In the video below, Jeff Chin, Security Specialist at Microsoft, and Jason Green, Principal at HEXIGENT Consulting, lay out a dark scenario for Canadian startups not paying attention to the global regulatory shift towards greater transparency during data breaches.
“Most of those paying attention to these changes are the large enterprises,” Green says. “Because they’ve got shareholders looking at them to make sure they’re secure.”
However, startups less prepared than global enterprises to deal with changing regulations won’t see any leniency when it comes to compliance. Failure to comply with changes to Canada’s PIPEDA (Personal Information Protection and Electronic Documents Act) could cost Canadian startups up to $100,000. For non-compliance with GDPR (General Data Protection Regulation), Canadian startups holding the data of EU citizens could face fines of up to €20 million or 4 percent of global annual turnover, whichever is higher.
But Canadian startups appropriately horrified by the darkest-timeline scenario, where data breaches lead to loss of customers, a brand hit, and non-compliance fines, still have work to do when it comes to building security into their processes. Chin indicated the decision point is as much cultural as it is technical.
“Getting the perspective of security into how you build things, how you educate, into the product early on is really key,” he says. “Without those mechanisms in place early on it becomes much harder. Don’t make [security] a separate stream; build it in early on so it becomes a pervasive part of the culture.”
Green agreed that culture is key, putting the responsibility on startup founders and the leadership teams to make security a core business decision. “They’re ultimately responsible for the information that flows through their company,” he says. “And they can set the tone from day one and make it an ongoing process.”
When it comes to setting the tone for security, both experts agreed that flipping the script, so that closing security holes becomes as highly regarded as shipping product features, is a great place to start. In fact, starting early can solve a lot of problems before they happen.
“The earlier you do it, the less of an onerous task it becomes,” Green says. “Because the more you mature, when you try to then embed security, you’re suddenly having to reinvent your processes.”
For detailed, tactical, proactive steps to make security part of your startup’s culture, watch the video below.