The hack that never happened: Building a robust information security setup

OCT 05, 2023

A fireside chat with Petko Petkov, CISO at Onfido.

At our latest community webinar, Balderton EIR Dan Teodosiu sat down with Petko Petkov, CISO at Onfido to explore how start-ups can build robust information security setups. The session dove deep into pivotal issues, including risk exposure, how and when to build a security team, and common pitfalls to avoid. We pulled together some of the highlights and answered your burning questions below:

When should start-ups begin thinking about information security?

Failing to invest in information security puts the entirety of your intellectual property and data at risk. It’s the heart of your business - so the sooner you start thinking about information security, the better.

Establish best practices early on and you will thank yourself later. The risks and costs of delaying information security keep accruing, and if you leave it too late, you’ll have to pay with interest down the line. There’s no such thing as a free lunch.

What’s more, it will be easier (and cheaper) to obtain security certifications early on, when you have a smaller team and scope. You can then recertify annually, for a fraction of the cost, as your business grows. The later you leave security certification, the more complex it becomes.

How can start-up leaders establish a robust information security infrastructure despite limited resources and budget?

In the early days of building a company, founders are faced with countless priorities and limited resources - and information security may not always come top of the list. Nonetheless, there are steps you can take to build a strong security foundation.

For example, Petko recommends hiring exceptional people who are security-minded. You can do this by baking security-focused questions into your interview and hiring process for engineers. This will ensure security is at the heart of your culture and operations as your business grows.

What’s more, investing in the right tech and betting on the right software can take you a long way. Try to think about security when making fundamental decisions, such as which hardware and software to buy for your teams (e.g. Macs with Jamf provide most of the basics) or which cloud providers you can leverage (AWS, for example, invests heavily in security).

With the right people in place, building a security culture becomes organic.

Petko Petkov, CISO at Onfido

What are the fundamental elements of a strong information security approach?

  1. Take a zero trust approach to security. Always assume you are building in a hostile environment, rather than assuming everything is trustworthy. Assume every layer of your stack may be compromised, and do everything you can to mitigate and protect your information.
  2. Testing is king. You must constantly assess your security. This is a dynamic environment and things can change all the time. Bug bounty programs - while somewhat expensive - are worthwhile and often produce highly effective results. Once bugs are discovered, create a sense of urgency to ensure they are fixed in a timely manner.
  3. Monitor, monitor, monitor. You can’t manage what you don’t measure. Monitoring is essential to give you an idea of key trends and where things are headed. Don’t get lost in the numbers or focus too much on improving individual metrics, but instead use this data to help identify the cracks and find big picture solutions.

How should start-up leaders prepare for incident response?

A fan of the checklist, Petko recommends Atul Gawande’s book ‘The Checklist Manifesto’. While no two incidents are the same, they do tend to follow very similar patterns. Having an established checklist or framework, outlining the basic structure of the incident response process, key stakeholders, owners and reporting methods, is invaluable.

Degrees of complexity will vary, so there should always be an element of flexibility within your framework. The most important thing is to have your checklist or framework developed early on, so that if an incident arises, you are able to kick into action and follow protocol quickly and efficiently.

What are the most common misconceptions about information security?

Petko outlines two common misconceptions - first, that information security has to be hard, and second, that security is not a business enabler.

The truth is, information security is only difficult if you’ve left it too late, not done enough, or suffered a breach. By nature, people only tend to hear about information security when something goes wrong. Secondly, strong security practices can be a real business driver. Customers care about their security, so a robust system can become a real competitive advantage.

You don’t ever hear the success stories in the news. People don’t think about the hack that never happened.

Petko Petkov, CISO at Onfido
