Implementing Cyber Security and Why You Should do it NOW with Jake Miller
Jara Rowe: Gather around. As we spill the tea on cybersecurity, we are talking about the topic in a way that everyone can understand. I'm your host Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. Picture this: you're a founder of a SaaS company and you understand how important cybersecurity is, but you don't necessarily understand how to implement that. Or you have additional questions like, "Do you even have the manpower?" But this would not be an episode of The Tea on Cybersecurity if we did not answer some of those questions for you. And we will be talking about how to implement a cybersecurity program early on, not only for a product but for your company as well. And we also know that I am not the cybersecurity expert, so I have someone here that will be answering these questions for me. Jake Miller, the CEO of The Engineered Innovation Group, will be joining me on this episode. Hey, Jake.
Jake Miller: Hi. How are you doing?
Jara Rowe: I'm fantastic. How are you?
Jake Miller: Great as well. Thanks for having me.
Jara Rowe: Yeah, for sure. I'm excited to get a better understanding of what it all takes to create a cybersecurity program early on. So one of the first questions I typically start off with my guests is, why do you think cybersecurity is such a foreign topic or so confusing for people?
Jake Miller: Part of it is, one, it's just a foreign topic. I think there's a lot of confusion; the regulation and rules may seem like they change frequently. There are a lot of acronyms like GDPR, CCPA, SOC 2, ISO, and it just gets maybe overwhelming and intimidating in some circumstances.
Jara Rowe: I definitely understand that. And you mentioned SOC 2, which we've had an episode about that and it's been super helpful for people to better understand everything. So I skipped the most important part, letting you introduce yourself. So can you go ahead and introduce yourself and let people know why you are an expert and they should even be listening to you?
Jake Miller: My name's Jake Miller. I'm, as you mentioned, CEO of The Engineered Innovation Group. I have a long background, about 20 years in software engineering development and product development. Spent some time at Salesforce as a director of engineering there for the marketing automation suite of products. Worked at a company called Meta CX and was CTO there, which is where I really had my first foray in leading a security program from the ground up. And then I left that company to start EIG, where we specialize in building MVPs for startup companies. And the reason security is always top of mind for me is it's often not top of mind for our customers. 10, 15 years ago, it may not have been such an important topic. It may not have been so top of mind, but now it's pretty much table stakes to have a compliance, security and privacy program in place when you're building an MVP. Part of that is actually because of things like GDPR and CCPA, where you need to be able to provide answers to questionnaires about security and your privacy practices and compliance policies and procedures, all that fun stuff.
Jara Rowe: So you mentioned a term that I am not familiar with, which is MVP. Please explain what that is.
Jake Miller: Yeah, so MVP is the minimally viable product, and that is to say, what is the least number of features you need in order for someone to adopt and use your product?
Jara Rowe: Okay-
Jake Miller: There's a minimally marketable product, and that is, what's the minimum amount of feature sets that you need to have someone pay you money to use that product? There's this idea that the more expert you become in a certain domain, the more vocabulary you have. So if you are living in an area with a lot of snow, you have different words for snow. Eskimos do actually have different words for powder snow versus heavy snow versus wet snow. And so I say that because in the software development, product development, SaaS world, you also start developing those vocabularies. So we think of pre-MVP as clickable prototypes, some low-fidelity product that you're actually building. The MVP is split into two sections. What's your steel thread? Meaning, what is the feature set from end to end? Just that one thread is all you need to develop first. Then you build on top of that the rest of your MVP product. And then from that point you move to what I call post-MVP, which are things like the minimally marketable product and ongoing support and feature development and enhancements, that sort of thing.
Jara Rowe: Yeah, I can definitely imagine a lot of SaaS founders having that conversation. Kind of like the chicken and the egg, "What comes first, or what is that one thing that we need to get people in the door?" So you mentioned a lot of things about SaaS companies and things like that, but why is it important to build security into a company, and not only the product, from day one?
