For David Cowan, the tipping point was a cyberattack from Anonymous.
Cowan, a venture capitalist at Bessemer Venture Partners, had spent years asking startup founders what they planned to do if hackers targeted their business. Often, the founders on the other side of the boardroom would shrug and say, “We don’t hold any personal information, so they don’t need to come after us.”
That changed, Cowan said, after the email marketing company SendGrid was hit in 2013 with a denial-of-service attack that ultimately may have caused some of the young company’s clients to walk away. Attackers struck roughly 14 months after Bessemer had led a $21 million funding round for the company.
The attack occurred after an employee, Adria Richards, publicly complained that a developer from the gaming company Playhaven made sexual remarks in the audience at the 2013 PyCon tech conference. Playhaven fired the employee, infuriating an online mob that sent Richards death threats. Anonymous got involved too, launching a denial-of-service attack that overwhelmed SendGrid’s servers with so much web traffic they could not function.
SendGrid clients quickly noticed the company couldn’t send emails on time and, while the startup survived, it lost some of its business, Cowan said. In a statement, a SendGrid spokeswoman said it was impossible to determine “if customers that churned in our normal range were terminating because of the [attack], but we did not incur any churn that was outside our normal rate.”
As a result of that incident and others like it, Cowan spent months asking security leaders at established companies what they wished they knew in startup mode. Bessemer published the resulting research in 2015 as advice to smaller companies.
“I could tell you 30 stories like that,” Cowan said. “Some companies went away as a result of a breach and others survived, but it was difficult. It’s just one of many incidents that caused us to understand that these startups just weren’t taking it seriously.”
Now, Cowan asks startup founders to skip canned speeches about their plan to quickly install security updates and avoid ransomware. Instead, he asks them to plan for a day when hackers bring their small company to its knees.
“I ask them, ‘If someone publishes emails from your CEO spouting racist views, would you survive?’ Or, if it’s a dating app, ‘What are you going to do if hackers break in and publish all the addresses for your female users?’”
“If you’re not asking yourself that, you’re just killing time until you’re dead,” he said.
No security, no deal
Small Silicon Valley players now say they are considering security in ways that once-darling startups like Facebook and Uber, which last year said it would pay states $148 million to settle data breach suits, did not.
That’s mostly because of pressure from investors like Cowan and demands from corporate heavyweights that understand entering a new partnership means introducing new risks. After all, 59 percent of companies say they were breached because of a third party, with 42 percent saying that event had occurred within the last year, according to a November 2018 Ponemon Institute survey.
“Often with startups the whole point is to go fast because if you make a mistake you can quickly fix it,” said David Hannigan, head of information security at Spotify. “But you might have a bunch of teams all going really fast, and they’re empowered to make their own decisions about whether or not to fix a small security risk. And it might be a small risk for each of them. But if other groups are also doing that, those risks could combine into a larger issue.”
Firms now are moving to coordinate those efforts sooner.
Some technology startups look to hire a CISO in early fundraising stages, perhaps as early as Series B, rather than taking the traditional approach of bringing on a security boss around their initial public offering of stock, said Austin Krissoff, a CISO practice leader at the executive search firm True Search.
The shift is motivated at least in part by self-interest, as startups pursue business deals with corporations that ask tougher questions about whether their data is safe. Failure to answer the right questions with confidence, or to quickly remedy any problems, could result in both sides walking away from the negotiating table.
When the startup analytics company Spire Global launched in 2012, it was immediately clear that if the firm wanted to survive, it would need to secure its data.
The San Francisco-based startup has launched dozens of bottle-sized satellites into low Earth orbit since 2014, using radio occultation antennas to track what’s happening on the planet below. Spire uses the technology to monitor everything from weather conditions on behalf of the National Oceanic and Atmospheric Administration to the movement of container ships for clients who might have a financial stake in exactly when an asset arrives in port after a journey across the ocean.
“Commodities traders will trade on just about anything,” said Nick Allain, Spire’s head of brand. “If they find out an oil company is letting 20 or 30 tankers sit out in the middle of the bay they know something is up. … We do get a lot of customer inquiries in that space, but they don’t want people to know they have our data.”
Spire last month announced a partnership with the European Space Agency to gather weather data that could be worth as much as $2.7 billion over the next 25 years, the company told CNBC. Such deals, along with funding from Bessemer Venture Partners, have made it especially important for Spire to limit risk, and demonstrate it protects its data.
“The data that comes from our satellites is encrypted the whole way down,” Allain said. “It doesn’t get decrypted until the user pulls it out of our database from the cloud.”
Investment in security has grown as Spire’s business has grown. The company uses its own API to send data to clients, protecting that data with a rotating set of cryptographic keys to access sensitive information. Meanwhile many of the startup’s recent hires come with experience from industries where they’re used to dealing with hackers, such as financial software, Allain said.
“It’s built into our DNA to make sure things are secure,” he said.
Early hires sit at the negotiating table
Cloud-monitoring company SignalFx hired Marzena Fuller as chief security officer early last year, before closing its Series D funding round. The company had fewer than 200 employees at the time.
Fuller’s responsibilities include forming SignalFx’s cybersecurity program while considering the 5-year-old company’s go-to-market strategy. Startups that intend to sell to mid-market companies will approach security differently than firms hoping to work with Fortune 500 corporations, or the government. Clarifying that approach sooner can help companies grow faster, she said.
It’s part of a broader realization that effective security leaders no longer lead “the department of no,” and should be integrated into the larger business, said Hannigan, of Spotify.
Security bosses also are accountable to the bottom line, he said, meaning it’s up to engineers to figure out how to protect information without getting in the way of business strategies. But it remains challenging for many companies to know exactly when the right time is to invest in security staff or technologies that will cost money rather than make it.
“That’s still hard,” he said. “It seems like a simple question, but it’s about knowing when this thing you’re doing, whether it’s selling something or building profiles on people, is actually valuable to other people. Not when you do it for 1,000 customers, probably, but if it’s 1 million, then yes.”
At SignalFx, part of Fuller’s role also includes participating in sales calls with other businesses to address any concerns that working with SignalFx means opening a channel to hackers. Conversations traditionally have involved SignalFx’s approach to authentication and other issues concerning the company’s overall architecture. But those calls have become more nuanced thanks to a steady flow of headlines about major data breaches.
“They definitely become more detailed,” she said. “Questions start at a higher level and from there it can become a deep dive about encryption and key management or cloud security practices.”
In the face of tougher questions, startups also are trying to remain competitive with their peers, according to Gene Zafrin, head of information security at the insurance company Oscar. Oscar’s security team asks would-be partners roughly 120 questions about topics ranging from whether the firm has its own CISO to whether data is encrypted at rest.
“I have had instances where we assess the environment and we say, ‘We expect you to uplift some of your security controls,’ and they do,” Zafrin said. “Some of that is doing periodic vulnerability scans… in other instances we discovered the processes our companies used to distribute information did not use encryption.”
Oscar intends to expand its own security team from six employees to at least 13 as the six-year-old firm experiments with a new way of assigning security responsibilities. Zafrin’s plan involves assigning each security employee to their own vertical, such as application security, infrastructure security, or access management, and charging that staffer with leading Oscar’s approach to the issue.
“We still haven’t finalized the positions yet but, in principle, we’re building a team of people who take ownership,” he said, adding that Oscar is recruiting employees with an engineering background. “We’re never going to be a 100 or 1,000-person security team, so every one of us needs to be hands on.”
UPDATE, 01/28/19, 5:53 p.m., EDT: This story has been updated to include a statement from a SendGrid spokeswoman, and to clarify in more detail when a cyberattack against the company occurred.