Sometimes compliance feels like a nuisance.
Startups have limited time, limited cash, and seemingly unlimited pulls on both. The founder is right to focus on product, customers, and the next fundraise. But the founder and the leadership team need to resist perceived compliance shortcuts.
You've heard about Delve — the $300M startup expelled from Y Combinator earlier this month. Possibly some founders were looking for a shortcut when they signed up with Delve. Possibly not. I don't know.
What I do know: I applaud the incorporation of modern apps and tools in the tech stack. Eliminate manual work. Automate extensively. Use agentic tools with care and within guardrails. But Delve is a cautionary tale in that sense — your tech stack needs to feature reputable, proven apps and tools. Vet the vendor as hard as you'd vet a hire.
And to the extent any founders saw Delve as an info sec compliance shortcut: info security isn't optional, and you shouldn't be looking for shortcuts. Company-building includes many things that need to be done properly — not always fun, perhaps not an obvious use of the company's scarce resources. But they are. Bad on you if you forgot the compliance line item in your budget. It isn't optional, no more than insurance.
You need to avoid a hack or a breach at all costs. Partner and customer trust takes years to earn, but can be destroyed in an hour. So actually put the controls in place — not to pass the audit, but to avoid the breach.
If you need help figuring out which controls to put in place, or how to implement them, find a consultant who specializes in this. SeriesOps can hook you up. There are also good tools that help collect and organize the evidence — they really do make the audit go more smoothly.
With the controls in place, you'll pass the audit easily. More importantly, you'll sleep better at night — because you'll have reduced the chance of an event that will kill your company.
Controls, not certificates.
Do the work.