by zmitri 2913 days ago
How did you maintain compliance and security before you could have someone full time on it? How did you deal with audits? Did you hire an engineer full-time dedicated to this, outsource it, or do it yourself? (I ask because I do this now but at 8 people it's starting to take up too much of my time as CTO)

How does it work at your size now?

3 comments

I think either of your options would work. If you have in-house skills (yourself and/or another engineer), exploit them. If you have a trusted third party who can help, spend some time and money on them. If neither of those work and you feel you need to hire someone, do that (although I’d go with the other two options first). Also, as you undertake these audits, keep a solid record of documentation (questions and answers) as most due dil exercises will be made up of many of the same questions. Stock answers go a long way.
This video is about: "Finance as Strategy: When and How Startups Should Build a Finance Function" - a16z https://www.youtube.com/watch?v=ns9_OGz4SeE

But this could apply to any Function in the business.

I would argue you need a security specialist at about the same time as you need a build pipeline specialist.