Security startup confessions: Limited funds and their impact on security

My name is Kai Roer and I am a co-founder of a European security startup, and these are my confessions. I hope you will learn from my struggles, and appreciate the choices startups make when security matters. I will share experiences from my own startups (my first was in 1994), and things I have learned by watching and advising numerous other startups around the world.

Today I will share with you the pain of limited funds and the impact that has on security.

A startup, just like any other organization, has a limited budget. Since CLTRe is bootstrapped, i.e. funded solely by the two founders and the revenue we generate, we need to be very creative with our growth.

This means that tough decisions have to be made. At the very beginning, this could be a choice between buying an SSL certificate instead of traveling to see a potential client to promote the tool, or the choice of me coding instead of hiring someone who could do it in half the time. These are choices that in the future, when our accounts are filled and our team is large and specialised, will seem funny. Still, when these decisions were made, they were tough.

It all boils down to this: can we afford to loose the client tomorrow because we made a shortcut when it came to security?

This question is a common one, and I have heard it in companies of all sizes. For example, some years ago, I had a support mission on behalf of one of my legacy clients (a selected few who I have kept over the time, due to personal connections, special issues or other reasons).

This particular client runs a guesthouse, rather popular too, and they have no understanding at all of computers and technology. When they have any issue at all, I am their saving angel (or so they keep telling me). I think it was in 2009, they had just installed a new hotel management system that covered billing, room management and accounting. This was a significant upgrade from what they had before (mainly paper based), and since this was not, according to them, a technical thing, it was a compliance issue mainly, they had chosed not to involve me in the process.

Some time later, they needed assistance on some issue (I do not recall the trivial matter itself), which involved me visiting, trying to fix it based on the poor manual, then calling the software company who had developed the tool, and hosted it on their premisses.

Again, I do not recall the details of the issue. What I do recall was that the software required its users (receptionists and other non-computer-friendly employees) to access the computer with administration rights (in 2009, this should not have been a requirement, in my opinion). I happend to give this opinion to the developer on the other end of the phone line, and he took it personally. The call ended quickly, with the other guy calling me names, and telling me “you security people think you know it all”.

It turns out that the developers had no clue about security, and the same was true about the management. I do not know how they can still be in business.

I guess you can treat your customers like that when they are ignorant about security, and are more concerned about their day-to-day business than about still being in business tomorrow.

At CLTRe, on the other hand, we are concerned about security as a part of our culture. That means that when we have to choose between security and something else, 9 times out of 10, security wins. The only time something else wins, is when security is a nice-to-have with low priority.

We have pushed our releases in the past due to security concerns. I am sure we will do that in the future, too.