VCs love TAM slides. Users love not being breached.
Why Startups Under-Secure
- MVP pressure, scarce resources, misaligned incentives
- Lack of security expertise on early teams
- Investor pressure to scale fast
Investors Waking Up
- Some VCs now include security diligence checklists.
- EU accelerators and Horizon programs require security roadmaps.
- Compliance overhead from the AI Act and NIS2 makes neglect unsustainable (European Commission).
Diligence Questions
- Threat model?
- Training data integrity?
- Drift detection?
- Audit trails?
- OTA security?
- DPIA performed?
Minimal Security Stack
- IAM with least privilege
- Encryption at rest and in transit
- ML provenance tracking
- Logging & audits from day one
- Version gating
- Light adversarial sweeps
- Incident response playbook
Secure runway beats growth at any cost, especially in health.