Security culture is not something you buy. It is something you build. And in a 20-person startup where everyone wears multiple hats and moves fast, building security culture requires a different approach than what works at a Fortune 500 company.
You cannot mandate security culture through policies and training videos. You have to make it part of how people work every day.
Start with the founders
Culture flows from the top. If the founders treat security as a nuisance that slows down shipping, the team will too. If the founders visibly prioritize security, use strong passwords, enable MFA on everything, and talk about security risks in all-hands meetings, the team follows.
This does not mean the founders need to become security experts. It means they need to signal that security matters. When someone reports a security concern, thank them publicly. When a security improvement ships, celebrate it the same way you celebrate a new feature. When a security incident happens, lead the post-incident review without blame.
Make security easy
The biggest enemy of security culture is friction. If the secure way to do something is significantly harder than the insecure way, people will take shortcuts. Your job is to make the secure path the path of least resistance.
SSO everywhere. When every tool has its own username and password, people reuse passwords. When everything goes through SSO, they authenticate once with one strong password plus MFA, and offboarding becomes disabling a single account instead of hunting for logins across a dozen tools. Set up Google Workspace or Okta and connect every SaaS tool you use; keep an inventory of the few that cannot be connected so they are not forgotten when someone leaves.
Password manager. Provide a team password manager (1Password, Bitwarden) with shared vaults and make it the standard way to share the credentials that cannot sit behind SSO. This eliminates passwords in Slack messages, sticky notes, and shared documents.
Automated security tooling. Install a pre-commit hook that scans staged changes for secrets so a leaked key is caught before it enters git history. Run dependency scanning in CI so known-vulnerable packages are flagged automatically on every pull request. Use infrastructure-as-code so security configurations are version-controlled and reviewed in pull requests rather than changed by hand in a cloud console.
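A minimal version of the pre-commit secret hook described above, written for this article as an added example rather than taken from any particular tool. It matches credentials with a known shape (AWS access key IDs, private key headers) directly, and flags generic assignments such as SECRET_KEY = "..." only when the value has the entropy of random data, so placeholders do not trip it. The sample lines, the entropy threshold and the "allow-secret" marker are all choices made for this example; the AWS values are the public example pair from AWS documentation, not live credentials.

```python
#!/usr/bin/env python3
"""Pre-commit hook that blocks staged changes containing likely secrets.

Save as .git/hooks/pre-commit (chmod +x) or wire it in through your
pre-commit framework. Only lines being added in the staged diff are scanned.
"""
import math
import re
import subprocess
import sys

# Credentials with a fixed, recognisable shape are matched directly.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Generic assignments like SECRET_KEY = "..." or token: "..." are found by the
# identifier name; the value is then judged by its entropy so that obvious
# human-written placeholders are not flagged.
ASSIGNMENT = re.compile(
    r"""(?i)([A-Za-z_]*(?:secret|token|password|passwd|api[_-]?key)[A-Za-z_]*)"""
    r"""\s*[:=]\s*['"]?([A-Za-z0-9+/_\-=]{16,})['"]?"""
)
# Bits per character above which a value looks random rather than human-written.
# Chosen for this example; tune it against your own false positives.
ENTROPY_THRESHOLD = 3.8
# Marker a developer can append to a line that is a known fake fixture (example convention).
ALLOW_MARKER = "allow-secret"


def shannon_entropy(value):
    """Shannon entropy of a string in bits per character."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n)
                for c in (value.count(ch) for ch in set(value)))


def find_secrets(lines):
    """Return (line_number, rule_name) for every suspicious added line."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if ALLOW_MARKER in line:
            continue
        for rule, pattern in KNOWN_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, rule))
        match = ASSIGNMENT.search(line)
        if match and shannon_entropy(match.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "high_entropy_assignment"))
    return findings


def staged_added_lines():
    """Lines added in the staged diff, with the leading '+' stripped."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [l[1:] for l in diff.splitlines()
            if l.startswith("+") and not l.startswith("+++")]


# Constructed sample input: the AWS documentation's public example key pair,
# a key-file header, a harmless placeholder and an ordinary line of code.
SAMPLE_STAGED_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    "-----BEGIN RSA PRIVATE KEY-----",
    'api_key = "REPLACE_ME_REPLACE_ME"',
    'print("hello")',
]


def main(argv):
    lines = SAMPLE_STAGED_LINES if "--demo" in argv else staged_added_lines()
    findings = find_secrets(lines)
    for lineno, rule in findings:
        print(f"possible secret on added line {lineno}: {rule}", file=sys.stderr)
    if findings:
        print("commit blocked; remove the secret or mark a known fixture with "
              f"'# {ALLOW_MARKER}'", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with --demo to see the three findings on the sample lines (the placeholder on line 4 is not flagged because its entropy is too low). The hook is a safety net, not a guarantee: a secret that slips past it and lands in history must be treated as compromised and rotated, whatever you do to the git history afterwards.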
Train through doing, not slideshows
Annual security awareness training with a 45-minute slideshow does not change behavior. Instead, integrate security into the work itself.
Code review checklists. Add security items to your code review checklist: input validation, authentication and authorization checks, SQL parameterization, error handling that does not leak internal detail to the caller. Every developer reviews every pull request with these items in mind.
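An added example, not code from the original post, showing three of those checklist items in Python with sqlite3: the query shape a reviewer should reject next to its parameterized form, and a handler that validates input and keeps internal error detail in the log rather than in the response. The table, its rows and the username rule are constructed for illustration.

```python
import logging
import re
import sqlite3

log = logging.getLogger("user_lookup")

# Usernames this example accepts: lowercase alphanumerics and underscore, 3 to 32 chars.
USERNAME_PATTERN = re.compile(r"[a-z0-9_]{3,32}")


def make_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """What the checklist should catch: the caller's text is pasted into the SQL."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}' ORDER BY id"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    """Bound parameters: the value travels separately and can never become SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ? ORDER BY id",
        (username,),
    ).fetchall()


def lookup_user(conn, username):
    """Handler-style wrapper: validate input, use bound parameters, and return
    a generic error to the client while the full detail goes to the log."""
    if not USERNAME_PATTERN.fullmatch(username):
        return {"ok": False, "error": "invalid username"}
    try:
        rows = find_user_parameterized(conn, username)
    except sqlite3.Error:
        log.exception("user lookup failed")        # stack trace and SQL stay server-side
        return {"ok": False, "error": "lookup failed"}
    return {"ok": True, "users": [{"username": u, "email": e} for u, e in rows]}


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))      # every row comes back
    print("parameterized:", find_user_parameterized(db, payload))  # no row matches that literal
    print("handler:", lookup_user(db, payload))                  # rejected before any query runs
```

The payload makes the point a reviewer needs to internalize: the vulnerable query turns "' OR '1'='1" into a condition that is true for every row, while the parameterized query simply looks for a user literally named that and finds none. The handler rejects it even earlier, on the input validation check, which is the cheapest place to stop it.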
Phishing simulations. Run a quarterly phishing simulation using a tool like KnowBe4 or GoPhish. When someone clicks, do not punish them. Use it as a teachable moment. Share results with the team (anonymized) and discuss what made the phishing email convincing.
Lunch-and-learn sessions. Once a month, have someone present a 20-minute talk on a security topic relevant to your business. Rotate presenters so everyone learns by teaching. Topics: how HTTPS works, common API vulnerabilities, what happens during a breach, how to read a security advisory.
Create security champions
In a 20-person startup, you probably do not have a dedicated security team. Instead, identify 2 to 3 people across different functions (engineering, product, operations) who are interested in security. Give them the "security champion" title, send them to a security conference or training course, and make them the go-to people for security questions within their teams.
Security champions are not responsible for doing all the security work. They are responsible for keeping security top-of-mind within their functional area. They review pull requests with a security lens, flag potential risks in product discussions, and escalate concerns to leadership when needed.
Make reporting safe
People need to feel safe reporting security concerns. If someone discovers they accidentally committed a credential to git, they should feel comfortable reporting it immediately so it can be rotated, not hiding it and hoping nobody notices. Treat any committed secret as compromised: rotate it first, then clean up the history, because rewriting history alone does not undo the exposure.
Create a #security channel in Slack where anyone can report a concern. Respond to every report with gratitude, regardless of severity. Never punish someone for making a mistake. Punish people for hiding mistakes.
The same applies to external security researchers. Publish a security.txt file at /.well-known/security.txt (RFC 9116) with a contact address and an expiry date, and a responsible disclosure page that says what is in scope and how quickly you will respond. If someone finds a vulnerability in your product, make it easy for them to report it and acknowledge the report promptly.
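What a minimal security.txt looks like, as an added example rather than a file from any real company. Contact and Expires are the two fields RFC 9116 requires; the rest are optional. The example.com hostname and every URL in it are placeholders to replace with your own.

```text
# Served over HTTPS at https://example.com/.well-known/security.txt (RFC 9116).
# Contact and Expires are mandatory; list the preferred contact first.
Contact: mailto:security@example.com
Contact: https://example.com/security/report
# ISO 8601 date-time; the RFC recommends keeping it under a year out and refreshing it.
Expires: 2026-12-31T23:59:00.000Z
Encryption: https://example.com/security/pgp-key.txt
Acknowledgments: https://example.com/security/thanks
Preferred-Languages: en
Policy: https://example.com/security/disclosure-policy
Canonical: https://example.com/.well-known/security.txt
```

Put a reminder in the calendar to update the Expires field; an expired security.txt signals to researchers that nobody is watching the mailbox, which is the opposite of the message you want to send.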
Measure and iterate
Track security metrics monthly: number of reported concerns, time to patch critical vulnerabilities, phishing simulation click rates, percentage of tools behind SSO, and MFA adoption rate. Share these metrics with the team and set improvement targets.
Security culture is not a project with a completion date. It is an ongoing practice that evolves as your company grows. The 20-person startup that builds strong security habits early carries those habits with it as it grows to 200 people. The one that waits until it has 200 people to start will find the habits far harder to retrofit, because by then there are more tools, more access paths and more deadlines competing with security.
If you need help building a security program and culture for your startup, reach out. We have done this dozens of times and can help you find the right balance between security and speed.