When you are building something from nothing, you don’t need to secure it because nobody cares. Nobody creates a vault for their lemonade stand inventory. Startups are by default dead, and having a good security narrative is not a core need for most users. Or at least they won’t bring it up if you don’t bring it up. In fact, they will assume that their data is protected, and you should not mention it.
Security is sideways energy. If your startup survives into a future in which you have a security-focused customer, like the United States government, or anything to do with healthcare, or the general business-to-consumer market at scale, or the ever-increasing part of the population that cares about privacy, or anybody in Europe, or California, or states that want to be California, or you get a customer you care about like your mom: THEN you can add security in a few sprints, probably. Well, you’d need to estimate it first.
Plus, you are likely building with cloud technologies, so I think the security is already baked into that: using today’s tech stack, you are likely more secure than previous computer systems - the ones you know nothing about. Moore’s law and this and that. Software gets more secure over time, you think. That seems right.
Thinking about security is bad enough; could you imagine if you hired some people with experience in it? They would be so annoying. The other companies you worked for (those that make money and are still around) had this annoying group of compliance officers and security people who were always making everyone rotate passwords, use MFA, and watch those awful training videos. They were playing defense, and a startup should be pure offense.
So just ignore security until you get big enough to be a target. In the worst case, if a customer asks you to delete their data or a hacker asks for ransom for that same data, pivot to see if you can create a marketplace to connect that consumer with that provider.
Paid subscribers view additional commentary about this post, with links to useful resources on handling the tension between building something and protecting it. If you are reading this and thinking, “well it depends,” or “this is a gross oversimplification,” or “what an idiot,” then you might be interested in Additional Commentary for this post.