The Case for Start-Ups to Invest in Operational Security

Start-ups need to increase their OPSEC, or operational security, and investors need to employ due diligence to better protect themselves, their customers, and the U.S. economy.For years now, “Build in Public” has been a powerful concept and marketing tool for start-ups and entrepreneurs eager to show off their work and provide transparency. It helps them gain credibility but also to highlight their uniqueness as a new entity or offering. Many showcase their tech stack, the apps that will be aggregated to constitute the solution they will roll out.Any who do this, I would suggest, do so at their own peril. You should at least take a measured approach to providing insight into your algorithms, tech stack, or intellectual property (IP), rather than simply provide complete transparency. Detractors can take the opportunity to attack you publicly, creating a distraction for you—and time is valuable. Also, when you “overshare,” adversaries are taking stock of what goes into your recipe for success. They are paying attention to known vulnerabilities, jotting down digital notes of what to expect when you go live, and stealing IP anywhere they can. The risk is that they now know what applications will be deployed and can work to mimic them in future phishing attempts, leveraging the insider information to replicate email and other client outreach schemes for their own scams. In a sense, they are putting on your employee uniform and trying to defraud your customers.It is a longstanding and spirited argument among tech entrepreneurs which has leaned into favor where transparency and credibility are valuable, specifically in Silicon Valley. Others I have met coming out of suburban Maryland and Fort Meade tend to lean more conservative in their sharing, only providing what is necessary rather than showing all their cards. How much should we share with the public? How open should our collaboration space be? Where do tech start-ups and investors draw the line? These are all great questions. Find the balance: provide what is needed to showcase your product, but not so much that you give the store away – check your ego and keep your your crown jewels safe to protect your IP.Similarly, when a VC investment firm asked me to apply security insights to one of their engineering start-ups, I started with only a handful of questions. Unfortunately, it took almost no time to discover that the entrepreneurial leadership team had no concept of operational security. Their entire R&D effort was stored in the cloud, fully open for collaboration, and entirely available to engineers working for a firm in mainland China with little history and dubious connections (think state-sponsored/monitored). There had been no due diligence, there were no security protections, and in short order, we assessed with some confidence that their IP had likely already left the building. The start-up wasn’t building in public, but they were absolutely clueless about the threats of state-supported corporate espionage. They were more than a year away from fielding their first product, which now I would say was well on its way to being duplicated in a Chinese firm, with little legal recourse for the start-up. The investors, of course, found this disturbing as they were about to drop millions into the fledgling endeavor.More and more, we need our intellectual property to stay inside the United States.  We need the "build in public" effort to be more conservative, so our brilliant entrepreneurs don't give away the secret sauce. We need VCs and PEs to spend more on due diligence before writing large checks to entrepreneurs who have no or weak operational security. Investors should demand better operational security to help protect their investments. The speed of the deal is important, but as we often say on the shooting range: “Some people just can’t miss fast enough. Slow down to speed up the accuracy.”For example, a $100M is speedily invested in a start-up before any real due diligence is conducted. The start-up builds in public, which results in its failure of the startup when its IP gets stolen and the product that does finally make it to market gets actively stalked and disrupted. To avoid this, take the time to invest in those ventures who conduct the necessary due diligence and encourage conservative publication of their build. The speed to market doesn’t have to slow, but investors and entrepreneurs should be more thoughtful, proactive, and deliberate by implementing strong OPSEC and IP protections. This path is better for the investor, the entrepreneur, and the U.S. economy.If you need an assessment of your OPSEC and due diligence, protective consultation for your IP, or investigative support, contact Red Five today. Our subject matter experts in intelligence, investigations, state-supported threats, and operational security are available to help.