Technical debt: the other innovator’s dilemma

Startups need to make tough decisions and ruthless prioritization of resources is absolutely necessary for survival. Trade-offs are continuously required, and there may actually be situations with strong incentives for founders to strategically de-prioritize security, such as to accelerate user adoption in order to hit growth targets required to unlock additional funding and keep the organization afloat.

Simple security requirements such as adding multi-factor authentication (MFA) can vastly increase the security posture of a new solution a startup is developing and bringing to market. However, the friction it creates for the user in accessing and using the solution will unfortunately also inevitably slow overall adoption numbers. Many new users will want to immediately access the product to try it out and may not stick around to deal with setting up MFA, resulting in a prospective new customer moving on to a less security-conscious competitor. This is a serious business risk for startups to weigh and consider, and a great example of the kind of multidimensional, strategic, competitive and ethical risk decisions that startups need to navigate every day.

Far too often startups over pivot towards short-term priorities, which then comes back to haunt them when real revenue is at stake.

Along with each decision, regardless of the outcome and results, comes long-term and unintended consequences. More often than not for startups, this results in the accumulation over time of significant security-related technical debt. “Move fast and break things” may sound bold and innovative, however, as a startup begins to take off, paying down this technical debt will become a high priority and at the same time be much harder and more expensive to do.

But while prioritizing security over availability may accelerate things like user adoption for freemium-based or trial offerings, it doesn’t have to slow down overall sales cycles. Having the right security controls in place, and the ability to communicate not only their existence but also their value as part of your marketing and sales messaging to prospects and customers can actually become a competitive advantage, allowing startups to close deals faster. While end-users may be the evaluator or early adopter of products and solutions, they are often only influencers to the sale and not the actual decision-makers who approve the budgets, purchase orders, and write the cheques.

If, for example, a marketing department wants to purchase a new tool developed by a hot new startup, there will likely be a risk analysis review of the solution required, and the CIO or CISO may need to approve the purchase before any real money changes hands. Preparing a package of pre-populated questions and answers to common security questions about your solution and your company’s security practices as part of a new potential supply chain can remove barriers and provide a great deal of comfort to customers allowing the procurement to proceed. This is also true in terms of consumer-focused solutions where a user may be easily influenced to adopt a new product or solution but will quickly abandon it at the first sign of a serious security or privacy risk.

Far too often startups over pivot towards short-term priorities related to adoption and growth, which then comes back to haunt them towards the end of the sales cycle when real revenue is at stake. And even if a startup beats the odds and survives its early stages of growth without experiencing a serious incident, retrofitting and playing security catch up later on will inevitably cost much more in terms of time, money, and reputation due to distractions such as overhauling architectures, re-writing code and re-platforming infrastructure. All of this catch-up work further jeopardizes future adoption and growth at an even more critical stage in the development of the business.

Securing your startup’s future

So why should startup founders prioritize security, privacy, and compliance to a much greater extent right from the very beginning of their new venture? The most concise answer is because it matters to customers, investors, employees, and trading partners.

Ultimately, in order to scale beyond the startup stage or secure a successful exit, the company must safeguard its intellectual property and trade secrets as well as protect customer data and privacy.

To learn more about the cost benefits of securing your organization and practices, click here.

Feature image courtesy Unsplash.

Kevin Magee

Kevin Magee

As Chief Security Officer for Microsoft Canada, Kevin leads the technical teams who are Microsoft’s architects, practitioners and stewards of trust. His team’s portfolio includes solutions that decrease the risk of cyberattack disruptions or IP theft, protect sensitive customer data, comply with global and local data privacy regulations and integrate security across hybrid and multi-cloud environments enabling and safeguarding the modern workplace. Kevin is also one of Canada’s leading authorities on cyber security, cyber risk governance and the convergence of cybercrime and cyberwarfare. He is an ICD.D certified Director with the Institute of Corporate Directors and has extensive experience advising and serving on boards including the Brant Community Healthcare System as well as several technology startups.