2022
State of
Startup Security
REPORT

What's inside:

1
Introduction: About our survey
A brief introduction of our first annual State of Startup Security Report and our objectives for reporting.
2
Key findings by the numbers
3
Demographics: Who participated?
The majority of respondents are tech leaders representing small businesses based in the US.
4
Security posture: Present day practices
Connecting the dots between how secure companies are and how secure they think they are.
5
Security spend: Tools, cost, and time
Highlighting the disconnects in startup security.
6
Security proof: Is your security known?
Learning about how security is shared.
7
Security testing: What’s your take on penetration testing?
Getting into the nitty gritty of penetration testing.
8
Where does security compliance fit?
Understanding where startups are at with compliance standards.
9
Retrogressive to strategic: Planning for resilient security
For the first year ever, we created a survey about startups and their security. We asked startups to honestly and anonymously answer questions about their security posture, their security roadmap, and how satisfied they are with their security in general.

Over 500 people took part in our survey and we break down the results in our first annual State of Startup Security Report.

Introduction: About our survey

To say security and compliance are tricky is an understatement. Scalability, growth, and organizational maturity depend on a company’s ability to prove security. Startups clearly want to continue improving upon their security measures - and they’re starting to realize this early on.

As the survey below reveals, there is a considerable gap between goals and reality in startup security. Tech leaders understand the importance of security, but don’t fully have a handle on what it means to achieve it. Moreover, there are varying degrees in how organizations prioritize security.

So, what does this mean for fast growing startups? When it comes to security, there is a paradox. Security can enable businesses to scale and grow, but confusion around security and overly rigid practices can introduce unnecessary red tape. Our survey reveals that startups struggle to find the balance between managing risks and prioritizing security.

The good news is, this is a natural part of startup growth. In fact, hundreds of survey participants are going through similar security growing pains. Small business owners, founders, CEOs, CTOs, and anyone responsible for making decisions about organizational security share these challenges, goals, and priorities.

Most importantly, we want to share these findings so we can continue to make the internet a safer place to scale businesses. Let’s get started.

Key findings by the numbers

of participants are asked to prove their security measures by prospective customers.

of respondents think they should improve their security.

of participants say that “closing deals depends on maintaining security.”

of startups have no security roadmap.

of startups who are asked to prove their security are not managing compliance at all.

Demographics: Who participated?

The majority of respondents are tech leaders representing small businesses based in North America.

78% represent the United States. Other participants, each at under 5%, are located in Canada, Western Europe, South America, and Australia/New Zealand.

To determine an accurate perspective of the State of Startup Security, respondents were selected based on their professional criteria, such as industry and organizational role.

Participants were intermittently disqualified as the survey progressed depending on the answers they selected. This was done in order to curate results that reflect authentic responses, specifically from security decision makers.

Company stats

60%
of startups have been in business for five years or longer
40%
represent companies that are younger than five years old
37%
of those have been in business for under two years
51%
have between 11-250 employers
35%
have between one to 10 employees
14%
are organizations with +250 employees

What industry do you work in?

49%

represent SaaS
professionals

9%

represent business services/consultants

<5%

each for healthcare, media, government, and education

What is your job title?

25%

CEOs

19%

CTOs

8%

Head of Security

followed closely with Product Managers, Software Engineers, COOs, Operations Leads, and Heads of IT

How involved are you in the selection of software/vendors for security?

31%

consider themselves the sole decision maker in the selection of software and vendors for security.

41%

consider themselves part of the group making the final decisions

27%

provide some input but have no decision making power

Security posture: Present day practices

Regardless of company maturity, securing data and protecting clients is something every organization has to do. Let’s take a look at how participants feel about their current security posture.

Getting up and running

The blockers in starting up

Which of the following were blockers in getting your startup started?

product development
43%
SECURITY & COMPLIANCE
43%
FINANCING
42%
TIME
37%
HIRING
32%
DON'T KNOW
11%

The responsibility of security

Startup CTOs and CEOs continue to make security decisions

Who is responsible for security in your org?

CTO
Head of Security
CEO
Software Engineer
Head of IT

Does your company plan to hire a dedicated security person?

have a security team or person
have no plans to hire now or
in the next year
plan to hire a security person
in the next year

One person responded, “We have a security person, but they wear other hats too.”

How is your organization’s security?

Security is strong, but there’s room for improvement

How you would rate your organization’s security posture?

