by tguvot 682 days ago
>As a startup CTO, I agree you need networking and cybersecurity. I am not sure if you need full-time people specializing in this though.

Highly depends on the function of the service and its scale.

>I used to work for large companies with big on-prem footprint. Networking and security in that world is a different game and warrants dedicated people.

>But for a startup with two services running in the cloud, with so many out of the box tools? (IDS, WAF, log based monitoring, SDN and all the configurability that comes with it). That can go a long way, without dedicated people.

Maybe for network. But in my experience most of engineering (starting with junior developers and ending with VP/CTO level) doesn't understand cybersecurity specifically or security in general. So even if there is tooling available, people don't understand when, how, or most importantly why to use it.


That's fair. It's a red flag in general if a VP/CTO doesn't have the basics of security in place anyway. My experience in my peer group is that they are all fairly knowledgeable about security, if not experts.

Most startups don't have the scale; there are exceptions of course.

I worked in a variety of companies that ranged from development of security products and were very security oriented, to companies where security was driven by client needs (telecom industry for example), to "other places" where management grew with the company and it's a case of "you can't teach an old dog new tricks". There are always security departments, but unfortunately most of the time their thinking is "slap CrowdStrike everywhere, it will solve all problems" and "here is the SDLC that engineering must follow" (lol)

Indeed, I've seen that latter behavior in large companies back in the day. A security department that refuses approvals to upgrade operating systems because it's too risky, a full-blown ops team that doesn't know how to do it without killing all services for days on end, doesn't have recommendations on security patches, doesn't know if a CVE is actually exploitable in that setup or not - the list goes on.

I work now on FedRAMP certification (essentially leading scoping and solutioning) and interaction with the security department is funny, sad and scary af. I discovered that they developed a risk assessment policy for system components (in a commercial environment) whose purpose is to drop down the risk level of components in order to remove the need for security patching for the SOC. And CrowdStrike in monitoring mode (nobody knew that it's in monitoring mode) because they are afraid of enforcing mode. And that temporary access from/to the production network is actually permanent because there is no flow in the ticketing system to remove it.