To say security and compliance are tricky is an understatement. Scalability, growth, and organizational maturity depend on a company’s ability to prove security. Startups clearly want to continue improving upon their security measures - and they’re starting to realize this early on.
As the survey below reveals, there is a considerable gap between goals and reality in startup security. Tech leaders understand the importance of security, but don’t fully have a handle on what it means to achieve it. Moreover, there are varying degrees in how organizations prioritize security.
So, what does this mean for fast-growing startups? When it comes to security, there is a paradox. Security can enable businesses to scale and grow, but confusion around what security requires, and overly rigid practices adopted in its name, can introduce unnecessary red tape. Our survey reveals that startups struggle to find the balance between managing risk and avoiding process that slows them down.
The good news is, this is a natural part of startup growth. In fact, hundreds of survey participants are going through similar security growing pains. Small business owners, founders, CEOs, CTOs, and anyone responsible for making decisions about organizational security share these challenges, goals, and priorities.
Most importantly, we want to share these findings so we can continue to make the internet a safer place to scale businesses. Let’s get started.
Key findings (the percentages were shown in the original graphic; where the body of the report states a figure, it is given here):
Nearly two thirds of participants are asked to prove their security measures by prospective customers.
75% of respondents think they should improve their security.
A share of participants (figure shown only in the graphic) say that "closing deals depends on maintaining security."
20% of startups have no security roadmap.
Of the startups that are asked to prove their security, a share (figure shown only in the graphic) are not managing compliance at all.
78% represent the United States. Other participants, each at under 5%, are located in Canada, Western Europe, South America, and Australia/New Zealand.
To get an accurate picture of the State of Startup Security, respondents were selected on professional criteria such as industry and organizational role.
Participants were disqualified at various points as the survey progressed, depending on the answers they selected, so that the results reflect authentic responses specifically from security decision makers.
Respondent profile (percentages appear in the original graphic):
Industry: SaaS; professionals; business services/consultants; and an equal share each for healthcare, media, government, and education.
Role: CEOs, CTOs, and Heads of Security, followed closely by Product Managers, Software Engineers, COOs, Operations Leads, and Heads of IT.
Decision-making authority: those who consider themselves the sole decision maker in selecting security software and vendors; those who consider themselves part of the group making the final decision; and those who provide some input but have no decision-making power.
Regardless of company maturity, securing data and protecting clients is something every organization has to do. Let’s take a look at how participants feel about their current security posture.
The blockers in starting up
Startup CTOs and CEOs continue to make security decisions
One person responded, “We have a security person, but they wear other hats too.”
Security is strong, but there’s room for improvement
CEOs and CTOs are wearing multiple hats – no surprise there. The responsibility for making security decisions lands squarely on the people who might not have the time to prioritize it. But, on the positive side, CEOs and CTOs are in a position to instill a culture of security from the start.
Getting up and running as a startup is complex. Historically, security is built alongside the team as the company grows. It is usually neither the first hire nor the first priority, but 27% of startups already have a security team or person in place, and 24% are planning for this in the next year.
We learned that nearly half of startups have no plans to hire a dedicated security person in the near future. Again, not surprising for most startups. While hiring for and prioritizing security above all else is not the strategy for all startups, there are many different approaches to staffing up security, such as nominating a dedicated individual or spreading responsibility across the team.
43% say that security and compliance were blockers in getting going, which means that startups are acknowledging a need for security and compliance earlier on - perhaps even before they’re ready to go to market. Security is no longer a second thought among tech leaders. At the same time, very few startups think they’re doing a bad job with security currently – with most responses evenly split between good, fair, and great.
20% of respondents say their company doesn't have a security roadmap, which means the remaining 80% report having one at an early stage. Ideally, every company should have a roadmap that sets out its security goals and objectives and the order in which it plans to reach them.
A roadmap creates a path for continuous improvement. 75% of startups say their company should improve its security posture, and this isn't a bad thing. Being secure and finding opportunities for improvement aren't mutually exclusive; a team that cannot name any gap in its security is more likely to be unaware of its gaps than to have none.
Companies are pursuing security early on for a myriad of reasons, including protecting customer data, closing deals, achieving compliance certifications, and preserving company assets.
Security is happening - we know this because all survey participants play a role in making security happen in their organizations. We also know that 75% of respondents want to improve their existing security posture.
So, what is being done today that doesn’t align with where people want to be? To what extent are security measures being taken? Let’s get into the tools that are being used, the time spent, and the cost that security takes in your organization.
The most common security tools remain the most, well…common.
The most used tools, in order (percentages appear in the original graphic): password managers, antivirus software, log management software, and endpoint protection.
Other common tools, all at 32% each, include:
MDM software, email security software, open source dependency scanners, and intrusion detection software.
The least used tools of those we surveyed are SAST and DAST (static and dynamic application security testing), at 22% and 14%, respectively.
Budget and time are limited. We dug a little deeper into security planning to learn how startups budget for time and costs.
20% of respondents spend less than $5,000 a year on security, and 43% spend up to 10 hours a week monitoring their security. The amount of time and money startups spend is to be expected, as those responsible for security are wearing several hats.
And although many respondents recognize the need for more security measures, 44% believe they spend more time and money on security than other organizations in their industry.
While there’s no right amount of time or money to allocate for security, over 50% of respondents consider their security strong or good. For small startups, security doesn’t have to take a ton of time or money.
