Founders: Learn From Apple And Make Cybersecurity Strategic

By William Kilmer

As startups become better funded and deal with more valuable data and transactions, they are more vulnerable than ever to the risk of data breaches. Here’s the upside: I think that startup founders can use this to their competitive advantage.

First, the unwelcome news. I have seen firsthand how badly cyberattacks can hurt startups. Here are two of many examples I am familiar with:

• Company 1 successfully raised a Series A investment round. Subsequently, it had a vast amount of data that was inadvertently and very publicly breached. Losing customer and investor trust, it has not been able to raise additional funding.
• Company 2 was planning an IPO. Prior to the IPO its customers expressed concerns about anomalies in the company’s software. Leadership attributed it to poor security practices by its users and failed to investigate. Later it discovered a nation-state actor had breached its network, triggering a massive and difficult incident response and platform evaluation that was expensive and delayed the company’s IPO.

To thwart these threats, founders, boards and startup leaders need to change their approach to cybersecurity. For years they have forgone investment in secure software development, compromising on data security, and putting things in the cloud without concern. They need to start thinking strategically, like Apple.

Be like Apple

In April 2021, Apple made the unprecedented move of launching App Tracking Transparency (ATT) which gave iPhone users the ability to opt out of allowing apps to track and share information. Early indication is that most users are using it and, as a result, companies including Meta (Facebook), Snap and Peloton have reported that Apple is actually impacting their revenue.

More importantly, App Tracking Transparency allowed Apple to be seen as the most secure and private mainstream phone in the market. And positioning matters.

Apple’s position as the most secure solution will continue resonating with customers. In a recent informal poll conducted on LinkedIn, 50 percent of respondents said they would be most likely to trust Apple to maintain their privacy and security in the metaverse. Only 2 percent voted for Facebook.

How to make cyber strategic

As a startup leader, how do you make cybersecurity and privacy strategic for your organization?

First, treat cybersecurity as a capability, not a cost. This small difference moves you from the mindset of minimizing cost to optimizing investment. This is about what processes and data sets you need to protect and differentiating yourself.

Second, if your head of engineering or COO is your “acting CISO,” it’s time to hire a real chief information security officer. Giving that role to your VP of engineering is insulting. It’s also unrealistic to expect their expertise to extend to cybersecurity. If you need to, hire a part-time CISO. There are many organizations that will provide one on a fractional basis.

Third, define and set cybersecurity strategic objectives at the board level. Create goals, not a dashboard of security metrics that you will achieve to build your capabilities. Define what it means to be the most secure and private solution and set those as your objectives.

Fourth, step up to write security into your value proposition. Start outlining and distinguishing exactly how your solution is different, and help your sales organization understand how to position security as a tangible customer benefit.

Finally, make security a product feature and incorporate privacy and security into your product roadmap. For too long security and privacy have sat as a tradeoff for time to market. It’s time for your development team to treat it as a requirement, not an option.

William Kilmer is the managing partner of C5 Capital, a specialist venture capital firm that invests in cybersecurity, space and energy security. 

Illustration: Dom Guzman

Learn More