HACKER Q&A
📣 idontknowifican

How much faking it is ok?


i’ve recently left a job due to being told:

“security doesn’t matter for a company at our stage, if we get hacked we’re fucked anyways”

is this normal in the startup world? is the fact that it’s a fintech company any different? am i truly out of touch with what “success” means now?


  👤 reureu Accepted Answer ✓
I worked for a startup as a data scientist, where I built and managed one of our data measurement/reporting systems. The company would routinely overstate how well their product worked, but I largely chalked it up to "fake it until you make it" -- but, they also never really worked on the "making it" part. So, our metrics quarter-after-quarter were spun and contorted to make it seem like we were still doing well. It got to the point where there were three of us that knew the real numbers, and our c-level was the only one allowed to share numbers both internally and externally. I stopped going to all company meetings because I started getting physically ill seeing/hearing the lies being told to the company, and having people comment or ask me questions after.

A new employee came into my team, saw what was happening, and reported it internally. They did an "investigation" (but, somehow didn't interview me or anyone else who would have backed up what they had reported). The investigation found no wrongdoing and the reporting employee was told to leave.

Then, suddenly, the company decided to IPO. And those horribly misleading numbers made it into our S1, the investor decks, and continue to be routinely repeated on quarterly earnings calls. I left the company because of these issues, and now vacillate between reporting it to the SEC but figure they'd likely do nothing except burn my bridge with one of my longest employer tenures.

Anyway, you made the right decision to leave. Companies like that will never prioritize the right things, even when they're in more stable places. There are always trade-offs to be made in early stage companies, but there are some things that you still should be doing regardless... there are other companies out there that take this stuff more seriously and act more ethically, but this kind of behavior is shockingly prevalent in the startup world.


👤 giantg2
If it's an SEC regulated company then they will likely fail regulatory requirements or audits. Or maybe be found negligent in the event of a breach. Maybe, but hard to say for sure depending on details.

Basically, anything short of fraud or negligence is "ok". The world is built on what things look like, not what they actually are. It's sad so much of the world is run on opinion instead of fact.

Interesting side story, I work for a large financial company. I brought up a vulnerability and wanted to have it addressed (too big for just me to fix). The system had SQL injection vulnerabilities throughout it with schema owner privileges. Luckily it was an internal app, so not as likely to be exploited. How did management respond? They said it's fine since we have a real time or near real time DB backup. My next question was if this has even been tested... nope. Is there even documentation on the steps to take? Nope. Insane...
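
An added illustration of the two problems giantg2 describes (string-built SQL, and a connection that holds schema-owner rights); this is example code written for this thread, not code from the poster's system. It uses Python's sqlite3 with constructed sample rows, and sqlite3's authorizer hook stands in for a database role that is limited to reads.

```python
# Illustrative only: an "accounts" lookup built by string concatenation next to
# the parameterised form, plus a read-only authorizer that emulates a
# least-privilege role so a successful injection cannot touch the schema.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data, in memory, with full (schema-owner) rights."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 75)])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """String concatenation: the caller's input becomes SQL syntax."""
    sql = f"SELECT owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Bound parameter: the input is treated as data only, never as SQL."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def restrict_to_reads(conn: sqlite3.Connection) -> None:
    """Emulate a least-privilege role: permit SELECT/READ, deny all else."""
    def authorizer(action, arg1, arg2, dbname, source):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)


def can_drop_table(conn: sqlite3.Connection) -> bool:
    """True if this connection is still allowed to run DDL."""
    try:
        conn.execute("DROP TABLE accounts")
        return True
    except sqlite3.DatabaseError:
        return False
```

Running `lookup_vulnerable` with a malformed owner string returns every row, while `lookup_safe` with the same string returns none; after `restrict_to_reads`, the same connection can still answer lookups but `can_drop_table` reports False.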


👤 karmakaze
As bad as that sounds, I think it's backed by economics. With so many companies competing in the space, each one has to move faster and get noticed or else disappear in obscurity. Only the ones that get some attention have to actually work well. Now that's something I've understood with regular startups trying to get MVP to product-market-fit, something else to hear it about fintech. Fortunately that's an area I avoid as it's too close to misaligned incentives.

👤 d--b
It’s impossible to gauge the level of security it deserved and the level of security that was implemented.

Security is a tradeoff. You didn’t think they made a good choice, they think they did, that’s all we can say.

For most companies, security is about securing the border. Making sure nobody can get in.

Once someone gets in, it’s actually really hard to stop them, so people tend to favor what makes development faster rather than what makes security tighter…


👤 codingdave
> if we get hacked we’re fucked anyways

Even if that is a true statement, using it to justify not taking security seriously adds risk into your business operations and shows a distinct lack of focus on potential impact to your customers. Knowingly slacking on security because of an attitude like this (IANAL) sure smells like negligence or fraud to me, which is exactly when it is not OK legally.


👤 psyklic
Security isn't only about getting hacked. According to the security firm UpGuard, a startup made a database backup publicly available on S3 -- which contained plaintext user passwords. Basic security practices could have prevented this or mitigated its impact. Yet, they became one of two companies in one of the largest-ever data breaches.

👤 cm2012
Too much security will fuck a company over in the early days just as badly as weak security.

In taking up the team's focus, in adding friction to getting stuff done, etc.

Early stage companies need to be relentless in trying to find product market fit, anything that's not that is a distraction.


👤 smt88
That's unusual and unethical. You were right to leave the job. I also suggest you (anonymously) name-and-shame that company, maybe to a reporter. I would argue it is your ethical responsibility to protect those users.

👤 PaulHoule
It is one thing to believe that, it is another thing to say that.

👤 fuzzfactor
I wouldn't want to be like Theranos.

So that's one guideline.