
My honest opinion is that this is vacuous. I dislike being that critical but this is important. First, I don’t think it’s meaningful to segregate this list into divisions by funding milestones, and I don’t think it’s productive to have so many bullet points crowding one page for attention. Second, and more specifically, I think this list leaves a lot of the heavy lifting out of the problems to the detriment of solving them. For example:

> Encrypt all employee laptops and phones

You have two sub-problems here. Either you take endpoint security very seriously (which becomes its own much more important bullet point), or you trust employees to encrypt their devices on their own. This process should be entirely automated. My concrete criticism: mention this problem alongside endpoint security.

> Accustom your team to locking their computers

This is another endpoint security problem. You should automate this enforcement across all employee computers. Even if people are fully on board with it conceptually, they will err because no one can have Constant Vigilance.

> Centralize and archive your logs

Yes, but how? Provide examples. You linked to Elastic, but why not talk about tradeoffs between the Elastic stack and others? How about the tradeoff of paid infrastructure versus full open source? A build versus buy discussion is very useful here.

> Evaluate your website’s basic security

There’s a messaging problem here. Your checklist doesn’t recommend bug bounties until post-Series A (!!!), partly because you have no qualified staff to review reports. Precisely how are your engineers reviewing “basic” security without basic qualifications? What defines “basic?” If they have the time and initiative to learn how to do this step, why can’t they do other steps you reserve for Series A or beyond?

Frankly, most of this list could be meaningfully reduced to prioritizing automation, endpoint security, formal processes and finding the right people to tell you your unknown unknowns very early on.



>You have two sub-problems here. Either you take endpoint security very seriously (which becomes its own much more important bullet point), or you trust employees to encrypt their devices on their own. This process should be entirely automated. My concrete criticism: mention this problem alongside endpoint security.

Do you have any recommendations for endpoint security? I'm setting that up now and finding a good vendor has been annoying.

>Precisely how are your engineers reviewing “basic” security without basic qualifications?

There are standards and checklists for this (i.e. the OWASP Top Ten). Being able to read and follow a simple checklist that someone recommends to you doesn't mean you're even close to an expert in that area. That said, the OWASP Top 10 includes "Logging and Monitoring" on it while this checklist punts it to Series A, so it's confusing.
