Global cybercrime is on the rise, with the potential to inflict meaningful damage on the global economy – to the tune of $10.5 trillion by 2025, according to industry estimates.
As the threat of cybercrime increases, a robust cybersecurity program is an essential defense for businesses of any size. We recently invited two cybersecurity experts from Battery portfolio companies – Cassio Goldschmidt, the chief information security officer (CISO) of ServiceTitan*, and Daniel Schwalbe, the CISO of DomainTools*, to discuss how companies can build a strong cybersecurity posture. On a webinar, the two also shared share their broader security insights and expertise with other members of the Battery portfolio.
From how to start a cybersecurity program to improving cybersecurity readiness, here are four key takeaways from the discussion:
1. It is easy to get overwhelmed building a cybersecurity program, but don’t let that discourage you from trying.
Schwalbe called this out as key advice, citing his preferred approach of “Due Care,” a concept that originated in the legal realm. When applied to cybersecurity, it means that companies should take reasonable steps to protect their information and manage risk. Doing “nothing” is not an option, but large investments are not a requirement to get started. Though your initial budget may be modest, as you set things into motion, you can focus on your main goals and improve your cybersecurity posture through incremental steps.
There are several high-impact areas your team can focus on as you kick off a cybersecurity program. Both Schwalbe and Goldschmidt agree that single-sign on (SSO) and two-factor / multi-factor authentication (2FA/MFA), particularly for email, are essential, for a few reasons. The first reason is somewhat obvious: Business email compromise is a substantial threat. The second is perhaps less well-known: Many cyber-insurance companies will require that you have these controls implemented before they will issue a policy. And third, these features can act as a quick line of defense when an employee account gets compromised, or when employees leave your company – turning off one key credential can ensure that all their access to corporate systems is turned off. Schwalbe and Goldschmidt also recommend implementing basic log aggregation with alerting capacity. This will prevent your systems from bombarding team members with alerts, which will reduce the likelihood that you miss a cyberthreat needle in the haystack.
2. Consider having defense in depth: not just the right programs but the right user education and empowerment as well.
There’s no question that your first cybersecurity hire is going to wear a lot of hats. Recalling his time in this role, Goldschmidt served as both security evangelist and practitioner. “I was preaching security, I was teaching people about security, I was the cheerleader trying to motivate people to think security is fundamental to their business. And at the same time, I was the police there, trying to tell people what to do and not to do,” he recalled.
This first security hire should also have the technical skills to handle any needed investigations and, in the case of SaaS companies, serve as an engineer, as well. As a rule of thumb, consider hiring one cybersecurity employee for every 100 to 200 employees. Cybersecurity engineers should account for about three percent of your total engineering headcount.
Cross-team coordination is also critical. For most companies, it isn’t a matter of if but when a breach will occur. Make sure you have a plan of action in coordination with your legal team, especially if they aren’t in-house. Knowing your plan in advance can ensure that the stage is set for action when a breach occurs, and all initial discovery is taken care of. This will save precious time and resources.
As you coordinate with your team and board, it’s worth reviewing the Harvard Business Review article “Seven Pressing Cybersecurity Questions Boards Need to Ask”, too.
3. Constantly assess gaps in your program, knowing your key points of exposure–especially your company’s “crown jewels.”
Schwalbe defines a company’s “crown jewels” as things that, if compromised by a breach, could lead to a company-ending event. Any process of assessing gaps in your program should pay extra attention to the crown jewels. The Center for Internet Security (CIS) Critical Security Controls framework can walk you through how to assess various areas of your business, generating a score that can help you focus and prioritize efforts. Data backups (and regular testing of these backups) can be a simple starting point to protect key assets and IP, as highlighted by Schwalbe.
As companies mature, they should continue to reevaluate their cybersecurity posture and investments. At ServiceTitan, Goldschmidt uses multiple anti-spam and anti-scam tools. On top of this, he recommends endpoint detection and response (EDR) as well as managed detection and response (MDR) solutions, to catch the inevitable incidents bypassing those tools. It’s also important to have a good behavior-based solution for your endpoints, he notes.
Goldschmidt is also an advocate of “microlearning” for users. This type of interactive and immersive education can not only teach users how to report incidents, but also give them an awareness of the latest types of cyber-attacks as well. One technique is herd immunity, where one user marks an email as a potential threat, notifying everyone else who has also received the email in the process. It takes a village to defend a village.
Planning can go a long way toward identifying and quantifying your security gaps and help you put together a plan for investment. Remember: You can work towards your goals incrementally, but you need to have a clear plan of what you’re working towards.
4. And last, but not least, don’t underestimate the importance of mentorship as you’re building out your cybersecurity program.
Everyone on the internet is a cybersecurity expert, which means there’s no end to the ideas and recommendations–often competing–you can find online. Rather than chasing advice on Google, try to connect with someone who has been a CISO for a while or connect with a CISO roundtable group. The Battery team is always happy to help broker these introductions for portfolio companies as well.
As global cybercrime continues to ramp up, a robust cybersecurity program with the appropriate tools and cross-team collaboration will help you and your organization to ward off threats. We continue to work closely with our portfolio to prepare them for potential cybersecurity challenges ahead.
This material is provided for informational purposes, and it is not, and may not be relied on in any manner as, legal, tax or investment advice or as an offer to sell or a solicitation of an offer to buy an interest in any fund or investment vehicle managed by Battery Ventures or any other Battery entity.
The information and data are as of the publication date unless otherwise noted.
Content obtained from third-party sources, although believed to be reliable, has not been independently verified as to its accuracy or completeness and cannot be guaranteed. Battery Ventures has no obligation to update, modify or amend the content of this post nor notify its readers in the event that any information, opinion, projection, forecast or estimate included, changes or subsequently becomes inaccurate.
The information above may contain projections or other forward-looking statements regarding future events or expectations. Predictions, opinions and other information discussed in this blog post are subject to change continually and without notice of any kind and may no longer be true after the date indicated. Battery Ventures assumes no duty to and does not undertake to update forward-looking statements.
*Denotes a Battery portfolio company. For a full list of all Battery investments, please click here.
A monthly newsletter to share new ideas, insights and introductions to help entrepreneurs grow their businesses.