Recently, we sat down with Sercan Esen and Serhat Cillidag, CEO and CTO of Intenseye, respectively, to discuss developing robust security programs for startup environments. Read on to learn about Intenseye’s pen testing experience with Rapid7 (including the full case study), see how they came to view security as a company investment, and get their advice for other startups on how to create a strong security posture.
Assessing your security ROI
Before Intenseye was founded in 2018, Sercan and Serhat were working at Sony developing AI and web platforms. Since then, they’ve developed the Intenseye business, leveraging existing manufacturing and warehouse facility cameras to analyze health and safety use cases, with an eye (no pun intended) toward incident prevention. In the age of COVID-19, cameras also help enforce social distancing and contact tracing protocols, while thermal camera integrations measure body temperature at the entrance of the facilities.
Since customers may associate surveillance equipment with “Big Brother,” Intenseye makes user privacy a priority, aiming to respect anonymity while ensuring all is secure. This means making data anonymous, developing a strong code of AI ethics to prevent information misuse, providing clients with AI ethics resources from independent third parties, and refusing to accept or record sensitive biometrics, such as facial recognition and detection information.
Intenseye’s emphasis on security is unusual among fledgling organizations. Startups aren’t known for funneling resources toward building robust security postures prior to launch. Intenseye originally initiated penetration testing to satisfy the requirements of enterprise customers, but they’ve since come to view security investments as worthwhile for startups more generally.
For one, investing in security protects developers. Among organizations operating in a cloud environment and managing multiple cloud services, adopting in-house security services is part and parcel of best practices. You needn’t feel compelled to invent a cryptography, but code reviews and regular testing aren’t enough. It’s important to look to outside organizations to implement web application tests and conduct these regularly.
Best practices and beyond: Advice for other startups
The good news for startups looking to benefit from Intenseye’s experience is: startups generally don’t need to invest lots of resources toward a strong security posture right from the start. It’s not that most startups neglect best practices in pursuit of other priorities (or simply wish to tack them on at the end), so much as most startups remain insufficiently attuned to realistic security demands. Which is to say, adhering to best practices isn’t a particularly onerous task. Thanks to their previous work at Sony, they were able to translate their security mindset toward their work at Intenseye.
So, how can other startups learn from the Intenseye approach? Serhat recommends seeking out insights from security professionals outside your organization. He notes the value of following up with Rapid7 on their pen testing experience, and translating external information to security improvements beyond the scope of the pen test itself.
Security also offers startups a chance to differentiate themselves and find inroads with big companies. Sercan notes that on the business side, he includes not only health and safety teams but IT directors in client conversations and preview calls. Foregrounding penetration testing demonstrates a commitment to ethical security to customers. It also helps clarify the roadmap for security teams.
To attract enterprise clients who won’t be persuaded without documentation, tests, and certifications, a demonstrably robust security posture becomes crucial for B2B startups to stand out from the pack. In addition to acquiring certifications, Sercan emphasizes the importance of continuing education to fill in knowledge gaps.
The Intenseye pen testing experience
When it came to selecting a pen testing company, Serhat sought vendors who could deliver the professionalism and brand recognition he needed. He came across Rapid7 as a university student dabbling in Metasploit, which allowed him to get on other people’s computers. Though he shopped around the vendor marketplace, realizing Metasploit was a Rapid7 product gave him the confidence he needed to pen test with Rapid7.
Prior to pen testing, Intenseye devoted most of their time and efforts on research and development. The turn to pen testing was made in the interest of serving customers, to provide assurances of top-notch security in everything. Though the Rapid7 pen test was Intenseye’s first—and for their first clients—Serhat expects to make regular testing a feature of IntenseEye’s security posture. He believes in a policy of continual self-defense since, after all, you can never be sufficiently prepared. Additionally, proactively pen testing shortens Intenseye’s sales cycle, as the team has a proofpoint for their security to assuage prospects’ concerns and meet certain criteria.
We would like to thank Sercan and Serhat for sharing their time and security insights, startup and otherwise. Hear more about their pen testing experience in the full case study.