32%
STRONG
29%
FAIR
28%
GOOD
9%
weak

Should your organization improve its security?

YES
75%
NO
12%
NOT SURE
13%

How important is security to your organization today?

THE TOP PRIORITY
20%
ONE OF THE TOP PRIORITIES
52%
SECURITY IS IMPORTANT, BUT IT IS NOT A PRIORITY
28%

What dictates your security roadmap?

29%
compliance based needs
24%
company-wide responsibility
20%
have no security roadmap
16%
our security team
creates our roadmap
8%
engineers create KPIs
1%
other

What are your top 3 motivations for maintaining security?

70%
improving protection for
our customers
52%
compliance certification
41%
Closing sales deals
depends on it
35%
improving protection of our
company's IP/assets
26%
preventing downtime
of our services
21%
internal organizational
trust
12%
It is mandated by
our execs/VCs

Key takeaways

Security posture: Present day practices

CEOs and CTOs are wearing multiple hats – no surprise there. The responsibility for making security decisions lands squarely on the people who might not have the time to prioritize it. But, on the positive side, CEOs and CTOs are in a position to instill a culture of security from the start.

Getting up and running as a startup is complex. And, historically, security is built and created alongside people as the company grows. It is usually not the first hire and or the first priority, but 27% of startups already have a security team or person in place, and 24% are planning for this in the next year.

We learned that nearly half of startups have no plans to hire a dedicated security person in the near future. Again, not surprising for most startups. While hiring for and prioritizing security above all else is not the strategy for all startups, there are many different approaches to staffing up security, such as nominating a dedicated individual or spreading responsibility across the team.

43% say that security and compliance were blockers in getting going, which means that startups are acknowledging a need for security and compliance earlier on - perhaps even before they’re ready to go to market. Security is no longer a second thought among tech leaders. At the same time, very few startups think they’re doing a bad job with security currently – with most responses evenly split between good, fair, and great.

20% of respondents say their company doesn’t have a security roadmap, which means that 80% of startups are intentional about their security planning at an early stage. Ideally, every company should have a roadmap in order to establish their security goals and objectives.

A roadmap can create a journey for continuous improvement. 75% of startups say their company should improve its security posture — this isn’t a bad thing. Being secure and also finding opportunities for improvement aren’t mutually exclusive. You might not consider your security to be good unless you can identify opportunities for improvement.

Companies are pursuing security early on for a myriad of reasons, including protecting customer data, closing deals, achieving compliance certifications, and preserving company assets.

Security spend: Tools, time, and cost

Security is happening - we know this because all survey participants play a role in making security happen in their organizations. We also know that 75% of respondents want to improve their existing security posture.

So, what is being done today that doesn’t align with where people want to be? To what extent are security measures being taken? Let’s get into the tools that are being used, the time spent, and the cost that security takes in your organization.

The tools you use

The most common security tools remain the most, well…common.

Which security tools does your org use?

password managers

antivirus software

log management software

endpoint protection

Other common tools, all at 32% each, include:
MDM software, email security software, open source dependency scanners, and intrusion detection software.

Rounding out the least used tools of those we surveyed are SAST and DAST, at 22% and 14%, respectively.

The price you pay - time and money

Budget and time are limited. We dug a little deeper into security planning to learn how startups budget for time and costs.

How much of your annual
budget is spent on security?

How much time does your organization
spend each week on security?

Combining time and money, we asked participants whether they believe their organization spends more or less than other businesses in their industry.

44%
say they invest more in security than peers
24%
say they spend less than peers
23%
unsure

Key takeaways

Security spend: Tools, time, and cost

20% of respondents spend less than $5,000 a year on security, and 43% spend up to 10 hours a week monitoring their security. The amount of time and money startups spend is to be expected, as those responsible for security are wearing several hats.

And although many respondents recognize the need for more security measures, 44% believe they spend more time and money on security in contrast to other organizations in their industry.

While there’s no right amount of time or money to allocate for security, over 50% of respondents consider their security strong or good. For small startups, security doesn’t have to take a ton of time or money.

In fact, the security tools that are most commonly used tend to be plug and play. Password management, antivirus software, and log management software are becoming the new go-to set of security tools for startups. These tools can be both budget and time friendly.

Security proof: Is your security known?

Being secure and proving security are two different things. So how do organizations go from security processes to security with evidence?

