Announcing Our Startup Program
A few years ago, IronCore Labs went through Boulder’s Techstars program, and since that time I’ve been at least partly involved in the community (though less so since the onset of COVID). Through one thing and another, I get to talk to other startup CEOs and CTOs on a pretty regular basis, and one thing haunts me: the “we’ll deal with security later” mindset.
Even when the CTO has a bias to build secure apps, they feel unable to justify time or expense unless absolutely forced to do so. They want and need the fastest things they can do — tick some checkboxes in an AWS or GCP configuration screen and then call it good.
I understand this all too well. Startups out-compete large companies in part because they are forced to have laser focus. They don’t have the resources to do everything, so they have to choose the one or two things that will make the biggest impact on their success. The tyranny of having limited resources never feels like a blessing, but a big organization’s luxury of having resources to follow processes that ensure high quality, security, scalability, and other benefits can hamper the organization’s ability to execute and learn quickly from experiments.
In many ways, then, it’s absolutely rational for a startup to pick just one thing that will move the needle and then focus on that to the near exclusion of everything else. This defers scalability, quality, security, and other concerns until after some degree of success brings the luxury of more resources.
The dark side of ignoring the important in subservience to the urgent is what comes later. There are many articles on the “trough of sorrow” where a startup has initial success and growth and then stalls out. There are a multitude of causes, many related to finding product-market fit as you shift your market to find more users. But on the technical side, there’s also the tech debt problem. I’ve seen over and over again how tech debt can lead to a roadmap trough of sorrow as all new features are put on hold while core elements of a product are re-plumbed to fix the expedient choices made early on.
Some forms of security can be added later with relatively little impact on product development. An Ops team can begin addressing vulnerability management, credential management, and access rules, and adding web application firewalls and similar network perimeter technologies.
But external, network-oriented security measures are only part of the puzzle. These days there is a patchwork of privacy and security laws and regulations, and unless you build your application with data security and privacy in mind, you’re going to have a very hard time selling in certain markets like Europe, or to mid-sized or larger businesses.
Unlike network-oriented approaches, application-level security can’t easily drop in later. Your technology choices and how you build your app might paint you into a difficult corner. If you tackle these issues up front, you’re far less likely to fall into a pit of rewriting code and revisiting assumptions about how things work.
There are many aspects to this problem, ranging from how you handle access permissions to how you encrypt or pseudonymize personal data.
For those who know they hold sensitive data of individuals or businesses, it behooves you to figure out up front how you’ll protect that data. It’s an ethical choice as well as a strategic one. And starting today, it’s one you can make without worrying about the cost.
Today we’re announcing IronCore Labs’ Startup Program. Qualifying startups will get two years of free access to IronCore’s product line. To see the details of the program, visit the Startup Program page on our website.
In conjunction with the new startup program, we’re also launching our brand new community. We’ll use this as a way to support those who are trying to understand how they can or should responsibly hold private data.
The community currently consists of a Discord for live chat and forums for deeper discussions and questions. We’ve also open-sourced large parts of our platform, and we’ve added ways to reward community members who contribute in various ways to help us make this world a bit more secure.
If you’re in a startup and you hold or are planning to hold private or sensitive data in your cloud app, come check us out or say hello. We’re pretty good about pointing you at other technologies if they’re a better fit, and we’re always happy to meet security- and privacy-conscious people.