Presenter: Brian Myers
Room: Ballroom, EMU 244, Level 2
Presentation: A Minimum Viable Security Program: The Critical Early Steps
Time: 4:15p – 4:50p
Security breaches don’t wait for your first compliance audit. Small companies face the same cyber threats as large enterprises but often delay security, viewing it as complex, expensive, and compliance-driven. In reality, basic security is essential business protection that requires less effort than a compliance audit. Security, like quality, must be designed into systems from the start—not retrofitted after you’ve built them.
While small-business guidance from authorities such as NIST and CIS usefully confirms the importance of critical controls such as access management and endpoint protection, that guidance also misses key risks such as remote work, BYOD, and governance. Your real starting point is identifying and systematically addressing your actual risks.
Using a typical SaaS startup example, this talk demonstrates a three-tier approach to Minimum Viable Security:
• Foundation: Asset inventories, data classification, and risk assessment
• Critical Controls: Identity management, access control, and endpoint protection
• Operations: Remote work policies, BYOD management, and governance structures
You’ll see real examples of inventories, risk registers, and policies that you can adapt for your own use.
Key Takeaways:
• A practical framework for resource-constrained security
• What “minimum viable” really means for security
• How risk-based prioritization simplifies decisions
• Why building security early protects more than compliance
This presentation aligns with “Secure By Design” by showing how to embed security from day one.