
> Checklist item 1: Hire an outside security auditing firm to report on the state of this checklist quarterly

Security auditing firms cost a lot of money. Money you don’t have when you’re a small startup. Besides, an auditor audits and the hard part about this list is implementing it. Until you can afford to hire someone to take care of security, it’s usually the CTO’s job to make sure security is not an afterthought.

> I don't see any value in relating anything to the financial stage of the company because it's irrelevant.

It is extremely relevant, for at least two reasons. The first one is that the company’s financial resources dictate what you can or cannot do (e.g. hire a dedicated security resource, pay for pen testing). The second is that some recommendations just don’t make sense before a certain size (e.g. there’s no sense in setting up an AD and GPOs when there’s just 3 of you in the company).



How lucrative is security work? It’s a direction I’ve been considering moving towards but the salary info I’ve seen is not great. Am I looking up the wrong terms/titles?


As an employee, application and infrastructure security work pays somewhat better than normal product engineering work (there are good jobs and bad jobs, of course).

There are lots of security jobs that don't pay especially well and are career dead-ends --- enterprise IT security isn't a good place to end up, nor is sales engineering ("security engineer") for security product companies, nor is malware analysis.

My feeling is that software/application security consulting is a reasonable route to go, if you want to work for a consultancy, but I'd be wary of any other kind of security consulting.


Thanks for the insight!



