AWS Startups Blog
Crucyble and Liscio: Security Is Just a Matter of Habit
Like a dentist reminding you to floss and come in for a check-up every six months, Brian Johnson shows his clients that good habits and regular check-ups are the best defense against future suffering. “You can clear out 80% of potential bad days just by doing a small amount of work,” says Johnson, co-founder and general partner at Crucyble, a cybersecurity consultancy that focuses on up-and-coming cloud-based businesses. But “startups spin up so quickly now, and there’s such a pressure for features” that what he refers to as “security hygiene” is often neglected.
Just like most people only call the dentist when a tooth really starts to ache, Johnson says the majority of his clients initially contact Crucyble after “a bad day” (i.e., getting hacked) or as they’re preparing their platform for its first major user. “They’ll say, ‘Acme Company in New York wants to send their auditors in and make sure we’re doing it right. They want to make sure I am doing everything I’m going to do to secure their data. How do I make sure it’s there?’”
Crucyble addresses that question by first sitting down with the company’s founders and engineers to get a clear sense of “what the business is and what they’re trying to do,” which provides “a good POV of where sensitive data lies.” The next step is to “figure out what they’re going to do over the next 18 months or two years to build security natively into those products.”
Johnson says that while companies are generally well aware of the repercussions of a potential data breach, they often aren’t familiar with many of the simple measures they can take to protect themselves from any attack. In the cloud space, “We see lots of default things. We see ports on the internet being left open because they didn’t know that they were left open,” Johnson says. “Ease-of-use is a big thing we want people to adopt. But sometimes that leaves doors open that you don’t want. So, we’re just making sure those are closed. It’s super easy to do TLS and encryption these days, so we make sure you’re using it everywhere you can.”
“And we really want to help them make those steps repeatable,” he adds. “I want to make sure that your team is just doing this natively. It’s coming out every time. Infrastructure’s code, right? So we want to make sure this infrastructure is fixed in the code, not fixed after it’s been deployed.”
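The two points above, an open port nobody knew about and a fix that lives in the infrastructure code rather than in a post-deploy patch, are the kind of thing a small pre-deploy check catches. The following Python script is an added example, not Crucyble’s tooling or anything from the original post: it walks a CloudFormation-style template (here a constructed dict named `TEMPLATE`) and reports every security-group ingress rule that is open to the whole internet on a port outside an explicit public allowlist. The allowlist, the resource names and the rules are all assumptions made for the example.

```python
"""Pre-deploy check for security groups left open to the whole internet.

Constructed example: scans a CloudFormation-style template (plain dict) for
AWS::EC2::SecurityGroup ingress rules whose source is 0.0.0.0/0 or ::/0 on a
port that is not on the public allowlist.  Intended to run in CI so that the
open port is fixed in the code before it is ever deployed.
"""
import ipaddress

# Ports a service may legitimately expose to everyone (TLS-terminated HTTPS).
# Assumption for this example; a real project would own this list.
PUBLIC_ALLOWLIST = {443}


def _port_range(rule):
    """Return (from, to) for a rule; CloudFormation uses -1 for 'all ports'."""
    frm = int(rule.get("FromPort", -1))
    to = int(rule.get("ToPort", frm))
    return frm, to


def _is_world_open(rule):
    """True when the rule's source CIDR covers every address (/0)."""
    src = rule.get("CidrIp") or rule.get("CidrIpv6")
    if src is None:
        return False  # source is another security group or a prefix list
    return ipaddress.ip_network(src, strict=False).prefixlen == 0


def find_open_ingress(template, allowlist=PUBLIC_ALLOWLIST):
    """Return sorted (resource, protocol, from_port, to_port, source) findings."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            if not _is_world_open(rule):
                continue
            proto = str(rule.get("IpProtocol", "-1"))
            frm, to = _port_range(rule)
            all_ports = proto == "-1" or frm == -1
            # A world-open rule passes only if every port in its range is allowlisted.
            if not all_ports and all(p in allowlist for p in range(frm, to + 1)):
                continue
            findings.append((name, proto, frm, to, rule.get("CidrIp") or rule.get("CidrIpv6")))
    return sorted(findings)


# Constructed template: one good rule, one SSH-to-the-world rule, one
# "allow everything over IPv6" rule that was never meant to ship.
TEMPLATE = {
    "Resources": {
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                ]
            },
        },
        "DbSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                     "SourceSecurityGroupId": {"Ref": "WebSg"}},
                    {"IpProtocol": "-1", "CidrIpv6": "::/0"},
                ]
            },
        },
        "Bucket": {"Type": "AWS::S3::Bucket"},
    }
}


def template_is_clean(template):
    """Gate for CI: True only when no world-open, non-allowlisted ingress exists."""
    return not find_open_ingress(template)


if __name__ == "__main__":
    for name, proto, frm, to, src in find_open_ingress(TEMPLATE):
        ports = "all ports" if frm == -1 or proto == "-1" else f"{frm}-{to}/{proto}"
        print(f"{name}: ingress from {src} on {ports}")
    raise SystemExit(0 if template_is_clean(TEMPLATE) else 1)
```

The fix for each finding is made in the template itself (restricting the SSH rule to a known source CIDR, deleting the IPv6 allow-all), after which the check passes and the pipeline proceeds; a failing exit status is what keeps the open port from ever reaching production.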
But that doesn’t mean that Crucyble’s clients are on their own: “We also leave our stuff behind to make sure we’re that last line of defense,” Johnson explains. “If you’ve pushed out a deployment and we see it, that means all the controls ahead of us have failed.” In a situation like that, Crucyble can connect with the engineering team and help them fix the problem.
Johnson’s comprehensive approach to security is what prompted Liscio co-founder and CTO Sekhar Madathanapalli to reach out to him as he was launching his company. (The two met years ago through Andreessen Horowitz.) Liscio is a platform that allows professionals who work with sensitive information, such as CPAs and attorneys, to safely and efficiently communicate and collaborate with their clients. Madathanapalli’s background is in compliance, and he describes the role security played in building Liscio: “We made a very conscious choice: security is not an afterthought, it’s part of the game. I took it as far as I could, then I realized I need to have a real security expert to really build the platform very securely.” But instead of hiring a full-time CISO, he decided to partner with Crucyble, reasoning that Johnson and his team’s presence in the wider security landscape would provide a more useful perspective than that of a person who would spend all of their time thinking exclusively about what was going on at a single company. “The security posture is changing so fast,” Madathanapalli says. Crucyble is “not only catering to my platform and my needs, but they’re also working with a broad portfolio of companies”—and the lessons and insights gained at those businesses can help strengthen security at Liscio, too.
“We are entrusted with sensitive client data,” says Madathanapalli. “We can’t compromise on security, so the investments we’re making internally and externally are easily justified.”
After Liscio began working with Crucyble, Madathanapalli instituted a standing security check-up: “Typically what engineers do on a scrum call, we do weekly on a security call.”
Unsurprisingly, Johnson thinks that “having security be a piece of what you talk about every week” is a great routine. “Start building that telemetry, so you know what to expect and you can see an anomaly,” he says. “It’s really being educated about what you’re using and how you’re doing it, so if there is an incident, you can respond accordingly and quickly.”
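Johnson’s advice to “build that telemetry, so you know what to expect and you can see an anomaly” is, in its simplest form, a baseline and a threshold. The script below is an added example, not something from Liscio, Crucyble or the original post: it takes one count per day (the constructed series `FAILED_LOGINS_PER_DAY` stands in for failed logins pulled from auth logs), builds a trailing baseline from the previous normal days, and flags any day that exceeds the baseline mean by more than `k` standard deviations. The window size, the multiplier and the minimum standard deviation are assumptions chosen for the example.

```python
"""Baseline-and-anomaly check over a daily security telemetry series.

Constructed example: given one count per day (e.g. failed logins seen in the
auth logs), build a trailing baseline from the previous `window` normal days
and flag any day whose count exceeds mean + k * stdev.  Days already flagged
are kept out of later baselines, so one bad day does not raise the bar and
hide the next one.
"""
from statistics import mean, stdev

# Constructed sample: two normal weeks, then a spike of failed logins.
FAILED_LOGINS_PER_DAY = [12, 9, 11, 14, 10, 13, 12, 11, 10, 12, 13, 9, 11, 120, 12]


def baseline(values, min_stdev=1.0):
    """Mean and standard deviation of a baseline window.

    The standard deviation is floored so that a perfectly flat baseline still
    produces a usable threshold instead of flagging every tiny change.
    """
    return mean(values), max(stdev(values), min_stdev)


def flag_anomalies(series, window=7, k=3.0):
    """Return [(index, value, threshold)] for every point above its baseline.

    The first `window` points are used to seed the baseline and are never
    flagged themselves; after that each point is judged against the last
    `window` points that were not flagged.
    """
    normal = []   # values accepted into the baseline
    flagged = []
    for i, value in enumerate(series):
        if len(normal) >= window:
            m, s = baseline(normal[-window:])
            threshold = m + k * s
            if value > threshold:
                flagged.append((i, value, round(threshold, 2)))
                continue  # anomalous day stays out of the baseline
        normal.append(value)
    return flagged


if __name__ == "__main__":
    for day, count, threshold in flag_anomalies(FAILED_LOGINS_PER_DAY):
        print(f"day {day}: {count} failed logins (baseline threshold {threshold})")
```

Run over the constructed series, only the spike day is reported; the day after it is judged against the same quiet baseline rather than one inflated by the spike. The same loop applies to any count the team decides to watch each week (new IAM users, security-group changes, API error rates), which is what makes the expected level of each signal something the team knows rather than guesses.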
Johnson predicts that more companies—particularly smaller ones—will transition from employing in-house CISOs to working with external security services. “I think it’s advantageous to the business,” he says. “The business is in business to service customers, not to be an expert in security. Just like we used to have payroll, all internal—somebody in the basement would turn out payroll twice a month. Now, we’re using the ADPs and the Workdays.”
According to Johnson, cybersecurity will likely become more standardized—and, eventually, less challenging. “It’s still in its infancy, right? We’re all figuring out what the best way to approach this and do this for businesses. Now, what’s the right amount of compliance versus security? What’s the right amount of external, legal pressure on companies to do things? I don’t think it’s going to get easier in the short run. But I think the arc definitely gets easier.”
Just as Johnson hopes to instill good habits in his clients, Madathanapalli hopes to do the same with his. “We just launched a series of webinars working with Brian’s team to educate our end customers to teach them about best practices. It’s important because even though we as a company might say, ‘Hey, you should use multi-factor authentication,’ we cannot force them to use it. So, there has got to be a lot more education. I would say to the end users, yeah, it’s an additional step. But you know what? It’s going to actually secure you as well as your data. It’s a partnership, right?”