Field Notes

How good is good enough?

When you’re working in a startup, how good is good enough?

A startup’s size and culture let it move quickly, but they also mean it doesn’t have the resources to dive deep into every single area.

Deciding where you spend your time and money is one of the most important things you’ll do as a startup leader, and that holds even more true when you’re in security.

You still have all the same concerns as a larger company - secure development, vulnerability management, infra and cloud security, corporate applications, detection and response, and mobile devices - but you’ll often be covering them with a team that fits comfortably in a Corolla.

Without the luxury of a team dedicated to owning each function, understanding where to focus and how far to drive maturity matters far more. That makes 80/20 the name of the game - where can I put 20% of the effort to get 80% of the benefit before moving on to the next area to nab more gains?

Spending your time on the right things requires an ongoing and evolving awareness of your overall risk and exposure, alongside any strategic priorities you’ve identified.

Risk assessments are vital for showing what the big buckets of risk are. In startups they often end up neglected, largely because so many end up as an overdone, giant spreadsheet of potential risks, treatment plans and so on that someone signs off on before tossing it onto a Google Drive to show the auditor at the end of the year.

Again, 80/20 here - you don’t need to capture every possible risk. Chances are you can identify your top 10 without too much fuss. As with most things, there are diminishing returns on the time you spend getting granular; you’re likely better off spending that time fixing the big issues you’ve already identified.

It can be easy to focus solely on your platform’s security, but don’t forget to interview other departments to understand their processes, data flows and potential risks. This shores up blind spots and builds bridges with key teams like HR, Finance and Support. Each will usually have two or three risks that are top of mind, and combined with the others, those will drive more than enough work for the foreseeable future.

For each of those risks you’ve identified, there’s often a way to tackle another 80% of the problem with 20% of the work.

Sometimes there isn’t a way around it - you really do want to ensure you offboard 100% of the employees who leave. Often, though, you can tackle a big enough chunk of the problem that your limited time is better spent on the next problem area than on continuing work with diminishing gains.

Contrary to popular belief, it’s called good enough because it can, in fact, often be considered Good Enough.