We know that 41% of participants say that “closing deals depends on maintaining security.” In order to understand how deals are dependent on security, we asked participants if they prove security and how they do it.

Stakeholders want proof

Questionnaires are still a thing

57%
are asked to prove their security measures by prospective customers
51%
are asked by existing customers
22%
are asked by venture capitalists
24%
have not been asked to prove security at all

How do respondents prove security
for those looking for it?

56%
complete security questionnaires
21%
provide an internal dashboard
44%
provide third-party audit reports
20%
have an internal audit report
39%
provide self-attestation reports

One person wrote in saying, “We simply tell the customer that their data is secure.” Another participant wrote, “I don't (prove security), but since taking some online networking classes, I now know how important it is.”

Key takeaways

Security proof: Is your security known?

Nearly two thirds of organizations are being asked to prove security by prospective customers. So, it is no wonder that managing security is top of mind for startups.

While proof is primarily being asked by customers and prospects, about one fourth of startups are also getting asked by venture capitalists. This is a significant statistic in that venture capitalists want to ensure that the startups they are backing are secure. Furthermore, venture capitalists are asking for a show of security faith in order to help organizations scale.

It’s clear that compliance and security are critical components of long-term success for a startup, and many of our survey’s respondents seem to acknowledge that.

It is unsurprising that the majority of respondents are being asked by customers to show proof of security. But, with limited time, budget, and human hours, the fact that security questionnaires continue to be the most common way to prove security is worth highlighting.

Questionnaires are generally known to be a long and arduous process for anyone who has to manage them. In this case, CTOs and CEOs are spending what little available time they have manually proving software security.

Moreover, the burden of a questionnaire lies squarely on the startup. Since it is the dominant form of proof among respondents, it stands to reason that vendors are completing several at a time. And, likely, combining them with third-party audit reports – as they are the second most common security proof among startups.

One way to shift the burden is to prompt the conversation and plan in advance for the expectation of being asked to prove security. Over two thirds of respondents need to show proof in one form or another, so it is fair to say that stakeholders will ask and startups know they need to be ready.

Security testing: What’s your take on penetration testing?

Penetration testing is one way to evaluate the security of a system. Penetration testing helps to discover vulnerabilities and there are a few ways to get it done. We asked startups about their penetration testing practices.

Is your organization using penetration testing?

Penetration testing is happening, but not with everyone

We started simply by asking, “Do you use third-parties to conduct external penetration testing?” A majority, at 60%, say yes, their organizations do. The remaining 40% do not.

We asked follow up questions only to those who answered yes.

Do you use third-parties to conduct external penetration testing?

Your penetration testing ways

Keeping access to source code off limits

Digging a little deeper into penetration testing, we asked about whether penetration testers have access to your source or just a running version of the application.

56%

running version of the application

33%

access to the source code

8%

unsure

Key takeaways

Security testing: What's your take on penetration testing?

As just slightly over half of respondents report using penetration testing, there is room for growth in this area. Startups may see current penetration testing offerings as too much work or too costly. More lightweight providers that come in at a lower price point might offer considerable security improvements for startups that aren’t currently in the market.

A majority of startups currently penetration test by running a version of the application. As long as you have a trusted penetration test provider, providing source code can be a win, and 33% of startups are doing just that. The most efficient option is to do both – run a version of the application and provide source code.

Where does compliance fit?

As startups mature towards a more secure framework, the need for compliance has become more apparent. Scaling to an international market or winning the business of a government agency are great reasons to invest in compliance. Where do startups stand today with compliance management?

Your security compliance management

Making the shift to compliance automation

50%
use software to manage
their compliance today
45%
use external audit services
31%
use internal audit services
27%
not managing compliance at all

How satisfied are you with your compliance management approach?

very satisfied
dissatisfied
satisfied
very dissatisfied
neither satisfied or dissatisfied

Compliance management solutions and certifications

Your awareness of compliance tools and standards

SOC 2 is the most completed standard

have completed the SOC 2 compliance process

are in the process now or will be in the next couple years

Which compliance standards organizations have pursued or are planning to pursue?

GDPR

24%

already compliant

34%

pursuing now or within the next 1-2 years

25%

have no plans to get this in the next 1-2 years

ISO 27001

12%

already compliant

37%

pursuing now or within the next 1-2 years

27%

have no plans to get this in the next 1-2 years

HIPAA

16%

already compliant

24%

pursuing now or within the next 1-2 years

43%

have no plans to get this in the next 1-2 years

PCI DSS

18%

already compliant

18%

pursuing now or within the next 1-2 years

40%

have no plans to get this in the next 1-2 years

Key takeaways

Where does compliance fit?

