The security of all the information in your company should be handled by an information security management system, which is normally under the supervision of a CSO or CISO. The ISM gets established by defining (e.g. through policies) roles, processes and requirements for many problems occurring in relation to information security.
The security of your infrastructure should also be supervised by some management position and your infrastructure should be designed in advance to fulfill your security requirements.
The security of your software should also be supervised by some management position and the whole software process has to be designed to produce secure software.
I don't believe this can be handled by a CTO with a basic checklist, although it includes important points which should be supervised. This list also feels kinda incomplete.
I know very few startups that have or had a CSO/CISO. I would assume that most startups that have one are in one of the following fields: security/fintech/healthcare/education. Typically it falls on the CTO at early stage startups to ensure that appropriate security measures have been taken.
Unfortunately, startups don't have these kinds of resources (CIO/CISO etc.). What we see is that security is often handled by CTOs in Seed/Series A startups.