In an article entitled "15 Ways Infosec Pros Turn Tech Talk into Business Language", Mike Dahn (@mikd), co-founder of Security B-Sides, admitted that he had initially failed to impose proper security principles when working with a startup. At the Security B-Sides conference in San Francisco, I followed up with Dahn in person to get a better understanding of why "security best practices" don't work for startups, and which processes do work.
"Best practices don't work or scale for a lot of startups," admitted Dahn. Startups are agile and move fast, evolving every three to six months; anything they write down today will have changed tomorrow.
Instead of putting in place a long, drawn-out procedure, Dahn had coworkers implement different aspects of checklists, using Atul Gawande's book The Checklist Manifesto as a guide. Checklists are far more flexible and malleable: they live on wikis and can be changed quickly.
"Checklists often start with just three things. And you're not going for 100% correct. We're going for consistency first, accuracy second. And accuracy second, because things are going to change," realized Dahn.
The big thing, though, is to get ownership and buy-in from the people who will actually be completing these tasks. Stay in touch with people and with what they are doing. Getting people to stay on a "checklist task" requires security people to stay connected to the heartbeat of the startup culture.