Startup security starter pack

Inspired by Steve Weis - his version on Google Docs

Start Here

  • Starting Up Security: From Scratch: High level principles to inform your program
  • Prescriptive The SOC2 Starting Seven, Latacora: Latacora is a consultancy that helps build security programs for startups. While this post is structured around SOC2, it contains a set of tactical controls that you should implement early and that will provide a solid foundation for your security program.
  • Prescriptive Early Security for Startups, Dev: Dev has been down this road, and helped scale security for hypergrowth companies. He goes so far as to call out specific tools and vendors - something we often elide but can be high-leverage if you trust his judgement. You should.
  • Minimum Viable Secure Product: A "minimalistic security checklist for B2B software and business process outsourcing suppliers"

Read More

  • Ryan McGeehan's Enough to get through the first two years of a security program. Structured as both a book and a collection of topical articles. I recommend Foundations and Fundamentals, to start.

These posts are interesting to show where your program can go, but can be elided if you're treading water as the first person responsible for security.

Conference Talks (war stories of starting security):