
Ask HN: How do startups value security? - chasemiller
I was recently reading Jason Lemkin's "It’s Time For You To Make Security a Core Feature — Not a Tax" (https://www.saastr.com/its-time-for-you-to-make-security-a-core-feature-not-a-tax/) article and it made me wonder how security is valued in startups. I realize that it is hard for most startups to justify spending cash on security and then I started to wonder:

- What equity would you give up in exchange for dedicated security audit services? (0.1%/year or something)

- Do you perform security audits? If so, do you do them in-house or outsource them?

I would love discussion from both startups and consumers.
======
rajacombinator
Probably just like end users - i.e. not at all, until SHTF.

------
brudgers
The idea of getting paid in equity suggests an unsustainable business model
since startup equity tends to be illiquid. This suggests that the business
providing the service may not be around in a year or two or less. In addition,
transferring equity to contractors will also have significantly more overhead
than a cash transaction.

The real question is what is the value proposition of the security services?
That's necessary for sales.

Good luck.

~~~
chasemiller
The equity question was mostly theoretical to get a better idea of how
startups value security among their early employees. I completely agree that
the business model would likely be unsustainable.

------
dsacco
I run a successful security firm, so I feel fairly qualified in saying this:
your equity proposal is not financially sound. It's a creative idea that has
been considered before, but it's not something I would consider, and it's not
something most (any?) of my clients would consider. Frankly, software security
services are closer to insurance than they are to contracted software
development. You have a variety of obstacles to making this successful.

First, investors would be concerned that the founders are offering equity for
"non-employees" and "non-core" consulting services. Investors don't like to
see independent contractors getting equity to begin with - the only case
they'd be okay with this is if the founders need help building the company's
fundamental software.

Second, your shares would be the first to be diluted when it comes time to see
whose shares are not as important. 0.1% equity for a year's retainer? That
usually amounts to 12 weeks of actual work, maybe less. This is an amount they
will eventually offer to full-time employees over a period of several years.
How would you vest it?

Third, consider that if your firm is providing security audits for equity, you
are self-selecting for startups which have poor business acumen (in that they
accepted this deal). Your already poor chances for any equity return at all
just became poorer. How long can you provide security services on a "I'll take
a hamburger today and gladly pay you tomorrow" basis before you run out of
money and need to actually charge market rates? It's not sustainable.

Finally, you are basically a de-facto investor, in that you need to select
startups you believe will be winners, otherwise your equity will be worthless.
You'll have to be both an excellent angel investor with your startup bets and
an excellent security provider, and this will be further complicated by the
fact that only inexperienced or bad founders will be likely to offer equity in
return for security.

In other words, it's a bad deal, most people won't take it and you'll probably
be burned by those that do. It's not sustainable and if you're doing this
because you want to get rich, consider that running a successful security firm
and doing good work for fair market rates will get you there.

To answer your (easier) second question - most startups care a lot about
security once users start asking them difficult questions. Then they turn to
firms like Sakurity, NCC Group, Optiv, Bishop Fox or my own and outsource an
audit, because they don't have the resources for an in-house security team
just yet.

To answer your other question, startups will start getting audits once they
reach their second or third round of funding, though the savvier ones might do
it once they have substantial enough seed funding. There is a sweet spot where
startups know they need security but won't bother with an in-house team -
that's where you market yourself. Alternatively, you can market your services
to enterprise companies with both an in-house team _and_ regular independent
audits, but that's harder for a beginning firm.

That's just the broad strokes though. Some startups need to prove security
competency earlier on; some try to hire security teams quickly.

More importantly, how much security experience do you have? What is your
network of potential clients like?

_edited for formatting_

~~~
chasemiller
Hey dsacco, thanks for the great reply! I am a security guy on the outside of
the startup world looking in and I was just trying to get a better feel for
what the security landscape looks like.

_You'll find that startups between seed funding and Series A are most likely
to care about security. They have the funding to pay external firms for audits
but they won't want to invest in a full-time security team just yet. After
that, if they eventually get to "enterprise" level they'll care more about
security and have both an in-house team and external reviews._

I figured this was the case. Pre-seed startups are too concerned with getting
something to market and most who raise (and have something worth owning equity
in) would have the funds to outsource to you.

_As for your proposal of equity, I would never do this. Frankly, security
services are closer to insurance than they are to building positive value. I
have interacted with many startup founders, and most would not take an equity
proposal like that for this reason. There are several obstacles._

The equity for security question was mostly hypothetical to get a better
understanding for how security is valued among early employees. When I read
the title of Jason's article, "It’s Time For You To Make Security a Core
Feature — Not a Tax" all I could think of is what a hard sell that would be to
both founders and customers, and you confirmed my assumptions. I completely
agree that the business model is not sustainable.

Thanks again!

