How should early-stage startups handle security and compliance?
Buyers are asking startups for sophisticated security practices a lot earlier than before. Anecdotally, even startups with just 1–3 people sometimes need SOC2 compliance. Most startups don’t need to build out a security function this early. Here are 16 tips for early-stage CEOs who are trying to figure out their security and compliance strategy. If you have more questions, feel free to message me on Twitter: @reneeshah123
- Ask your champion to introduce you to the security team early in the sales process. You don’t want surprises right before a close. Create reusable security “packages” (the documents and answers you hand over) so you aren’t starting from scratch in every deal.
- Stick to yes/no answers on vendor security questionnaires. Many enterprises receive 50–60 security questionnaires a week and have to decide quickly; caveats create confusion.
- Determine your company’s risk profile. Are you collecting PII? Do you integrate with customers’ systems? Consider even the small stuff: are you collecting customers’ product roadmaps?
- Rules of thumb (though this depends on your risk profile): no need for a security hire before 30 people. Hire engineers with security backgrounds between 30 and 100 people. Bring on a dedicated security person at 100 people.
- Design your MVP with security and data privacy in mind. This will save you headaches (like data deletion requests) down the road.
- Some companies start by deploying into a customer’s VPC rather than offering a hosted SaaS product to mitigate security risks, but there is no single right answer.
- Get a yearly pen test from a reputable source. Automated pen tests still don’t cut it with many enterprises. Pen tests are usually cheaper than bug bounties for small companies.
- But don’t do pen tests too early. First run free SAST/DAST tools and see what they find.
- Start using infrastructure as code (IaC) early. Automatically documenting changes to your networking environment will help with compliance down the road.
- Create a vulnerability disclosure email address early, e.g. security@company.com.
- SOC2 Type 1 is a good start. You don’t need continuous controls in place immediately, but it will seem odd to buyers if Type 2 is delayed for too long.
- Auditors are your friends. Ask them for help. Their incentives are aligned with helping you meet compliance requirements.
- Stick to boring technologies early on. Common infrastructure (e.g. AWS, GCP) is easier for auditors to understand.
- Nothing is worse than having an incident and not knowing what data was accessed. Make sure you have basic logging in place so you can answer that question.
- Track what data internal employees are accessing. Most importantly, ensure proper offboarding when employees leave!
- And finally, compliance is a sales function. Security can make you money after all.