It’s exciting to read about the numerous Internet companies popping up, getting VC funding or preparing for an IPO. Many observers are quick to point out that these dynamics are reminiscent of the dot-com bubble of late nineties. As more companies rush to take advantage of the entrepreneur-friendly market, can we expect the new market entrants to pay attention to information security? I doubt it.
The New Tech Bubble
A recent article in The Economist notes that “irrational exuberance has returned to the internet world,” making Silicon Valley feel like a boomtown:
"Corporate chefs are in demand again, office rents are soaring and the pay being offered to talented folk in fashionable fields like data science is reaching Hollywood levels. And no wonder, given the prices now being put on web companies."
The latest crop of hot start-up seems to incorporate buzzwords such as personalization, mobile, cloud, geolocation, cloud and social media. Many of the new companies fuel growth through private investments; some have sights set on IPOs.
Information Security and Tech Startups
A startup derives its energy from the desire to manifest its founders’ ideas into reality. The culture associated with such activities is about creating the product as quickly as possible. It focuses on features that will drive growth. None of these attributes encourage a proactive approach to information security.
Furthermore, information security is a luxury that few startups may be able to afford. When a company is short on cash, the available money needs to flow towards paying software developers, acquiring customers, looking for more funding and covering the essential expenses to keep systems and applications running.
Even if the company recognizes the need to protect sensitive customer data, it will likely do the bare minimum just to get its product off the ground. It will also look for ways to minimize the need to implement its own security, perhaps by adopting cloud-based services that include some element of security or outsourcing sensitive transactions such as payment processing.
This is not irrational. There might be a chance that a data breach will put the startup out of business or will otherwise derail the company from its pass. Yet, there is a chance that this won’t happen. In contrast, spending money on security has a much higher certainty that a crash-strapped startup won’t have the money for other critical expense.
A Ray of Hope?
Fortunately, information security is more accessible to today’s startups than it was to the participants in the original dot-com bubble. In part, this is because cloud makes security more affordable to small companies. Also, security is easier to incorporate into products now than ten years ago, because many programming frameworks include modules security modules.
Information security not outside of the startups’ reach. However, whether they will have the incentives, money, time and  knowledge to take advantage of security products and features is another question.