What if your security program was your best sales tool? Most B2B SaaS founders treat security as a cost center, something to minimize, budget around, and deal with only when it bites them. Jon McLachlan has spent years making the case that this framing is exactly backwards, and the founders who get that earliest tend to scale the fastest. This episode gets into the real mechanics of scaling SaaS companies with security embedded from the start, not bolted on. For technology CEOs and operators weighing build versus buy decisions, the conversation around fractional security teams versus in-house hiring is one of the most honest you will hear on the topic of B2B software scaling. Jon McLachlan is the CEO and co-founder of Ysecurity.io, where he helps SaaS companies build practical embedded security and compliance programs without slowing down product development. He also leads Cyberbase AI, focused on the intersection of AI and cybersecurity, and co-hosts the Security Podcast of Silicon Valley, now over 90 episodes deep. Jon started Ysecurity almost by accident, helping founder friends who needed security guidance, and grew the team to more than 45 people through referrals alone. Key Takeaways Bootstrapping a security firm through referrals is possible when trust is the product: every client at Ysecurity has come through word of mouth, a signal that founders are handing over the keys to people they already believe in. The fractional security team model solves a real gap in B2B software scaling: founders can rent an entire embedded security function, from vCISO to red teaming to GRC, without the complexity of building an in-house team from zero. Checkbox security is a floor, not a ceiling: SOC 2 Type 2 and ISO certifications matter for sales cycles, but the real return on investment comes from integrating security into marketing, sales training, and product positioning so it opens new business. Chasing enterprise clients when your DNA is startup-focused is a costly detour: Ysecurity tried repositioning for large publicly traded organizations, landed a few deals, and found the red tape incompatible with their speed and culture, a pivot that clarified everything. Founder mental health deserves more airtime than it gets: with depression rates among tech founders estimated around 43 percent compared to roughly 9 percent in the general population, protecting personal recovery time, whether running, cycling, or scheduling unstructured space, is an operational decision, not a luxury. Jon McLachlan said, "Security is not just this little box on the side that we should think of as a cost center. The right way to do this stuff is really to integrate it into the entire organization. It is an investment in every sense of the word, and you should expect it to pay off." Host Scott Shagory said, "Sell security without selling security, to overgeneralize. If you can do that, it is just such a potent message, and to be able to really enable gains that are more challenging and yet at the same time provide genuine security, it is not just a checkoff list." Timestamps 00:00 Welcome and guest introduction 01:05 Why Jon and his co-founder Sasha started Ysecurity 02:50 ICP focus: organic growth toward B2B SaaS and AI-enabled companies 03:33 Why ideal customers sometimes still say no, build versus buy 08:47 Scaling from 2 to 45 people: culture, remote work, and staying connected 12:38 Decisions that created disproportionate leverage, and the enterprise pivot mistake 15:17 Selling security as a growth engine, not a cost center 18:19 Where the market undervalues or oversimplifies embedded security 23:43 What work founders must protect: running, biking, and personal recovery 27:22 Silicon Valley pressure, 996 culture, and how Jon navigated a difficult personal period 34:49 What the next 12 to 18 months look like for Ysecurity and Cyberbase AI 37:42 Networking effects, trust, and why referrals are the whole game 42:11 Conviction, authenticity, and what the best founder relationships actually feel like 44:25 Where to connect with Jon and closing thoughts Connect with Jon McLachlan LinkedIn: https://www.linkedin.com/in/jonmclachlan Ysecurity: https://www.ysecurity.io Cyberbase AI: https://www.cyberbase.aiS ecurity Podcast of Silicon Valley: available on major podcast platforms