>What if management hires incompetent security team?
That's harder to do because you have to establish competence,
which has led to a bunch of hazing rituals via whiteboard for general software development and a lot of other insecurities. Being a security professional isn't regulated by law, so you can't check the law to determine if someone's competent. So who's opinion do you trust, and why do you trust their competence? An expert witness, maybe?
>Great so you just made it illegal or impossible to create a start up, congratulations.
All of this is under the context you'd be handling a lot of PII or sensitive information, in which case, yes, I don't want just any start up to work with PII without some kind of security team.
If you're handling sufficiently private data, then there shouldn't be a low barrier to entry. Starting a medical startup without the requisite expertise would be negligent; I don't see why certain classes of private information should be different.