Jake Miller: So I think one misconception, and I even had this when I was going through this process with a former company, is that security is just about the platform or the software itself. In reality, that's actually a smaller portion of what a good, healthy security and privacy program looks like. The other misconception is that security is all that matters, when in reality compliance and privacy are just as important as the security. So it's important to build your privacy, security, and compliance programs early on because there's an expectation in the market, especially for enterprise-grade SaaS companies that are working with, let's say, hospital systems, these big clients that you're trying to get into upfront, and there's just that expectation that you have at least started to take those programs seriously. As I was saying before, it's things like your corporate security policies that are really important. Whether you have all of those things running or not, whether you've actually implemented them all, that's important to get to that point, but you really need to have a roadmap to get there. So don't wait until you're a year in to figure out what those things are, because then you have a lot of backtracking you have to [inaudible].
Jara Rowe: Yeah, you have to go back.
Jake Miller: Yeah. And I've seen this several times with companies where I've walked in, whether they're clients or not, and their head of engineering is saying, "Oh, my gosh. We're going through SOC 2 compliance. My entire engineering team stopped because we have to go back and we have to do X, Y, and Z, and it's just a pain in my butt." And in reality, if that had just been done from the beginning, and partnering with someone, even like Trava, you can save yourself that headache. And it's actually more than a headache. It's actually not fun at all.
Jara Rowe: Yeah. Marie Joseph, she's on the Trava team. I recently interviewed her for a podcast episode and she talked about how much time it really takes to then go back and do everything when it comes to getting a compliance certification. So you end up saving time and money if you start earlier on.
Jake Miller: Right. That's absolutely right.
Jara Rowe: Yeah. So one of the things you mentioned was a roadmap. Do you have any other advice for a founder when it comes to building security into the company and not just the product?
Jake Miller: Yeah, I would highly suggest partnering with someone that's been there, done that, and that could be, again, someone like Trava that specializes in it, or it could even be, shameless self-promotion here, someone like EIG, where we start that process for you with your policies and procedures. So we don't just focus on the product, which is something I think is special about us as an engineering and development partner; we also focus on the organization. So a lot of times I'll see founders that will think, "I just need two developers and we're going to go hands on keyboard." In reality, you're not just building a product, you're building an organization, and think about what your processes would be. What would your policies be? How are you going to introduce your team to security? All those things matter way upfront. Don't forget that you're building an organization, not just a product.
Jara Rowe: Especially earlier on, I would assume that a founder would just be so heads-down in the product, or even thinking about it from a branding perspective, just not thinking about all of that in one bucket.
Jake Miller: Yeah. And I don't think I'm the expert to comment on that either, but I'm going to comment on that [inaudible]. But we work with a lot of startups. I think it's been 12 in the past year that we've helped get off the ground. And fortunately, I think the CEOs that we work with are very business-minded. They're thinking about runway, especially in this economic environment where [inaudible] being able to extend your cash and cash flow is just incredibly important to... it's an existential risk. But on the product engineering side, even when a technical co-founder comes on, very often I don't see that they are product-minded. They may be feature-minded. And so all that stuff becomes, "Oh, well, we'll get to that. It's just a distraction. It's going to cost us money." And in reality, if you look six months down the line, you would've saved yourself a lot of headache if you'd done that sooner. In fact, we had a customer just this year; we started working with them at the end of July, and by early November they had gotten through a security review with a major hospital system because they had thought about what those programs should look like early on. If they had not done that, it would've cost them another three months in order to get that very important first client on board. So I mean, you're talking impact on time to market as well.
Jara Rowe: For sure. So you just mentioned money and revenue, so I would love to talk about budgeting. I understand that a budget is typically a big factor for companies, especially early stage companies. So what advice would you give? And is it possible to give a ballpark number when it comes to creating that security program?
