
Startups Should Do Things That Don't Scale, but Security Isn't One of Them

Emerging businesses that don't embrace scalable security do so at their own peril.

One piece of advice that fledgling startup founders often hear from successful entrepreneurs is to "do things that don't scale," an idea popularized by Paul Graham of Y Combinator. At first, it might seem confusing to recommend ignoring scalability, since any business process that isn't scalable becomes exponentially more burdensome as the business grows.

But focusing on scalability means deprioritizing the type of "above and beyond" efforts that help catapult startups into solvency — like relationships with a startup's first and most crucial customers. These will usually be won only with dedicated, personalized, and all-hours service that is anything but scalable.

However, there is one area where startups need to scale from the get-go: security. Emerging businesses that do not embrace scalable security do so at their own peril. Thankfully, building scalable security practices requires far less investment and effort than it once did.

Why Startups Need Scalable Security
Startups are especially attractive targets to hackers due to a combination of limited resources and the proliferation of business models that revolve around collecting customer data. In fact, research shows over 67% of companies with under 1,000 workers have experienced a cyberattack, and 59% were successfully breached.

Investing in scalable security is a startup's best hope of defending against an attack that statistics say it should expect. Lack of scalability in security detracts from efficiency and opens gaps in a startup's networks. It forces IT to preoccupy itself with the endless application of security to new resources and users rather than with optimizing or monitoring. In these cases, companies are often too busy working in the trenches to notice they've been hacked until it's far too late.

It's not all bad news, however. Security is no longer a zero-sum game. It has been commoditized into various products in recent years, allowing young companies to balance its risks and rewards by scaling in pieces that won't become obsolete or demand too much attention from IT.

Thinking Scalably About Security
Security processes like encryption, firewalls, and authorized access once required hardware and lots of work to operate at scale. They can now be easily integrated and extended across growing companies on demand through the cloud, but it's important to adopt security tools at a manageable pace while making sure they do not clash or require too much effort from IT.

One excellent way to strike this balance is to assess existing threats at milestones of growth, continually discussing the trade-offs between adopting or not adopting new security technologies. For a small business that sees every threat as an existential one, this can mean identifying its breakeven point on a sliding scale of risk and then, based on relevant factors, deciding which security solutions should be integrated next.

If your company has fewer than 10 people, for instance, it's worthwhile to adopt two-factor authentication and a cloud provider that will batten down the hatches on your resources to the point where hackers won't take interest. Once you're up to 20 employees, you likely have enough value to justify a permanent security hire and the firewall-as-a-service traffic monitoring solution they'll be responsible for. Past 50 employees? You might want to consider network segmentation and granular access rule management.

New Ideas Remove Barriers to Scalability
New practices, like zero trust, have gained traction over the past few years, as they provide a clear path toward singular, persistent models for scalability.

Zero trust is the idea that no user can be entirely trusted within your network. It uses widely available yet relatively new technology to help companies craft and automatically assign access policies based on user identifiers. Even young startups can piece together this type of long-lasting, scalable security foundation without many tools.

Scalable security was once a resource- and time-intensive process for startups and small businesses — all but unattainable. As security tools have evolved and new methodologies, like zero trust, have come to the forefront, startups are gaining access to technology and processes that can quickly and easily grow with them. With that in mind, startups might want to build one thing that does scale: their security.
