Connect with us

Hi, what are you looking for?

Business

Start-ups and security: Tips for success, an interview with established security professional, Arun Chauhan

Chauhan has noticed a glaring issue in one prominent part of the IT world- start-ups

Photo courtesy of Arun Chauhan
Photo courtesy of Arun Chauhan

Opinions expressed by Digital Journal contributors are their own.

There is a unique perspective afforded by those who have experienced the full knowledge of lack of security. These people know what can happen if things go wrong. And they know that things will go wrong if proper preventative measures aren’t put in place. It’s a chilling prospect, but one the world cannot go without. Being prepared for the worst-case scenario is very useful after all. And one of the people who promote this preparedness is Arun Chauhan, an accomplished leader in Information Security, with a background in military cyber security.

Mr. Chauhan’s most recent career arc is in the private information sector, leading a security engineering team at one of the bigger tech companies in Silicon Valley. He has noticed a glaring issue in one prominent part of the IT world- start-ups. More specifically, their cyber security, or lack of it in the foundations of start-ups. And Mr. Chauhan has much to say about this oversight.

You have a storied career, Mr. Chauhan. But you started working in the private sector comparatively recently. When did you start working with startups specifically?

Chauhan: I’ve been working for start-ups for 8 years now. I’ve been involved with 4 of them, in varying domains like cyber security to connected cars. I’ve seen them at various growth stages, and their culture makes me concerned for their cyber security.

That’s quite interesting. How does start-up culture connect to their cyber security?

Chauhan: People in start-ups tend to focus on their product. They want to rush to secure their spot on the market as soon as possible. Which makes sense, as they don’t have time to drag things out. But the consequence of that is how little thought goes into securing their code- their crown jewels. Since most startups are born in the Cloud and often experience data breaches, it is concerning to witness. I have seen the result of cyber security not being on the agenda in the first 3 to 5 years. It is an incredibly important period for the new company, and not having a solid foundation leads to many complications down the road.

A solid foundation is truly a universal notion. What would you say makes it especially important for start-ups to have this foundation?

Chauhan: Start-ups scale up pretty quickly. For example, one could start with 10 cloud-based accounts. But, by their third year, they might have more than 30 accounts. They go from 1000 instances to 30,000 instances in a short amount of time. Managing and securing these accounts is easy if you have an asset inventory. But without one, you will always be behind the curb when trying to prevent data breaches.What you cannot see, you cannot protect. It’s impossible for your workforce to keep up without the inventory. It increases the window of opportunity for attackers. This is especially important because it is common in start-ups to not know what is important to protect. Legacy infrastructure, which is no longer managed actively and is exposed to the internet, could be an easy gateway to your network for the cyber attackers.

So, it is important to know what to protect and how to protect it.

Chauhan: Exactly. Risk assessment is a big part of that. As is awareness of security concerns. I’ve seen how security is handled with system administrators, who work on security as part of a dual hat responsibility. The lack of awareness  and the urgency culture lead to a belief that securing their assets is not a big loss in their initial years. But they couldn’t be farther from the truth.

When do start-ups usually realize that security is a concern? What do they do then?

Chauhan: Usually after the business grows to a certain point. Then, they have to follow regulations and laws, and might have to pay big fines if exposed to a data breach. When they realize this, they look back and see they don’t have a foundation of good security. The common reaction is to start putting a security plan in place, but it is too late to prevent data breaches. Especially when the investment in security comes after suffering a data breach. It’s one of the worst case scenarios for a new business vying for customer trust. 

Why is it too late? One would think it would be better late than never.

Chauhan: The issue with applying protections later on ties back into the lack of knowledge on how many systems the company has, and who controls them. The lack of proper previous security might mean unauthorized people could be controlling certain accounts without anyone the wiser. There is also the possibility that no one is managing certain systems due to the lack of the asset inventory existing and being updated from the beginning. It would lead to outdated software, another avenue for a data breach.

Let me give you an example. Think of voice over IP systems that used to be popular a while back. There was a change in preferred technology, and a switch to a different means of communication technology. But the hardware and software for the previous IP system still exists in the network. Without security measures in place, or even oversight of the system, it becomes the weakest link. From there, it is easy for attackers to access and cause mayhem.

And this mayhem would lead to regulations being broken and fines being paid. Have you seen this happen in your own professional interactions with start-ups?

Chauhan: I have. I have seen a company pay substantial costs in terms of penalties for data breaches and a subsequent suffering of brand image. It might even be a worse outcome than the start-up failing completely. It is why I am heavily involved in explaining the impacts of security vulnerabilities and how to remediate them.

It seems a lot of these issues stem from the culture of urgency in a start-up’s early stages. How does this occur, specifically?