SOC 2 compliance is considered the most accepted security standard in the U.S. As the majority of participants are located in the States, it is no surprise that 66% say they either have SOC 2 or plan to get it in the next one to two years.

It is becoming increasingly important for small startups to work towards SOC 2 compliance. The same can be said of other compliance certifications. 34% are pursuing GDPR now or within the next one to two years. And, 37% of startups are either in the process of getting ISO 27001 certified or plan to in the next couple of years.

Compliance certification is becoming a must-do even for small and scaling startups. And, the high percentage of plans among startups underscores the fact that respondents know this is a priority in order to grow. More importantly, over 60% of participants are very satisfied or satisfied with their current compliance management approach.

Many companies use an automation tool to streamline their compliance. However, over a quarter of startups aren’t managing compliance at all, which can have a direct impact on their businesses over the long term. This is especially true for the 41% who pursue security management in order to close a deal.

Retrogressive to strategic: Planning for resilient security

Startups understand that planning security early on is essential for long term scalability – and it is happening. In fact, security is considered one of the top priorities for over 50% of startups.

CEOs and CTOs at the small startup level are split between whether or not to staff for security teams now or in the near future.

of startups consider security
the top priority

of respondents are in favor of improving security

of prospective startup customers are requesting a ‘security stamp of approval’

Protecting customer data is the primary driver for implementing and maintaining security for a majority of participants. However, it isn’t the only factor that startups are paying attention to. Security is a prerequisite for scaling - both by prospective customers and venture capitalists looking to fund viable businesses.

What most startups agree on is the use of common security tools like password managers, antivirus software, and log management software. Many startups share that they are investing in these standard starter-pack tooling. Beyond that, there are varying degrees of uncertainty in how to plan and implement a security roadmap.

This is the natural progression in scaling organizations – one size security does not fit all. There will always be necessary improvements if you want to stay on top of your security processes. As companies scale, security goals and gaps will change in order to better serve your customer data.

2022
State of
Startup Security
REPORT

What's inside:

1
Introduction: About our survey
A brief introduction of our first annual State of Startup Security Report and our objectives for reporting.
2
Key findings by the numbers
3
Demographics: Who participated?
The majority of respondents are tech leaders representing small businesses based in the US.
4
Security posture: Present day practices
Connecting the dots between how secure companies are and how secure they think they are.
5
Security spend: Tools, cost, and time
Highlighting the disconnects in startup security.
6
Security proof: Is your security known?
Learning about how security is shared.
7
Security testing: What’s your take on penetration testing?
Getting into the nitty gritty of penetration testing.
8
Where does security compliance fit?
Understanding where startups are at with compliance standards.
9
Retrogressive to strategic: Planning for resilient security
For the first year ever, we created a survey about startups and their security. We asked startups to honestly and anonymously answer questions about their security posture, their security roadmap, and how satisfied they are with their security in general.

Over 500 people took part in our survey and we break down the results in our first annual State of Startup Security Report.

Introduction: About our survey

To say security and compliance are tricky is an understatement. Scalability, growth, and organizational maturity depend on a company’s ability to prove security. Startups clearly want to continue improving upon their security measures - and they’re starting to realize this early on.

As the survey below reveals, there is a considerable gap between goals and reality in startup security. Tech leaders understand the importance of security, but don’t fully have a handle on what it means to achieve it. Moreover, there are varying degrees in how organizations prioritize security.

So, what does this mean for fast growing startups? When it comes to security, there is a paradox. Security can enable businesses to scale and grow, but confusion around security and overly rigid practices can introduce unnecessary red tape. Our survey reveals that startups struggle to find the balance between managing risks and prioritizing security.

The good news is, this is a natural part of startup growth. In fact, hundreds of survey participants are going through similar security growing pains. Small business owners, founders, CEOs, CTOs, and anyone responsible for making decisions about organizational security share these challenges, goals, and priorities.

Most importantly, we want to share these findings so we can continue to make the internet a safer place to scale businesses. Let’s get started.

Key findings by the numbers

of participants are asked to prove their security measures by prospective customers.

of respondents think they should improve their security.

of participants say that “closing deals depends on maintaining security.”

of startups have no security roadmap.

of startups who are asked to prove their security are not managing compliance at all.