Jake Miller: So I would say, and this is from experience as a CTO at a... technical co-founder and CTO at a company where we did this, and as now CEO of a company that helps startups get started, you should think about this in different steps. So for your first year, I would estimate that you want to set aside between $20,000 and $40,000 for a SOC 2 assessment. That's your Type 1 and maybe Type 2, and that's probably, in the US, the most important security or compliance framework to get certified in early. I would also highly advocate that in order to get to that point where you can prove that you are following all the controls in those security frameworks, you have to have the policies and procedures, you have to be able to prove that you're following them, and you need a partner for that. That is something where you're going to have to have someone dedicated, or that is responsible, for your security program. And that can be someone that's outsourced, and it's probably going to be very cost-prohibitive to hire that person in immediately. Even a CTO or technical co-founder that doesn't have experience in this probably shouldn't take it all on their shoulders to begin with. I highly advocate that you partner with someone that's an expert in it, and by doing so you save a lot of money.
Jara Rowe: So now that we've talked about overall costs, I would like to get into the how: how does a company founder implement a security program from day one? I feel like you touched on it a little bit previously, but I would love for you to go into that a little more.
Jake Miller: Yeah. So the way I've approached it in the past, and the way I still approach it, is to start with a policy document. Actually, there are two prongs here. From an organizational, operational perspective, it is: what does a policy document look like? And you can get that from a partner; frankly, you could probably go out on the web and find a template that you want to start from. They're fairly standard, and then make sure you're checking those boxes. Do you have the ability to satisfy the requirements in each of those policies or not? Another thing that I advocate is for folks to go look at that security controls documentation, because it'll often give you an idea of what the things are that you're going to have to do. For example, you need to have an acceptable use policy, you're going to need a password construction policy. These are things that aren't hard to implement but are just table stakes. Once you have that document in place, then it makes sense to say, "Now we're going to get a vendor or a partner or whoever it is that's the expert in security and privacy to [inaudible] that, 'Okay, this is a correct program that you're preparing to implement.'" So that to me is a scrappy way to start. But before you go to tell a customer, "Hey, we have a security program," and I just stole a template off the internet, make sure you're talking to the expert that's able to go through that and make sure it is meeting industry standard, and that you are putting together a program to say, "Where are you in implementing it?" That's actually probably a really important point too. Don't get intimidated by whether you are actually implementing everything in your policies yet. Very early on, the most important thing is to have a policy, have procedures, so you know what you're working towards. That's your roadmap.
Because a lot of organizations, even big organizations that are working with startups, understand you're six months old; of course you're not going to have a full business continuity, disaster recovery plan where you have a whole team that comes together that's just working and swarming a problem. You probably have one or two people, but at least you have your baseline so that you can work towards implementing that in the future.
Jara Rowe: So you just mentioned roadmaps, and you are already talking about important elements, but if there's like one thing that has to be included in a security roadmap, in your opinion, what is that?
Jake Miller: It would be your risk register. What are the things that are the biggest risk to your business and to the technology? And make sure that your board of directors and your executive leadership team understand and have approved that. That will also help you figure out... Because cybersecurity at the end of the day is about risk management. And what you want to figure out is what risks you are willing to accept and what risks are non-negotiable. And that can't be something done in a vacuum; that is something done at a business level just as much as a technical level.
Jara Rowe: So when it comes to risks that you are willing to have, who owns those decisions? Is it the board or is it a mixture?
Jake Miller: Yeah, it's a really hard question for a startup, especially when you have maybe three people: who's responsible for security? But I think it's important early on to decide, "Do you have the right people or the right person that can be responsible and held accountable?" And if not, work with a fractional CISO or a partner that is an expert, which is cost-effective, but you have someone that's an expert that can be held accountable and responsible for it. I have also seen... In fact, this was the case at my last company. At the end of the day, I as CTO was responsible for security, and I was going to be held accountable for it, which is why I decided to partner with someone. Because that's a big responsibility, and I was [inaudible] the expert. We were also fortunate enough to have a DevOps person that had some security background that could own and manage a lot of the paperwork, the documentation, the rollout and implementation for us. I will say the risk register is something that the board should approve and should be curated by the executive team, because there are components of that risk register that are financial components. So your CFO, whoever your acting financial advisor is, should be part of that. There are business continuity components. If you don't have a plan for multi-region backups, which probably shouldn't be a problem in this day and age with cloud technology, but set that aside, there could be a financial impact there that the CEO probably should have a say in, whether the investment should be made to address that problem or not. So I don't think the responsibility for making all the decisions necessarily is on the shoulders of a CTO, but I do think there should be a person that's named the person accountable. In fact, security programs, in every questionnaire you will get, would require that you have one person named as the responsible party. So you have to pick.
