
I'd add to this that there is also a culture of security that is being created from day one. It is unrealistic to purposely let things slide security-wise with the idea that you'll care about it later, and expect a healthy culture to emerge.

Going back to layer on security can be challenging, but it's even harder to retroactively layer on a way of thinking about and prioritizing security. For instance, it literally has to be that every engineer is thinking about the security implications of every design/implementation choice with the same urgency as the product features themselves. And there has to be a sense of standards, accountability and direction coming from the top.

Equifax is a good example of a company that failed in this. You look at the original incident, then consider how they made it so much worse in their response. At a certain point you start to think "is anyone even thinking about security there?" and you realize their culture is fundamentally broken in such a way that their entire organizational mindset will need to be clean-sheeted. That's a tough road.



That's a very important and interesting topic. Do you know any literature and standards on how to establish such a "culture of security" (afterwards)?


The thing that became evident to me with this breach and the long-delayed response from Uber about their breach was that the following is one way to look at a company's ability to deal with the reality of the internet.

First, there is the overall company culture. If employees, top to bottom, care about the company, its mission, and what they are doing day to day, it makes it feasible to introduce a security culture.

Secondly, technical competence, top to bottom. Not understanding the importance of patching (didn't they tell Congress that it was too hard?), or the fact that your customer outreach web site should be part of your already existing domain, as opposed to a totally independent, easily spoofable domain that can even fool your social media guy.

Third, a serious security team. Penetration testing, security awareness training, logging/monitoring. But a crack security team is hard-pressed to overcome weakness in the other two.

This all clearly starts at the top.



