This blog post is just an ad for Gold Fig.

It doesn't answer the question except in the last sentence: "Gold Fig can help with the basics, and beyond! Talk to us about getting an assessment of the next steps to take."

Flagged
What's way more important than being smart about security is consistently not being dumb about it.

Knowing about the most important dangers (OWASP Top 10) and avoiding them while picking up some best practices on the go yields much better results than being completely oblivious on the topic and then trying to "pay back" half a decade of neglected security that has not been baked into the architecture by then.

In the end though, later is usually preferable to earlier. I know fewer companies that were killed by an absolute lack of security (heck, even Equifax is still around) than companies that failed to achieve product-market fit because they focused too much on something other than their core mission.

Opportunity cost is real.

For a pragmatic guide on striking a good balance, I've found this one helpful:

https://www.sqreen.com/checklists/saas-cto-security-checklist
Ha! I've had the chance to be in charge of technology (including its security) in two different startups.

The first one was B2C (60+ people post Series A). My CEO just did not care about security even though we (myself and our internal security expert) warned about it. No dev cycles had priority for security improvement. For me it was always an uphill battle to sell the need for security.

This all changed in the second startup. This was a B2B. That was the blessing: as sales went upmarket, larger prospects questioned sales about our security, SOC 2, PCI, GDPR, CCPA, etc.

As the tech head it is A PLEASURE that I don't have to fight for that. The Sales team fights for it because otherwise they lose deals.