SafeBase Webinar: Security Best Practices for Early-Stage Startups

Stan Chang
March 29, 2021

Stan Chang  0:00  
Welcome, everyone. We're excited that you joined our talk this afternoon. We have two great guests that will be sharing their experience around startup security with you.

Chris Castaldo is the Chief Information Security Officer at Crossbeam and is also the author of Startup Secure: Baking Cybersecurity into Your Company from Founding to Exit. He's a transformational cybersecurity executive who creates innovative solutions to enable businesses to operate safely and securely. He's built cybersecurity organizations at Dataminr, 2U, IronNet Cybersecurity, and also worked at the National Security Agency solving some of the most challenging national cybersecurity issues. Chris is also a US Army Operation Iraqi Freedom veteran.

Kevin is the Director of Information Security at SafeBase and is overseeing our internal security program as well as having a direct role in the future of our product. Prior to joining SafeBase, he was a consultant in the financial services world and helped start the security programs at Jet.com and SeatGeek. So without further ado, let's get right into the discussion. Chris - you have an upcoming book, can you tell us a little bit more about what's in the book and why you decided to write it?

Chris Castaldo  1:37  
Absolutely. And thank you for having this event today and having me on. So the book came out of a process of reading a lot of books that founders and startups are supposed to read, right, top 10 books every founder should read. When I went through these books, almost none of them talked about cybersecurity, or any type of risk really. So it came out of that. I wanted to write it specifically for founders, something that was consumable by pretty much anyone and then actionable. So you read the book, and then do something with it. Do something with the knowledge you just gained. So yeah, happy to be here today.

Stan Chang  2:22  
Awesome. And you want to tell us a little bit about Crossbeam?

Chris Castaldo  2:26  
Yep. So Crossbeam is a very interesting company, I just joined in January. And they work in the partnership space, and basically allow you to take your sales data and your partner's sales data and find matches and help increase revenue and drive sales. Really cool platform and exciting company to be part of, this type of rocket ship type startup.

Stan Chang  2:55  
Got it, thank you. So open question to both Kevin and Chris, how does a small startup deal with evaluating vendors? Do you have any shortcuts that they can take?

Kevin Qiu  3:07  
Great question. Yeah, I'll take a stab at this one. So this is a pretty common problem, especially with tech startups, right? Everyone uses a whole ton of SaaS products, G Suite, Slack, you name it. And I think one thing that people don't realize is that everyone has this problem, right? It's not just the small companies, the big guys have all these different tools to evaluate. And so how does a small team of let's say three or four people do this? Well, there are a couple things to consider. And so the first thing is, you know, have you used some of these tools in past jobs where other security teams might have already approved them? Or, do you know the security team there personally, right? So there are some things where it's probably not very realistic for you to do a full-on evaluation with 1000 questions in a questionnaire. And so part of it is, if there are tools that you've kind of already been using, it probably makes sense to keep continuing them. Chris, do you agree with me, for startups at least?

Chris Castaldo  4:08  
Yeah, yeah. I would also add to that, from a tactical level, you as a founder or part of a founding team, right? Maybe you don't have that expertise. So you know, basic things like going to their website, looking at things like their privacy policy, do they have Terms and Conditions listed? That starts to give you a window into their maturity. There's things, kind of a whole chapter I talked about this in the book, open source tools, like looking up their DMARC, right? Do they have email security in place? Things you can look up externally, looking at the security headers on the website, there's a free website (securityheaders.com), throw any URL in there and it gives you, I believe, an A plus through F grade. Lots of things that you don't need to be a cybersecurity expert in but can quickly evaluate a company and say, you know, is this risky, is this not risky, should we push for stronger terms, you know, looking for things like do they have a DPA in place. And that all goes back to what is this vendor going to do for you at the end of the day.

Kevin Qiu  5:19  
Yeah, I think a big part of it too is trying to understand what data you're going to share with them. And so if you're trying to evaluate a vendor that, let's say, you're going to share customer social security numbers with, you should probably spend a lot of time looking at them. But let's say you're just thinking of getting a service to order snacks for the office, probably not a big deal at the end of the day, right? If they get breached you can replace your credit card. So you kind of also have to use your best judgment with stuff like this too.

