What happens if you introduce network stack and invest millions of dollars at this third party vendor to monitor the ingress/egress flow of traffic and then after several months, your IT decides to bring their critical servers in-house? You will have to again scale, re-scope this exercise and perform thorough gap analysis to fix this.
As a startup security engineer, you will wear multiple hats and it's your responsibility to be part of the architectural review board, voice your opinions and ideas with IT, vendor management, HR and any other critical functions.
3. Lack of security governance on third party vendors
Do startups need to care about protecting their data first before evaluating the third party vendors who store their data? This is not always true.
Most of the startups run their servers and infrastructure hosted in a third party public cloud (such as AWS, Google Cloud, Rackspace etc). With the amount of cloud security breaches happening, it's important to select the right hosted solution for your organization who cares about customer's data. And there are these third party email ticketing solutions & other vendors who manages company's payroll, staffing solutions and the list goes on. Your role as security assessor is critical when startups establishes relationship with these third party vendors. Seek to establish cloud assessment criteria (BITS, CSA, ISO etc) and ensure that these cloud hosted vendors meet your standards.
4. Continuous deployment lacks security checks
Startups cannot afford to have extensive change management process and only deploy the code on a weekly or bi-weekly basis as big companies do. The ability to continuously deploy the code to production (multiple times daily) with minimal QA checks and peer review has become part of the code deployment process and there is no time to perform secure code review, threat modeling etc. As security engineers, it is important to develop secure coding framework but still be able to educate developers about secure coding practices without hindering the deploy process. It's not easy to integrate security into the code review process and have developers validate improper exception handling, XSS, XSRF, verbose errors etc but this is something that can be managed through education, training the developers and have proper stage gate review process.
5. Bad investment on unnecessary security tools
For some companies, availability might be more critical than security. Invest more time in selecting the appropriate DDoS solutions, CDN providers than investing in centralized SSO solutions, for example.
As a startup security engineer and lead, you set the tone for security across the organization and it's important that you invest in the right tools for the organization as you cannot afford bad investment.
Sign up for Computerworld eNewsletters.