How much should startups spend on information security

When you have little to no budget, how do you start spending on information security in a startup to protect customer data and operations? I was asked to comment on this via email by Zack Whittaker for a story he was doing on TechCrunch, and in responding, I found myself getting writer-mad, so I knew I had something to say. Here’s his original article (it’s paywalled as an Extra Crunchy article).

And here are my original thoughts, slightly edited to remove unnecessary emoji and “I know, right???”s from the text.


This is a fascinating question, and in fact, my good friend and longtime collaborator Liz Dahlstrom and I did a talk on this at SOURCE Seattle 2013 on “Implementing Security In A Pre-Investment Startup.”

The biggest thing startups need to recognize is that fractions of a role are a thing. If you have a ten person company that stores no or very little user data on prem, your fraction of infosec (responding to phishing or prepping for potential ransomware spillover effects) is going to be less than one. Like, one person in that company is going to be doing IT all together, and maybe 1/4th of that person’s time will be infosec as opposed to IT contracts management, setting up environments, handling domain issues while collaborating with marketing and sales (which are also often the same person in a small company).

The biggest thing I’ve seen is that if you’re going to have that fractional component in someone’s job, then the leader of that company must jealously guard that person’s fractional commitments. If you as the CEO of a small company have an IT human, and you have told them to dedicate 1/4 time to infosec, take that seriously. That quadrant of the person’s job will grow as the company grows, and when IT needs to hire another person, then the first person might have 1/2 their time on infosec with the second person wholly in IT. Then infosec will grow again, and somewhere around 50 people, you’ll hire the first infosec engineer and generalist who can do things like make sure there’s a corp VPN, or dedicate a day of training to the company each year, while monitoring a nascent SOC and perhaps around 100–200 people, starting to get a SIEM put together. No company under 2000 people without dedicated financial information really needs a fully built-out internal red team with all the skills; that’s simply too expensive compared to the company’s appetite for consuming their results and implementing changes.

The first dedicated person a company should be hiring is the person managing a third party monitoring service that is a SOC in a box. They’re fundamentally blue team. That’s why blue team is so much more important initially. I have found, anecdotally, that you need about one red teamer per ten blue teamers, depending on the company’s business. Basically, after that, red teamers will provide so much fixable data that blue team can’t keep up. That’s the offensive advantage you’re always hearing about in corporate environments.

The smartest thing a startup can do is have their risk person (usually whoever is running finance) figure out their risk profile and threat model, and allocate resources according to that…but very plainly, I’ve never seen the need for a dedicated offensive security pro inside a company until that company is at least 500–750 people. It’s just too easy to knock over targets before that, and you can buy those assessments for much, much cheaper than a FTE salary of one of the most desirable, hottest skillsets in the world right now.

Sometime around 250–500 people, you’ll have that fractional time from one of your infosec people in doing network pentesting/red teaming, and then it will start to expand out, just as I described when moving from IT to a fractional infosec role that will eventually grow. Then the infosec role will start to split from 100% blue team (SOC management) to security awareness. If the company’s big enough to have a real office and real money and real grups on the board, they’re big enough to get phished, to be burglarized for their laptops, to have their data breached. That’s a security awareness pro’s job.

dark server hallway

No company too small to have a person with skills in risk profiling and financial management of liability should be storing customer financial data on-prem. Outsource that liability and responsibility to AWS; it’s what they’re there for. Buy at least one security assessment a year, and it should be more like once a quarter, if you can get to continuous integration and automation of security improvements (which is incredibly hard to do and I’ve almost never seen done well).

Change my mind.

Leave a Reply