Stan Chang  5:51  
You guys both joined early-stage startups as the first security person and a common question I've heard from founders is when should a company hire their first security person in house? Do you guys have any views on that?

Chris Castaldo  6:14  
To start, you know everyone's favorite answer, it depends. Maybe you're a mobile game developer, you're probably not going to take in a lot of sensitive information, maybe you know username and password probably. You don't need a security team right out of the gate, you probably can outsource a lot of things. But there's things you can look at internally. You've got the advantage of knowing what data you're going to eventually take in, what customers you're going to try to sell to, is it a B2B business, is it a B2C, where are you operating? Are you in the US? Are you going to sell to European customers? GDPR implications there. So looking at those types of things internally can pretty quickly tell you, do we need a security team right out of the gate. Let's say you're a pharma biotech startup, you're developing some new disease treatment - that's very lucrative, right, to advanced attackers, nation states, what have you. So you're probably going to want someone earlier on, maybe you know in that initial founding team. Other places could go years without having in-house security, so again, it depends.

Stan Chang  7:41  
We hear a lot about SOC 2s and Pen Tests, this external validation. Can you first of all explain what a SOC 2 and Pen Test is for everyone that doesn't know, and then speak to when in the startup's lifecycle you suggest getting these external validations on their security program?

Kevin Qiu  8:07  
For those of you that aren't familiar, SOC 2 audits are a way for customers, mostly on the B2B side, to get assurance that a company is doing most of the right things around security. So you get a third party auditor that comes in, inspects your internal processes, looks at your policies, things like that. This is becoming an increasingly common ask by larger enterprise customers and even in some cases medium-sized companies, and the reason why is because, as I'm sure you see in the news, there's all of these articles and headlines about data breaches, every other week you see a new one. And so, B2B companies are more cognizant of this and they're basically holding everyone to a higher standard in security. Pen Tests are more for your application and your networks, so they're very technical, and so a Pen Test is where an external party will try to find security bugs in your app or try to get inside of your network and access the internal servers and things like that. This applies to both B2C and B2B companies because, you know, consumers themselves might not ask for Pen Tests, but you also want to make sure that even if you're a consumer company your app is pretty hardened and that there aren't huge gaping bugs that you should be fixing. In terms of a timeline for when to start getting them, I'll defer to you Chris on your thoughts.

Chris Castaldo  9:41  
Two different threads there. SOC 2, definitely if you're B2B, pretty early on can be very valuable, it can be a huge sales tool. Because if you're selling into organizations, unless you're a cybersecurity company, you're probably not selling into the cybersecurity team there. So making sure you kind of understand what that procurement process looks like, what they're going to ask for; SOC 2, ISO, tons of certifications out there. SOC 2 being the most popular one that I've seen in my career. On the pen test side, it depends what you're building. Are you building a SaaS app? Are you building something that's going to be on prem and in someone's data center? What type of data is it going to be accessing? Typically, when you pass those lighthouse customers, right, you're not selling into design partners, you've got a full kind of go-to-market team. That's probably a good time, prior to that, to start thinking about getting a penetration test, because you're going to start getting those questions. When you're at that initial foundational formulation phase, you're working with design partners that understand you're an early-stage startup, you don't have a giant team in place, there's going to be give and take there. But when you start selling into enterprise, not friendly customers, people you're not as familiar with, that's probably a good indicator when you need to have those reports ready to go.

Kevin Qiu  11:23  
I've actually had some cases of enterprise customers asking, like me, as a vendor, can we pen-test your app? Have you also seen that as well?

Chris Castaldo  11:43  
I have seen that. Typically, most legal teams will strike that language from those documents, or change it in a way to give audit rights. That's a really great way to make sure you're baking in some type of security into your deal, to say we'll agree on a mutual third party that will do this penetration test at either your cost, or our cost, or shared cost. It really depends on the relationship.

Stan Chang  12:31  
I personally have heard a lot about cyber liability insurance recently. Can you guys explain how that works? And if you think that's necessary for early-stage startups?

