[flagged] When should my startup prioritize infosec? (goldfiglabs.com)
16 points by vikrum on Feb 24, 2021 | 9 comments


This blog post is just an ad for Gold Fig.

It doesn't answer the question except in the last sentence "Gold Fig can help with the basics, and beyond! Talk to us about getting an assessment of the next steps to take"

Flagged


What's way more important than being smart about security is consistently not being dumb about it.

Knowing about the most important dangers (OWASP Top 10) and avoiding them while picking up some best practices on the go yields much better results than being completely oblivious on the topic and then trying to "pay back" half a decade of neglected security that has not been baked into the architecture by then.

In the end though, later is usually preferable to earlier. I know of fewer companies that were killed by an absolute lack of security (heck, even Equifax is still around) than companies that failed to achieve product-market fit because they focused too much on something other than their core mission.

Opportunity cost is real.

For a pragmatic guide on striking a good balance, I've found this one helpful: https://www.sqreen.com/checklists/saas-cto-security-checklis...


Ha! I've had the chance to be in charge of technology (including its security) in two different startups.

The first one was B2C (60+ ppl post Series A). My CEO just did not care about security even though we (myself and our internal security expert) warned about it. No dev cycles had priority for security improvement. For me it was always an uphill battle to sell the need for security.

This all changed in the 2nd startup. This was a B2B. That was the blessing: as sales went upmarket, larger prospects questioned sales about our security, SOC 2, PCI, GDPR, CCPA, etc.

As the tech head it is A PLEASURE that I don't have to fight for that. The Sales team fights for it because otherwise they lose deals.


I've also run tech for a 60 person startup, run security for a 300 person company, and worked closely with security & compliance at a 6000 person company.

What I will say is there is a lot of waste and overhead in the tech security industry overall. You can pay a vendor any amount of money you can afford, and they will add some incremental value via automated scanning, pentests, and compliance reporting, but the value has no correlation to the money spent unless you have no baseline security awareness to begin with, and if you don't have that then no amount of money will save you (e.g. the Equifax breach).

IMHO the right way to do it is: make sure your tech and infra leadership have a baseline understanding and do the fundamentals right (e.g. use bcrypt, put your infra in VPCs with private subnets and bastion-only access, use IAM with least privilege, etc). The incremental cost of those things is negligible if you know what you are doing, so make sure you have at least one person on the early-stage team who knows what they're doing. Next step up (if you are a consumer app): do a bug bounty and minimal scanners (prioritize infra scans). Eventually you'll need more, but it should be a function of success, where you have hundreds of engineers, are making tons of money, or have specific compliance requirements as a result of lucrative enterprise sales.
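The "use bcrypt" fundamental from the comment above, as an added example that is not part of the thread. bcrypt itself is not in Python's standard library, so this uses hashlib.scrypt (stdlib, OpenSSL-backed) to show the same pattern bcrypt gives you: a per-user random salt, a deliberately slow key-derivation function, and a constant-time comparison on verify. The unsalted SHA-256 function is the "before" that teams without baseline awareness tend to ship. Record format, cost parameters and function names are this example's own choices, not anything from the page.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example: scrypt stands in for bcrypt (which needs a third-party package).
# Cost parameters are assumptions for this demo; raise N as hardware allows.
SCRYPT_N = 2 ** 14   # CPU/memory cost (128 * N * r bytes of RAM, ~16 MiB here)
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
KEY_LEN = 32


def weak_hash(password: str) -> str:
    """The 'before': unsalted, fast SHA-256.

    Identical passwords produce identical digests (so one cracked hash cracks
    every user with that password) and a GPU tries billions of guesses per second.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """The 'after': random salt + slow KDF, stored as a self-describing record.

    Record layout (this example's own format): scrypt$N$r$p$salt_hex$key_hex.
    Storing the parameters alongside the hash lets you raise the cost later
    without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time.

    Any malformed or foreign record is rejected rather than raising, so a
    corrupted database row cannot turn into an unhandled 500 at login.
    """
    try:
        scheme, n, r, p, salt_hex, key_hex = record.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(key_hex)
        actual = hashlib.scrypt(
            password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
            n=int(n), r=int(r), p=int(p), dklen=len(expected),
        )
    except ValueError:
        return False
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample input
    print("weak   :", weak_hash(pw))
    print("weak   :", weak_hash(pw), "(same again: no salt)")
    rec = hash_password(pw)
    print("record :", rec)
    print("verify :", verify_password(pw, rec), verify_password("wrong", rec))
```

Two things worth noticing when you run it: the two weak hashes are identical, while two calls to hash_password for the same password differ (fresh salt each time), and verification still succeeds because the salt travels with the record.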


> For me it was always an uphill battle to sell the need of security

60+ ppl is pretty far along where other security aspects besides infosec also start showing up (e.g. securing employee computers, etc). Was this because tech-debt in general wasn't a priority or security specific improvements weren't seen as important?


Sec and Ops are twin NFRs for your technology. You cannot bolt on NFRs. You have to architect them in.


The same answer as to "When is the best time to plant a tree?"

Good security practices make for good programs. (See OpenBSD core).


As late as possible


Definitely. Focusing on security before your first data breach or security assessment is called premature optimization, and it's a serious anti-pattern, because it wastes valuable resources that could be spent increasing the threat surface.

(This is sarcastic, as I assume the original comment was)
