I was psyched for Alex to post this here because I think it's a super valuable bit of understanding for startups that need to do vendorsec† that mostly gets hand-waved away in writing about startup security programs. The bit about the power differential in particular!

There's a startup vendorsec playbook that mostly revolves around SOC2 and security people increasingly call out how performative it is. This piece is about non-performative stuff.

† vendorsec: the part of your security program where you do something about all your third-party vendors