Kevin Qiu  12:47  
For those of you that aren't familiar, most businesses have some form of liability insurance in case something goes wrong. And so cybersecurity is a newer domain that more insurance brokers are offering. They're basically a way for your company to have support in the event of a really big public data breach. You can file a claim and get some money because of financial loss. The thing that's a little underrated is a lot of them are offering PR support, and also just general incident response. So Coalition is one where, if you're a Coalition policyholder, you actually get access 24/7 to a security hotline, where you can call up their team if you think you have a breach, you can talk to them, and they'll walk you through some steps to take. The answer is it depends. So if you're just starting out your company, and you don't even have a real MVP yet, it's probably too early. But when you're starting to get more and more customers, and especially the bigger ones, you'll actually start to see language in some of the contracts requiring you to have some form of insurance. And so honestly, the cost isn't really that high. And so I would suggest maybe getting it when you're in your seed stage or a little later, just to be prepared, especially if you don't have dedicated in-house security. It doesn't hurt to have the insurance, as "insurance", pun intended.

Chris Castaldo  14:24  
Yeah, I have to double down on that. 100% agree. You know, as you're building your organization, it's a lot speedier to get a cybersecurity insurance policy in place than it is to build out a program. Deploying tools, deploying solutions, getting pen-tests, remediating findings; the policy is really your final backstop in a worst case scenario. I definitely agree with Kevin, it's very cost effective. There's lots of great brokers out there, I would highly suggest starting with your broker. If you're at seed stage, you probably already have some type of policy in place, but your broker should really be able to walk you through the options, walk you through the different parts of that policy as well, because it's not always a blanket coverage of cyber. Some will break out phishing, some will break out ransomware coverage, so it's really important to know those finer details and also their process of filing a claim. Some brokers like you to go through them first before you call the carrier. Talking to your general counsel is also highly important in those scenarios, making sure you talk to them first before you call anyone, if you have inside or outside counsel. I definitely agree there is a huge value to have that in place very early on.

Kevin Qiu  15:54  
One thing to think about is, if you're a B2C company, sometimes you see in the news after a breach, so-and-so retailer that accepted credit cards is now offering credit monitoring to all users, and if you have 100,000 users or a million users that's $70 a month x 12 x total number of users. The cost can actually run pretty high, and that's just credit monitoring. There's also other stuff like hiring a forensics person, potentially getting sued by some of your customers if they found that you were negligent. So yeah, look into insurance, it doesn't hurt.

Stan Chang  16:35  
Chris, you've always been a big proponent of transparency during a sales process when security comes into play. Can you talk a little bit about your best practices around sharing with your customers, how that all works, and what benefits come out of that?

Chris Castaldo  16:55  
Yeah, I really try to put myself in their shoes because I have been in their shoes. I've been on both sides, being the buyer, being the seller. Depending on the organization size, you know, if you're selling to an enterprise, those teams are looking at deals constantly. They might have an entire vendor risk team just to look at things that the business is buying. Putting yourself in their shoes, trying to make their lives easier, that serves two purposes - it builds trust with those teams, they feel comfortable that the business is buying something that's not going to create more risk. Maybe it'll even eliminate risk, so that's one huge value proposition for that. And then on the other side is just the deal itself. I've seen these types of procurement processes that involve legal, cybersecurity, privacy, add days/weeks/months to deals sometimes. Especially when you're in your startup, when a deal closes is very important. So making sure you're thinking about that customer, not just like oh we want to make a great product that they're going to love, but also the part that no one really likes, negotiating terms. That isn't the fun part of going to buy a car. You want to buy the car, get home, and drive it, you don't want to deal with all the red tape. Looking at it from that standpoint, self-service as much as possible. As long as there's some protection around what you're sharing, transparency is key. I really think at the end of the day, it makes their job easier, it makes my job easier. Especially being at a small startup when I'm reviewing vendors and that's part of my job. I just want to find the information I want to find and help the business make that risk determination. Just because something looks risky doesn't mean the business shouldn't use it. There's other places to mitigate that risk, maybe in your terms on the contract. Put yourself in their shoes and try to make it as easy as possible.

Stan Chang  19:19  
As a follow-up question, one of our guests is asking: they're saying that getting a SOC 2 is a way to bypass conversations, but we're pushing this alternative with the security status page. Can either of you talk about these alternative means of proving security value as a follow-on to transparency? They're saying that they're pre-populating questionnaires and sharing those ahead of time. Are there any other things that people can be doing?

