In the Zoom and Zenefits examples both organizations failed to act appropriately, and admitted to deliberately misleading critical stakeholders, including users. Yet, according to Crunchbase, they have raised a combined $700 million in venture funding. This includes significant investments from some of Silicon Valley’s most reputable venture funds. If an appropriate level of due diligence had been conducted by these VC firms prior to the investment being made, or sufficient oversight maintained, surely they would have noticed the lack of planning in the security and compliance programs for these companies? By not placing a sufficient level of importance on the security policies of growing start-ups, VCs are failing to encourage companies to grow responsibly and therefore putting customer data at risk.
To be clear, these are not isolated incidents. I regularly speak to well-funded tech companies about how they can improve their security and risk management programs. When discussing the cost and effort required to build a robust security program, I can understand why it is tempting for startups to focus on areas of growth rather than less visible initiatives such as security. But this short-term approach is a mistake and will eventually catch up with your organization. Although Zenefits and Zoom might be able to ride out and bounce back from these challenges, how many other companies are not so lucky but are simply not large enough for their failure to be publicized? A recent report shows that 43% of cyberattacks are aimed at small businesses and only 14% of them are prepared to defend themselves. And according to the National Cyber Security Alliance, 60% of small and midsize businesses that are hacked go out of business within six months.
From our own customer data, a company’s number one reason to invest in appropriate security and risk management is pressure from a large customer. I have yet to encounter a company building out their security program as a condition of their investment from a VC organization. In fact, we recently spoke to a prospect who shared with us significant security and privacy vulnerabilities even after they had raised millions of dollars but then still managed to get acquired by a national brand company with no recognition of the risk being inherited. So are we naive to expect VCs to add this type of condition to their investments?
I have asked many investors in the past how they ensure their portfolio companies have implemented sufficient security programs. Many do not even ask, and if they do they rely on the company to self-attest. But instead of focusing solely on their mantra of “grow, grow, grow”, in my opinion, it is in their own interests to ensure these companies are operating securely.
This is easier to do today than it has ever been. Tools are available that make it easy to build, operate and showcase security programs, and these tools make independent audits simpler too. VCs simply need to ensure their portfolio companies go through an independent audit, such as a SOC 2. While this process can be expensive, the cost pales in comparison with the millions being invested. I believe VCs should be insisting that some of this funding be used for security and to cover the cost of an audit, to help reduce the likelihood of many of these security incidents. And a by-product of this, I have found, is that companies that invest in security are almost always better run in general, as they are forced to think about the processes that support their operation.
Ostendio has been helping companies for over 7 years with their security needs. During the COVID-19 crisis we are offering free MyVCM Select licenses to new and existing customers to ensure cost is not an impediment to experiencing the benefits of a robust security program during this unprecedented time of change. Reach out to email@example.com to find out more.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.
Schedule a demo
We can schedule a quick overview where we talk through your security and compliance needs and showcase key capabilities of the MyVCM Platform.