Additional praise for Start-Up Secure: Baking Cybersecurity into Your Company from Founding to Exit

"It's rare to see a cybersecurity guide of any kind that is relevant, current, and most importantly, cogent and accessible. Chris Castaldo has not only produced such a guide but has tailored it for an audience who has never before received such wisdom in a digestible manner: the startup community. Startups are notoriously fast-moving, and Castaldo's book keeps up with them, showing them the types of practical security controls they need throughout their rapid journey to whatever exit strategy they envision."
--Allan Alford, veteran CISO and co-host of the Defense in Depth podcast

"Start-Up Secure offers important insights and advice in an area that is often overlooked by entrepreneurs. Cybersecurity has emerged as a critical competency for businesses, and this trend will likely continue or accelerate. The guidance provided in these pages will save founders from making preventable mistakes in multiple dimensions, from technical security decisions to avoiding unreasonable contract language. The wisdom shared by Chris is hard-learned, and a valuable addition to any entrepreneur's thought process."
--Paul Ihme, co-founder, Soteria

"Cybersecurity is often thought of as too intimidating or complex for the layperson to comprehend. Chris Castaldo's book Start-Up Secure seeks to take the mystery out of succeeding at cybersecurity. His straightforward and direct approach serves as an essential guide to starting out on the right foot with your security program. It is accessible and actionable, and I would recommend it to anyone seeking to tackle cybersecurity, the most important business challenge of our time."
--Brian Markham, CISO, EAB Global Inc.
Foreword xv
Preface xvii
Acknowledgments xxi
About the Author xxv
Introduction 1

Part I Fundamentals

Chapter 1: Minimum Security Investment for Maximum Risk Reduction 7
  Communicating Your Cybersecurity 9
  Email Security 10
  Secure Your Credentials 12
  SAAS Can Be Secure 14
  Patching 15
  Antivirus is Still Necessary but Goes by a Different Name 18
  Mobile Devices 18
  Summary 20
  Action Plan 20
  Notes 21

Chapter 2: Cybersecurity Strategy and Roadmap Development 23
  What Type of Business is This? 24
  What Types of Customers Will We Sell To? 24
  What Types of Information Will the Business Consume? 25
  What Types of Information Will the Business Create? 25
  Where Geographically Will Business Be Conducted? 26
  Building the Roadmap 26
  Opening Statement 26
  Stakeholders 27
  Tactics 27
  Measurability 27
  Case Study 28
  Summary 30
  Action Plan 30
  Note 30

Chapter 3: Secure Your Credentials 31
  Password Managers 32
  Passphrase 33
  Multi-Factor Authentication 35
  Entitlements 37
  Key Management 38
  Case Study 39
  Summary 41
  Action Plan 42
  Notes 42

Chapter 4: Endpoint Protection 43
  Vendors 44
  Selecting an EDR 45
  Managed Detection and Response 46
  Case Study 49
  Summary 50
  Action Plan 51
  Notes 51

Chapter 5: Your Office Network 53
  Your First Office Space 54
  Co-Working Spaces 57
  Virtual Private Network 58
  Summary 60
  Action Plan 60
  Notes 60

Chapter 6: Your Product in the Cloud 63
  Secure Your Cloud Provider Accounts 65
  Protect Your Workloads 66
  Patching 67
  Endpoint Protection 68
  Secure Your Containers 69
  Summary 70
  Action Plan 70
  Notes 71

Chapter 7: Information Technology 73
  Asset Management 74
  Identity and Access Management 76
  Summary 77
  Action Plan 78

Part II Growing the Team

Chapter 8: Hiring, Outsourcing, or Hybrid 81
  Catalysts to Hiring 82
  Get the First Hire Right 83
  Executive versus Individual Contributor 84
  Recruiting 86
  Job Descriptions 86
  Interviewing 88
  First 90 Days is a Myth 90
  Summary 90
  Action Plan 90
  Note 91

Part III Maturation

Chapter 9: Compliance 95
  Master Service Agreements, Terms and Conditions, Oh My 96
  Patch and Vulnerability Management 97
  Antivirus 98
  Auditing 98
  Incident Response 99
  Policies and Controls 100
  Change Management 100
  Encryption 101
  Data Loss Prevention 101
  Data Processing Agreement 102
  Summary 102
  Action Plan 103
  Note 103

Chapter 10: Industry and Government Standards and Regulations 105
  Open Source 106
  OWASP 106
  Center for Internet Security 20 106
  United States Public 106
  SOC 106
  Retail 109
  PCI DSS 109
  SOX 111
  Energy, Oil, and Gas 111
  NERC CIP 111
  ISA-62443-3-3 (99.03.03)-2013 112
  Federal Energy Regulatory Commission 112
  Department of Energy Cybersecurity Framework 112
  Health 113
  HIPAA 113
  HITECH 114
  HITRUST 114
  Financial 114
  FFIEC 114
  FINRA 115
  NCUA 115
  Education 115
  FERPA 115
  International 116
  International Organization for Standardization (ISO) 116
  UL 2900 117
  GDPR 117
  Privacy Shield 118
  UK Cyber Essentials 118
  United States Federal and State Government 118
  NIST 119
  NISPOM 120
  DFARS PGI 120
  FedRAMP 120
  FISMA 122
  NYCRR 500 122
  CCPA 122
  Summary 123
  Action Plan 123
  Notes 124

Chapter 11: Communicating Your Cybersecurity Posture and Maturity to Customers 127
  Certifications and Audits 128
  Questionnaires 129
  Shared Assessments 129
  Cloud Security Alliance 130
  Vendor Security Alliance 130
  Sharing Data with Your Customer 131
  Case Study 133
  Summary 135
  Action Plan 136
  Notes 136

Chapter 12: When the Breach Happens 137
  Cyber Insurance 138
  Incident Response Retainers 139
  The Incident 140
  Tabletop Exercises 141
  Summary 142
  Action Plan 142
  Note 142

Chapter 13: Secure Development 143
  Frameworks 144
  BSIMM 144
  OpenSAMM 145
  CMMI 145
  Microsoft SDL 147
  Pre-Commit 147
  Integrated Development Environment 148
  Commit 148
  Build 149
  Penetration Testing 149
  Summary 150
  Action Plan 150
  Notes 151

Chapter 14: Third-Party Risk 153
  Terms and Conditions 154
  Should I Review This Vendor? 154
  What to Ask and Look For 155
  Verify DMARC Settings 156
  Check TLS Certificates 157
  Check the Security Headers of the Website 157
  Summary 158
  Action Plan 158
  Note 159

Chapter 15: Bringing It All Together 161

Glossary 167
Index 181
CHRIS CASTALDO is the Chief Information Security Officer at Crossbeam, the world's first and most powerful partner ecosystem platform. Crossbeam acts as a data escrow service that finds overlapping customers and prospects with your partners while keeping the rest of your data private and secure. Chris is also a Visiting Fellow at the National Security Institute at George Mason University's Antonin Scalia Law School. He previously held cybersecurity executive roles at Dataminr, 2U, IronNet Cybersecurity, Synchronoss, and the National Security Agency. He is a U.S. Army and Operation Iraqi Freedom veteran.