Starting a new venture can be both hectic and rewarding. After being around startups since 2000, I know how you feel. It can be overwhelming, but you need to understand how security and privacy play a part in your success.
First of all, do not ignore security; whatever some venture capital groups are preaching about deferring it is pure BS. By designing security and privacy into your solution from the start you will be miles ahead of your competition.
Here is how to approach this complex problem (which is not complex, by the way, but people feel better when you tell them how complex it really is).
1. Conduct a risk assessment of both your product and your company to determine what data you collect and how that data is collected, processed, stored and destroyed. I recommend ISO 27005 as the framework for this. As you step through the process, consider every element of your solution, including but not limited to hosting, OS, plugins, modules, binaries, daemons, services, programming languages, authentication, logging, encryption and databases. You get the point. Focus on how each element is integrated with the others, and test each one to confirm that you did not introduce any vulnerabilities.
2. Threat model your solution to determine how it can be attacked, because it will be. There are several frameworks for this (STRIDE is a common one). Pick one, use it, and make it part of a simple but efficient SDLC.
3. Know the laws and regulations that affect your product, not just where you are today but in every geographic region where you plan to do business. Treat these as requirements for your product.
4. For each risk you identify, write unit tests that validate the mitigation is actually in place and that the risk has been reduced to the level you decided to accept. A risk with no test is a risk you have only assumed is handled.
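Step 4 is easier to see in code. The following is an added example, not code from the original post: a constructed risk register with hypothetical IDs (R-01 to R-04), a toy in-memory customer store, one unit test per risk, and a runner that also reports any register entry that has no test yet. The PBKDF2 parameters, the HMAC bearer token, and the store itself are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed risk register; the IDs and wording are illustrative assumptions.
RISK_REGISTER = {
    "R-01": "Passwords stored in a recoverable form",
    "R-02": "Customer PII retained after a deletion request",
    "R-03": "Customer profile readable without a valid credential",
    "R-04": "Audit log entries can be altered by application users",
}

PBKDF2_ITERATIONS = 200_000          # assumed work factor for the example
SERVER_SECRET = os.urandom(32)       # per-process key for the toy bearer tokens


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 record; the password itself is never stored."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def issue_token(customer_id: str) -> str:
    """Toy bearer token: HMAC of the customer id under the server secret."""
    return hmac.new(SERVER_SECRET, customer_id.encode(), "sha256").hexdigest()


class CustomerStore:
    """In-memory stand-in for the database that holds customer records."""

    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, str]] = {}
        self._audit: list = []   # survives deletion, but must hold no PII

    def create(self, customer_id: str, email: str, password: str) -> None:
        self._records[customer_id] = {"email": email, "pw": hash_password(password)}

    def destroy(self, customer_id: str) -> None:
        self._records.pop(customer_id, None)
        self._audit.append(("destroy", customer_id))

    def get_profile(self, customer_id: str, token: Optional[str]) -> str:
        # Deny by default: a missing or mismatched token never returns data.
        if token is None or not hmac.compare_digest(token, issue_token(customer_id)):
            raise PermissionError("not authenticated for this customer")
        return self._records[customer_id]["email"]

    def dump(self) -> str:
        """Everything persisted, serialised, so a test can grep for leaked PII."""
        return repr(self._records) + repr(self._audit)


def check_r01_password_not_recoverable() -> bool:
    stored = hash_password("correct horse battery staple")
    return ("correct horse" not in stored
            and verify_password("correct horse battery staple", stored)
            and not verify_password("Correct horse battery staple", stored))


def check_r02_deletion_purges_pii() -> bool:
    store = CustomerStore()
    store.create("c-42", "alice@example.com", "s3cret")
    store.destroy("c-42")
    # PII must be gone, but the non-PII audit trail of the deletion must remain.
    return "alice@example.com" not in store.dump() and ("destroy", "c-42") in store._audit


def check_r03_unauthenticated_read_denied() -> bool:
    store = CustomerStore()
    store.create("c-42", "alice@example.com", "s3cret")
    for bad_token in (None, issue_token("c-99"), "deadbeef"):
        try:
            store.get_profile("c-42", bad_token)
            return False        # a bad credential returned data: risk not mitigated
        except PermissionError:
            pass
    return store.get_profile("c-42", issue_token("c-42")) == "alice@example.com"


RISK_TESTS = {
    "R-01": check_r01_password_not_recoverable,
    "R-02": check_r02_deletion_purges_pii,
    "R-03": check_r03_unauthenticated_read_denied,
}


def run_risk_tests() -> Dict[str, Optional[bool]]:
    """Map every register entry to its test result; None means no test exists yet."""
    return {rid: (RISK_TESTS[rid]() if rid in RISK_TESTS else None) for rid in RISK_REGISTER}


if __name__ == "__main__":
    for rid, result in run_risk_tests().items():
        status = {True: "mitigated", False: "FAILED", None: "NO TEST"}[result]
        print(f"{rid} {status:10} {RISK_REGISTER[rid]}")
```

Running it prints one line per register entry; R-04 shows up as NO TEST, which is exactly the gap this step is meant to expose. Keying each test to a risk ID is also what makes the documentation in the "keys to success" below useful to an auditor: the register, the test and the result line up without any extra work.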
Here is the secret formula for security success (Sssshhh, don't tell anyone):
TRA (threat and risk assessment) + Regulatory + Threat Modeling + Testing/Verification = Security Success
Some keys to success:
1. Keep it simple, but create an SDLC that drives security into your solution now. This will save you money down the road: if you have to completely redesign your software two years from now to deal with security, the cost will be prohibitive. Trust me, you will learn this the hard way.
2. Not all risks can or need to be eliminated. Determine how to reduce each one to a level that you and the other founders are willing to accept. Keep in mind that some privacy laws and regulations cannot be ignored; for those you must mitigate the risk to a bare minimum.
3. Keep documentation of all these activities. You will need it when a partner or customer sends in their auditors, because they will.
4. Once your company is about 6-12 months old, draft some policies and procedures so new employees understand the security culture you are building.
Good luck, and realize that you can simplify the security process, but do it now! It will save you time and money down the road. I will also point out that 68% of SMBs that experience a data breach are usually out of business within two years. Hopefully that is motivation enough.