Is Security Debt Hindering Your Business Growth?

Building a strong security posture early on can project greater business maturity and serve as the competitive differentiator.

You know what can happen when security goes wrong, but do you know the competitive advantage it affords when you get it right? Denise Schroeder, VP of Product Innovation, Carbide, shares how high-growth organizations can operationalize data security and privacy for business growth.

According to industry figures, three out of four startups fail; 70% of those failures will take place when the company is between just two and five years old. Startups face many challenges on their path to survival, but 20% of the time, they fail outright because of fierce competition. For SaaS-based businesses, this environment can be especially merciless. While product-market fit is critical to success, the startup graveyard is littered with companies that have failed to come out on top despite having a superior product. In today’s security-conscious business environment, building a solid security posture early on can project greater business maturity and serve as the competitive differentiator needed to drive growth and fend off rivals.

Security Matters 

We hear so much about security gone wrong, the detrimental impact it can have on a business, and the expense to get it right, but conversely, security also has the potential to accelerate growth. Many organizations are looking to sell into massive enterprises or highly regulated industries like healthcare and financial services. Getting a foothold into those big brands and organizations can be difficult because they aren’t interested in taking risks with their customer or patient data. They must contend with a collection of data privacy regulations – like HIPAA, CCPA, GDPR, and more – and expectations around general security using frameworks like SOC 2, ISO 27001, NIST, and others – all of which are continuing to evolve. A recent study shows 10% of US companies are actively working to comply with more than 50 privacy laws, and an additional 26% are working on addressing between six and 49. These buyers need to know that any organization they do business with can handle that level of responsibility.

Here’s a common scenario that may have played out in your organization: Your SaaS platform is getting a lot of buzz. Existing customers are excited about its performance, and new enterprise leads are filling the pipeline. As you make your way through the sales process, everything is going according to plan, but you’re presented with a lengthy security questionnaire at the eleventh hour. It’s chock full of detailed questions about your security practices and compliance with GDPR. Your tech team is already busy making product modifications to handle such a request. You decide to complete the questionnaire on behalf of your security team, and your answers are incomplete at best. When you sit down for an inquisition led by the prospect’s security and privacy team, it becomes clear that your program doesn’t meet their expectations. In the end, the prospect backs out and turns to your competitor, who was able to swoop in quickly and seal the deal because of their ability to articulate what they are doing to comply with security frameworks and privacy regulations.

In fast-growing organizations, optimizing for growth and feature development is often the priority. Just as with technical debt, decisions you make – or don’t make – today will affect your ability to meet the security expectations of your prospects quickly. While you’re fighting for deals, if you aren’t explicitly paying attention to security, the “security debt” in your organization builds. You’re left with unintelligible and often ad hoc privacy policies and application agreement terms that are confusing (and sometimes even conflicting!) and filled with legal or security jargon. That makes it incredibly difficult to manage and even more difficult for anyone internally to follow, putting all your deals at risk. In contrast, your competitors taking security seriously are flying through the procurement process without hindrance, growing their businesses at every turn. 

Three Steps to Check Security Debt

To avoid security debt choking off growth opportunities, startups need to operationalize data security and privacy by embedding them into the core functions of their company. Here are three elements to consider when making that a reality:

1. Translate security requirements into day-to-day processes

The goal of a security framework is to reduce risk and protect the organization’s systems and data environment, but it won’t do anything if employees cannot follow the processes or remember the policies put in place to meet the requirements. Security and privacy policies and procedures must be understandable, applicable, and accessible to everyone. Many organizations need to follow multiple security frameworks and privacy regulations – for example, both GDPR and ISO, which dictate similar but slightly different minimum requirements. If you’re independently addressing each of them, you’ll end up with overlapping controls and policies that will confuse your employees. On top of that, there are many components that need to be considered, but which apply to you? For example, only specific requirements are applicable if you handle financial data but not patient or sensitive data. By building the security and privacy requirements into day-to-day processes, the process becomes natural and habitual, seamlessly embedding security in the company’s operations to accelerate growth patterns.

2. Designate a security and privacy ambassador

Large organizations often have the luxury of employing multiple departments (legal, security, privacy, and compliance) to ensure security and data privacy rules and regulations are being met. Smaller companies with lean teams may not be as fortunate. When it comes to security compliance, organizations projecting growth should designate at least one individual tasked with looking at the technology architecture through a security and privacy lens. This provides an opportunity to address considerations proactively, understand trade-offs that are being made in favor of development speed, and avoid building up too much security debt.     

3. Map your data assets to reduce risk 

It’s not enough to simply take inventory of your critical systems and data; you need to understand how the data flows to/from the systems throughout the data lifecycle. Asset and data mapping is about collecting “the data”; it’s also about identifying the potential risk exposures throughout the lifecycle. Who has access to it? Where is the data stored? How is the data stored? What types of data are being collected? How is the data shared? In early-stage companies, data flows are often architected for speed and growth; few are constructed with privacy and security ramifications in mind. By mapping your system and data assets and maintaining them regularly, especially as things change, your organization can build policies and procedures that specifically minimize potential risks.

Driving Growth Securely

Gtmhub is an example of an organization that has used security compliance to drive growth. The company provides a flexible platform that helps the world’s largest brands adopt, measure, and achieve their objectives. Since companies use the platform to align individual, departmental, and corporate objectives with overall business goals and strategy, the information held within the platform can be highly sensitive.

Prospects often require reassurance around Gtmhub’s security practices before deciding to move forward with a deal. Fortunately, the company proactively considered this and launched a security initiative to achieve and demonstrate both SOC 2 and ISO 27001 compliance. That effort has streamlined this key element of the vendor management process. Now, instead of going through a rigorous security audit with every customer, they simply present them with an already-made attestation by an external third party that verifies compliance. As a result, Gtmhub can showcase critical security controls and close deals faster.

To be fair, security debt is common. Anyone who has worked in a startup can attest that things don’t always go according to plan, but organizations can consider the long-term impact of that debt and make a remediation plan. Seek opportunities to build accessibility and simplicity into your data protection and privacy processes from the start. You will have a foundation to support your organization as it grows.