How Your Early-Stage Company’s Security Posture Factors into Investor Diligence

It’s a cold, hard truth that cybersecurity is essential for any company in any industry. But for earlier-stage companies, it can be an extra-large challenge and one that goes overlooked in favor of other, also necessary tasks and work. Think of the adage: the squeaky wheel gets the grease. For many companies, cybersecurity isn’t a problem – until it is.

And amid all of the myriad reasons why cybersecurity is important, here’s another one – it can play a role when the time comes to seek investors. While most venture capitalists (VCs) aren’t scrutinizing the security posture of the companies they are evaluating for potential investment – at least not yet – that’s not to say it can be ignored.

Where security and governance come in

As mentioned, investors and VCs aren’t really looking for a solid governance policy plan during the evaluation period, particularly if it’s an early startup. In fact, with the exception of certain highly regulated industries – think financial services or healthcare – it’s probably not even in the top 10 things they think about.

In the beginning, the good news is that everyone knows now that compliance or security issues can get sorted out later – so it’s not a pre-qualifier for getting funding. The VC acknowledges this, which is helpful initially. The problem is that the compliance and security issues often get kicked down the road – if it even gets identified or flagged as an issue – to be worried about at some undefined future date. And therein lies the problem.

Understanding the Special Sauce

While investors may not be putting “security and governance” into their top 10 lists, it does pertain to something that is very much on that list. This is especially true when it comes to AI – and that’s the issue of whether there’s really net new innovation in your company.

Are you really doing something uniquely different? And where are you pulling data in from? How are you using data? How are you tracking people? This immediately introduces privacy and regulatory concerns, particularly if your solution is an app that gathers a lot of personally identifiable information (PII) or customer data.

So then, particularly if your solution uses AI, what the would-be investors will want to understand is: how dependent is the algorithm or the model that the AI is using on third party data or via an API from a platform vendor?

For example, imagine that you’re building a Salesforce automation app that plugs into Salesforce.com or HubSpot and gathers user  data from that platform via APIs. Are you processing or enriching that data? Do you have permission from the platform vendor or its users to modify or analyze that data?  Is the data actually coming from the APIs, or are you pulling in the data directly from users? Are you following the terms of service of that data platform? Is your solutions’ entire value dependent on highly available access to that third part data? In this case, will Salesforce or the CRM vendor object or not object to what you’re doing with that data? All of these are essential questions that you will need to ensure you’re addressing in the here and now.

APIs and integration

The issue of data collection leads directly into matters of integration and APIs. RapidAPI noted in its latest Developer Survey Report that developers have grown increasingly reliant on APIs

during the pandemic. The company forecasts the trend will continue to increase this year. For instance, 61% of developers used more APIs in 2020 than in 2019, and 71% plan to use even more in 2021.

However, experts have long worried about the security risks associated with the widespread use of APIs – and Gartner has predicted that by 2022, API abuse will become one of the most common attacks seen by security teams.

Many companies rely heavily on APIs for that aforementioned “special sauce” – they’re not using just the API from a third party but the data coming through it – and not all companies are processing or using said data in the same way. In fact, too often it’s easy to overlook it – which can ultimately bite them in the backside in a big way – including on the investor front.

Early-stage security

As mentioned earlier, many times compliance and security issues keep getting pushed to the side as startups focus on what seem like more immediate issues. Companies take the “We’ll deal with it later” approach – and investors tend to share that viewpoint. But the reality is that such a strategy can have major blowback and serious repercussions.

Even the smallest, earliest-stage company needs to start thinking about their security strategy and giving it priority. Begin by documenting your processes and developing your IT infrastructure plan to incorporate the risks of a data breach or even the potential loss of API access to key data sources  Failing to do so could send the whole house of cards crashing to the ground if the business idea can’t stand up to security scrutiny. The potential impact on their ability to garner investments is just one more reason in a thousand. And another perk – having a well-documented infosec program in which you can show a proven track record can also help you negotiate a lower holdback fee. Consider your differentiators and how you will use APIs as a starting point for creating a business that rests on a solid security foundation.

Commentary by Ray Kruck, CEO and founder, Tugboat Logic.

This report/news/ranking/statistics has been prepared only for general guidance on matters of interest and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, CEOWORLD magazine does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

Email Address*

Name