I feel like a small scale startup needs internal infosec and audit teams even more. Unlike the incumbents, who are "too big to fail" and therefore are able to get away with blatant insecurity, a startup's in a much more vulnerable position, and any security breach is significantly riskier in terms of corporate longevity.

If I was running a financial services startup, those groups would be near the front of my list in terms of internal hiring.