Demographics: Who participated?

The majority of respondents are tech leaders representing small businesses based in North America.

78% represent the United States. Other participants, each at under 5%, are located in Canada, Western Europe, South America, and Australia/New Zealand.

To determine an accurate perspective of the State of Startup Security, respondents were selected based on their professional criteria, such as industry and organizational role.

Participants were intermittently disqualified as the survey progressed depending on the answers they selected. This was done in order to curate results that reflect authentic responses, specifically from security decision makers.

Company stats

60%
of startups have been in business for five years or longer
40%
represent companies that are younger than five years old
37%
of those have been in business for under two years
51%
have between 11-250 employers
35%
have between one to 10 employees
14%
are organizations with +250 employees

What industry do you work in?

49%

represent SaaS
professionals

9%

represent business services/consultants

<5%

each for healthcare, media, government, and education

What is your job title?

25%

CEOs

19%

CTOs

8%

Head of Security

followed closely with Product Managers, Software Engineers, COOs, Operations Leads, and Heads of IT

How involved are you in the selection of software/vendors for security?

31%

consider themselves the sole decision maker in the selection of software and vendors for security.

41%

consider themselves part of the group making the final decisions

27%

provide some input but have no decision making power

Security posture: Present day practices

Regardless of company maturity, securing data and protecting clients is something every organization has to do. Let’s take a look at how participants feel about their current security posture.

Getting up and running

The blockers in starting up

Which of the following were blockers in getting your startup started?

product development
43%
SECURITY & COMPLIANCE
43%
FINANCING
42%
TIME
37%
HIRING
32%
DON'T KNOW
11%

The responsibility of security

Startup CTOs and CEOs continue to make security decisions

Who is responsible for security in your org?

CTO
Head of Security
CEO
Software Engineer
Head of IT

Does your company plan to hire a dedicated security person?

have a security team or person
have no plans to hire now or
in the next year
plan to hire a security person
in the next year

One person responded, “We have a security person, but they wear other hats too.”

How is your organization’s security?

Security is strong, but there’s room for improvement

How you would rate your organization’s security posture?

32%
STRONG
29%
FAIR
28%
GOOD
9%
weak

Should your organization improve its security?

YES
75%
NO
12%
NOT SURE
13%

How important is security to your organization today?

THE TOP PRIORITY
20%
ONE OF THE TOP PRIORITIES
52%
SECURITY IS IMPORTANT, BUT IT IS NOT A PRIORITY
28%

What dictates your security roadmap?

29%
compliance based needs
24%
company-wide responsibility
20%
have no security roadmap
16%
our security team
creates our roadmap
8%
engineers create KPIs
1%
other

What are your top 3 motivations for maintaining security?

70%
improving protection for
our customers
52%
compliance certification
41%
Closing sales deals
depends on it
35%
improving protection of our
company's IP/assets
26%
preventing downtime
of our services
21%
internal organizational
trust
12%
It is mandated by
our execs/VCs

Key takeaways

Security posture: Present day practices

CEOs and CTOs are wearing multiple hats – no surprise there. The responsibility for making security decisions lands squarely on the people who might not have the time to prioritize it. But, on the positive side, CEOs and CTOs are in a position to instill a culture of security from the start.

Getting up and running as a startup is complex. And, historically, security is built and created alongside people as the company grows. It is usually not the first hire and or the first priority, but 27% of startups already have a security team or person in place, and 24% are planning for this in the next year.

We learned that nearly half of startups have no plans to hire a dedicated security person in the near future. Again, not surprising for most startups. While hiring for and prioritizing security above all else is not the strategy for all startups, there are many different approaches to staffing up security, such as nominating a dedicated individual or spreading responsibility across the team.

43% say that security and compliance were blockers in getting going, which means that startups are acknowledging a need for security and compliance earlier on - perhaps even before they’re ready to go to market. Security is no longer a second thought among tech leaders. At the same time, very few startups think they’re doing a bad job with security currently – with most responses evenly split between good, fair, and great.

20% of respondents say their company doesn’t have a security roadmap, which means that 80% of startups are intentional about their security planning at an early stage. Ideally, every company should have a roadmap in order to establish their security goals and objectives.

