Growing a Security Team

From Security for Everyone, edition 1.0.0

Updated October 9, 2023

🚀 As explained by Laura

There will come a time when managing all of this yourself or sharing it across your team doesn’t work anymore. Perhaps incidents are happening, you’re finding it hard to keep up with customer security questionnaires, or your company simply needs your time elsewhere.

Whatever brings you to this point, you need to know how to find your first security lead and what to look for in this person. In this chapter, we will discuss everything you need to know when making this crucial first security hire.

When Should You Hire?

Of all the questions addressed in this book, this has to be one of the most difficult to answer but one of the most important to get right. Hiring in a growing company is challenging enough without the added complication of hiring a role that won’t directly add to your company’s bottom line.

The old hiring adage in this scenario is to “hire when it hurts,” and if we are honest with ourselves, we may complain that security hurts right from the beginning. But let’s avoid that temptation and really assess what our triggers are for hiring someone for this difficult role.

  • You have a strong understanding of the importance of security in your organization and have started to build your foundations.

  • You have established the start of recurring and triggered security actions, but keeping on top of them is beginning to become a challenge.

  • You are now selling to an increasing number of companies and organizations that ask you to answer a detailed set of security questions, and they need your answers to be accurate and to show maturity.

  • You may be required to comply with one or more regulatory or compliance frameworks. You need to coordinate both achieving them for the first time and maintaining your ongoing audit program.

  • You are beginning to notice increased security activity in your logs or are struggling to manage and monitor the technology in your organization.

Your view of the world and which of the above is hurting you or your team the most will make a huge difference to how you approach hiring for security. Before we dig into the types of security roles you can look for and how to decide which is the best fit for your team, let’s take a look at some of the characteristics that are important to find in this person. (Spoilers: it’s much more than just the right qualifications and a well-crafted CV).

Characteristics of a Great Early-Stage Security Hire

At this stage in your company’s journey, you have probably defined a clear set of psychological and cultural requirements for your new hires to ensure that new team members not only meet the educational and operational requirements of the role, but also to maximize the chance that they will understand your cultural ethos and share your overall vision. If you haven’t started to work on this set of requirements yet, take a pause here. These baseline requirements are the foundation of the next set of requirements we will discuss here.

  • Strong communication skills: The ability to explain complex situations in an understandable way is just the starting point for communicating about security. Extra points here for someone who can speak as articulately and clearly with the most and least technical people in your company, with your executive team and board, and with your customers. This role will require communication in every direction and in both written and verbal forms.

  • Ability to connect with others: The ability to form relationships with groups in your team or external stakeholders and manage these relationships over long periods of time is really important. It’s unlikely that you will be able to hire more than one person to begin with and, as you will have seen in this book, there is more than one person’s worth of work to be done. The ability to connect with others will help your new security lead find help and collaborate on security items across the team.

  • Understanding of or experience with organizations of your size and stage: Security in early-stage or fast-growing organizations is quite different from security in enterprise organizations. It’s important that your new security lead not only knows this, but can articulate this difference and help slowly navigate from where you are now to where you might one day be.

  • Calm and pragmatic under pressure: You don’t have to be a security professional to understand that risk is everywhere in an organization like yours. Moving fast and taking risks is the average day in an early-stage company, so the last thing you need is someone who cannot face risk in a calm and pragmatic way. Don’t get me wrong, being calm and pragmatic doesn’t mean that your security lead doesn’t understand the seriousness of risk or its impact on your organization, it’s just that they know how to prioritize those risks and save their adrenaline for high and critical issues—rather than behaving like the sky is always falling.

  • Willing to get their hands dirty: This has to be one of the most important characteristics you need in your new security lead. Similar to your executive team, your security lead will still need to be involved in day-to-day business operations. You don’t need a leader that needs a team, you need a leader that, with time, can build a team, and in the interim is willing and able to step into the gaps and get on with the job.

The list above is the ideal and, frankly, hard to find. Even if you don’t find that perfect person, you can still make a good hire. Think hard about the different security roles and profiles that exist, and what your organization truly needs right now.


Which Security Professional Do You Need?

Like every other professional field, security professionals are often bunched together as a single role category, when in fact there are many different types and only a few of these would suit your stage and security maturity. Let’s take a look at the five most common roles, their strengths and weaknesses, and what to consider when hiring.

