Gartner estimated that global security spending would reach over $150 billion in 2021. However, as ransomware and other cyber threats continue to spike — along with the average cost of a breach — many startups may be wondering how they can improve security practices without breaking the bank. After all, with security threats showing no sign of slowing down, incremental increases to cybersecurity budgets can only achieve so much. The answer? Creating a security-first culture in which all employees play a part in securing customer and company data.

Creating a security-first culture

In many traditional organizations, data security is considered a responsibility of the information technology (IT), cybersecurity and compliance departments. While security specialists are still essential, data security cannot be a siloed effort. And in startups, security leaders have the opportunity to do security differently by adopting a security-first culture.

Built upon the belief that protecting customer data is not a problem to be handled by the security team alone, a security-first culture requires cross-functional, company-wide collaboration reaching beyond solely technical teams. While a security-first culture is still possible (and should be encouraged) in larger organizations, newer startups have the opportunity to build a security program in a more collaborative way by starting from the ground up.

Practicing a security-first culture

How do startup employees put a security culture into practice in such an environment? Here are a few strategies for enterprise security leaders working at startups.

Security champions program: First, Aumni has developed a security champions program. This program requires each engineering team to have a product manager and one engineer identified as the security champion. These champions operate as an extension of the Aumni security team. They are the eyes and ears for security where the security team can't be present or isn't always part of the conversation.

Regular meetings with leadership: Security professionals should embed these engineering security champions and security specialists into decision-making processes. Standing meetings with divisional leaders and engineering squads allow businesses to review and plan how decisions affect security posture and keep them apprised of application changes relevant to security. This way, the engineering security champions and security specialists communicate regularly and provide insight and guidance to decision-makers.

Coordinate with all departments: While it is still vital to employ a strong security team in a security-first culture, security specialists should work directly with other groups to ensure security takes priority at every layer of the company. The most vigilant organizations follow the recommendations of their information security leadership teams, such as implementing tools and procedures for access control, asset management, risk assessment and mitigation, and more. The ones that go above and beyond also train their team members in security awareness and best practices.

Security awareness training: At Aumni, security training is tailored by role, with all non-technical employees receiving general security awareness training both upon hiring and annually. Regularly updating company employees on the latest security developments can also bolster a security-first culture by incorporating information sharing into the organization, such as through programs like a “security tip of the week” presented by the information security team or highlighting “infosec ambassadors,” individuals who exhibited vigilance or adherence to company policy. Weekly recognition represents a unique opportunity in a startup’s security-first culture — making security collaborative and using it as a way to highlight the dedication of employees across the organization.

Automate security initiatives: Finally, whenever possible, automate or programmatically enforce security practices by leveraging zero trust and single sign-on to manage internal access to systems and data on a least-privilege basis. Even with a security-first culture, technical controls must exist to ensure nothing slips through the cracks.
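The point above is that culture should be backed by an enforced control. As an added illustration (not code from the original article or from Aumni), the block below shows the shape of a deny-by-default, least-privilege authorization check of the kind a startup might place behind its single sign-on provider: a role is granted only the actions it explicitly needs, an unverified zero-trust posture signal (here, MFA status) is refused before roles are even consulted, and a periodic review reports permissions that a user holds but never exercises, so they can be removed. The role names, resources, the `mfa_verified` signal and the sample usage data are all constructed for the example.

```python
"""Deny-by-default, least-privilege access check (added example, not Aumni's code).

Assumes an SSO identity provider asserts a user's roles and an MFA posture
signal; everything below (roles, resources, sample usage) is constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Constructed role -> permitted (resource, action) pairs.
# Anything not listed here is denied: there is no "allow all" role.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "engineer": frozenset({
        ("source-repo", "read"), ("source-repo", "write"), ("staging-db", "read"),
    }),
    "security-champion": frozenset({
        ("source-repo", "read"), ("vuln-tracker", "read"), ("vuln-tracker", "write"),
    }),
    "finance": frozenset({("billing", "read"), ("billing", "write")}),
}


@dataclass(frozen=True)
class Principal:
    user: str
    roles: FrozenSet[str]   # as asserted by the SSO provider (assumed)
    mfa_verified: bool      # zero-trust posture signal from the same assertion (assumed)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(principal: Principal, resource: str, action: str) -> Decision:
    """Grant only if posture is acceptable AND some role explicitly allows the action."""
    # Posture check first: a valid role does not help if the session is not trusted.
    if not principal.mfa_verified:
        return Decision(False, "mfa not verified")
    for role in sorted(principal.roles):  # sorted for a deterministic reason string
        if (resource, action) in ROLE_PERMISSIONS.get(role, frozenset()):
            return Decision(True, f"granted by role {role}")
    # Default outcome: nothing matched, so deny.
    return Decision(False, "no role grants this action")


def effective_permissions(principal: Principal) -> FrozenSet[Permission]:
    """Union of everything the principal's roles allow (unknown roles add nothing)."""
    perms: set = set()
    for role in principal.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def unused_permissions(principal: Principal,
                       observed_usage: Iterable[Permission]) -> List[Permission]:
    """Least-privilege review: granted permissions never seen in the usage log.

    Returned sorted so the review output is stable from run to run.
    """
    return sorted(effective_permissions(principal) - set(observed_usage))


def audit_line(principal: Principal, resource: str, action: str, d: Decision) -> str:
    """One structured log line per decision, so denials are visible to detection."""
    outcome = "ALLOW" if d.allowed else "DENY"
    return f"authz user={principal.user} resource={resource} action={action} " \
           f"outcome={outcome} reason=\"{d.reason}\""


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"engineer"}), mfa_verified=True)
    for res, act in [("source-repo", "write"), ("billing", "read")]:
        print(audit_line(alice, res, act, authorize(alice, res, act)))
    # Constructed usage log: alice never touched staging-db, so it shows up for removal.
    print("unused:", unused_permissions(alice, [("source-repo", "read"), ("source-repo", "write")]))
```

Two design choices matter here: the check denies unless a role explicitly grants the action (no implicit permissions), and every decision produces a log line, which is what lets the security team see denials and tune roles rather than discovering gaps after an incident.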

All hands on deck

With ransomware attacks increasing 151% in the first half of 2021 and data breaches growing steadily over the last year, cybersecurity investments protect and secure startups’ data. But without an “all hands on deck” attitude about security, bad actors can still slip through the cracks no matter how many security tools you’ve put into place. A security-first culture may make security more collaborative (and even fun), but it’s also critical to improving any startup’s security posture. After all, startups tend to have a more collaborative culture overall — why shouldn’t that extend to how security is handled?