Martin Gibson is a venture partner at Accel. In this article, he explains why tech founders need to make cybersecurity a priority if they want to raise from investors.
As an investor, you’re often asked by early-stage companies how they should get ready to pitch for their next funding round. The obvious answers are in areas most founders already know to focus on: product, market opportunity, people. There is another consideration, however, one that despite its growing importance is still not as widely acknowledged as it should be: cybersecurity.
You don’t need to look far to see how cyber attacks are becoming a routine part of the business landscape. In the last year, major security breaches have caused chaos in organisations from Equifax to Verizon and the UK’s National Health Service. But it’s not just large companies that are under threat. Startups and small companies are the focus of cyber attacks more and more frequently. Research from Symantec found that, while in 2011 just 18% of spear phishing attacks were targeted at small businesses, by 2015 that proportion had risen to 43%.
As companies amass ever-greater pools of customer data, more and more devices become connected, and consumers live a larger proportion of their lives online, the opportunities for hackers and ransomers are proliferating. And it’s smaller companies who increasingly find themselves in the firing line as attackers target organisations they perceive to have less sophisticated cyber defences and cyber policies.
That means for an early-stage business aspiring to raise venture funding, developing your cyber readiness is important, and investors should want to know that you take it seriously.
Prior to Series A, a company should be able to show that they have a security mindset. In other words, they consider security as a key part of product design and early technology choices, plus they are laying the groundwork for a cyber-aware organisation. It’s important at this stage that the CEO sets the tone from the top for the whole organisation, so that cybersecurity is understood as a business-critical issue, rather than one for the tech team only.
At later funding rounds, investors will want to see that you have the infrastructure in place to protect your IP, safeguard your customers’ data, and limit the scope for the financial and reputational damage a cyber attack can bring. As the cyber threat grows and diversifies, startups need to balance being focused on the nature of what they are building and for whom with greater care towards protecting what they have built.
There are some clear steps a startup can take to strike the right balance:
Make cyber a company-wide issue
Having set the tone pre-Series A on cybersecurity, the CEO must continue to lead from board level to ensure it remains a company-wide issue. Information security needs to be understood and embraced by everyone, from non-executives to temporary staff. That applies as much to board members, whose data security can be harder to manage, as it does to the full-time staff.
Not every cyber attack can be prevented, or relates to security breaches caused by human error. But prevention is nine tenths of the cure, or close to it. The UK’s National Audit Office has reported that 80% of cyber attacks could be prevented by “simple computer and network ‘hygiene’”, from software patches to stronger passwords and a more robust approach to managing permissions and monitoring network activity. A company with a CEO who champions these basic but essential measures is much likelier to see stronger levels of compliance and, as a result, improved security.
Every young company is in a rush to launch new products and services into a very competitive market. However, this should not come at the expense of security, which is easily pushed down the list of priorities. By deprioritising it, you risk creating vulnerabilities that will only grow over time, leaving significant gaps of legacy exposure.
It might cost you a little time today, but a security-first approach can save significant cost and embarrassment further down the line. That means developing a risk matrix early on, identifying and resolving the biggest risks in your platform, products and networks, and codifying a plan for cyber defence and response in the case of attacks. Your cyber plan should have exactly the same rigour in timelines, reporting and accountability (at board level) as product development or marketing. The earlier you start doing this, the easier it is to embed as an essential piece of business infrastructure that will empower you to scale faster and deliver more effectively later on.
The cybersecurity requirement can seem daunting for companies trying to run as lean an operation as possible. But there are ways of developing robust cyber defences without breaking the bank. Startups should look to off-the-shelf managed security services or security-as-a-service providers, designed to help smaller companies on a budget.
Being cyber ready as a venture-backed company doesn’t necessarily mean having a CISO in place, although many do. But it does mean using the tools at your disposal to build robust, commonly understood and applied procedures to ensure your company is as prepared as it can be for the threat of cyber attack, and as careful as it should be with its IP and customer data.
Cyber attacks have become an unavoidable part of the business landscape, and no company can be completely hack-proof. Startups need to have a more sophisticated conversation about cybersecurity, at an earlier stage than many currently do. Those seeking Series A investment need to prove that cybersecurity is front of mind, and, at later funding rounds, prove that they are as robust on cyber readiness as they are innovative on product, confident on market size and ambitious on growth.