The Executive

Common job titles for this role: chief information security officer (CISO), VP of security, director of security

This is a senior leader in security, someone with many years of experience across a range of roles (though probably in larger organizations). This person is an expert at communicating with both internal and external stakeholders. They are used to assessing and presenting risk to their peers and to upper management, as well as maintaining a complex security program.

This is a role (and title) that commands respect and will make an impact on your organizational chart. However, remember our key characteristics from above. Ensure when hiring this type of person that they are willing (and able) to get their hands dirty and that they have experience with early-stage companies. Without this experience, they may struggle to manage a program without the larger team size, budgets, and selection of tools they are used to.

The Risk and Governance Specialist

Common job titles for this role: head of risk and compliance, security and compliance lead

Risk and governance don’t have a reputation as the most rock and roll of security domains, but don’t underestimate someone with this background, particularly if you are in a highly regulated space like finance, health, or government.

Risk professionals may have a background in finance or audit, and often gravitate towards the more detail-oriented, policy-focused elements of your security program. These are the people who make sure your program is comprehensive and that you meet the letter of the requirements you are held to.

This may mean your risk and governance specialist has less hands-on implementation skills than other types of security roles, so when hiring, be sure to openly discuss the required implementation parts of the role and what support they may need in these more technical areas.

The Engineer

Common job titles for this role: security engineer, application security specialist

Where risk and governance specialists often move into security from audit or finance roles, security engineers often migrate from other engineering specialisms such as network engineering or software development. Some people choose to transition from these roles into security engineering roles consciously or as part of their career development; many end up in security through more unconventional paths—finding an affinity or natural talent for security and falling into it.

Your engineers are a force for good when it comes to the implementation phase of your security program. They are the people who can build controls, configure systems, and understand the architectural complexity of your organization well enough to defend them. They are natural bridges to the engineering teams in your company and often have strong empathy for these groups.

Though they shine in implementation, you may find they have no appetite for policy and governance. While they could get the job done if needed, many of them would not enjoy this element of the work and may not want to be engaged in it long term. Providing ad-hoc support with the more governance-heavy part of the role can reduce this stress.

The Analyst

Common job titles for this role: security analyst, SOC (security operations center) analyst

These are not the most senior of security professionals as a rule, but they are nonetheless crucial to our companies. Security analysts are the front line of our defensive teams. From carrying out the recurring and triggered security activities to monitoring our defensive tools, analysts keep the wheels turning on the day-to-day security operations that most companies need to stay safe.

As critical as these roles are to our daily security operations, they are often isolated from the larger team and may not have a lot of experience with the overarching program design and management needed to manage the entire organization’s security program. While all of this can be learned with time and coaching, you must be prepared to provide this training and support if you want your analyst to thrive as you push them into a more leadership role.

The Offensive Security Specialist

Common job titles for this role: penetration tester, red team

This is the security role we see in mainstream media, movies, and TV: the ethical hackers who join our team as an internal provocateur and find our flaws before our adversaries do. While more common in outsourced or specialist security assurance companies, an increasing number of companies hire these roles internally as part of a continuous assurance program. This not only saves money compared to hiring external specialists, but means that systems can be tested more frequently throughout the year.

While it is undeniable that these roles have an important place in more mature organizations' security teams, this is rarely the first role that companies hire. Like engineers, they are probably quite capable of getting the more administrative and process requirements done with the right support and coaching. However, this is like asking a fox to play the role of the farmer. While they may be able to pull off the role, they will be fighting their base instincts and not using the skills that make them valuable. Remember, whether the role is in security or elsewhere in your business, asking someone to go against their base tendencies isn't a sustainable plan, and neither you nor your team member is likely to be happy in the long run.

Which First Security Role Should You Hire?

You may have guessed by now that young companies rarely need one of these roles full time. Instead, they often need at least a few of them on a part-time basis. Given the global shortage of skilled security professionals and the complex and evolving nature of your business, part-time help is not only very challenging to find but also more difficult to manage.

So what’s the solution? There isn’t a perfect one. (Sorry.)

As the leader of an early-stage, fast-growing company, this shouldn’t be surprising, nor should it be an insurmountable challenge. You have grown your company to this stage by navigating challenges just like this. Your organization is full of people who are adaptable and have learned to embrace and conquer roles and responsibilities that they had never encountered before. The person you choose for your security role will be another example of the adaptability of people and your ability to lead in a way that evolves with your company’s needs.

