Small startup vs big enterprise in the field of security
In my career, I have been exposed to a huge number of companies of all sizes and industries. People often ask me for advice on where to start their careers or how to progress, and which I prefer: massive corporations or small, nimble startups?
When it comes to security, enterprise and startup companies have different approaches. Security is often seen as a burden for startups, while enterprises see it as a necessary evil. This difference in mindset can be traced back to the different priorities of each type of company.
Enterprises are typically large organisations with a lot of money and resources. They can afford to invest in comprehensive security measures, such as hiring expensive security consultants and building secure infrastructure. Startups, on the other hand, are typically smaller organisations with limited resources. They often prioritise growth over security, which can lead to them taking shortcuts and risks when it comes to security measures.
This difference in approach can have a significant impact on the overall security posture of a company and can also influence its culture. In this post, let’s go through the main points that can help define which option makes more sense for your career.
Business culture
The culture of a company plays a big role in its priorities. Enterprises are typically risk-averse and prioritise stability over growth. This means that they are more likely to invest in security measures, even if it means sacrificing some speed or agility. Startups, on the other hand, are often more willing to take risks and prioritise growth over security. This can lead them to cut corners when it comes to security measures, which can put them at a higher risk for cyberattacks.
Small companies tend to be fast-paced; some of them even brag about their speed and have a dynamic environment where the company can look unrecognisable in just a few months’ time. Those companies won’t have a lot of structure and hierarchy, so any role is very fluid and changes as the business moves. Experimentation and creative approaches are highly regarded, and creative people tend to thrive in this environment. However, it is not all good: it is very common to see some disturbance in work/life balance and stress levels, from minor things like wearing multiple hats or aggregating multiple roles into one, all the way to glorified overwork. Individual contributions carry a lot of weight in the organisation, for better or for worse.
On the other hand, large corporations are known for operating slowly and not keeping up with industry trends, even if they were the ones that created those trends in the first place. They have a lot of legacy systems and protocols that they are not willing or able to change. Their rigid structure can lead to compartmentalisation, with people only caring about their own little piece of the puzzle without understanding or caring about how it impacts the rest of the company. This can often lead to stagnation and a feeling of being stuck in a rut. A team’s or department’s contribution is perceived as having greater value than individual contributions; quoting a very common saying, “you are just a small cog in a bigger machine”. Enterprises do have some good points as well: work/life balance is usually prioritised, they have deep pockets so they can usually pay better, and they provide more stability. While a startup can mutate and evolve in a short span, you can see the same role in a larger company for decades.
Security budgets
Another big difference between enterprise and startup companies is their security budgets. Enterprises typically have much larger budgets than startups, which allows them to invest in more comprehensive security measures. Startups, on the other hand, often have to make do with limited budgets.
Although the security budget in an enterprise is considerably higher, it does not necessarily mean that enterprises are in better shape than smaller organisations: more complexity tends to create more misconfigurations.
You can also expect a lot more exposure to vendor products and security solutions in an enterprise, as opposed to the minimal and very lightweight solutions found in small companies.
On one side, you may need to go through a lengthy process to justify the acquisition of a new tool that has everything ready out of the box; on the other side, you have some freedom to experiment with open source and add any hacky bits you can find to make it work for your use case.
Team size and distribution
The size of the security team can also be a defining factor. Enterprises typically have large teams of dedicated security professionals, while startups often have smaller teams or even no dedicated security team at all. This difference can impact the overall security posture of a company.
The enterprise path is focused on specialisation. Everyone has a clearly defined role and there are entire departments or teams dedicated to a specific goal, for example, a big bank may have a SOC team for incident response, a GRC team handling all compliance and risks of the business, a penetration test team doing red teaming and even some bug hunting sometimes and so on.
The saying “jack of all trades, master of none” fits small companies really well. Very often you will see one single multidisciplinary team handling all of that and wearing multiple hats: one day doing compliance, the next day doing engineering, and the following one responding to an incident. It is really good for being exposed to the most diverse areas of security and for fast-tracking the building of a very desirable skillset that even large organisations would kill to have. It is also not uncommon to see a single person being the entire security team, or not even that, for example a security-minded developer guiding the team on basic countermeasures.
Learning and Experience
Last but not least, and following on from the previous topic, bigger organisations are the place to enter a desired specialisation field and build expertise in that area, while smaller companies will give you a platform to learn a bit of everything and get decent at it, either to pick a specialisation field later or to remain a generalist.
In enterprise, you will likely have to do the same thing over and over again but with different data and maybe under a different compliance framework. You can automate 90% of it but the last 10% is always going to be different.
Big companies tend to move very slowly which gives you time to learn things in depth. In general, they do not mind if you make some mistakes as long as you don’t repeat them.
In startups, SME learning is also favoured but in a very hands-on learning-as-you-go way. As there are fewer people in the company, when something breaks, usually someone has to step up and fix it regardless of their job title or responsibilities. The best part about this is that you learn new things all the time, and you get to wear many different hats.
The security posture of an enterprise will usually be better in theory than that of a startup, but in practice it can sometimes be the other way around. This is because enterprises have more resources and can dedicate more to security, but they also tend to be bureaucratic and move slowly. Startups don’t have as many resources, so they have to be more creative in their approach to security. But this also means that they are more likely to take shortcuts, which can put them at a higher risk for cyberattacks. As long as you can manage and are comfortable with the downsides, you can enjoy the upsides regardless of the path you choose.
So, when it comes to security, there are pros and cons to both big enterprises and small startups. It really depends on what you’re looking for in a company.
Hope this blog post helps in the evaluation of possible companies to work for. :)