The Essential Security Checklist for Seed-Stage Startups
A founder recently asked me: "We just closed our seed round. Do I need to hire a CISO?"
Answer: No.
You don't need a CISO, and you don't need enterprise-grade security appliances. You need to cover the basics that prevent 90% of automated attacks and negligence.
Here is the minimalist security checklist I give to Seed/Series A startups.
Identity & Access (The most critical layer) #
- Enforce MFA Everywhere: Hard keys (YubiKey) or App-based (1Password/Google). No SMS MFA (sim-swapping is real).
- Use a Password Manager: 1Password or Bitwarden. Enforce it company-wide. No sharing passwords in Slack.
- SSO (Single Sign-On): If you use Google Workspace, enforce "Log in with Google" for all SaaS tools (Slack, Zoom, Jira).
Infrastructure (AWS/GCP) #
- No Root Accounts: Lock away the root user credentials physically. Create individual IAM users/roles.
- MFA on Console: Enforce MFA for anyone logging into the cloud console.
- No Public S3 Buckets: Turn on "Block Public Access" at the account level.
- No SSH to Production: Use AWS Systems Manager (SSM) or GCP IAP to access servers. Don't manage SSH keys.
Device Security #
- Disk Encryption: FileVault (Mac) or BitLocker (Windows) must be on.
- Auto-Updates: Force OS and browser updates.
- Screen Lock: Set to 5 minutes.
Code & Pipeline #
- Branch Protection: No pushing directly to
main. Require 1 reviewer for PRs. - Secret Scanning: Enable GitHub's native secret scanning or use
gitleaks. - Separate Prod/Dev: Production data should never live in a development environment.
Legal & HR #
- Background Checks: For anyone with access to production data.
- Offboarding Checklist: When someone leaves, have a scripted process to revoke access immediately (Identity provider first, then individual accounts).
That's it. #
If you do these things, you are more secure than 90% of your competitors.
Don't waste time on "Advanced Threat Protection" or "AI-driven anomaly detection" until you have MFA enforced on your email.
Need a deep dive on your specific infrastructure? I offer a Cloud Security Assessment that covers this checklist and your K8s configuration in detail.
Nikita Mosievskiy
Security Engineer & AI Researcher