How should early-stage startups handle security and compliance?

Renee Shah
2 min read · Mar 31, 2021

Buyers are asking startups for sophisticated security practices much earlier than before. Anecdotally, even startups with just 1–3 people sometimes need SOC 2 compliance. Most startups don’t need to build out a security function this early. Here are 16 tips for early-stage CEOs who are trying to figure out their security and compliance strategy. If you have more questions, feel free to message me on Twitter: @reneeshah123

  1. Ask your champion to introduce you to the customer’s security team early in the sales process. You don’t want surprises right before a close. Create reusable security “packages” (a standard set of documents about your architecture, data handling and testing) to send in every sales process.
  2. Stick to yes/no answers on vendor security questionnaires. Many enterprises get 50–60 security questionnaires a week and have to decide quickly; caveats create confusion.
  3. Determine your company’s risk profile. Are you collecting PII? Do you integrate with customers’ systems? Even the small stuff matters: are you collecting customers’ product roadmaps?
  4. Rules of thumb (though it depends on your risk profile): no need for a security hire before 30 people. Hire engineers with security backgrounds from 30 to 100 people. Hire a dedicated security person at around 100 people.
  5. Design your MVP with security and data privacy in mind. This will save you headaches (like data deletion requests) down the road.
  6. Some companies are starting off by deploying into a customer’s VPC rather than offering a multi-tenant SaaS product, to mitigate security risks, but there is no right answer.
  7. Get a yearly pen test from a reputable firm. Automated scans still don’t cut it with many enterprises. Pen tests are usually cheaper than bug bounties for small companies.
  8. But don’t do pen tests too early. First run free SAST/DAST tools and fix what they find, so you aren’t paying a tester to report the obvious.
  9. Start infrastructure as code (IaC) early. A version-controlled record of every change to your infrastructure and networking environment will help with compliance down the road.
  10. Create a vulnerability disclosure email address early, e.g. security@company.com.
  11. SOC 2 Type 1 is a good start: it attests that your controls are designed properly at a point in time, so you don’t need continuous controls in place immediately. But Type 2, which covers how those controls operated over a period of months, shouldn’t be delayed too long or it will seem odd to buyers.
  12. Auditors are your friends. Ask them for help; their incentives are aligned with helping you meet compliance requirements.
  13. Stick to boring technologies early on. Common infrastructure (e.g. AWS, GCP) is easier for auditors to understand.
  14. Nothing is worse than having an incident and not knowing what data was accessed. Make sure you have basic logging of who accessed what data and when, so you can scope an incident.
  15. Track what data internal employees are accessing. Most importantly, ensure proper offboarding when employees leave: revoke every account and key the day they go, and check the logs for any access after that date.
  16. And finally, compliance is a sales function. Security can make you money after all.
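To make tips 14 and 15 concrete, here is an added example (not code from the original post) of the two questions a minimal data-access audit log should be able to answer: "which records were touched, and by whom, during this window?" and "did any offboarded account access anything after its deprovision date?". The log lines, account names and offboarding dates are constructed for illustration; the format is a hypothetical JSON-lines schema, and only the Python standard library is used.

```python
"""Minimal data-access audit log: scope an incident and catch post-offboarding access."""
import json
from datetime import datetime, timezone

# Constructed sample audit log in JSON-lines form (hypothetical schema, not real data).
# One line per access: timestamp (UTC), acting account, action, resource touched.
SAMPLE_LOG = """
{"ts": "2021-03-01T09:12:03Z", "actor": "alice@example.com", "action": "read", "resource": "customer/42/roadmap.pdf"}
{"ts": "2021-03-01T09:15:44Z", "actor": "bob@example.com", "action": "read", "resource": "customer/42/contacts.csv"}
{"ts": "2021-03-02T18:30:00Z", "actor": "svc-export", "action": "export", "resource": "customer/*/contacts.csv"}
{"ts": "2021-03-03T08:02:10Z", "actor": "bob@example.com", "action": "read", "resource": "customer/77/roadmap.pdf"}
{"ts": "2021-03-04T11:45:00Z", "actor": "alice@example.com", "action": "delete", "resource": "customer/42/roadmap.pdf"}
"""

# Constructed HR record: the moment each departed account should have lost all access.
OFFBOARDED = {"bob@example.com": "2021-03-02T17:00:00Z"}


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp ('...Z') into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse JSON lines into event dicts with a real datetime in 'ts'; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = parse_ts(event["ts"])
        events.append(event)
    return events


def accessed_between(events, start, end):
    """Incident scoping: map each resource touched in [start, end] to the set of actors."""
    start, end = parse_ts(start), parse_ts(end)
    touched = {}
    for e in events:
        if start <= e["ts"] <= end:
            touched.setdefault(e["resource"], set()).add(e["actor"])
    return touched


def post_offboarding_access(events, offboarded):
    """Offboarding check: every event by an account after its deprovision cutoff."""
    findings = []
    for e in events:
        cutoff = offboarded.get(e["actor"])
        if cutoff is not None and e["ts"] > parse_ts(cutoff):
            findings.append((e["actor"], e["action"], e["resource"], e["ts"].isoformat()))
    return findings


def access_by_actor(events):
    """Per-employee view (tip 15): sorted list of resources each account has touched."""
    by_actor = {}
    for e in events:
        by_actor.setdefault(e["actor"], set()).add(e["resource"])
    return {actor: sorted(res) for actor, res in by_actor.items()}


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    # Scope a hypothetical incident on 2021-03-01, then run the offboarding check.
    for resource, actors in accessed_between(EVENTS, "2021-03-01T00:00:00Z", "2021-03-01T23:59:59Z").items():
        print(f"{resource} accessed by {sorted(actors)}")
    for finding in post_offboarding_access(EVENTS, OFFBOARDED):
        print("post-offboarding access:", finding)
```

The point of the example is the schema, not the code: as long as every access to customer data is written as (timestamp, actor, action, resource), the incident question and the offboarding question are simple filters. Service accounts (like the constructed `svc-export`) need to be in the same log and the same offboarding list as humans, since they are the accounts most often forgotten when someone leaves.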


Renee Shah

Partner at Amplify Partners focused on infra, dev tools, and security