Recently I stumbled upon a blog post with a title starting with the words “Do security like a start-up…”. That rang my inner alarm bells! When reading the post, I relaxed again. It was about the need for business and IT to work together and the recommendation to look for more generalists rather than specialists – both aspects I fully buy into, even while acknowledging that good generalists are a rare species.
But coming back to the title…
Interestingly, the post was published just around the time of the discussion about the severe security issues of WhatsApp. WhatsApp is just another example of a start-up that failed to provide a secure implementation, and just another example in a long series of start-ups that have failed badly at security.
If “security like a start-up” were about having all people - business and IT - security-trained, that wouldn’t happen to such an extent. The problem is that start-ups typically don’t act the way they are described in the other post, at least not when it comes to security.
Probably the better title would have been: “Start-ups should also apply the strengths of start-ups to security…” Until that happens, you had better be careful about security when evaluating start-ups or actually using their software and services. I have seen too many of them (outside of the security-related start-ups) with a horrible lack of knowledge about security, and thus ending up providing inherently insecure software. And these days, when security has become a major concern for everyone from the end-user to the enterprise, that has to change.