Awesome People - Ep 54

Cybersecurity, Audits, Designer in Residence, Matchmaking

Hi founders and fellow VC Friends!

Each week we deliver one awesome person to your inbox. These are the people you need to know—the marketers, sales gurus, engineers, ops wizzes— who give your startup superpowers 🚀. The best part is, everyone is hireable on a part-time basis.

Please meet Kevin Qiu, Your Cyber Security Consultant ✨

You may be thinking: We’re a startup. Why do I need a cybersecurity consultant?

Well, if you sell to enterprises, at some point, you’ll be asked to do a security audit. Enterprises want to know that your software is secure before buying it. Your CTO and team will scramble to prepare. You’ll likely waste insane amounts of time and money (if you hire an expensive firm to help). I’ve seen this happen too many times. For most startups, this happens around Seed or Series A. 

Kevin was referred by Cheryl Sew Hoy, an entrepreneur and investor who I trust and worked with Kevin.

Kevin has helped tech companies pass critical security audits for enterprise sales and conducted security assessments for highly regulated Fortune 500 financial services firms. He was a key contributor to’s high profile bug bounty program before the company’s $3.3 billion acquisition by Walmart. He's trusted by engineering leaders at SeatGeek, UnitedMasters, and Waypoint Building. One little known fact about Kevin is he’s an avid powerlifter and can squat 2x his body weight 💪. He’s super kind, thoughtful, and thorough. 

You can hire him to decipher complicated requirements for security questionnaires, prepare for security audits, and review your product to ensure that it’s in tip-top security shape.

Most founders don’t know much about security (totally fine!). Thankfully, Kevin compiled a handy security for startups checklist. Most of the items here can be done for free or at a very low cost. 

Need security help? Let me know and I’ll connect you to Kevin!

Kevin graciously shared some tips to keep us all safe and secure 🔒

If you’re thinking this will be boring AF, I promise it’s a surprisingly interesting read. And yes, even if you’re non-technical 😀.

When and why do companies need security audits? 

You might be wondering what’s the deal with all the LinkedIn posts you see about “SOC 2” or “ISO 27001” audits. 

In the past (pre ~2017), security audits were mostly done by companies in highly regulated environments like finance and healthcare. Over the past couple of years, audits have become a requirement for enterprise SaaS companies. 

It seems that every other week there is a headline in the news about yet another data breach or ransomware issue from a big company. These breaches often come with serious reputational and financial damage

As a result, enterprises are now requiring their third party vendors to fill out long security questionnaires to prove that they properly protect data. These are often long Excel spreadsheets with tens or even hundreds of questions and usually require SaaS companies to undergo SOC 2 audits. Security is now a sales enabler rather than a cost center like it was seen as in the past. 

In fact, there are a bunch of startups focused on helping companies with security and the enterprise sales process. 

What does the security audit process look like? 

Preparation: It usually takes 3 weeks to 2 months to prepare for a security audit. Team members across IT, Finance, and HR will need to get involved. It often requires a few hours a week from each person. You’ll be required to implement best practices such as using strong passwords, applying system updates in a timely manner, and having playbooks for security incidents. As a warning, some of these items might not feel very startup-y, such as making guests wear badges when visiting your office. 

Audit: After the preparation period, an independent, accredited auditor will spend 2-4 weeks reviewing evidence of security controls. This might include reading your security policies, interviewing key stakeholders, and inspecting systems for proper configuration settings. Once they are confident that your company is compliant, they will provide you with a signed report that you can share with prospects. 

To set expectations, these audits are not cheap. Expect to spend anywhere from $15k to $30k for the process depending on your company’s complexity. 

Security issues will happen and it’s important to have a plan

You can hire the best security team and buy the fanciest tools in the world and security incidents will still happen. Almost every incident I’ve seen is due to human error. Humans, even the smartest humans, aren’t perfect. For your enjoyment, here are some war stories I’ve seen personally and heard from peers: 

  • An IT help desk person was tricked into giving a hacker a link to reset the IT Director’s company email password and 2FA phone number. 

  • An internal server was taken over by a bitcoin mining virus because a DevOps engineer accidentally left it accessible on the internet. 

