Cybersecurity for Startups

Founding a startup probably should keep you up at night.

Its cybersecurity shouldn’t.

Back in October 2020, just as I was starting this business, I joined South Park Commons, which I describe as an entrepreneurship community, here in San Francisco.

Being part of SPC has been a great experience for me, and one of the best parts of it has been getting to talk with so many founders so early in their startup journey—sometimes even before they had officially founded.

And there were a lot of founders at SPC who wanted to talk cybersecurity.

Over the course of many lunches and coffee chats and happy hours, they told me how important the cybersecurity of what they were working on was, and how worried they were that they didn’t have the right expertise.

Some people set out to work in cybersecurity, but I didn’t—it happened kind of by accident and sideways. I studied CS in school and took jobs out of school as a software engineer, but I wound up bouncing around for a few years because I realized that I didn’t want to spend the rest of my life sitting alone in a cubicle writing code and not talking to people.

(If you were around then, you know. If you’re younger, it was coming out of the late 00’s—the financial crisis had tanked growth, the iPhone was only a couple years old, Agile was just finally starting to take off via Hacker News, the open-plan office was new and weird. Except for that last, it was a dark time. Software engineers were absolutely not supposed to talk to people; we were supposed to sit in our cubes, receive requirements from product managers, and deliver working code.)

Like I said:

Some people set out to work in cybersecurity, but I didn’t—it happened kind of by accident and sideways.

A friend and colleague I’d worked with before, who was on the cybersecurity team at Akamai, hired me in 2012 as a software engineer to work on some internal tooling. Then, almost immediately thereafter, there was a re-org, my team got handed the governance of the entire company’s incident management process, and I fell headlong into cybersecurity.

The truth is that I loved it. Cybersecurity is the intersection of the hardest technical problems that we know, like cryptography, and the hardest social problems we know, like getting people to use cryptography—or, rather, making it usable by people. Luckily my boss is a very good friend to this day, even if he is still a tiny bit salty that I never worked very much on his wiki.

But, also, those early days were very rough.

Cybersecurity wasn’t something I had studied at school, and while nowadays there are full cybersecurity degree programs, at the time, this almost wasn’t something you could study at school. MIT was lucky enough to have one cybersecurity course—but I hadn’t taken it.

I did have the benefit of some very patient mentors, first at Akamai and later at Stripe and Lyft, and an always supportive environment with no end of productive challenges. But over the next ten years I really did spend a lot of time having to learn things myself, and sometimes the hard way—that is, face-first.

And things in the wider world were changing very rapidly.

I was working at Akamai in April 2014 when the Heartbleed vulnerability in OpenSSL was discovered, and we had to patch 120,000 servers in 110 countries delivering about a quarter of the traffic on the web for it in the span of a month.

As a result, we had to grow rapidly too. Akamai’s cybersecurity team grew from 20 people to 60 in four years, Lyft’s from 20 to 120 in fifteen months, Stripe’s from 6 to 60 in fifteen months.

This was the experience of a lifetime, and I got to work with some of the best cybersecurity leaders in the world.

By the time I left Lyft in March of 2020, I had, over the course of those nearly ten years, seen quite a bit of the cybersecurity journey at several very different companies in several very different industries, and worked directly with the people who built their cybersecurity programs from day one at all of those organizations into industry leaders.

Returning to my coffee chats with founders—with the benefit of those experiences, all the mentorship and support and lessons learned, especially the hard ones:

We could, then, put together a cybersecurity plan for their organization that would keep them safe for the next six, twelve, or even eighteen months—long enough to get through the next funding round.

Surprisingly, all it took was an hour or two, usually, and we operated at whatever level of formality or informality they wanted.

Because at the end, what matters is not the formality or the process but that you have the knowledge and understanding that you need to focus on growing and building your business while sleeping soundly at night—or at least, given startups, trusting that it won’t be cybersecurity keeping you awake.

I would love to share the benefit of my hard-won experience with you too.

If all this is something that you want, let’s chat.