Security Starts Where Convenience Ends
The alarming state of security in too many tech companies
Over the past quarter, I’ve had conversations with a handful of engineers working at French software companies — from early-stage startups to more established players. Companies with thousands of users and millions of euros of revenue.
During the conversation, what struck me wasn’t what they were building or how they scaled. It was how little attention and seriousness many of them gave to security.
Some of these companies handle critical user data. Others operate infrastructure that powers thousands of customers. Yet, their security posture often amounts to… vibes. A bit of MFA here. A few random VPNs there. But very little that would pass as security maturity by any professional standard.
And yes — I get it. Security is not easy. It’s thankless. It doesn’t generate revenue. But here’s the deal: ignoring it isn’t neutral. It’s dangerous.
What’s going wrong?
From what I’ve seen and heard:
No MDM (Mobile Device Management): Engineers using unmonitored laptops, often their own machines, with no control over OS updates, disk encryption, or even whether a password is required. Part of the reason is that engineers push back hard on this for the sake of convenience, and carry too much weight in security decisions without understanding the risk.
No endpoint visibility: If a machine is compromised, there's no way to know. Worse, there's no way to do anything about it, such as isolating the machine or revoking its access.
No SOC 2, no ISO 27001, not even a roadmap: These aren't magic bullets (a certification shows that controls exist and are followed, not that you can't be breached), but they're a minimum bar—a starting point. Yet many companies either dismiss them or postpone them indefinitely.
Weak privilege separation: Developers with standing production access “just in case.” CI pipelines running with credentials broad enough to destroy entire environments. You get the picture.
This isn’t just a case of companies not being “mature enough.” This is willful neglect disguised as pragmatism.
One of the reasons: developers often act like divas. Many of them refuse to make even minor trade-offs in convenience for the sake of better security. They don’t want to lose their admin rights, install an MDM agent, or be told they can’t SSH into prod “just in case.” Security? That’s someone else’s problem—until it’s not. The bigger issue is that in many early-stage or engineering-led companies, devs hold disproportionate decision-making power, and there’s no one truly responsible for security. Without pushback, security becomes optional. This isn’t about lack of maturity. It’s about a complete lack of incentives, accountability, and understanding.
“We’re not a target” is a myth
Many of these teams believe they’re too small or irrelevant to be attacked. That might be true—until it’s not.
In France, we’ve recently seen crypto entrepreneurs attacked physically. That’s one end of the spectrum. But digital attacks don’t need to be targeted; most are opportunistic. Leave a port open and an internet-wide scanner will find it quickly, whether or not anyone has heard of you.
Security hygiene isn’t about paranoia. It’s about respecting your customers, your users, and your own future.
What should change?
I’m not a security expert. I run a bootstrapped software company, and I’m just one of the gears in our security. But here’s what I’d like to see as a baseline across every SaaS company:
MDM. For every laptop.
Disk encryption. Mandatory.
Admin access? Logged. Monitored. Reviewed.
Least privilege policies by default.
CI/CD pipelines with auditable change control.
Security reviews baked into product releases.
A roadmap toward certifications like SOC 2 or ISO 27001.
Not because they’re trendy, but because they force discipline.
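To make the first items of that baseline concrete, here is an added example (not code from the original post) of what “MDM for every laptop, disk encryption mandatory, OS kept up to date, password required” looks like as an actual check: a small Python audit run over an MDM-style device inventory. The inventory record format, the minimum OS versions and the 30-day patch window are assumptions chosen for illustration, and the three device records are constructed sample data, not real machines.

```python
"""Endpoint baseline audit over an MDM-style device inventory.

Added example, not from the original post. The record format is an
assumption (a simplified export such as an MDM or asset tool might give).
The devices in INVENTORY are constructed sample data.
"""
from datetime import date

# Baseline being enforced: minimum OS version per platform (assumed values)
# and a maximum number of days since the last patch was applied.
MIN_OS = {"macos": (14, 0), "windows": (10, 0, 19045), "ubuntu": (22, 4)}
MAX_PATCH_LAG_DAYS = 30

# Reference date for the audit, so results are reproducible.
AS_OF = date(2024, 6, 15)

# Constructed sample inventory (not real devices or people).
INVENTORY = [
    {"host": "dev-laptop-01", "owner": "alice", "os": "macos", "os_version": "14.5",
     "managed": True, "disk_encrypted": True, "password_required": True,
     "last_patched": "2024-06-01"},
    {"host": "dev-laptop-02", "owner": "bob", "os": "macos", "os_version": "13.6",
     "managed": False, "disk_encrypted": False, "password_required": True,
     "last_patched": "2024-02-10"},
    {"host": "ops-desktop-07", "owner": "carol", "os": "ubuntu", "os_version": "22.04",
     "managed": True, "disk_encrypted": True, "password_required": False,
     "last_patched": "2024-05-20"},
]


def parse_version(version):
    """Turn a dotted version string into a tuple so it compares numerically."""
    return tuple(int(part) for part in version.split("."))


def check_device(dev, today=AS_OF):
    """Return the list of baseline failures for one device (empty means compliant)."""
    findings = []
    if not dev.get("managed"):
        findings.append("not enrolled in MDM")
    if not dev.get("disk_encrypted"):
        findings.append("disk not encrypted")
    if not dev.get("password_required"):
        findings.append("no password/screen lock required")

    minimum = MIN_OS.get(dev["os"])
    if minimum is None:
        findings.append(f"unknown OS {dev['os']!r}")
    elif parse_version(dev["os_version"]) < minimum:
        wanted = ".".join(str(p) for p in minimum)
        findings.append(f"OS {dev['os_version']} below minimum {wanted}")

    lag = (today - date.fromisoformat(dev["last_patched"])).days
    if lag > MAX_PATCH_LAG_DAYS:
        findings.append(f"last patched {lag} days ago")
    return findings


def audit(inventory, today=AS_OF):
    """Map host -> findings for every device that fails the baseline."""
    report = {}
    for dev in inventory:
        findings = check_device(dev, today)
        if findings:
            report[dev["host"]] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit(INVENTORY).items():
        print(f"{host}: " + "; ".join(findings))
```

Run as a script it lists only the non-compliant machines, one line each, which is the kind of report a weekly review would look at. The point is not the particular rules but that “MDM for every laptop” is only meaningful if something actually evaluates every device against a written baseline and someone is accountable for the failures.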
Why I’m writing this
Because I’m genuinely worried. I think we’re going to see more breaches, more leaks, more “oops we exposed production DBs for a month” stories. And when that happens, saying “well it was complicated” won’t cut it.
Security is part of the job. It’s not an add-on. It’s not the CISO’s problem. It’s yours. It’s mine. It’s everyone’s.
Let’s raise the bar.