  • My personal favorite is when a company had to reset 300 shared LastPass passwords after a user opened a keylogger-infected Word document. The user ignored all the “Are you sure you want to open this?” warnings from G Suite and Office. These warnings exist for a reason!

The lesson here is that issues will happen no matter how prepared you are. What’s important is that you have a plan and contain incidents before they become big issues. 

Also, 2 quick tactical items: 

  1. If someone emails you regarding a bug or vulnerability on your website, don’t ignore it. In most cases, these folks are trying to help and aren’t out to scam or scare you. Verify their findings, collaborate on a fix, and reward them properly for their hard work. Check out this article about a well-known company’s unfriendly stance towards security researchers and the resulting backlash from the industry. See Bugcrowd and HackerOne for more information on the world of security bug hunting. 

  2. Buy a cyber liability insurance policy. If your company has a data breach, an insurance policy will provide PR assistance, financial support, and peace of mind. In addition, many customer questionnaires actually require this as a part of the vendor review process. At-Bay and Coalition are popular startup insurance options. 

Looking for a security consultant? Respond to this email and I’ll connect you to Kevin!

As always, let me know if you have any questions and if you want an intro to any of the folks in this email (including the PS section 🎉).

Stay awesome,

Julia Lipton

Founder of Awesome People and Awesome People Ventures

If you liked this, ❤️ it below. If someone forwarded this to you, sign up here 💌

P.S Section

Awesome People Under the Mistletoe 😘

I promised Li Jin and a few of my founders that I’d host a community matchmaking event next week. After all, we do have the most awesome people.

Stay on the lookout for a once-in-a-lifetime special edition newsletter tomorrow.

Separately: Is this what they mean by value add? Am I doing this right 😂?

Equity crowdfunding for an Awesome People Ventures port co 📈

In October we invested in Didactic, the online platform for cohort-based learning 🙏. Didactic was co-founded by Gagan Biyani and Wes Kao. Gagan previously built Udemy, a $3B online education company. Wes previously co-founded AltMBA and was the leading cohort consultant. Didactic opened up a crowdfunding campaign to allow more people (like you!) access to the deal. You can apply to invest here. You can read more about it here.

Founders, this is a SUPER interesting model if you want to allow your friends to invest. Small checks are welcome and you don't have to be an accredited investor. They’re running it through Republic. It’s a great way to diversify your cap table and allow more people access.

Disclaimer: This isn’t investing advice. Please remember early-stage investing is super risky and you should expect to lose all your money... My nonexistent legal team is smiling about this disclaimer.

Open Consulting and Freelance Roles 🤩

  • Freelance short-form copywriter - A dear friend, Amber Glaad, Growth Marketing Lead at Plaid, is looking to hire 3 short-form content writers to help with digital, direct mail, podcast, and online event-related content. 

  • Freelance “out of box experience” and industrial designer - One of the most innovative companies in mental health and psychedelics, Mindbloom (backed by Founders Fund), needs someone to design their box and unboxing experience. FWIW, everyone I know who has tried Mindbloom said it was life changing. 

  • Awesome People Ventures UX Designer-In-Residence - A few of my portfolio cos desperately need some UX TLC. These founders are incredible to work with, but are not designers 😉. If you want experience working across multiple pre-launch products, and have a stellar design portfolio, please send it my way! We’ll try to make something happen! Moonlighter and freelancers welcome. The role is flexible, ~10-40 hrs/week. 

Feel free to forward all these opportunities to friends. And if you’re interested in applying to any of them, send me your LI or portfolio, and I’ll connect you (  

Most Recent Awesome People 🙏

Jasmine - Blog post writer and contract strategist. She's trusted by marketing leaders at Zapier, Patreon, and Shopify for blog content and copy. Marketing Brew named her a top marketer to follow.

Sriram - GTM and growth advisor. Sriram is a well-respected investor and runs growth teams. He scaled Spotify from 5 to 60+ markets, HeadSpin from $0 to $15M ARR in 4 years, and increased Tinder’s international market share to account for > 50% of rev.

AJ - Product advisor and coach. AJ is currently a Director of Product at Facebook and coaches founders on the side. Previously, he sold his start-up to Dropbox and worked at Twitter where he grew Vine to 350M MAUS.

Want intros to anyone here? Lmk and I’ll connect you!

❤️ ❤️ ❤️