Scaling Security: From Startup to Unicorn

Building a small company’s security team is a unique challenge. Budgets are tight. Hiring is difficult. And security typically rests on the shoulders of one individual...and it might not be their only role. 

At Security@ 2019, Jon Evans, columnist at TechCrunch, interviewed three security leaders who joined companies at various stages and have now seen their security teams grow along with their organization. They talked about how their approach to security has changed as their companies have grown — and how bug bounty programs have served as a core component of their security efforts from day one. 

The panelists for this “From Startup to Unicorn” session were Aabhas Sharma, Director of Engineering at Postmates, Andrew Dunbar, VP of Security Engineering and IT at Shopify, and Kelly Ann, Product Security Engineer at Slack.

Each panelist had a different perspective on security with respect to company size and growth, with Aabhas starting at Postmates before they had a dedicated security team, Andrew starting at Shopify as their first security hire nearly 8 years ago, and Kelly starting at Slack just 2 years ago as a pentester on a larger security team. 

One common thread, however, was their use of bug bounty programs. For early-stage startups, the attractiveness of a bug bounty program goes far beyond just the security aspects, especially given the tight controls on budgets and hiring. It’s a tool that has obvious benefits and an obvious connection to budget, and that’s important in smaller companies.

“When it comes to bug bounties, clearly there’s a very good relationship just between the impact and what you pay,” said Andrew. “You’re not wasting any money, ever, because you’re only paying for things that are valid and you’re only paying for things that have impact. So we never had any questioning of how we spent money in that area.”

Aabhas agreed, adding that the ease of explaining bug bounty program effectiveness makes it more attractive to those controlling the cash. “As long as (finance) understands why you need that money and how you show ROI, they’re amenable to giving you some amount of money.”

The panelists also discussed the customizability of bug bounty programs makes them ideally suited to startups, as does their easily scalability as your company grows and your security needs change. And, as the demand for experienced security professionals continues to increase, bounty programs also offer both a pool of on-demand security talent and a conduit for potential future hires. That’s especially true for smaller startups who might not have the name recognition to attract job seekers.

“We actually hired our first security engineer from HackerOne,” said Aabhas. “It was a bug bounty researcher who was finding a bunch of issues for us, so we reached out to him and he started working for us.”

No matter your company’s size or stage, however, it’s important to demonstrate the impact a security team is having. Kelly mentioned tracking metrics around performance, reliability, quality, and service level agreements, and connecting them all back to security. But even when executives are totally bought into security, which Kelly mentioned as something startups need from day one, the conversation always comes back to cost. 

Costs define the ROI of a security program, and bug bounty programs make that connection pretty compelling: you’re only paying for valid vulnerabilities. It’s easy to understand and the results are crystal clear. Even more, showing ROI starts to put security in financial terms executives are more likely to understand and appreciate.