Announcing Tim Olshansky's field guide for startup CTOs running security

A new field guide from Fencer co-founder Tim Olshansky on running security at a startup before you have a security team. Drawn from his time at Zenput.

Security at a startup almost always falls to whoever already owns the engineering. Until the company is big enough to hire a dedicated security leader, the CTO is the de facto CISO. They build the program themselves while building the engineering team and shipping product, without a security team or a security background to lean on.

Today, our co-founder Tim Olshansky is publishing the field guide he wishes he'd had back when he was running security at Zenput. As CTO there before co-founding Fencer, he built the program himself: integrated the tools, led the company through SOC 2, and dealt with the operational reality of holding it all together by hand.

Startup Security: A Field Guide for CTOs is drawn from that experience. It's written for the CTO who's just inherited security and isn't sure where to start.

What's inside

  • When security gets serious. The day-one cases and the moments that tip everyone else's program into a priority.
  • Where to start. Discovery first, then anchoring to a framework that fits the business.
  • The fundamentals worth doing early. The baseline tooling every startup needs, plus the lessons Tim learned the hard way at Zenput.
  • Running security without burning out. How to size the security budget, set a prioritization threshold, and avoid the everything-is-a-fire trap.
  • When the duct tape starts to wear. The friction patterns that show up in every stitched-together stack, and what to do when you see them.

From the guide:

What I didn't see at Zenput until I was deep in it: 90% of my security hours went into figuring out what to fix. Only about 10% went into the fixes themselves.

The guide skips generic best practices and stays specific about the work, the trade-offs, and what Tim did at Zenput. If security is on your plate as a startup CTO, you'll want to give it a read.
