Summary
Technology startups must balance the need to deliver customer value quickly while being severely resource constrained. To help address this challenge, consider applying the principles of Product Management's concept of Minimum Viable Product (MVP). “An MVP has just enough core features to effectively deploy the product, and no more.” (Wikipedia)
In a similar context, the idea of Minimum Viable Security (MVS) is to implement just enough critical security controls to enable the company to balance between the efforts dedicated to the business pipeline and security. These baseline controls will foster an environment that is pragmatic, agile, and suitable for companies who may not have the resources to (or made the decision to not) launch a fully robust security program.
This presentation will explain how the MVS process works to minimize the accumulation of security debt while enabling the company to grow rapidly and to deliver ever increasing customer value.
Speakers
George Pajari was the Chief Information Security Officer at Hootsuite, one of the largest SaaS cloud providers in Vancouver. He is now consulting to a range of startups, using the principles of MVS to balance an appropriate level of security with the risk tolerance and resource constraints of his clients. He is a co-author of the Official (ISC)² CISSP CBK textbook. See https://fractionalci.so for more information.
Theresa Azari was the Head of GRC (Governance, Risk Management, and Compliance) for Vancouver technology companies, including Cogeco Peer 1, Hootsuite, and Visier. She is a Chartered Professional Accountant (CPA) and business professional by trade, but has found her passion with compliance and cyber security. She is now an independent advisor to organizations which require expertise with assessing and deploying compliance and cyber security programs, enterprise risk management, operational transformation, internal controls, and auditing.