Jara Rowe: So what is the right approach and timing for a founder and a company to invest in cybersecurity?
Jake Miller: I frame this as, "At what point do you have a product people are using and entering data into?" If you're building an MVP and you don't have anyone entering data, there are no customers on board yet, you're still in development mode, that's the time to start thinking about the operational side. What would your policies and procedures for the organization look like? And then at the point that you have software for the MVP that you're deploying to a production environment, that's the point in time to start doing your internal audit, your vulnerability scanning, your risks to the board and your internal executive team. That's the point that really is the execution point of your security program, in my opinion. The reason for that is, up until that point, things are changing a lot very quickly. For a startup, that's kind of the point of MVPs: to figure out how you can get to market traction as quickly as possible, pivoting along the way. If you said, "I'm going to do a SOC 2 audit in month two," and you don't even have your architecture laid out, you're just going to burn cash. There's no point in doing that.
Jara Rowe: Definitely. So Jake, if you could give one piece of advice to someone starting a SaaS company when it comes to a security program, what would it be?
Jake Miller: The most important piece of advice I could give a founder starting their company regarding compliance, security and privacy is to... I hope this doesn't sound silly or just too repetitive, but think about it now, even if you are... Look, I'm not the expert in this. Find someone. Talk to them. They don't even have to necessarily be a partner. It could be someone that's been through it before. At least get some sort of education on what you're looking at and what lies ahead, so that you can well arm yourself and prepare yourself and your organization for what lies ahead on that journey.
Jara Rowe: Yeah. So listeners, even if you don't think you're susceptible to breaches or attacks, it's still very important to build security literally from day one.
Jake Miller: It is. And there is something that I failed to mention in this whole conversation, because I focus a lot on getting past security reviews, but that's really not the most important thing. The most important thing is that you actually are protecting your customers' data, protecting your customers' privacy, because at the end of the day, one, it's just the right thing to do, in my opinion. There are ethical and moral implications, but it also has a bottom-line impact. You can very easily tarnish your reputation and bankrupt your company very quickly if there's a data breach or a privacy breach. It's not worth that risk.
Jara Rowe: I don't remember the actual statistic off the top of my head, but I do remember that for a lot of small companies, small businesses, when you do have a breach or an attack, it typically shuts the entire business down and you won't be able to build up your reputation again to move forward.
Jake Miller: Yeah, there's one's own professional reputation on the line as well.
Jara Rowe: All right, Jake, so now we are getting into one of my favorite sections of the podcast, which is our lightning round questions.
Jake Miller: I'm ready.
Jara Rowe: When you hear cybersecurity, what's the first thing that comes to mind?
Jake Miller: Risk.
Jara Rowe: Risk. Why is that?
Jake Miller: Your cybersecurity program is just as much about risk management as it is security. And that's why when someone says, " Cybersecurity program." To me, it's risk, risk mitigation, risk management.
Jara Rowe: Perfect. Okay. So I know what my answer is to this next question, and at this point it's slightly embarrassing, but it's the truth. So when it comes time to change your password, do you come up with an entirely new password, or do you just tweak the one that you used previously?
Jake Miller: Yes. This is where a password manager becomes very important, so that you are able to easily generate a password that meets the password construction policy in your policies and procedures documents. And that's what I do.
Jara Rowe: I have to admit, previous to Trava, I would just add a 1 or a 2 at the end of the password because I didn't want to come up with an entirely new password. But now I do use those password managers as well just to come up with whatever it is.
Jake Miller: Yeah, it's also why single sign-on options are really helpful. So if you use Google Workspace or whatnot and you have a single password to access, or to authenticate for, the other systems, then there are fewer passwords to manage.
