Security & Compliance in the Fast Lane: Insights from the Latest nDeva CTO Gathering

Staying ahead of security and compliance challenges is more important than ever for startup businesses. This crucial topic was the focal point of discussion at our most recent CTO Gathering in Sydney.

The evening featured presentations from three industry experts: Simon Raik-Allen, former CTO of MYOB; Hannah (Milborrow) Deveney, CTPO of Local Measure; and James Andrew-Smith, CTO of AssuranceLab.

For those who couldn't make it, don't worry—we’ve got you covered!



Walking the Security Line

Simon Raik-Allen

In his presentation titled "Walking the Security Line," Simon Raik-Allen, former CTO of MYOB, tackled the complex question of how much to invest in cybersecurity.

Simon argued that there's no one-size-fits-all answer to how much you should spend on security for your startup, and the ideal security posture depends on the value your company offers and the trust you've built with your customers.

For example, banks, which rely heavily on customer trust, must invest significantly in security to maintain that trust; if a security breach were to happen, users would likely flee. On the other hand, when big tech companies like Facebook suffer breaches, users tend to stay because of the platform's intrinsic value (connecting with friends, FOMO, etc.).

To help CTOs determine appropriate security spending, Simon introduced a practical framework he calls ‘The Simon Sanctioned Seven’:

  • Segregate systems: Limit the damage a breach can cause by compartmentalising data and access. Compartmentalisation limits lateral movement within your network, so that if one system is compromised the others are not automatically exposed.

  • Encrypt at rest & in transit: Encrypt data both at rest and in transit so that a breach of the server does not hand over the data as well. Encryption at rest only delivers that if the keys live outside the system that stores the data (a key-management service or HSM, not a file next to the database); an attacker who takes the server and finds the key on it has both.

  • Keep off-site back-ups (ransomware): Protect backups against ransomware by storing them separately from production, with credentials that production systems do not hold, so that an attacker who compromises production cannot also delete or encrypt the copies. Test a restore regularly; an untested backup is an assumption.

  • Don’t allow your APIs (or urls) to reveal all your users’ data: Don't let a record be fetched just by guessing its id in a URL or API parameter. Check on every request that the caller is authorised for that specific object, and don't let list endpoints hand back other customers' records.

  • Don’t apply a one size fits all. You can’t afford it: Don't try to secure everything equally—focus on the most critical systems and data.

  • ABP - Always Be Patching: Regularly update and patch systems to close vulnerabilities that attackers could exploit.

  • Find a better list: The seven are a starting point. As your company grows, replace them with a fuller programme: hire a dedicated security team, engage external vendors, and run regular penetration tests.
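The API point above is the one most often got wrong in practice, so here is an added example (not code from the talk) of the vulnerable and hardened forms side by side. A constructed in-memory table stands in for the database and plain functions stand in for route handlers; `caller_id` is the user id that an upstream session check has already established. The visibility rule assumed here is that a record is readable by any user of the same tenant; the names `USERS`, `RECORDS`, `can_read` and `MAX_PAGE` are this example's own.

```python
"""Object-level authorization on a record API: vulnerable and hardened forms.

Added example. Constructed in-memory data stands in for a database; caller_id
is the authenticated user's id from an upstream session check. Assumed rule:
a record is readable by any user of the same tenant.
"""
import secrets

# Constructed sample data: two tenants, three users, three records.
USERS = {
    1: {"tenant": "acme"},
    2: {"tenant": "acme"},
    3: {"tenant": "globex"},
}
RECORDS = {
    101: {"id": 101, "owner": 1, "tenant": "acme", "body": "acme invoice 1"},
    102: {"id": 102, "owner": 2, "tenant": "acme", "body": "acme invoice 2"},
    103: {"id": 103, "owner": 3, "tenant": "globex", "body": "globex invoice 1"},
}
MAX_PAGE = 100  # server-side cap on list size; the client cannot raise it


def can_read(caller_id, record):
    """The single authorization rule that every read path goes through."""
    caller = USERS.get(caller_id)
    return caller is not None and record["tenant"] == caller["tenant"]


# --- Vulnerable: GET /records/<id> and GET /records trust the URL ----------
def get_record_vulnerable(caller_id, record_id):
    # Looks the row up by id alone; any logged-in user can walk 101, 102, 103...
    # and read every tenant's data (an insecure direct object reference).
    return RECORDS.get(record_id)


def list_records_vulnerable(caller_id):
    # Returns the whole table: one request dumps every customer's records.
    return list(RECORDS.values())


# --- Hardened: the same endpoints, scoped to the caller --------------------
def get_record(caller_id, record_id):
    record = RECORDS.get(record_id)
    # A missing record and someone else's record both come back as None, so the
    # endpoint does not confirm which ids exist; the route maps None to 404.
    if record is None or not can_read(caller_id, record):
        return None
    return record


def list_records(caller_id, limit=MAX_PAGE, after_id=0):
    """Tenant-scoped, capped, cursor-paginated listing."""
    limit = max(1, min(limit, MAX_PAGE))
    rows = [r for r in sorted(RECORDS.values(), key=lambda r: r["id"])
            if r["id"] > after_id and can_read(caller_id, r)]
    return rows[:limit]


def new_public_id():
    """Unguessable id for new records: defence in depth, never a substitute
    for can_read, because ids leak through logs, referrers and shared links."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print("vulnerable, user 1 reads globex:", get_record_vulnerable(1, 103))
    print("hardened, user 1 reads globex:", get_record(1, 103))
    print("hardened, user 1 lists:", [r["id"] for r in list_records(1)])
```

The point is that the hardened version does not rely on ids being secret: `can_read` runs on every read, and the list endpoint is filtered and capped on the server. Unguessable ids make enumeration slower, nothing more.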



Journey to SOC 2 Compliance

Hannah Milborrow

Next up, Hannah Milborrow, CTPO of Local Measure, shared her insights on achieving SOC 2 compliance (specifically a Type 2 report, which covers controls operating over a period rather than at a single point in time).

Hannah detailed the reasons Local Measure embarked on the journey to SOC 2 (strictly an auditor's attestation report rather than a certification), including an expanding customer base, standing out in RFPs, and building a solid security foundation.

Here are her top tips for achieving SOC 2 compliance:

  • Get buy-in across the company: Encouraging employees to raise concerns and share ideas is essential. That’s why you need to cultivate a cross-functional team and integrate compliance into the company’s DNA and culture.

  • Be prepared for some initial upfront effort: SOC 2 compliance requires significant upfront effort so you’ll need to make sure you have adequate time and resources.

  • Pick a tool that can manage the initial and ongoing SOC 2 Process: Select a tool that fits your company’s needs and can manage both the initial setup and ongoing compliance processes through integrations.

  • Automate as much as you can: Automation is key to streamlining the compliance process. Automate wherever possible to reduce manual effort and increase efficiency.

  • Always take a continual improvement approach to SOC 2 Compliance: Compliance should be an ongoing effort. Continuously look for ways to enhance and improve your SOC 2 compliance practices.



Quick Win Tips for Startups

James Andrew-Smith

Last, but definitely not least, James Andrew-Smith, CTO of AssuranceLab, provided practical advice for new companies navigating the landscape of compliance and security.

Drawing on his experience, James highlighted common pitfalls and offered actionable tips to get your startup on the right security footing.



Quick Wins

  • Principle of Least Privilege: Avoid blanket admin access and assign permissions based on user roles—don't use privileged accounts for daily tasks.

  • Do Less: Focus on core functionalities and limit your attack surface. Consider outsourcing non-critical functionalities to other vendors and leveraging serverless solutions or platform-as-a-service (PaaS) offerings.

  • AWS Startup Security Baseline: This resource from AWS provides a checklist of best practices for configuring your AWS environment for optimal security.

  • Cloudflare for Free Security: Take advantage of Cloudflare's free Zero Trust offering for up to 50 users, which allows for device approval and posture control.
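"Avoid blanket admin access" is easy to say and hard to keep true as policies accumulate, so here is an added example (not AssuranceLab's or AWS's code) of a small linter over IAM-style policy documents that flags the statement shapes that most often amount to "everyone is admin". It does not evaluate Condition blocks, so a finding on a conditioned statement is a prompt to review rather than proof of over-privilege. The three sample policies, the `ESCALATION_ACTIONS` list and the account id (the AWS documentation placeholder) are constructed for this example.

```python
"""Lint IAM-style policy documents for blanket grants.

Added example. Flags Action:* on Resource:*, service-wide wildcards on every
resource, open-ended NotAction/NotResource, and privilege-escalation-capable
actions granted on every resource. Condition blocks are not evaluated.
"""
import fnmatch
import json

# Actions that let a principal grant itself more access; on Resource "*" they
# deserve a finding even when the rest of the statement looks narrow.
ESCALATION_ACTIONS = (
    "iam:PassRole",
    "iam:CreatePolicyVersion",
    "iam:AttachUserPolicy",
    "iam:AttachRolePolicy",
    "iam:PutUserPolicy",
    "sts:AssumeRole",
)


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers(pattern, action):
    """True if an IAM action pattern such as 'iam:*' covers a concrete action."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def lint_policy(policy):
    """Return a list of (sid, reason) findings for over-broad Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove access
        sid = stmt.get("Sid", f"statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        all_actions = "*" in actions
        all_resources = "*" in resources

        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource is open-ended; enumerate what is allowed instead"))
        if all_actions and all_resources:
            findings.append((sid, "Action:* on Resource:* is full administrative access"))
            continue
        if all_actions:
            findings.append((sid, "Action:* grants every action on the listed resources; list the actions needed"))
        for action in actions:
            if action == "*":
                continue
            if action.endswith(":*") and all_resources:
                findings.append((sid, f"{action} on Resource:* grants every action in the service account-wide"))
                continue
            escalations = [e for e in ESCALATION_ACTIONS if _covers(action, e)]
            if escalations and all_resources:
                findings.append((sid, f"{action} on Resource:* covers {', '.join(escalations)}, "
                                      "which can be used to escalate privilege"))
    return findings


def lint_policy_text(text):
    """Convenience wrapper for a policy read from a file or an API response."""
    return lint_policy(json.loads(text))


# Constructed sample policies (account id is the AWS documentation placeholder).
DEV_ADMIN = {  # the "everyone gets AdministratorAccess" shortcut
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DevAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DEPLOY_BROAD = {  # looks narrow, but iam:PassRole on * lets the deployer hand any role to Lambda
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Deploy", "Effect": "Allow",
                   "Action": ["lambda:UpdateFunctionCode", "iam:PassRole"], "Resource": "*"}],
}
DEPLOY_SCOPED = {  # the same job, limited to the app's functions and one execution role
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "UpdateAppFunctions", "Effect": "Allow", "Action": "lambda:UpdateFunctionCode",
         "Resource": "arn:aws:lambda:ap-southeast-2:123456789012:function:app-*"},
        {"Sid": "PassAppRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-lambda-role"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("DEV_ADMIN", DEV_ADMIN), ("DEPLOY_BROAD", DEPLOY_BROAD),
                         ("DEPLOY_SCOPED", DEPLOY_SCOPED)):
        print(name, lint_policy(policy) or "clean")
```

Run it over the policies attached to your CI and developer roles: the second sample is the shape that passes a casual review and still lets a deployer pass an administrative role to a function it controls, and the third shows what the scoped version of the same permission looks like.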



Common Challenges and Solutions

  • Avoid Control Decay: Integrate security practices into regular processes to ensure they are consistently followed.

  • Choose Compliance Automation: Use tools like Tugboat Logic, Vanta, and Sprinto to automate evidence collection and control monitoring, reducing manual effort and speeding up the process.

  • Vulnerability Management: Implement a process to identify, prioritise, and remediate security issues. Tools like Nullify and Aikido can help in managing these tasks effectively.

  • Disaster Recovery: Ensure backups are complete and reliable. Use infrastructure as code, managed database platforms, and multi-account or multi-cloud backup strategies to limit risk.

  • Training: Equip your team to identify and avoid security threats. Regular training is crucial in the fight against phishing attacks and other social engineering tactics.

  • Data Security: Be mindful of how data flows across your organisation. Reduce the risks associated with data moving from secure databases to spreadsheets and collaboration tools by using threat modelling and data flow diagrams to visualise your data journey and identify potential vulnerabilities.



Join us next time!

At nDeva, we’re proud to host such valuable information-sharing and networking events. As you can see, there’s much to be learned from engaging with other experts in the industry and meeting face to face to share insights and solutions to the challenges we all face.

From understanding the value-driven approach to security to getting SOC 2 compliance to practical security steps for startups, the key takeaway from the night is clear: security doesn't have to be a burden.

If you want to come along to our next CTO gathering, we’d love to have you there. To join our growing community of over 1000 CTOs, contact aajay@ndeva.com.au.
