As we may all know "security is the hottest feature" because without it within your business infrastructure and/or within your product, rather than "if", it's only a matter of time before you end up with free publicity, albeit negative, on the news of security breaches of customer data and/or business intellectual property (IP). And this all means diminished brand value, litigation from all sides, customer loss, revenue loss, loss of integrity, loss of viability, etc to name a few.
I'll provide free advise to ANY startup interested in how they can secure their business infrastructure and operations as well as ANY tech startup wondering how they can secure their product. U
I can offer a free advice here -- if your startup plans to collect or process any regulated information, or personally-identifiable information (which, in various jurisdictions, includes things you wouldn't expect, like email addresses and IP addresses), get yourself a part-time (initially), or full-time (once you can afford) information security Governance/Risk/Compliance (GRC) employee that is technically-savvy to understand your product. That person will help you grow your business, navigate customer relations (especially in a B2B setting) and keep your security posture acceptably healthy until you grow large enough to hire infosec management and dedicated security engineers. Out-of context consultations will only provide general guidance and eventually end up giving you the above advice as every company's risks and information security needs vary greatly and must be aligned with the business to be effective and efficient.