Jara Rowe: Yeah. All right. So what is the craziest attack you've heard about, seen, or worked on?
Jake Miller: Yeah, so this is actually a very close-to-home one at a former role. I won't mention which one. It was a long time ago. I was a software engineer on a new product, and I was like, "I'm just going to go test and see if I can break anything." Now, one of the things I was able to do, that fortunately had not been found, I was able to delete, or actually I was able to export, all the data from a different table in the database than I was supposed to be able to. That's crazy that that was possible. And we were able to fix it very early on, right before it went out to production. So I would say that's the most close to home and scariest, because our software could have been affected.
Jara Rowe: All right. So give me a cybersecurity prediction of yours that you think we may see over the next five years.
Jake Miller: I think, as much hype as there is around artificial intelligence and machine learning, we are going to find that those tools and those paradigms are put in place to find vulnerabilities more quickly and more easily than humans can. AI and machine learning are particularly good at pattern recognition, and I think that we're going to see more white hat hackers, but also malicious actors, using those sorts of tools to find vulnerabilities.
Jara Rowe: So final question of this section, which I think is the perfect question for you, what do you wish people would ask when it comes to cybersecurity and risk management?
Jake Miller: My answer to that is, I just wish people would ask. I think that's the thing that concerns me the most. In fact, a lot of times when I'm working with prospective clients and we provide them a statement of work, we always include a security and privacy aspect inside that. Always; it's just non-negotiable. And a lot of times, in fact most of the time, we'll hear from those prospects, "Wow, none of the other development partners even mentioned security." I think it's just asking the dev team, the software engineering team, whether it's in-house or an outsourced partner, how are they going to manage that?
Jara Rowe: Yeah, we've talked previously about how sometimes people just stay away from topics that they aren't too certain about. But when it comes to cybersecurity, and from the early start of a company, that's the wrong approach. You do want to ask those questions that may seem silly, but you really want to ask those early on. Thanks for tuning in to another episode of The Tea on Cybersecurity. I hope that you were able to get your questions answered. If not, find a way to reach out to me and I will be sure to ask them for you. I don't know about you, but I found the information that Jake gave us during this episode extremely helpful. And now that we've spilled the tea, it's time to go over the receipts. The first receipt that I took away is that security is definitely more than just the product. So as you are creating that program, it's important to think about your organization as a whole and how everything works together to keep your product, company, and customers safe and secure. The second thing I took away was how you implement this program. And the first thing that Jake said is, "You need to create a document or checklist, and there may even be one on Google for you to then go through and make sure that you satisfy some of these things that a compliance framework like SOC 2 may need from you." And two, which could be the most important, is that, "Especially early on, you may need to find an expert or a partner that can help guide you through the entire process of creating a roadmap, creating your program, to also make sure you satisfy those compliance measurements as well."
And the final thing I took away is that when it comes down to the roadmap, your risk register is the most important, and that just allows your company to see what risks you are susceptible to, and then you can talk to your board and figure out what you are willing to accept and what you don't want to accept, and then you are able to figure out the prioritization of how you remedy these risks. Thanks for tuning in to The Tea on Cybersecurity. If you like what you listen to, I would be greatly appreciative if you could leave me a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.
DESCRIPTION
“It’s so important to build your security programs early on because there's an expectation in the market, especially for enterprise grade SaaS companies, that you have at least started to take those programs seriously.”
Jake Miller, the Chief Executive Officer of the Engineered Innovation Group, has a long background in software and product development and focuses on helping companies to design and build new digital products. As security programs are needed now more than ever, Jake explains why it’s important for SaaS companies to build security into the company, not just the product, from day one. Listen in as he shares his roadmap to security.
What you’ll learn in this episode:
- The reason why it’s crucial for SaaS companies to not only implement cybersecurity programs for their products, but ALSO for their company - starting from day one!
- Jake Miller’s roadmap for implementing security into your company, seamlessly
- How to develop an appropriate budget for implementing security programs within your company