Start-Up Secure - Chris Castaldo
Preface
MOST BOOKS END WITH A QUOTE from a famous source; I am starting with one. In his book The 7 Habits of Highly Effective People, Stephen Covey states “The main thing is to keep the main thing the main thing.” This should apply to your start-up and how you should view every suggestion in this book. Every cybersecurity choice you make should, at the end of the day, be to enhance whatever it is you are building. From getting a better product out the door to high customer satisfaction from the services you provide. Don't lose sight.
There are a lot of topics covered in this book and cybersecurity taken as a whole can be overwhelming. That's why there is an entire industry built around it. As you read through this book, always keep in mind what is right for your start-up and your customers. You don't need to implement all the things we discuss in this book from day one or even by day one thousand. But you should understand the important trade-offs by the end of this book.
Just knowing those trade-offs then allows you to prioritize what is right for your start-up and allows you to keep the main thing the main thing. A great example is a security incident and event management (SIEM) [1] solution, which is something you most likely won't need until after the validation phase, maybe even beyond the growth phase. I hope to provide you with the right know-how and understanding to intelligently make those decisions.
Of course, you are not in this alone. Your fellow founders, board members, venture capital (VC) advisory board, customers, peers, and vendors are all sources to validate your overall cybersecurity plan. Utilize the free resources that want to help and see your start-up succeed.
WHY WRITE THIS BOOK?
Cybersecurity is now a requirement for every company in the world, regardless of size or industry. Regulations and laws at the state, national, and international levels are being created at a faster rate. Constituents expect their elected officials not only to investigate the massive data breaches we've seen over the years, but also to do something about them. It is especially important for start-ups.
This book was written to be the go-to source for start-up founders, entrepreneurs, leaders, and individual contributors. There is no expectation for companies because of a lack of technical prowess or even experience as a cybersecurity professional. Accounting is an obvious part of all business, as is cybersecurity, and not everyone can be expected to be a certified public accountant (CPA) or an offensive security certified professional (OSCP). [2]
I will walk you through the sometimes chaotic and confusing world of working with cybersecurity professionals (and trying to be one yourself!), dealing with industry-specific regulations and the almost infinite supply of cybersecurity vendors.
I wrote this book because there are hundreds of books, studies, and white papers on cybersecurity and best practices but nothing speaking directly to founders and start-ups. There are even more books about start-ups and for entrepreneurs, yet not a single one mentions building your company in a secure way. The Kauffman Foundation estimated 530,000 new businesses were created every month in the United States during 2015, [3] which translates to 530,000 new possible targets every month with no ability for them all to hire the experienced cybersecurity professional required to securely run a business today.
Many hiring reports indicate we are currently in a cybersecurity hiring crisis. [4] However, that fact should not prevent any organization from developing and implementing a risk-based and right-sized cybersecurity strategy regardless of the industry they operate in.
This book won't create a new framework or standard, but will translate those that exist into a commonsense selection for entrepreneurs, business leaders, and individual contributors. There is no wrong framework or standard that you could select, but not adopting one will certainly spell disaster for any organization, start-up, or 100-year-old organization. A phrase I vividly remember from my time in the Army deployed to Iraq that sums this up is “get off the X”; regardless of the decision, not making one is typically always wrong.
This book is the culmination of my experience of over 20 years in cybersecurity at start-ups, global tech companies, the National Security Agency, and the US military. Since I started this preface with a favorite quote, I'd like to close with one that I feel sums up how this book came about. In Nassim Nicholas Taleb's book Antifragile he writes, “I write with my scars.” I cannot agree more. Without spending many years doing this work and without the support of many professionals that have helped me along the way, this book would not be possible. I hope that my experience helps you start-up secure.
NOTES
1. A security incident and event management tool is a system that ingests, processes, correlates, stores, and sometimes takes action on security log events from your systems. These systems can be your laptop, servers running in your cloud infrastructure, or even other security tools.
2. The “offensive security certified professional” is an intense certification that requires hands-on testing of an individual's skills of advanced penetration testing techniques. It is one of the more difficult certifications to achieve.
3. http://www.kauffman.org/~/media/kauffman_org/research%20reports%20and%20covers/2015/05/kauffman_index_start-up_activity_national_trends_2015.pdf
4. http://www.csoonline.com/article/3075293/leadership-management/cybersecurity-recruitment-in-crisis.html