Startups without a CISO: You’re losing out on a big business opportunity

Many startups – and small businesses, for that matter – don’t invest in a chief information security officer (CISO) or equivalent. In fact, recent research from Navisite demonstrates the small business cybersecurity leadership gap, noting in its “The State of Cybersecurity Leadership and Readiness” report [subscription required]:

“When evaluating the lack of cybersecurity leadership by size of organization: the smaller the organization, the more likely that organization is operating without a CISO/CSO. Among the largest enterprises with 5,000 or more employees, only 10% indicated they did not have a CISO/CSO, compared to mid-sized organizations at 52% and small organizations at 64%.”

If you’ve spent any time in the startup or small business world, this likely won’t come as a surprise to you. Companies of this size are focused on one thing: getting their product or service to market as quickly and efficiently as possible. Time, resources and budgets are devoted to product/service development and go-to-market (GTM) strategies, leaving cybersecurity as an afterthought.

And, cybersecurity often becomes an after-the-fact “add-on” because many companies mistakenly view it as a cost center and business inhibitor rather than what it has the potential to be: a profit driver. 

But, you should know that if you’re running a startup or small business but not investing in a CISO, you’re doing your company more harm than good.

Making cybersecurity a profit driver

CISOs can be a profit driver for businesses just by keeping them safe from cyberattacks. Today, startups and small businesses are just as much a target for attacks as large enterprises. And, regardless of company size, the aftermath can be devastating – financial loss, customer loss, damaged reputation and much more.

In fact, in the wake of an attack, many companies of this size go out of business or struggle to stay in business. Research from the National Cybersecurity Alliance reveals that 60% of small and mid-sized businesses go out of business within six months following a cyberattack. For this fact alone, a CISO has the power to keep your business afloat – or conversely, failure to invest in this security leadership role could spell the end for your company.

Beyond this, though, CISOs can be a profit driver in other ways, too. Here are three things you can start today to enable the business.

1. Create a culture of security from the ground up. 

The reality within many startups is that no one is thinking about security. They’re solely focused on building their product or service and getting it to market. Everyone has access to everything, assets are all over and there are no security rules. Essentially, it’s the “Wild West” of security.

But, this is problematic because employees are the first line of defense against cyberattacks. And, if they aren’t trained from the beginning to prioritize security and follow good cyber hygiene (e.g., thinking twice before clicking a suspicious link or opening an attachment from an unknown source, avoiding password reuse, etc.), then it’s going to be extremely difficult to course-correct when your company is ready for prime time. 

Investing in a CISO early on eliminates challenges surrounding the “human element” by providing an opportunity for startups to build a culture of security from the start, so cybersecurity grows alongside the organization. This means making sure employees embrace a “security-first” mentality in all they do, ensuring employees – from the executive suite to the mailroom – understand how their decisions impact the company’s security posture, and implementing “security by design” controls and processes that adapt and grow with the business.

CISOs who do their job well will ingrain cybersecurity in the company’s culture from day one to reduce enterprise risk, ensure continuous and seamless business operations and position the company for long-term success.

2. Expedite GTM processes. 

Let’s face it, there are a lot of negative connotations associated with the CISO role today. Business teams meet CISOs with resistance because they see them as an inhibitor to how they operate. And, company leaders think CISOs are solely in the business of saying “no.” 

Contrary to these widespread misperceptions, though, CISOs aren’t there to say, “we can’t do this”; but rather, “we can do this, and this is how we can do it securely.” And, when this optimal balance between business agility and security is achieved early on, GTM processes can be accelerated when your product is ready for the market.

For example, startups offering a product or service might have the best engineers in the world but lack seasoned security professionals. Employing a CISO can give the company the insight it needs to improve product security and success in the development stage, so product launches aren’t delayed at the GTM phase.

Similarly, CISOs can identify ways to expedite necessary regulatory compliance, such as with SOC 2 or PCI-DSS requirements, so they don’t become roadblocks when negotiating early deals.

3. Prevent technical debt.

It’s not unusual for startup and small business leaders to keep adding new tools to their technology arsenal whenever they think it’ll help them achieve their GTM goals. But, rather than helping the company, this approach can result in complex IT infrastructures that make business processes harder to execute and introduce significant technical debt, taking dollars away from the product. 

The long-term goal of any startup or small company is achieving hyperscale growth, and while initially, you may be able to get by without cybersecurity, neglecting it isn’t a sustainable option. At some point, you’re going to have to take a step back and clean up the mess – and that’s going to be a tough job if your company suffers from technology sprawl. 

Employing a CISO from the get-go can help keep your company honest, so you’re using only the minimum number of technologies required to maintain business agility (while remaining secure). This can have a big impact on the bottom line, because preventing technical debt in the early stages can provide both short- and long-term cost savings. If your team is used to operating with a minimalist mentality when it comes to technology and processes necessary to accomplish a job, then your IT infrastructures and associated costs will never get out of control.  

Cybersecurity and business are intertwined

All of this aside, let’s not forget that, at the end of the day, security is a business problem. So, if you don’t have a CISO to ensure a strong cybersecurity posture, then you’ll not only have security issues, but business challenges, too. CISOs that help their company move the business needle — without compromising security — become the much-needed profit driver that propels success across the board. And, as more CISOs demonstrate business value in this way, hopefully, that 64% figure representing the number of small businesses without a CISO drastically decreases. 

Neal Bridges is CISO of Query.AI