Chauhan: It is the idea of speed over security. The urgency culture also includes a belief of allowing a free hand for developers in order to aid creativity and shorten production time. The result is a lack of clear cloud security policies and the means to implement them. Security policies and controls make developers feel like their hands are tied. It is one of the main security-based risks start-ups face.

What are these other security-based risks?

Chauhan: Security misconfigurations, which are a result of speed over security. It is, by far, the most prevalent reason for data breaches. Since developers do not want to go through lengthy processes to obtain permissions or submit to security reviews, they simply  don’t implement that infrastructure. Most are not even aware such an infrastructure can be put in place. It is not uncommon to find exposed storage buckets that have been left unattended after its creation. It used to be that the default configuration for these buckets was insecure. It took a few data breaches for the default mode to be secure by default. However, new cloud-based services are all about adding new features, and are, once again, less secure by default.

It seems that a lot of the onus is on developers. What do you think about that?

Chauhan: Applying security patches in the cloud is hard. I’ve seen that businesses want to avoid the downtime that results from such activity. Simply, it’s a lack of vulnerability management, another major risk. If they just started out with a good vulnerability management system, it would be easy to implement security patches when assets have increased. But since start-ups don’t do that, there is an increase in downtime issues, making the then bigger business scared to implement security updates. But the lack of action would combine with the security misconfigurations to expose assets to the internet, which is a short walk away from data breaches.

Circling back to these default configurations. Are they widely implemented by start-ups?

Chauhan: Cloud services have actually made it easier to implement automation which can contain and remediate exposure resulting from security misconfiguration within seconds of its happening. It’s a very effective strategy. Unfortunately, there is not much investment into improving it, despite the potential to save costs long-term. There is also a perception that implementation of automation would disrupt normal business operations, despite them being easy to do. Developers tend to focus on automation that helps them increase their speed of operation and efficiency, and very little on automation that increases security. It exists, and start-ups need to start taking advantage of this useful resource, especially the ones who do not have adequate security staff.

It seems that everything leads back to a lack of awareness of the importance of security.

Chauhan: For software developers, security vulnerabilities might not always make much sense. And most companies do not invest in secure coding practices. Some I know of do not even have quality assurance teams that specialize in security evaluation of production ready code. It is a spiral that has led to a dearth of knowledge on how to remediate vulnerabilities in code. Remediation of a code in production is very complicated and time consuming. Not to mention the impact of business operations. Once the company falls into the pit, it is hard to climb out of. And awareness will make sure they don’t fall in the first place.

There is a lot to consider. What advice would you give to those who want to understand these issues better?

Chauhan: I would suggest reading a document created by the Cloud Security Alliance called “Cloud Security for Startups”. It details much further than what I have discussed here, and is an excellent resource.

On a similar note, what other challenges have you faced getting people to understand these risks and work towards mitigating them?

Chauhan: The biggest challenge is getting people to understand the long-term advantages of investing in security. Most people think security is something you can just buy and implement, like an antivirus or firewalls. That is not the case. It is an infrastructure that supports the company, not just a simple tool. Even if a start-up doesn’t want to or cannot invest in a sizable security team, they should at least have a smaller, qualified team to put a security foundation in place from the beginning. The team can grow as the company grows. I’ve rarely seen it happening, but I hope the practice spreads.

Companies that only implement security to comply with government or third-party regulations is another challenge. Compliance and security are not the same thing. Compliance is a point-in-time checklist. Security is a holistic process and is consistently evaluating and making changes to a system with a good foundation. It is not something you put into place and forget about for other concerns. Security is a long-term investment that will bring about good results even if you don’t always see it.

How have you overcome these challenges?

Chauhan: I have noticed that communicating the value of security in business terms helps. As well as actually demonstrating the impact of the lack of security. It drives home the point to decision makers more than anything else. Implementation of training helps, especially for developers. Other simple things like training common employees about subtle attacks like phishing is also an important strategy.

It seems like a lot of work. How do you view the journey towards improving security for start-ups?

Chauhan: I’ve actually realized that the process is not so hard or costly as it is perceived to be. Being part of a security team should be portraying yourself as a business enabler rather than an obstacle.

I truly believe start-ups can implement good security from the beginning with minimum costs using even open source security tools. They just need to be ready to invest in hiring the right security talent and building a pro-security culture. And all that starts with knowing how to go about it. Awareness is the key to greater heights.

Avatar photo
Written By

Jon Stojan is a professional writer based in Wisconsin. He guides editorial teams consisting of writers across the US to help them become more skilled and diverse writers. In his free time he enjoys spending time with his wife and children.

You may also like:

Business

Every day in a simple temple in an Indian village, Hindu priest Subhramanya Sharma prays to his god for JD Vance to become vice-president...

Life

On an improvised pitch in war-ravaged Gaza, a young player and goalkeeper block out the boisterous crowd and focus solely on the football as...

Business

Traders are shifting cautiously as they weigh the outlook for US policy post-election.