In short, you are going to need someone who is a hybrid, a generalist, someone who has enough experience to get started and get your program in place and running, and then has the potential to grow with the role as needed.

Hiring from Within

For many companies at this stage of their security journey, there is a logic to finding someone internally and training them into the security lead role. While this person may not have any direct skills, experience, or qualifications in security, don’t underestimate the value they bring to the role from their experience of your current technology, systems, and processes.

At least in the early stages, much of the heavy lifting in security comes from creating and socializing security policy, standards, and playbooks; implementing basic controls and systems; and handling security enquiries from potential customers. While some coaching may be required to get this all in place, your new internally sourced security lead will already be able to navigate the culture and systems of your organization, understand its risks, and recognize where security fits into current operations.

If you find someone on your team with a keen interest in security, a willingness to learn, and any of the skills described in our security professional roles above, hiring from within may be the path to take.

Before you run off and hire your lead engineer or experienced operations lead into a security role, however, there are a few negatives to keep in mind:

  • Moving existing people between roles will leave another gap in your organization—don’t overlook this.

  • Don't use internal hiring as a reason to underpay your security lead; ensure this new role has an appropriate package from the start. Remember that once trained, security professionals are in very high demand, and you don't want to train your new security lead only to lose them over a preventable gap in their compensation package.

  • Don’t mistake enthusiasm for ability. When choosing your internal hire you need to hold an interview process and look for the key characteristics above. Try to identify your biases and ensure you give this hire plan scrutiny.

Setting Up Your First Security Hire for Success

Let’s jump ahead—you have a person who is a good cultural fit, a great communicator, and someone who’s not afraid of getting down into the daily operations to get the job done. You may have found them outside your business or have been lucky enough to have found them within your existing team. Whatever the story is, wherever you find them—you need a plan. Your new security lead needs support if they are to survive and thrive in this new role within your organization.

The following are some elements you will need to consider when planning support for your new security lead.

  • You need to be their champion. This role has not existed before—you (and the leadership team) need to publicly support the new security lead. You also need to reinforce to the wider organization why this role is important and ask for their cooperation as they begin to roll out changes. This support will provide this role with not just the accountability for security, but also a public sense of authority under which they can act.

  • You need to know that change is coming and you need to help. Rolling out a security program impacts almost every element of the business in some way. As a leader, you need to be aware of this and factor it into your strategies. You need to make room and budget for security to operate. Without them, the program will stall behind blockers and conflict.

  • You need to provide coaching and training. Whether you hire an experienced professional or hire from within, security is a constantly evolving field and they will need to keep their skills sharp. Ensure they have options for training and development in both security and any associated leadership or communication skills they may need.

  • You have to be willing to listen when they need you. Hiring a security lead is the easy part; the more challenging part is making it possible for that leader to raise serious issues with the executive team. They should know that they will be listened to, and that what they raise will be considered with a view to taking the appropriate action to protect the organization, its data, and its people.

  • You need realistic expectations. Your new security lead has a lot to do and you need to understand what their success looks like. Success is never a complete lack of security vulnerabilities or incidents, instead, it is the creation of policies, processes, and behaviors that gradually reduce risk over time. It is the formation of operational practices that mean when incidents happen, the organization is able to recover quickly and learn from its mistakes so that similar incidents don’t happen in the future. Ensure that your performance management processes are built to measure this version of success, and that your internal processes are built to support your security lead in the event of an incident, rather than penalize them.

Important: Whether you promote someone from within or you find the perfect security hybrid from outside of your company, this is one of the most significant hires you are going to make for the security of your company. This role sets the expectations, tone, and approach to the people, systems, and processes that are going to protect your organization through thick and thin.

Remember, it's better to have an empty seat than the wrong person in it. Take your time, don't rush this, and be prepared to change your approach as you learn what works best for your team. After all, if there is one thing you should be well prepared for by now, it's adapting to change and new information.

Adapting to Change

Change is not just inevitable, but frequent. As your organization grows, there will be complexity. Hopefully you operate long enough to emerge from this chaos with a range of policies and processes that help you rein it in, but for many companies this takes a long time and a lot of effort from the wider team.

While not all changes to your business or operating environment affect the security of your data, people, and systems, there are some events and changes that you need to watch carefully for.
