Actual (00:00)
Welcome to Status Secure. Today we’re talking to the disruptors, the coders, the startup founders who move fast and break things. However, in 2026, if you break the wrong thing, you don’t just lose a user, you lose the company. So in the tech sector speed is life. We want to ship features, fix bugs and deploy five times a day. And there’s a podcast I listened to recently. Actually, I’ve been listening to it since 2015. It’s called Startups for the Rest of Us.
The host, Rob Walling, was the tech founder of the platform Drip, which was an email marketing platform, which was eventually bought out by Leadpages. And now he runs an accelerator program called TinySeed where they advise, mentor and invest in bootstrapped startups. And he gave advice on a recent episode, which was number 808, where there was a question asked about SOC 2 compliance. And his advice is probably similar across maybe some of the venture field,
which would be, you know, let’s focus on the product. Let’s focus on sales and marketing, right? Let’s go, let’s grow. Let’s get customers. And really, we don’t really think about compliance certificates, essentially. Right. But if you listen to the full episode and you listen to the rest of his statement in context, he caveats that by saying, however, if you’re a startup,
a tech startup serving enterprise clients, especially in industries like finance, you have to account for compliance and security. Think SOC 2, for example, which can feel like putting your foot on the brake pedal if you’re in that startup world. So CISO, be honest with me, even though it might feel like you’re slowing down, does security really kill velocity? Or in other words, can we just get to it later?
The CISO (01:36)
I mean, if you patch it later, you create security debt. It’s like building a skyscraper and deciding to check the concrete foundation after you built the 50th floor. To fix it then, you have to tear the whole building down and any construction company worthwhile does not do that. And you can see it. You can see. I don’t know if you’re familiar with the building in San Francisco that is leaning, right?
Actual (02:02)
Yeah.
Isn’t that the one that Joe Montana had a suite in or something like that, right?
The CISO (02:03)
Yeah.
Yes, yes, and it’s leaning because they didn’t architect it well. They didn’t plan for the foundation well. And so now it’s leaning and it’s costing millions and millions of dollars and they’re trying to figure out how to fix it. So it’s, you know, they’re paying later and they’re paying a lot because it’s taking a long time. It’s been leaning for quite some time now and people aren’t wanting to, they’re selling or they’re not buying or they’re, you know, it’s costing them a lot.
So that’s a prime example of waiting until later and not getting your foundation right. So the new reality, move fast and break things worked for Facebook in 2004. It doesn’t work today because it will break user trust or violate privacy laws like GDPR or CCPA in California. And the regulators will break you. However, with AI, you should be able to move fast without breaking things.
The era of the Wild West development is over because the sheriff has been hired, but he’s only as good as the folks allow him to be. So remember the Wild Wild West? If you remember, there was the Homestead Act. So the government said, go find land, make it your own. There’s plenty of opportunity. So a lot of folks moved out and found their land, built their farms.
had their cattle, and then what happened? The bad people came, started stealing cattle, started coming and just stealing land from people. And then what happened? Then you had to bring the law in, right? The sheriff started coming, but the sheriffs of those towns were only as good as the people. So it’s the same thing. We’re no longer the beginnings of Homestead. We’re now at bad people, bad actors, and the sheriff has to come in.
But you don’t want to do that afterwards. People have already lost their land. People have already lost their cattle and their livestock and their livelihood. So if you could bring in the sheriff first and then have the homesteaders, right? Hindsight’s 20/20. That would have been better. That would have saved those people a lot of heartache and a lot of financial suffering. So same thing here. You know, with AI, just tell AI to build it
with security in mind, tell it that OWASP Top 10 needs to be included in their development, in their code, and it will do it. So do it in the beginning, not when your code starts to lean later.
Actual (04:29)
Yeah. You know, like I mentioned earlier too, you know, looking at the industry you’re in and what makes sense for your startup. Right. And in your example, you gave it reminded me of another, actually the same, you know, Startups for the Rest of Us. Another episode of theirs where somebody asked a question about, you know, can I build my startup out of AI, you know, vibe coding, or, you know, can AI build my code for me? And I love the example they gave, because the example they talked about was,
that’s like, hey, we can go build a shed in the backyard and it would be fine. But that’s like AI vibe coding. But if you want me to go build the house and pour the concrete, put up the framing and the electrical and all this other stuff and the roof and whatnot, like it’s not going to happen. The house is going to fall apart because I’m not a contractor. Right. And it was on that same thing of, like, if you’re going to build a real company in that space, then you need to develop the software properly. And you know, you can’t vibe code that. And so taking that same sort of analogy,
if you know your clients are enterprise clients, you know your clients are in the finance space and you have a platform that they’re using to make these, let’s call it transactions, you probably need to have that security from the beginning. It’s probably crucial to your platform and to actually, like, these clients actually using it. And so, okay. So let’s say I have investors breathing down my neck and I need to show progress.
I need to be moving, right? We’re startups, we’re moving fast. And I can’t wait two weeks for a penetration test every time I want to release an update. So how do I move fast without being reckless?
The CISO (05:57)
Well, you shift left. Everybody talks about that. But now you can actually do it. You can do it quicker. You stop treating security as a gate, and you treat it more as a guardrail. And you do it at the beginning. We call this shifting left. You don’t need a human to review every line of code anymore. You use automated tools. And they’ve been around. So it’s tried and true.
