Executive Summary: Security needs to be designed into products as they are developed. New companies need to define their security policies at inception, and need to hire a Chief Information Security Officer as one of their first employees.
Starting a new company or building a new product requires that security be the first thing you think about. When hiring your executive team, a security officer also needs to be at the executive table as one of the first hires.
In the product that you create, every component and piece of logic you use needs to be assessed to confirm that you have built a secure product. Your product needs to undergo continuous security scans. The logic needs to eliminate hard-coded usernames and passwords. The third-party components you use need to be analyzed to confirm that they are not adding vulnerabilities to your product. These components can also change your application's performance characteristics, so measure performance with the security controls actually in place rather than before they are added. While your investors are exclaiming the A-B-C of “Always Be Closing”, you should be exclaiming “Always Be Secure!”
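The paragraph above asks for continuous scanning and the elimination of hard-coded usernames and passwords. The following is an added example, not code from the original article: a small scanner that flags credential literals in source and configuration text (while treating templated placeholders such as `${VAULT_API_KEY}` as acceptable), reports findings with the secret values redacted, and, beside it, the hardened pattern that loads credentials from the runtime environment instead. The sample files, pattern set and helper names (`scan_text`, `load_db_credentials`) are constructed for this example; a production scanner would use a far larger, maintained rule set.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Mapping, Optional

# Detection rules (assumed for this example). Each rule captures the literal
# value in a named group so that templated placeholders can be excused.
CREDENTIAL_PATTERNS = [
    ("assigned password/secret literal",
     re.compile(r"""(?i)\b\w*(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['"](?P<value>[^'"]{4,})['"]""")),
    ("assigned username literal",
     re.compile(r"""(?i)\b\w*(?:user(?:name)?|login)\w*\s*[:=]\s*['"](?P<value>[^'"]{2,})['"]""")),
    ("credentials embedded in URL",
     re.compile(r"""(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@'"]+:(?P<value>[^/\s@'"]+)@""")),
]

# Values that are references to a secret store or deploy-time substitution,
# not secrets themselves: ${VAR}, {{ var }}, <fill-me-in>.
PLACEHOLDER = re.compile(r"^(\$\{|\{\{|<)")

# Constructed sample files: two real leaks, one URL leak, two placeholders,
# and one correct environment lookup.
SAMPLE_FILES: Dict[str, str] = {
    "app/db.py": (
        'import os\n'
        'DB_USER = "svc_billing"\n'
        'DB_PASSWORD = "Summer2019!"\n'
        'DB_URL = "postgres://svc_billing:Summer2019!@db.internal:5432/billing"\n'
        'api_key = "${VAULT_API_KEY}"\n'
        'safe_password = os.environ["DB_PASSWORD"]\n'
    ),
    "config/settings.yaml": (
        'database:\n'
        '  user: "<set-by-deploy>"\n'
        '  password: "hunter2pass"\n'
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str  # quoted literals masked so the report itself does not leak


def redact(line: str) -> str:
    """Mask every quoted literal on the line before it goes into a report."""
    return re.sub(r"""(['"])[^'"]*\1""", r"\1***\1", line).strip()


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per line that carries a hard-coded credential."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match is None or PLACEHOLDER.match(match.group("value")):
                continue  # no literal here, or a placeholder resolved at deploy time
            findings.append(Finding(path, line_no, kind, redact(line)))
            break  # one finding per line is enough for the report
    return findings


def scan_sample() -> List[Finding]:
    """Scan the constructed sample tree; findings come back in file order."""
    results: List[Finding] = []
    for path, text in SAMPLE_FILES.items():
        results.extend(scan_text(path, text))
    return results


def load_db_credentials(env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Hardened form: credentials arrive from the runtime environment (or a
    secret manager that populates it) and never live in source or config.
    A missing credential fails loudly instead of silently falling back."""
    env = os.environ if env is None else env
    try:
        return {"user": env["DB_USER"], "password": env["DB_PASSWORD"]}
    except KeyError as missing:
        raise RuntimeError(f"required credential {missing} not provided") from None


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.excerpt}")
```

Run as a pre-commit hook or CI step, the scan fails the build whenever a finding appears; the redacted excerpt tells the developer which line to fix without copying the secret into build logs.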
Prior to adding new employees to your organization, you need to establish the company security policies. Consider implementing the most stringent security requirements you can find for your employees. Example guides can be obtained from the National Institute of Standards and Technology, the Department of Homeland Security and the Department of Defense. They offer guides on everything from password standards and blocking USB keys and writeable DVD drives to the layers of encryption that you need for your links. It will be incredibly painful for you to implement this after the product has been released. Furthermore, if you let employees operate without these security controls, you have exposed them to malicious code that could be downloaded and corrupt your application.
While the implementation of security controls can be automated, the selection of them is a delicate balance. The trade-off between productivity and the time needed to comply with the policies can impact your product rollout. Your first hire needs to be an individual who is a specialist in security. This individual can then grow into the role of Chief Information Officer or another CxO title. At a minimum, they will join your team as the Chief Information Security Officer. This role needs to be funded for the tools required to monitor the environment for breaches and to respond to a breach.
Combining the right people, security processes and the continuing mindset that security comes first in your product will allow you to create a secure and trusted product.