Moss: Thank you for your sound judgment and for leading by example.
Ganesh Pai: Your advice as a founder has been instrumental in helping my audience and giving other founders the critical information they need.
Masha Sedova: Thank you so much for your time and always putting users first. You are truly changing cybersecurity for the better.
Michael Piacente: Your kindness and thoughtfulness when giving your time is a gift. I still remember our first phone call that felt like I was talking to a longtime friend.
Sinan Eren: Thank you for your perspective as a serial founder and all that you have done and do for the cybersecurity community.
Chris Berry: Thank you for being the type of leader someone can aspire to be and teaching me to “ask for forgiveness, not permission.” It has served me well over my entire career.
John Scilieri: Your friendship and mentorship over the years helped me make all the right decisions. Thank you for the copy of The Obstacle Is the Way, which motivated me to take a risk that paid off and opened my eyes to Stoicism.
Eric Kough: You gave my resume on Monster.com a chance and opened countless doors for me. I'm forever in debt.
Joe Karolchik: It was a privilege to have you as a leader and mentor to learn from.
Victor Goltsman: I'm so grateful for the opportunity I had to work with you, and I try to apply every day what I learned from you.
Security Tinkerers: Thank you to each and every one of you. I am extremely fortunate to be in your company.
About the Author
Chris Castaldo is an industry-recognized chief information security officer (CISO) and expert in building cybersecurity programs for start-ups. Chris's cybersecurity experience stretches over 20 years in start-ups, Fortune 1000s, and the US Government. He has scaled cybersecurity programs and teams from the ground up, and he also advises start-ups. Chris is a US Army veteran and a Visiting Fellow at the National Security Institute at George Mason University's Antonin Scalia Law School.
Introduction
ABOUT THIS BOOK
Chapter 1 will discuss and get you comfortable with building a minimally viable cybersecurity program for a minimally viable product. You don't need to start with National Security Agency (NSA) level security on day one, and most founders reading this book won't even need it the day they ring the opening bell.
Chapter 2 will help you think through and build your cybersecurity roadmap regardless of where you are starting in the start-up life cycle. While it may seem out of order – why wouldn't you plan your roadmap first? – not everyone starts at the point of needing a roadmap, with a defined and documented strategy. If you are a month into building your minimally viable product (MVP) and just received your legal documents officially forming your company, a three-year cybersecurity roadmap is going to take up time and then sit on the shelf.
Chapter 3 is, in my opinion, the most important chapter in this book. If you read one chapter only, make it this one. Your credentials, which make up a username and password, are your keys to your digital self. These are most critical to protect as they underpin nearly all other systems in a cybersecurity program.
Chapter 4 will explore the ever-changing world of antivirus that began nearly 40 years ago and is now called endpoint detection and response (EDR) or endpoint protection platform (EPP). EDR and EPP are an important layer of your cybersecurity program, one that might be difficult to delay beyond the formation phase of your start-up.
Chapter 5 tackles the necessary evil that is the office network, the way we connect to the Internet. It makes all of this possible and is also the first to be blamed when we can't load our favorite cat video on the office Wi-Fi.
In Chapter 6 we soar into the sky and take a look at the clouds. It is nearly impossible not to use a cloud-based product today, and as a founder there is a very good chance you are building a cloud-based product or will use cloud services to scale your start-up.
Chapter 7 covers the actual basics and the predecessor to all of this: information technology (IT).
Chapter 8 covers a topic as critical as Chapter 3: hiring. Making your first cybersecurity hire is a high-impact decision for your start-up. The wrong hire can have disastrous consequences. Making sure you know what you are actually looking for, and being honest with yourself and your fellow founders, will pay dividends. Cybersecurity is one of the most competitive fields for jobs and has been for nearly a decade now.
Chapter 9 is a personal favorite of mine. Not everyone enjoys the negotiating challenges of working with a customer's general counsel on terms and conditions, or arguing the auditor's definitions of “was.” Being compliant can sometimes mean you can or cannot do business in an industry, country, or with a specific business. This is a chapter you shouldn't skip.
Chapter 10 continues and builds on Chapter 9 and dives specifically into government law and industry regulations. These, much like compliance with a legal agreement, can stop a start-up in its tracks or open the doors to prospective partners, acquirers, and customers.
Chapter 11 will prepare you for the day when people ask you if your product is secure and how you protect their data. It's a good idea to start thinking about these answers now and then look at your answers and verify that you are actually doing that. Someone will eventually want to audit you. Being ready to comfortably and confidently talk about your cybersecurity program will build a lot of trust with investors, customers, and partners.
Chapter 12 will discuss the inevitable data breaches. They are a part of doing business today, and we build our cybersecurity programs to be antifragile so that we improve when they happen.
Chapter 13 dives further into the technical needs for start-ups that are developing a technical solution, and covers baking cybersecurity into the product you are building, not just your start-up.
Chapter 14 looks at the outside risks of doing business today. Third-party vendors – really, any vendor you use – will bring some risk to your business. The reward must simply outweigh that risk. This chapter will help you understand how to quickly evaluate that risk.
Chapter 15 will bring us back to where we started and set you and your co-founders on the way to building a secure start-up.
HOW TO USE THIS BOOK
This book is written specifically for founders to take immediate and continuous actions in their start-up to bake in cybersecurity. After each chapter, I will summarize the contents and highlights of the most critical takeaways.