Latacora is not a great fit for every startup. We take on just a few clients, and work with them for a long time. We try to be careful about who we work with.
Most startups don’t need full-time security yet. That’s a good thing. If that’s you, enjoy it while you can!
The obvious sign that you need full-time security is “you’re trying to put together a hiring req for a security engineer”. Some subtler signs:
Your customers are demanding security assurance as a condition of doing business. You’re burning time filling out questionnaires.
You’re burning so much time securing systems and code that your engineers are having trouble getting features done.
An acid test: we don’t work much longer than 5-6 quarters with anyone. When we’re done, we’ll need to hand the security practice over to someone. Are you ~18 months from hiring that person?
We’re software security people. If your company doesn’t do much software development, we’re not a great fit.
We help with the “boring” policy and controls stuff, too; we want to own the whole security practice. But to get value out of us, your security problems should be definable in code.
Lots of companies are wary of giving access to remote staff and contractors. That concern makes sense. But we’d be your security team; we’ll need access to things.
We can talk in detail about how we manage authentication and secrets, and we can be flexible. But we don’t work well with startups that expect to cordon us off with other contractors.