Year One Infosec Budget For Startups
It's budget time... here are some things to consider as you shore up your infosec program.
For some reason, Information Security gets the short end of the stick early on in the budgeting process. Although there are a LOT of items that can be remediated and addressed in an infosec program that don’t cost money (good coding practices, vulnerability management, secure documentation). The rabbit is quite deep from a tools and people perspective, so I’m go keep it on the light end and targeted for a 100-200 person SaaS startup. YMMV on whether you’re B2C, B2B, Fintech, or Healthcare.
TL;DR - Information Security Budget
In summary you will want to allocate $50-$200k towards Infosec, on the low end and not including consulting/advisory costs. Some of these decisions are a build-vs-buy decision and others are you just need to do kind of thing.
Full disclosure... I am a partner of some vendors listed below. Price listed are MSRP and do not include typical vendor discounts.
Security Awareness Training
Consistent training of your users is important, as they are the ones handling your data day-in and day-out. People inherently want to do the right thing, but if they don’t know how to do it, can be we blame them?
Approximate cost: $20/user/year
Note: There are free options. For example, you can goto training.cloudsecuritylabs.io and sign up for training for unlimited users. However, you won’t get drip campaigns, SSO, compliance content for example.
Annual Application Pentests
Whether you like it or not, you need to have a pentest done on your application annually to meet a lot of compliance requirements. Now there are shops out there that claim to do it for a fraction of the cost, but just like all things, you get what you pay for.
Before actually, scheduling one, check out my in-depth guide on it.
The cost of your pentest will vary depending on the size and scope of your application as well as the skill level of the shop. I typically allocated $25k per application for a test. YMMV.
Approximate cost: $15-50k per application
Also a must these days is a password manager. You will be surprised how many times I’ve found passwords and credit card numbers stored in Google sheets passed around. Or even sensitive environment variables in public slack channels (just search for password= or secret=).
If you don’t want to roll it out to your whole company, you can start by rolling it out to your Engineers, EA’s, and Executives, especially if you have SSO in place. Keep in mind though, you might be underestimating who is handling sensitive data in your environment.
Approximate cost: $24-48+/user/year
Single Sign On
Single Sign On is one of those rare security tools that improves security AND convenience at the same time (if it’s properly implemented). It really helps with user access, provisioning, and deprovisioning, so if you have sensitive information (who doesn’t 😅) it will be helpful.
Approximate cost: $96/user/year
Zero Trust Remote Access
You probably have an OpenVPN server sitting around.
You probably want to upgrade to a more dynamic and integrated VPN solution. There are a few vendors out there that are doing this:
Cloudflare Teams Access
Google Cloud Identity Aware Proxy
Moving to this model will give you the following benefits:
Access to only specific resources for specific groups and people
Directory linked access via LDAP or SSO
Simpler provisioning and deprovisioning
Approximate cost: $180/user/year
Bug Bounty Program
One of the most valuable tools in the security toolchest IMHO is having a good bug bounty program. That said, there is a certain level of effort required to stand one up and maintain it.
You can do it on your own by simply publishing a page with your policy or using Open Bug Bounty (never used it personally).
There’s actually a lot involved with a bug bounty program that’s beyond the scope of this article, but suffice it to say it’s a build vs buy question. Two big players in the space are HackerOne and Bugcrowd. If you are a government entity or need a specialized program, SynAck might be your cup of tea.
Here is a high level breakdown:
Bug Bounty Program (Unmanaged): $15-35k per year
Bug Bounty Program (Managed): $25-55k per year
Bug Bounty Payouts: $10-50k (Not included with the above)
Tip: Get your code in order a little bit by getting a pentest w/source code review done. Ask for tips during your readout to prevent any findings or vulnerabilities found in the future.
MDM (Mobile Device Management)
You have company laptops and devices out there all over the continent and globe. Do you have a way to guarantee all hard drives are encrypted? Can you wipe a computer if it’s lost or reported stolen? Do you have the ability to disable USB ports on your end user devices?
An MDM is a tool that will help you manage your device settings at scale. It’s necessary to help reduce IT management costs and ensure your security policies are enforced.
There are a whole bunch of vendors out there that do this. Some options might be included already with some plans, others not.
Approximate cost: $12-35/device/year
EDR / MDR
Endpoint Detection and Response or Managed Detection and Response are the new names for what used to be Anti-Virus and Anti-Malware software on endpoints. Not only do they use advanced methods for detecting and blocking malware on endpoints but they also give analysts the ability to triage, capture data, and conduct forensics on endpoints.
This software is essential on all company managed devices, especially those with admin privileges.
They vary in cost depending on whether you get managed response included or not.
Approximate cost: $15-65/device/year
Note: We offer MDR now as well at a very reasonable rate. Email [email protected] if you’re interested.
Fractional CISO / Consulting
Another build vs buy question. Whether you decide to hire a Fractional CISO (aka vCISO) firm like Cloud Security Labs, or you make the VP of Engineering or COO do it… someone will have to spend the time to do it. You can read all the guides here for free and implement it yourself.
They can be hands-off helping you and your engineers with expert guidance in security, or they can be hands-on with a budget and actually implement the items listed above and everything a good infosec program needs.
Approximate cost: $60-180k/year
You may need some software to help you identify and track vulnerabilities withing your code repos. Again this can totally be DIY or you can use some OTS software to help you. I recommend you go with OSS first and get your devs used to checking their code for vulnerabilities before check-in.
Approximate cost: $800+/mo for 20 developers
Infosec Budget for Startups Summary
There you have it. It’s probably a lot more than you thought or had anticipated, but at least you have some understanding of all the different components.
Of course, YMMV (Your Mileage May Vary) based on your organization, culture, and security needs.
Did I miss something? Did you find this helpful? Leave a comment below. Would love to hear from you.