Use those automated tools in your pipeline. Hey, it’s like a spell check for security. The developer gets alerted while they are typing the code. I mean, there are so many tools. They’ve been around for a long time now, where you can’t even compile if there’s vulnerabilities in your code. Also with AI, tell it to code it securely. So now instead of having the developer write the code,
then have the automated tools checking while they’re developing and while they’re trying to compile, because now they’ve got to go back and review their code and fix the vulnerability, you start at the beginning with AI. You have it write the code for you with security, and then you have the developer review it really quickly because it’s already written, and the tools you have there again as a guardrail. Now when you run your automated tools to check,
it won’t find vulnerabilities and it will compile. And that’s how you move faster. This actually increases velocity because you aren’t spending your next sprint fixing bugs from the last sprint. You ship clean code the first time around. This actually speeds up delivery, your customer satisfaction, and you can actually release more functionality versus trying to fix bugs.
Actual (07:40)
All right, so you’re saying security is actually a quality control issue. It’s bug squashing, right?
The CISO (07:45)
Yes.
Actual (07:46)
Okay. So let’s talk about revenue. Because my sales team is telling me they can’t close the deal with a big enterprise client because we don’t have a security packet ready. And you know, we ran into this recently where we had a couple of clients come through the door. One of them, let’s put it in reality, they’re going, I want to close these big clients. I have a big opportunity for my business and I’m growing.
And for this new echelon of my clientele, it’s like a baseline requirement that I have, like, SOC 2 Type 2, right? It’s like these security compliance certificates, or what have you, are almost like a gate for me to even do business, and they want to do business with me, but I can’t. Right. And so with that in mind, now we’re thinking, is security also a product feature?
The CISO (08:34)
Yeah, exactly. Right. I mean, a vulnerability is just a bug that hurts people. Right. So if you, you know, if you wouldn’t ship an application that has a user button and that user button, when they click it, doesn’t work, you know, you wouldn’t do that. You wouldn’t ship that to a client, right, to a customer. So why would you ship, you know, a product that doesn’t have a secure database connection, for example, right?
Even though they can’t see it, see, these are things that the user can’t see, but they’ll feel it. They’ll experience it later in the form of breaches, their data being exposed. So I remember when I was a developer, and to meet timelines, you have to de-scope. Project managers love using that to get projects back on schedule. So you start de-scoping, right? But you should never de-scope security.
That should be one of your fundamental requirements in a project. Users can’t see it, but they will feel it later. And so from a project’s perspective, you should never compromise your security to meet timelines.
Actual (09:42)
Got it. So, okay, so let’s give founders their marching orders, right? If a CTO is listening to this and, let’s say, they know their code base is a bit of a mess of spaghetti and, like, strapped together with duct tape, like, what’s step one for them?
The CISO (09:56)
Well, if you want to sell to Fortune 500, if you want to sell to Fortune 500 or the government or healthcare, you have to be able to pass a SOC 2. And that’s your foundation, that’s your fundamentals. If you can’t even do the baseline, how can you do anything else? That’s what customers are thinking. And so if you want to play in the…
If you want to play, if you want to swim in the big pool and you want to get out of the kiddie pool, you have to show that you can swim. Hey, so that’s basically what it is. But you know your marching orders, you know immediately what you can do is you can do an assessment. You know, do an assessment, find out where you are, do a pen test, you know, hire an ethical hacker to break into your app before the bad guys do.
Right? Use AI, because honestly, one bad, one big data breach, one security incident, and your company has a reputation now that nobody will want to work with. Right? So start the SOC 2 journey now. You need to assess, even though you may not think that you’re ready or that a customer wants it, because I see a lot of startups. So what happens is
they get a big client and the big client wants the SOC 2. And that’s when they do it. But if you do it now, before a client wants it, you can actually use that to advertise, to market. You know, some, like, RFPs require that you have a SOC 2, right? Some big, big clients require that you have a SOC 2. So just go ahead and do it now. At least now, if you do it and you don’t pass,
and you have what’s called a qualified report, which means you didn’t pass, you can fix it. And it’s still good because you don’t have to give this to anybody yet. It’s just for yourself.
Actual (11:43)
You know, that’s great advice, and it reminds me of something in the venture space. You’ll hear this, especially with young startups, young founders, or that’s just them at the time. And maybe they don’t even have a product built. They’re not selling anything and they’ll be out there asking for money. Give me money, give me money, give me money. And the advice you’ll hear a lot is: ask for money when you don’t need it. Right? Let’s say you got the product
built and you’ve started getting customers and you have revenue coming in and you may not actually need the money. That’s the time to go get the money. Right. Because, and I guess it feels maybe backwards in our minds, but people aren’t going to want to give you money if you aren’t making money. Or maybe I should say they’re not going to feel as inclined to. But if you’re showing growth, like you’re showing velocity and speed, and
then you come in and say, I’m making money, I’m generating users, right? It’s been building, building, building. Now’s a good time to ask for money. But if you come in and you say, I’ve been losing users, I’m losing revenue, my bank accounts are depleted, like things aren’t looking good. Now can you give me money? Right, it’s like you’re too late. You know, I’m not as excited now. I’m not as motivated as I would have been if you would have come to me this time last year when you were crushing it and when the money could have helped you
not fall into that downward, you know, slump, right? And that’s what this sounds like. It’s like when you need SOC 2 because the client of your dreams showed up and you’re like, yes, this is it. Right? This is perfect. This is what we want. This is what we need. And then they say, yeah, you need to do this thing. This thing that might take you three, depending on what it is, six, 12 months. That’s a killer. Like, that sucks.
And then you’ve got to sit there, you’ve got to hold off on that opportunity to get that done. When you know you’re in the space, you know you’re going to get those kinds of clients. So let’s get it ahead of time when you don’t need it. Right. So then when the opportunity is there, you can move fast. So velocity does matter, but direction matters more. Right. So we want to build it fast. We want to build it secure.
Mission success is about sustainability, right? And so on that note, that’s it for today’s episode and we’ll see you guys next week.