Kevin Qiu  19:57  
Regarding the questionnaire question, there are things like the SIG, there's the CAIQ, the VSA Core. One thing that I've started suggesting to some of our customers is, all of these questionnaires, they're frameworks, templates, they have a fixed number of questions. And at some point, you're gonna have things in your security program that aren't addressed in those 300 questions. And so one thing that you can do to really show that you are proactive is talk about things that aren't normally asked. A lot of the common questionnaires like the CAIQ, they don't really go into a big deep dive on your product security features. They might have something like: do you scan your code with a static analysis tool? But they don't really allow you to explain how your infrastructure is set up, or why your zero trust solution really works for you, and why it's better than a traditional VPN. Like, I would go above and beyond, and really show people that you care about security, and you're going farther than just a SOC 2. And that you're doing things for the sake of doing them and not just to check a box. A lot of CISOs talk about how a lot of these compliance standards, they're great, because they're a bare minimum. But there's so much that they don't cover. If you think about food labels, there's not necessarily a legal requirement for all meat to be organic. But when people see organic, they're like, yeah, probably higher quality, right? That's one of the reasons we have a Product Security card in SafeBase: I found a lot of these questionnaires don't allow you to express your product security in an efficient way, and so we encourage people to do it.

Chris Castaldo  21:42  
I 100% agree on that. I just want to add on real quick, I know we're coming up on time. But if you look at those vendors out there that are really forward on what they're willing to share, you can make assumptions that the inside is even more robust. Everything might not be public, maybe there's some stuff you need to get an NDA in place to get access to. But when an organization's that forward on what they're willing to share, it makes my job much easier to figure out if this is a risk or not. And that's really our job at the end of the day.

Kevin Qiu  22:23  
Yeah, Chris, I don't know if you've seen GitLab's security handbook. It's basically their internal security policy, all of their information. It's fully public, or at least most of it is. And as a security person, when you look at it, you're like, wow! They're not messing around here, and they really don't have a lot to hide. And that's a good thing.

Chris Castaldo  22:41  
Yeah, exactly. They're a great example.

Stan Chang  22:47  
Another question we have from the audience is: for startups selling to enterprise, is there a reasonable way to "rent a CISO"?

Kevin Qiu  22:58  
Great question. Before I joined SafeBase, I was actually a consultant for a little over a year, where I was working with smaller startups, helping them establish basic security. There definitely are a lot of small consulting shops like the one I had that do this for you. And one of the reasons you want to rent the CISO in the beginning is because in a lot of cases there isn't necessarily 40 hours of security work to do at the beginning of a company. One of the first things that a lot of these consultants help out with is to help you figure out: what is your actual risk profile? What are some policies you should have in place? They're really there to help you set the foundations, they're not going to be your security person all the way through your Series E. If you search for vCISO, which is a pretty popular term, virtual CISO, you'll see that there are a lot of folks who maybe were CISOs for 10 or 20 years, and now they kind of work with smaller companies part-time to provide general advice for a few hours a month, because sometimes that's all people need. Some of them will be full-time. But most of them are very flexible, and most of them also offer free consultations. Ask for some recommendations from folks you know and have a conversation with them to see how they can help.

Stan Chang  24:19  
I have a question that came in about repeating the resource, Chris, that you mentioned for checking domain security and email encryption settings. Do you mind just going over that again?

Chris Castaldo  24:35  
For website headers, securityheaders.com. For email security checking, like DMARC records, MXToolbox is one. There's a lot of vendors that sell DMARC solutions - they provide a free search on their website. Another great one is DNSdumpster. It gives you a little more granular detail into an organization's DNS environment - do they have dev things exposed to the internet? Do they have RDP exposed to the internet? Lots of free resources that you can take advantage of.

Stan Chang  25:22  
Thank you very much. To wrap it up, I just want to talk a little bit about SafeBase. We're a tool for companies to streamline their security assessment workflows during the sales process. We offer a security status page product that enables you to organize your security program information in one easily accessible place. It makes it super easy to share with your customers and track how they're interacting with the page. You can check us out at safebase.io or by getting in touch with us. Thanks a ton to the panelists and to the audience for joining the webinar. This is a continuing series, where we will be having CSOs as our guests. So please, stay tuned, more information to come about our next webinar. And we'd love to have you guys join us for more exciting talks in the future. Thanks, everyone. We'll see you all soon.
