With deepfakers, fraud agents and identity thieves growing in numbers and sophistication, the landscape of cybersecurity technology is growing in parallel. These days, it’s not enough to add an exclamation point to the same password you use for everything (seriously, don’t do that).
The proliferation of global cybercrime and data security issues has drawn the attention of global policymakers, who have responded by issuing new regulation, from the California Consumer Privacy Act to the EU’s sweeping General Data Protection Regulation (GDPR) framework. Such regulation is updated periodically, and thus, I often recommend to founders that they employ security services to update data banks at least quarterly.
As co-founder of the open-source, cybersecurity startup Bridgecrew*, I came to appreciate the force of regulation on business opportunities and the importance of diligent regulatory compliance firsthand.
Bridgecrew, a cloud-based security platform, operates within the Cloud-Native Application Protection Platform (CNAPP) ecosystem. Many of our customers, subject to compliance requirements like SOC 2 Type 2, ISO 27001 and CIS benchmarks, were very eager to continually monitor systems over time, both for security and compliance.
As regulatory oversight continues to expand, it is critically important that today’s IT and cybersecurity startups recognize the gravity of compliance oversight and the importance of cooperating with regulators. And this focus shouldn’t be hidden in the fine print! An organizational focus on regulatory compliance can be a powerful, positive signal from your business to your customers.
Building on my experience as a founder, and my time as a venture-capital investor working with early-stage cybersecurity startups, here’s what I suggest founders consider.
Stay Informed: Information is Power
If there is one important takeaway for startups regarding U.S. cybersecurity compliance, it’s this: There’s no single overarching U.S. cybersecurity policy. Instead, compliance is a multi-layered approach that considers the following:
- Industry regulations: Certain industries, such as healthcare (HIPAA) or finance (PCI DSS), have specific data-security mandates. Identify yours to ensure compliance.
- Data privacy laws: Depending on the type of data your business handles, laws such as the CCPA might dictate specific data privacy and security practices.
- National Institute of Standards and Technology (NIST) frameworks: NIST provides voluntary frameworks that outline best practices for securing data. These are a good baseline for any startup.
You can find the latest NIST and ISO (International Organization for Standardization) policies and controls for IT security in the following official resources:
- NIST is establishing a Multi-Cloud Security Public Working Group (MCSPWG) to research best practices for securing complex cloud solutions involving multiple service providers and multiple clouds. It aligns with the White House Executive Order on “Improving the Nation’s Cybersecurity,” which highlights that “the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life by focusing” the full scope of its authorities.
- The U.S. government is heavily invested in cloud computing as a key driver of its own digital transformation. This is a direct result of President Obama’s 2009 Open Government directive to federal government agencies requiring digital transformation as needed to enable next-gen cloud-based IT. In recognition of the growing adoption of multi-cloud environments, NIST’s multi-cloud security working group is focusing on researching and developing best practices for securing complex cloud solutions that involve multiple cloud service providers and cloud environments.
- NIST Special Publication (SP) 800-53 Rev. 5: This publication provides a comprehensive catalog of security and privacy controls for information systems and organizations. It covers a wide range of threats and risks, including hostile attacks, human errors, natural disasters and privacy concerns.
- NIST SP 800-171, SP 800-171A, SP 800-172, and SP 800-172A: Protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations that are critical to federal agencies. The suite of guidance focuses on protecting the confidentiality of CUI and recommends specific security requirements to achieve that objective. The most recent updates were published Feb. 21, 2024.
- NIST AI RMF Playbook (distinct from the NIST RMF): NIST’s new AI playbook is informative and is a reaction to the EU AI Act.
- ISO/IEC 42001:2023(E): While the text of this standard cannot be republished (a preview is available), we can describe it as relating to security reference controls that provide an organization with a reference for meeting organizational objectives and addressing risks related to the design and operation of AI systems.
- Model Artificial Intelligence Governance Framework: This is a privacy governance framework advocated by Singapore’s Personal Data Protection Commission and adopted across the globe.
