Federal consumer-protection authorities have called on the entrepreneurs building tech startups to prioritize cybersecurity from the earliest stages of the development process.
But a variety of factors -- lack of technical expertise, the rush to market, and so on -- can make security seem like more of a burden or an impediment to the startup's growth than anything else.
At a recent event convened by the Federal Trade Commission, industry insiders emphasized the importance of incorporating security as an integral part of any company's operations, not just the services or applications that it produces.
In startups in particular, where leadership often comes from a founder/CEO whose personality may largely define the organization's culture, it is critical that the company's leaders set the expectation that security is a company-wide priority.
"I think the founders and the management of a company are really the key to developing the culture," says Devdatta Akhawe, a security engineer at Dropbox. "In my experience, the companies that have responded well and taken security issues seriously tend to be the ones where the founders are driving that culture and those sorts of values."
It's worth noting that the idea that the founders should set the tone from the top on security is hardly confined to startups. Frank Kim, chief information security officer at the SANS Institute, recalls the predicament of Microsoft in the late 1990s and the early part of last decade. In 2002, when then-CEO Bill Gates issued an all-hands warning about the need to prioritize security in the company's ubiquitous software, Microsoft was viewed as a "laughing stock of the security industry," Kim says. The result of Gates' warning was Microsoft's Trustworthy Computing initiative, a concerted effort that considerably improved the company's security posture.
In part, security became a priority at Microsoft because the company's customers demanded it. And fledgling startups trying to carve out a slice of market share can ill afford a data breach or the reputational hit that comes from the perception that their applications aren't secure -- customers are likely to vote with their feet.
Making security a high-level goal at a startup
It may seem easy enough to designate security as a high-level goal at a startup, but how should that work in practical terms?
Window Snyder, CSO at Fastly and an experienced hand at security who has done stints at Apple and Mozilla, emphasizes the importance of starting from the earliest stages of the development process and training the engineering team on some basic tenets of secure programming.
She then suggests that companies adopt a peer-review process, whereby security experts and others get a chance to kick the tires on a particular feature before it is released to the public, and she notes the benefits that can come from bringing different teams together to focus on security.
"That creates a sense that it's everyone's job," Snyder says.
The argument for more clearly defined security roles
That maxim that everyone is responsible for promoting security on its face sounds simple enough, but not everyone is on board. Count among the dissenters Jonathan Carter, a veteran security professional and software engineer who argues for more clearly delineated roles within the development team.
"I take a slightly more controversial approach," Carter says. "Whenever I see something like 'security is everyone's responsibility,' that makes me cringe inside because, really, that means security is no one's responsibility. It's the diffusion of responsibility psychological principle, where suddenly it's on no one's radar and it's just this amorphous concept. So as a software engineer, I would say your responsibility is to identify issues and confer with your local security champion within your immediate team."
There was scant disagreement, however, on the broader point that startups and mature companies alike would do well to elevate security as an organizational priority.
And to the concern that a more security-intensive development process would carry more cost than a cash-strapped startup could afford -- to say nothing of the delay in time to market -- Akhawe urges firms to consider the alternative, the disastrous effects of a breach or the release of a product with glaring vulnerabilities.
"Security's much, much, much cheaper the earlier you do it," he says.
This story, "Why startup leaders need to set the tone for security" was originally published by CIO.