editione1.0.0
Updated October 9, 2023At this stage in your company’s journey, you have probably defined a clear set of psychological and cultural requirements for your new hires to ensure that new team members not only meet the educational and operational requirements of the role, but also to maximize the chance that they will understand your cultural ethos and share your overall vision. If you haven’t started to work on this set of requirements yet, take a pause here. These baseline requirements are the foundation of the next set of requirements we will discuss here.
Strong communication skills: The ability to explain complex situations in an understandable way is just the starting point for secure communication. Extra points here for someone who can speak as articulately and clearly with the most and least technical people in your company, your executive and board, as well as your customers. This role will require communication in every direction and in both written and verbal forms.
Ability to connect with others: The ability to form relationships with groups in your team or external stakeholders and manage these relationships over long periods of time is really important. It’s unlikely that you will be able to hire more than one person to begin with and, as you will have seen in this book, there is more than one person’s worth of work to be done. The ability to connect with others will help your new security lead find help and collaborate on security items across the team.
Understanding of or experience with organizations of your size and stage: Security in early-stage or fast-growing organizations is quite different from security in enterprise organizations. It’s important that your new security lead not only knows this, but can articulate this difference and help slowly navigate from where you are now to where you might one day be.
Calm and pragmatic under pressure: You don’t have to be a security professional to understand that risk is everywhere in an organization like yours. Moving fast and taking risks is the average day in an early-stage company, so the last thing you need is someone who cannot face risk in a calm and pragmatic way. Don’t get me wrong, being calm and pragmatic doesn’t mean that your security lead doesn’t understand the seriousness of risk or its impact on your organization, it’s just that they know how to prioritize those risks and save their adrenaline for high and critical issues—rather than behaving like the sky is always falling.
Willing to get their hands dirty: This has to be one of the most important characteristics you need in your new security lead. Similar to your executive team, your security lead will still need to be involved in day-to-day business operations. You don’t need a leader that needs a team, you need a leader that, with time, can build a team, and in the interim is willing and able to step into the gaps and get on with the job.
The list above is the ideal and, frankly, hard to find. Even if you don’t find that perfect person, you can still make a good hire. Think hard about the different security roles and profiles that exist, and what your organization truly needs right now.
Like every other professional field, security professionals are often bunched together as a single role category, when in fact there are many different types and only a few of these would suit your stage and security maturity. Let’s take a look at the five most common roles, their strengths and weaknesses, and what to consider when hiring.
Common job titles for this role: chief information security officer (CISO), VP of security, director of security