, it can act as a framework to implement initiatives step by step and gain a competitive edge. An internationally recognised standard also helps build trust with customers.
The final recommendation has to do with the security roadmap, which depends on the available resources. Under resources, not just financial means but also time should be analysed.
What do most entrepreneurs have in common? They are dreamers. Daredevils. Risk-takers.
Do tech entrepreneurs see security as something they have to do? Something that hinders their growth? Or do they see it as an opportunity? Does that depend on the customer?
And do you see differences when customers take a proactive approach to cybersecurity and see it as an opportunity compared to organizations that see it as an obligation?
If you think of it as an obligation, then you’re not getting as much value out of it as you could. It may be a cliché, but if you approach security the right way, it can help accelerate your growth.
Risk management doesn’t mean you can’t take risks. It’s about thinking about how much risk you want to take and who makes those decisions ahead of time. And that fits perfectly with an entrepreneurial mindset.
Defining those things explicitly and making sure everyone is on the same wavelength, including potential investors, will help avoid misunderstandings.
Regardless of the size of a company, managing information security requires constant attention. This applies to all kinds of aspects, such as quality management.
When the right approach is adopted from the start, problems are less likely to arise and then be repeated by different people within the organization.
If, on the other hand, the approach is perceived as something separate, then chances are someone will say at some point: “Why are we doing this anyway? Let’s stop.”
If things are handled in a structured way from the start, this strategy can grow together with the organization. And as a company grows bigger, more mature and more successful, security must be integrated into the corporate culture.
But a large and complex company doesn’t automatically mean it’s getting easier. Quite the opposite, in fact.
It’s important to create a shared understanding, especially when you’re no longer dealing with individuals like John, who has some notion of IT, and Bob, who can develop a little, but an entire IT department and possibly even an international development team or organization. It is all the more important that all those involved understand each other at different levels, so that there is a common view on risk management.
Contact us, our security experts would be happy to assist you.