So, you’re a quickly growing startup. One of the last things you want to be thinking about is security and compliance. You want to focus on what really matters – moving your business forward. As a small business ourselves, at Rhymetec, we understand that completely.
But maybe you recently suffered a breach, or maybe a potential client asked you for a security questionnaire, and you realized completing one on the spot was probably not going to cut it.
In any case, you’ve decided to enter the extremely interesting world of security and compliance for startups. We’re going to cover the different types of cybersecurity firms that work with startups, which types of consulting engagements make the most sense for startups, and how to wade through the noise and pick a firm that will act as a partner.
Compliance For Startups: The Maze of Acronyms & Types of Engagements
If you’re just getting into looking for a cybersecurity firm that works with startups, be warned in advance – you are going to run into a lot of acronyms. Below are some of the most common acronyms and what they mean:
AV – Anti-virus software that is used on a computer (which is also often referred to as an endpoint because why not complicate everything).
SOC – Security Operations Center, which handles day-to-day alerts aggregated by the SIEM and other systems.
EDR – Endpoint detection and response software that is deployed to an endpoint (since we might as well use a term that acts as both a monitoring tool to detect malicious software and also as a mechanism to contain the device or respond to potential incidents).
SIEM – Security information and event management software that serves as the brain of a security operation, pulling in logs and data from dozens of different systems to act as a single source of truth for a security program.
ISO 27001 – An international standard for information security management systems (ISMS) that provides a framework for managing and securing sensitive information. It focuses on risk management and data protection.
GDPR – Europe’s General Data Protection Regulation, enacted in 2016. GDPR requires organizations to safeguard EU consumer data and build governance processes that enable the correct handling of EU citizen data.
SOC 2 – System and Organization Controls 2. A voluntary compliance framework that demonstrates to potential customers that your organization has a security program with standard security controls in place.
HIPAA – The U.S. Health Insurance Portability and Accountability Act. A data privacy law relating to healthcare that also includes a “Security Rule” requiring organizations to take predefined steps to secure patient data.
CISO – The Chief Information Security Officer is the individual responsible for the security of the organization.
vCISO – A virtual Chief Information Security Officer is an outsourced CISO as a service option. This individual (or team) provides strategic security leadership, risk management, and compliance guidance and implementation without the need for a full-time, in-house executive. This option can be ideal for startups and SMBs who may not need to make a full-time hire for this role. vCISO pricing can vary widely depending on the scope of work and level of assistance you need.
MSSP – A Managed Security Services Provider is a company that provides outsourced compliance and security services, such as threat monitoring, incident response, vulnerability management, and more, to protect clients’ digital assets.
Some of these terms may be extremely relevant to you, depending on what has sparked your interest in exploring compliance for your startup. Let’s take an example:
The Need To Build Security Into The Foundation of Your Business
Imagine your organization has just been the victim of a significant ransomware attack. Many of your sensitive files are now published on a ransomware site, creating enormous disruption to your business.
Many companies that find themselves in this situation panic and immediately engage the first MSSP they can find to help them recover. This happens because many organizations take a siloed view of information security.
If you are the victim of a breach, you may think you need to work with one firm. If you need compliance, you might think you need to work with a different firm, and you may also think it’s only worth seeking out the right firm when there’s an issue.
This mindset could not be further from the truth. A good security firm will help with building a program that effectively addresses compliance, governance, technical controls, and incident response in a way that minimizes friction and effectively leverages people, processes, and technology to holistically reduce both the risk of security incidents and the risk of compliance violations.
Choosing the Right Compliance Firm For Your Startup: What Are Common Red Flags To Watch Out For?
Let’s start by talking about what to look out for (and be wary of) when evaluating different potential service providers for your organization to work with:
Organizations that promise 100% risk reduction or similar vague and aspirational promises. Unfortunately, we live in a world where 100% security is not possible. These vendors are likely selling snake oil.
Service providers that start by trying to sell you something rather than understanding your needs. Security is a process and needs customization for the end client.