A roadmap can create a journey for continuous improvement. 75% of startups say their company should improve its security posture — this isn’t a bad thing. Being secure and also finding opportunities for improvement aren’t mutually exclusive. You might not consider your security to be good unless you can identify opportunities for improvement.

Companies are pursuing security early on for a myriad of reasons, including protecting customer data, closing deals, achieving compliance certifications, and preserving company assets.

Security spend: Tools, time, and cost

Security is happening - we know this because all survey participants play a role in making security happen in their organizations. We also know that 75% of respondents want to improve their existing security posture.

So, what is being done today that doesn’t align with where people want to be? To what extent are security measures being taken? Let’s get into the tools that are being used, the time spent, and the cost that security takes in your organization.

The tools you use

The most common security tools remain the most, well…common.

Which security tools does your org use?

password managers

antivirus software

log management software

endpoint protection

Other common tools, all at 32% each, include:
MDM software, email security software, open source dependency scanners, and intrusion detection software.

Rounding out the least used tools of those we surveyed are SAST and DAST, at 22% and 14%, respectively.

The price you pay - time and money

Budget and time are limited. We dug a little deeper into security planning to learn how startups budget for time and costs.

How much of your annual
budget is spent on security?

How much time does your organization
spend each week on security?

Combining time and money, we asked participants whether they believe their organization spends more or less than other businesses in their industry.

44%
say they invest more in
security than peers
24%
say they spend less than peers
23%
unsure

Key takeaways

Security spend: Tools, time, and cost

20% of respondents spend less than $5,000 a year on security, and 43% spend up to 10 hours a week monitoring their security. The amount of time and money startups spend is to be expected, as those responsible for security are wearing several hats.

And although many respondents recognize the need for more security measures, 44% believe they spend more time and money on security in contrast to other organizations in their industry.

While there’s no right amount of time or money to allocate for security, over 50% of respondents consider their security strong or good. For small startups, security doesn’t have to take a ton of time or money.

In fact, the security tools that are most commonly used tend to be plug and play. Password management, antivirus software, and log management software are becoming the new go-to set of security tools for startups. These tools can be both budget and time friendly.

Security proof: Is your security known?

Being secure and proving security are two different things. So how do organizations go from security processes to security with evidence?

We know that 41% of participants say that “closing deals depends on maintaining security.” In order to understand how deals are dependent on security, we asked participants if they prove security and how they do it.

Stakeholders want proof

Questionnaires are still a thing

57%
are asked to prove their security measures by prospective customers
51%
are asked by existing customers
22%
are asked by venture capitalists
24%
have not been asked to prove security at all

How do respondents prove security for those looking for it?

56%
complete security questionnaires
21%
provide an internal dashboard
44%
provide third-party audit reports
20%
have an internal audit report
39%
provide self-attestation reports

One person wrote in saying, “We simply tell the customer that their data is secure.” Another participant wrote, “I don't (prove security), but since taking some online networking classes, I now know how important it is.”

Key takeaways

Security proof: Is your security known?

Nearly two thirds of organizations are being asked to prove security by prospective customers. So, it is no wonder that managing security is top of mind for startups.

While proof is primarily being asked by customers and prospects, about one fourth of startups are also getting asked by venture capitalists. This is a significant statistic in that venture capitalists want to ensure that the startups they are backing are secure. Furthermore, venture capitalists are asking for a show of security faith in order to help organizations scale.

It’s clear that compliance and security are critical components of long-term success for a startup, and many of our survey’s respondents seem to acknowledge that.

It is unsurprising that the majority of respondents are being asked by customers to show proof of security. But, with limited time, budget, and human hours, the fact that security questionnaires continue to be the most common way to prove security is worth highlighting.

Questionnaires are generally known to be a long and arduous process for anyone who has to manage them. In this case, CTOs and CEOs are spending what little available time they have manually proving software security.

Moreover, the burden of a questionnaire lies squarely on the startup. Since it is the dominant form of proof among respondents, it stands to reason that vendors are completing several at a time. And, likely, combining them with third-party audit reports – as they are the second most common security proof among startups.

One way to shift the burden is to prompt the conversation and plan in advance for the expectation of being asked to prove security. Over two thirds of respondents need to show proof in one form or another, so it is fair to say that stakeholders will ask and startups know they need to be ready.

Security testing: What’s your take on penetration testing?

Penetration testing is one way to evaluate the security of a system. Penetration testing helps to discover vulnerabilities and there are a few ways to get it done. We asked startups about their penetration testing practices.