Here are some key points for founders to consider:
- Focus on protecting your most valuable data assets. Not all regulations apply equally, so prioritize controls based on your risk profile.
- Cybersecurity shouldn’t be an afterthought. Implement strong practices from the beginning and scale them as your company grows.
- Compliance can be complex. Consider consulting cybersecurity professionals and using automation platforms to assess your risks and develop a plan.
You Can Participate in the Establishment of New Regulation
In some cases, the regulation and working committees’ recommended best practices have leapfrogged what the market’s available mainstream solutions have to offer. Those recommendations, if widely adopted, can be a launchpad for innovation by new startups that have a creative way to help enterprises to comply with the latest best practices.
This has happened in the past. Alongside government activity in the encryption space, companies such as RSA and Verisign have been part of the discussion on best practices, have grown alongside the bureau’s recommendations on encryption and have been part of the discussion that enabled a safer internet.
With cloud and container workloads booming, companies such as Twistlock (acquired by PANW) have been involved as authors in the creation of NIST’s guide for container security. Checkov (a tool I helped build at Bridgecrew) was recommended by CISA, and as part of those activities, helped to gain mindshare via thought leadership and helped make the cloud a more secure space.
Now, with the AI revolution in place and regulations – such as NIST’s new AI playbook as a reaction to the EU AI Act – creating new recommendations to handle AI workloads, cybersecurity and governance startups have a golden opportunity to participate in regulatory discussion and assist in automating some of the best practices.
We continue to see infrastructure startups within the Battery portfolio take advantage of this opportunity: MineOS*, which has created AI governance models to assist organizations in governing and complying with the EU AI Act; Contrast Security*, whose security core team has been part of the Open Worldwide Application Security Project (OWASP) Top 10 for LLM Security; and Normalyze Security*, which assists in detecting drift of cloud infrastructure and data repositories from compliance controls. Beyond these, we are thrilled to see founders and leadership teams apply technical solutions to these challenges.
Here’s How to Get Started
From my perspective, IT and cybersecurity startup founders can very well create a future where innovation in business thrives alongside next-generation digital defenses. But the journey begins with informed awareness.
Founders can stay ahead of the pack by familiarizing themselves with cybersecurity regulations and industry standards, such as those noted above. Attending workshops and industry events focused on policy discussions is an additional step toward becoming informed and engaged.
But founders can, and should, do more than listen. Startups, often at the forefront of technological advancement, can serve as vocal advocates for policies that nurture innovation; share knowledge with policymakers on emerging threats and propose potential solutions; and participate in government initiatives, such as working groups and pilot programs.
Founders can also lead initiatives that bridge the gap between startups and cybersecurity experts by co-hosting workshops or facilitating knowledge-sharing events, creating a space where both sides can learn and grow.
The benefits of this collaboration are far-reaching. Proactive engagement with policymakers can lead to adaptable policies that keep pace with the fast-moving startup landscape. Startups, in turn, gain valuable insights into future regulatory directions, allowing them to plan their security measures strategically.
Ultimately, by sharing expertise, both sides — founders and policymakers — can contribute to building a more secure and innovative digital ecosystem for everyone involved.
The information contained herein is based solely on the opinions of Barak Schoster Goihman and nothing should be construed as investment advice. This material is provided for informational purposes, and it is not, and may not be relied on in any manner as, legal, tax or investment advice or as an offer to sell or a solicitation of an offer to buy an interest in any fund or investment vehicle managed by Battery Ventures or any other Battery entity.
This information covers investment and market activity, industry or sector trends, or other broad-based economic or market conditions and is for educational purposes. The anecdotal examples throughout are intended for an audience of entrepreneurs in their attempt to build their businesses and not recommendations or endorsements of any particular business.
*Denotes a Battery portfolio company.
“Battery Ventures is an American technology-focused investment firm. Founded in 1983, the firm makes venture-capital and private-equity investments in markets across the globe from offices in Boston, Silicon Valley, San Francisco, Israel and London.”