Consultants who have you only speaking to sales without talking directly to the practitioners (like a vCISO) who are doing the work. Good salespeople can be extraordinarily helpful in coordinating engagements but shouldn’t take the place of security expertise if you have more technical questions or concerns.
Organizations that plan all communication through email and don’t set up regular engagements with you (the customers). Security should be a continuously integrated part of your business. An email a month from your “security team” won’t cut it.
Firms that cap hours. MSSPs that set strict hour limits can leave your business vulnerable if issues arise outside of the allotted time. Security needs don’t follow a clock, and your provider should be able to respond effectively without arbitrary limitations.
Firms that outsource their services. Some MSSPs may outsource critical functions to third parties, leading to potential inconsistencies in quality and responsiveness. Your security provider should have a clear, direct line of accountability for all services they offer.
Be sure to ask if they outsource any services overseas in particular, and if so, where. Outsourcing overseas can impact a vendor’s control and oversight, and certain locations may have different regulations and standards around security.
5 Green Flags To Look For In Firms Providing Security & Compliance Services For Startups
Now, what types of characteristics should you look for in a firm that will help your organization succeed?
Geographically Local Talent
There are incredible security professionals all over the world. However, organizations have dramatically different risk profiles based on their local geography and regulatory environments. A healthcare practice in Italy has an entirely different set of laws and regulations than a medical clinic in New York. Choosing a security provider that has staff and experience in your country helps streamline the process and avoid miscommunication and knowledge gaps that may occur by trying to outsource the work.
Strong Communication
A reputable security services firm should be willing to join a Slack channel with you or establish another near-instant way to communicate directly between security practitioners and corporate staff. Effective communication is absolutely critical to building a great cybersecurity program.
Experience Across Compliance For Startups And Cyber Risk Reduction
Many people view cybersecurity compliance as a tradeoff with risk reduction. You can be compliant, or you can run a “serious” security program focused on reducing risk. This is reductive and untrue. Building an information security program that also reduces risk for an organization should be the goal of every security team.
They Ask Good Questions
What business problem are you trying to solve by working with a firm that specializes in compliance for startups?
This is an important question that all firms should be asking their prospects. When a consultant tries to understand the business problems you are trying to solve, it improves their ability to generate positive outcomes from the engagement.
Transparent Pricing
Security programs are complex, and they can be hard to price. These facts are both true, but that doesn’t mean the vendor should put that complexity on you.
Look for a vendor that is willing to provide straightforward, transparent, and honest pricing that makes sense for your organization.
Compliance For Startups: Pricing
So, how do firms price their security offerings? There are a few different methods:
Fixed Price/Project-Based: Using this method, the vendor estimates the work that needs to be done, writes a statement of work (SOW), and quotes a single fixed price for completion of the SOW. This is often the simplest option. In some cases, vendors can split payments into quarterly or monthly installments.
Flat Monthly Recurring Fee: Many vendors charge a flat monthly recurring fee, particularly for ongoing projects such as compliance maintenance, endpoint detection and response, or security operations center monitoring. This provides simplicity to the end client and avoids surprise billing.
Hourly: Many MSSPs and security consulting vendors charge an hourly rate. While hourly can be valuable in some cases, it can also be quite risky and lead to surprise billing and contractual disagreements.
Check out our blog post on vCISO pricing for more information on standard industry fees for security and compliance for startups.
From here, you should have a good idea of what to look for in a firm specializing in compliance for startups and be ready to start assessing vendors. As you select your MSSP or security consultant, it’s important to take the time to thoroughly interview them and pick one that is right for your organization.
About Rhymetec
Our mission is to make cutting-edge cybersecurity available to SaaS companies and startups. We’ve worked with hundreds of companies to provide practical security solutions tailored to their needs, enabling them to be secure and compliant while balancing security with budget. We enable our clients to outsource the complexity of security and focus on what really matters – their business. Contact us today to get started.
Interested in reading more? Check out more content on our blog.