In fact, the most commonly used security tools tend to be plug and play. Password management, antivirus software, and log management software are becoming the go-to starter set for startups, and they can be both budget and time friendly. Note that they cover only part of the picture: the least used tools in this survey, SAST and DAST, are the ones that find flaws in the startup's own application code, which a password manager or antivirus product will never see.
Questionnaires are still a thing
One person wrote in saying, “We simply tell the customer that their data is secure.” Another participant wrote, “I don't (prove security), but since taking some online networking classes, I now know how important it is.”
Nearly two thirds of organizations are being asked to prove security by prospective customers. So, it is no wonder that managing security is top of mind for startups.
While proof is primarily requested by customers and prospects, about one fourth of startups are also being asked by venture capitalists. This is significant: investors want assurance that the startups they back are secure, and they are asking for evidence of it as a condition of helping those organizations scale.
It’s clear that compliance and security are critical components of long-term success for a startup, and many of our survey’s respondents seem to acknowledge that.
It is unsurprising that the majority of respondents are being asked by customers to show proof of security. But, with limited time, budget, and human hours, the fact that security questionnaires continue to be the most common way to prove security is worth highlighting.
Questionnaires are generally known to be a long and arduous process for anyone who has to manage them. In this case, CTOs and CEOs are spending what little available time they have manually proving software security.
Moreover, the burden of a questionnaire lies squarely on the startup. Since it is the dominant form of proof among respondents, it stands to reason that vendors are completing several at a time, and likely combining them with third-party audit reports, which are the second most common form of security proof among startups.
One way to shift the burden is to prompt the conversation and prepare the evidence in advance, before anyone asks for it. Over two thirds of respondents need to show proof in one form or another to customers, prospects, or investors, so it is fair to say that stakeholders will ask, and startups know they need to be ready.
Penetration testing is one way to evaluate the security of a system. Penetration testing helps to discover vulnerabilities and there are a few ways to get it done. We asked startups about their penetration testing practices.
Penetration testing is happening, but not with everyone
We started simply by asking, “Do you use third-parties to conduct external penetration testing?” A majority, at 60%, say yes, their organizations do. The remaining 40% do not.
We asked follow up questions only to those who answered yes.
Keeping access to source code off limits
Digging a little deeper into penetration testing, we asked whether penetration testers get access to the source code or only a running version of the application.
Tester access (percentages appear in the original graphic; the text below gives 33% for source code access): a running version of the application; access to the source code; unsure.
With 60% of respondents reporting third-party penetration testing, there is room for growth in this area. Startups may see current penetration testing offerings as too much work or too costly. More lightweight providers at a lower price point might offer considerable security improvements for startups that aren't currently in the market.
A majority of startups currently give testers only a running version of the application (black-box testing). With a trusted provider, sharing source code as well can be a win, and 33% of startups are doing just that. The most efficient option is to do both: give the tester a running instance and the source code (grey-box or white-box testing), so that less of the engagement is spent rediscovering what the code already reveals and more is spent on the flaws that matter.
As startups mature toward a more secure posture, the need for compliance becomes more apparent. Scaling to an international market or winning the business of a government agency are strong reasons to invest in compliance. Where do startups stand today with compliance management?
Making the shift to compliance automation
Your awareness of compliance tools and standards
SOC 2 is the most completed standard
SOC 2 (percentages appear in the original graphic): have completed the SOC 2 compliance process; are in the process now or will be in the next couple of years.
For each of the four other standards in the survey (their labels are not recoverable from the graphic; the text below names GDPR and ISO 27001), respondents fall into three groups: already compliant; pursuing now or within the next 1-2 years; no plans to get this in the next 1-2 years.
SOC 2, an attestation report issued under the AICPA's Trust Services Criteria, is the most widely accepted security standard in the U.S. As the majority of participants are located in the States, it is no surprise that 66% say they either have a SOC 2 report or plan to get one in the next one to two years.
It is becoming increasingly important for small startups to work toward SOC 2. The same can be said of other compliance frameworks: 34% are pursuing GDPR compliance now or within the next one to two years, and 37% of startups are either in the process of getting ISO 27001 certified or plan to in the next couple of years.
Compliance attestation or certification is becoming a must-do even for small and scaling startups, and the high percentage of startups with plans underscores that respondents know this is a priority in order to grow. More importantly, over 60% of participants are very satisfied or satisfied with their current compliance management approach.
Many companies use an automation tool to streamline their compliance. However, over a quarter of startups aren’t managing compliance at all, which can have a direct impact on their businesses over the long term. This is especially true for the 41% who pursue security management in order to close a deal.
Startups understand that planning security early on is essential for long term scalability – and it is happening. In fact, security is considered one of the top priorities for over 50% of startups.
CEOs and CTOs at the small startup level are split between whether or not to staff for security teams now or in the near future.
Summary figures (percentages appear in the original graphic; figures stated in the text are given here): over 50% of startups consider security one of their top priorities; 75% of respondents are in favor of improving security; nearly two thirds report prospective customers requesting a 'security stamp of approval'.
Protecting customer data is the primary driver for implementing and maintaining security for a majority of participants. However, it isn't the only factor that startups are paying attention to. Security is treated as a prerequisite for scaling by both prospective customers and venture capitalists looking to fund viable businesses.
What most startups agree on is the use of common security tools like password managers, antivirus software, and log management software. Many startups share that they are investing in this standard starter pack of tooling. Beyond that, there are varying degrees of uncertainty in how to plan and implement a security roadmap.
This is the natural progression in scaling organizations: one-size security does not fit all. There will always be necessary improvements if you want to stay on top of your security processes. As companies scale, security goals and gaps will change in order to better protect customer data.