“Early stage startups have very little money and even less time,” explains Antti Vähä-Sipilä, Principal Consultant at F-Secure.
Recognizing it may be difficult for startups to utilize traditional security consultancy services, F-Secure is offering lean and targeted security and privacy services to Maria 01, the Nordic’s leading startup campus.
Neglecting cyber security or privacy now may result in unnecessary hurdles later on, possibly when the company is on the verge of achieving key goals.
“At some point, you’re going to seek more funding, or you may be acquired,” Antti says. “That’s when you’d not want it to become a stumbling block. And a major data breach may be an existential risk to a mid-stage startup. You don’t have to invest a lot of money. But you need to know which steps to take and what not to take, in architecture, technical design, and compliance. If you look at it early enough, changes will be easier.”
The following two case studies are examples of F-Secure successfully advising startups.
Case Study 1: How to become the example that auditors use for other startups
What Antti Laatikainen, Senior Security Consultant at F-Secure, remembers most about walking into Noona Healthcare for the first time was all the enthusiasm.
“People were excited,” he says. “It sort of infects you.”
This was 2016. The startup brought in Antti and his colleagues to take its cyber security out of the startup phase.
Having developed a mature cloud-based mobile service focused on cancer treatment, Noona was ready to pursue the ISO 27001 industry standard for certified security management—an ambitious goal for an ambitious company. The employees had built out their security systems, but needed guidance to prepare for full compliance.
“We provided them with a team of experts according to their needs” Antti says. “The goal was to build them up to readiness for assessment.”
Noona’s experience working in healthcare, one of the world’s most regulated fields, gave the effort a head start.
“The culture of quality was already there, so people were already accustomed to working towards compliance. Practical steps to make infosec management clear to all stakeholders were what we brought into the table.’”
Antti says that Noona was “a small shop with a big vision,” but the mentality that makes for a successful startup often isn’t compatible with auditable cyber security compliance.
“People are so focused on the product. Security stuff and regulation and compliance are seen as boring. And it is boring, and repetitive. But it still needs to be kept on the table with a good humor.”
He finds that addressing security compliance is challenging when a startup needs to be agile and responsive to client needs.
“Either you need an outsider who will be able to build up trust, or an insider who takes it as a role,” he says.
With F-Secure’s help, Noona eventually had both.
Soon the company was ready for its ISO 27001 certification.
“They passed it with the first try.”
Since then, Noona has been audited and passed two more times.
“The auditors said that they use Noona as an example for other smaller companies.”
Over the last two years, Antti has transitioned from a coach to what he calls “a CISO-as-a-service.” He works on site three days per month, talking with developers and engineers, coaching, guiding, and checking development tickets.
“Basically, I drink coffee and answer questions.”
Late in 2018, the largest player in the field acquired the company. And cyber security didn’t hold up the sale. Instead, it was another reason for people to be excited about Noona Healthcare.
Case study 2: Turning cyber security into an asset
The startup had a product whose market completely depended on the acceptance by large financial organizations. Unfortunately, concerns about cyber security were delaying the deal.
The company’s founders decided to call in a trusted advisor. Laura Noukka, Senior Risk Management Consultant at F-Secure, and her colleagues answered the call.
“The pressure was high,” Laura says. “The schedule was so demanding.”
The challenge was to meet the requirements set by large financial institutions without impeding the progress of the product launch. This is like building a viable airplane while it’s already taxiing down the runway.
“Everyone would like ‘one IT security’ in a nice box,” Laura says. “That we couldn’t provide, however, working with their experienced professionals we were able to come up with a threat model in order to prioritize the efforts.“
“Different industries have different requirements,” Laura says. “While industries like gaming might focus more on technical security, compliance-orientated industries, like the financial sector, require evidence on a comprehensive management system.
Laura and her colleagues worked on site on a part-time basis, focusing on establishing policies, including the IT security objectives and responsibilities and coaching the team to take over as much of the process as possible.
“The other track that was equally important was the development and operations (DevOps) practices – we wanted to ensure the security was taken seriously throughout the software lifecycle,” Laura says. “All in all we helped them prioritize the security work to support the release plan and then created a long-term security roadmap. Every step was documented to make their expertise visible.”
This gave the financial institutions confidence that the team was on the right track.