Is your organization using penetration testing?

Penetration testing is happening, but not with everyone

We started simply by asking, “Do you use third-parties to conduct external penetration testing?” A majority, at 60%, say yes, their organizations do. The remaining 40% do not.

We asked follow up questions only to those who answered yes.

Do you use third-parties to conduct external penetration testing?

Your penetration testing ways

Keeping access to source code off limits

Digging a little deeper into penetration testing, we asked about whether penetration testers have access to your source or just a running version of the application.

56%

running version of the application

33%

access to the source code

8%

unsure

Key takeaways

Security testing: What's your take on penetration testing?

As just slightly over half of respondents report using penetration testing, there is room for growth in this area. Startups may see current penetration testing offerings as too much work or too costly. More lightweight providers that come in at a lower price point might offer considerable security improvements for startups that aren’t currently in the market.

A majority of startups currently penetration test by running a version of the application. As long as you have a trusted penetration test provider, providing source code can be a win, and 33% of startups are doing just that. The most efficient option is to do both – run a version of the application and provide source code.

Where does compliance fit?

As startups mature towards a more secure framework, the need for compliance has become more apparent. Scaling to an international market or winning the business of a government agency are great reasons to invest in compliance. Where do startups stand today with compliance management?

Your security compliance management

Making the shift to compliance automation

50%
use software to manage
their compliance today
45%
use external audit services
31%
use internal audit services
27%
not managing compliance at all

How satisfied are you with your compliance management approach?

very satisfied
dissatisfied
satisfied
very dissatisfied
neither satisfied or dissatisfied

Compliance management solutions and certifications

Your awareness of compliance tools and standards

SOC 2 is the most completed standard

have completed the SOC 2 compliance process

are in the process now or will be in the next couple years

Which compliance standards organizations have pursued or are planning to pursue?

GDPR

24%

already compliant

34%

pursuing now or within the next 1-2 years

25%

have no plans to get this in the next 1-2 years

ISO 27001

12%

already compliant

37%

pursuing now or within the next 1-2 years

27%

have no plans to get this in the next 1-2 years

HIPAA

16%

already compliant

24%

pursuing now or within the next 1-2 years

43%

have no plans to get this in the next 1-2 years

PCI DSS

18%

already compliant

18%

pursuing now or within the next 1-2 years

40%

have no plans to get this in the next 1-2 years

Key takeaways

Where does compliance fit?

SOC 2 compliance is considered the most accepted security standard in the U.S. As the majority of participants are located in the States, it is no surprise that 66% say they either have SOC 2 or plan to get it in the next one to two years.

It is becoming increasingly important for small startups to work towards SOC 2 compliance. The same can be said of other compliance certifications. 34% are pursuing GDPR now or within the next one to two years. And, 37% of startups are either in the process of getting ISO 27001 certified or plan to in the next couple of years.

Compliance certification is becoming a must-do even for small and scaling startups. And, the high percentage of plans among startups underscores the fact that respondents know this is a priority in order to grow. More importantly, over 60% of participants are very satisfied or satisfied with their current compliance management approach.

Many companies use an automation tool to streamline their compliance. However, over a quarter of startups aren’t managing compliance at all, which can have a direct impact on their businesses over the long term. This is especially true for the 41% who pursue security management in order to close a deal.

Retrogressive to strategic: Planning for resilient security

Startups understand that planning security early on is essential for long term scalability – and it is happening. In fact, security is considered one of the top priorities for over 50% of startups.

CEOs and CTOs at the small startup level are split between whether or not to staff for security teams now or in the near future.

of startups consider security
the top priority

of respondents are in favor of improving security

of prospective startup customers are requesting a ‘security stamp of approval’

Protecting customer data is the primary driver for implementing and maintaining security for a majority of participants. However, it isn’t the only factor that startups are paying attention to. Security is a prerequisite for scaling - both by prospective customers and venture capitalists looking to fund viable businesses.

What most startups agree on is the use of common security tools like password managers, antivirus software, and log management software. Many startups share that they are investing in these standard starter-pack tooling. Beyond that, there are varying degrees of uncertainty in how to plan and implement a security roadmap.

This is the natural progression in scaling organizations – one size security does not fit all. There will always be necessary improvements if you want to stay on top of your security processes. As companies scale, security goals and gaps will change in order to better serve your customer data.