Tag Archives: Open Source economic models

Practical security management for startups

We normally associate the term “small business” or SME (small to medium-sized enterprise) with commercial operations that buy and sell, manufacture products or provide services – lawyers, plumbers, accountants, web developers etc.

However – there is an important class of small business that is often overlooked when it comes to information security, and that is the technology startup. A high tech startup is an SME by all definitions – usually less than 50 employees – but it doesn’t buy and sell and neither does it provide professional services. Unlike other small businesses, a high tech startup is almost purely focussed on product research and development. In almost all startups, a very high percentage of the work is software development. Even if the startup develops hardware – there is still a strong software development focus.

Intuitively – one would say that a primary concern for a startup is IP (intellectual property) protection and that starts with protecting source code.

Counter-intuitively this is not true. There are two basic reasons why source code leakage is not necessarily a major threat to a startup:

1) If the startup uses FOSS (free open source software), there is nothing to hide. This is not strictly speaking correct – since the actual application developed using FOSS has immense value to the startup and may often involve proprietary closed-source code as well.

2) A more significant reason that source code leakage is of secondary importance is that a startup’s IP is invariably based on a combination of three components: domain expertise, implementation know-how and the implementation itself (the software source code). The first two factors – domain expertise and implementation know-how – are crucial to successful execution; without them, the source code on its own is of limited use to whoever obtains it.

The question of how to protect IP still remains on the table, but it is now reshaped into a more specific question of how best to prioritize security countermeasures to protect the startup’s domain expertise and implementation know-how. Prioritization is of crucial importance here, since startups by definition do not generate revenue and have little money to spend on luxuries like data loss prevention (DLP) technologies.

Software Associates works exclusively with technology and medical device developers and I’d like to suggest a few simple guidelines for getting the most security for your money:

The startup management needs to know how much their information security measures will cost and how it helps them run the business. Business Threat Modeling (TM) is a practical way for a manager to assess the operational risk for the startup in dollars and cents. The advantages of the business threat modeling methodology are:

  • Threat modeling places the focus on asset management and Value at Risk reduction before acquisition of information security technologies.
  • Threat modeling helps select the right countermeasures, often prioritizing monitoring before active data loss prevention (for example).
  • Threat modeling, when done right, quantifies risk in dollar terms. This is particularly important when reporting back to the investors on exposure to data loss of IP.
  • Threat modeling helps justify investments in security, compliance and risk management to the management board – simply because it puts everything into financial values: the value at risk and the cost of the security portfolio.

These are similar objectives to GRC (Governance, risk and compliance) systems.

The problem with most GRC and ERM (enterprise risk management) systems is that they don’t calculate risk, they make you work hard and they’re not that easy to use.

I think that we can all agree that the last thing that a hi-tech startup needs is a system to manage GRC activities when they’re working to make the next investor milestone.

Startup management needs a simple security management approach that they can deploy themselves, perhaps assisted with some professional consulting to help them get started and get a good feel for their exposure to security and compliance issues.

How does a practical security management methodology like this work? Well – it works by using the common language of threat modeling.

You own assets – for example, expensive diamond jewelry stored at home. These assets have a dollar value.

Your asset has vulnerabilities – since you live on the ground floor and your friendly German Shepherd knows where the bedroom is and will happily show anyone around the house.

The key threat to the asset is that an attacker may break in through the ground floor windows.

The countermeasures are bars for the windows, an alarm system and training your dog to be a bit less friendly around strangers with ski-masks.

Using countermeasure costs, asset value, threat probability of occurrence and damage levels, we calculate Value at Risk in financial terms, and propose a prioritized, cost-effective risk mitigation plan.

That’s it – adopt a language with 4 words and you’re on a good start to practical security management for your high tech startup.
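As an added illustration (not code from the post or from Software Associates), here is the asset/threat/countermeasure vocabulary turned into a small calculation. It assumes expected loss = asset value × probability × damage fraction and that a countermeasure cuts a threat’s probability by a stated fraction; it then greedily picks the countermeasures whose risk reduction exceeds their cost. All numbers are constructed: the jewelry example above plus a design-document asset standing in for implementation know-how.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float        # dollar value of the asset

@dataclass
class Threat:
    name: str
    asset: Asset
    probability: float  # chance it materialises in the planning period (0..1)
    damage: float       # fraction of the asset value lost if it does (0..1)

@dataclass
class Countermeasure:
    name: str
    cost: float         # cost over the same planning period
    reduction: dict     # threat name -> fraction by which it cuts that threat's probability

def value_at_risk(threats, applied=()):
    """Expected loss: sum of asset value x probability x damage (assumed model, not the post's)."""
    total = 0.0
    for t in threats:
        p = t.probability
        for cm in applied:  # several countermeasures on one threat combine multiplicatively
            p *= 1.0 - cm.reduction.get(t.name, 0.0)
        total += t.asset.value * p * t.damage
    return total

def prioritize(threats, candidates):
    """Greedy plan: add the countermeasure with the largest net benefit while it is positive."""
    plan, pool = [], list(candidates)
    while pool:
        base = value_at_risk(threats, plan)
        best = max(pool, key=lambda cm: base - value_at_risk(threats, plan + [cm]) - cm.cost)
        if base - value_at_risk(threats, plan + [best]) <= best.cost:  # nothing left pays for itself
            break
        plan.append(pool.pop(pool.index(best)))
    return plan

def demo():  # constructed numbers: the post's jewelry example plus a startup know-how asset
    jewelry, docs = Asset("diamond jewelry", 50_000), Asset("design documents", 200_000)
    threats = [Threat("break-in", jewelry, 0.10, 1.0), Threat("doc leak", docs, 0.05, 0.5)]
    candidates = [Countermeasure("window bars", 1_200, {"break-in": 0.7}),
                  Countermeasure("alarm system", 600, {"break-in": 0.5}),
                  Countermeasure("access monitoring", 1_500, {"doc leak": 0.4}),
                  Countermeasure("DLP suite", 8_000, {"doc leak": 0.8})]
    plan = prioritize(threats, candidates)
    return [c.name for c in plan], value_at_risk(threats), value_at_risk(threats, plan), sum(c.cost for c in plan)
```

On these numbers the plan buys bars, monitoring and the alarm for $3,300 and cuts expected loss from $10,000 to $3,750, while the $8,000 DLP suite is left out because it costs more than the risk it removes.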


Open Access publishing

The GM of a prospect recently asked me how to control disclosure of internal research documents prior to publication.  It had come as a revelation to him that anyone can post on a blog without permission from a central secretariat.  I asked him how they control face-to-face information exchange with colleagues or competitors outside the company?

Regardless of the hype around virtual reality, social networking and user-generated content, peer-reviewed research requires (in my experience) face-to-face meetings as a basis for a relationship to get started and continue to develop. Regarding the GM’s concern – I explained that there are ethical issues of disclosing trade secrets that can be addressed with appropriate discipline and training and enforced with data loss prevention technologies from companies like Fidelis Security and Verdasys.

Still – open access publication seems an extremely good idea.

I was not familiar with BioMed Central until recently – although the idea of open access publishing, funded by the research, is quite similar to the core idea behind many open source software projects, where the development is covered by commercial or research organizations and the software is published for free.

BioMed Central’s open access publishing model treats publication as the last phase of the research process where the cost of publishing is piggy-backed on the cost of the research. From the Web site:



Teachers Matter More Than PCs

Just as I was wondering how pumping trillions into banks will solve the GFC (great financial crisis) – along comes Craig Barrett (former CEO of Intel) and tells us that Teachers Matter More Than PCs

“We’re bailing out Wall Street, we’ll be bailing out Detroit soon, we’re bailing out the agricultural sector with high subsidies at a time of record crop prices,” Mr. Barrett said. “Where is the public outrage that the U.S. education system is failing our kids?”

This is a particularly cogent point for someone like me who lives in Israel. The Israeli Ministry of Education has been installing massive quantities of PCs in classrooms from kindergarten to 12th grade high school. The lip-service to PC and Microsoft Windows usage in the classroom reached new levels of absurdity when I heard from my niece, who is a first grade teacher, that they teach computer literacy and how to use Microsoft Paint. It is no accident that achievements of Israeli high school students in international math tests have fallen from the top 10 to the bottom 50 in less than 20 years.

Schools should take a lesson from best practice risk management of large software engineering projects:  increasing the number of programmers in the middle of a failing project is a very bad idea.  Less is more in programming and less PCs are more in the classroom.

Give the classroom back to the teachers. Invest all that money in better salaries. Our kids live and breathe Internet and computers – it’s part of their life, and just as there is no reason to teach children how to use a phone, there is no reason for a first grade class to learn how to use Paint.
