Of all the questions addressed in this book, this has to be one of the most difficult to answer but one of the most important to get right. Hiring in a growing company is challenging enough without the added complication of hiring a role that won’t directly add to your company’s bottom line.
The old hiring adage in this scenario is to “hire when it hurts,” and if we are honest with ourselves, we may complain that security hurts right from the beginning. But let’s avoid that temptation and really assess what our triggers are for hiring someone for this difficult role.
You have a strong understanding of the importance of security in your organization and have started to build your foundations.
You have established the start of recurring and triggered security actions, but keeping on top of them is beginning to become a challenge.
You are now selling to an increasing number of companies and organizations that are asking you to answer a detailed set of security questions, and they need your answers to be accurate and show maturity.
You may be required to comply with one or more regulatory or compliance frameworks. You need to coordinate both achieving them and maintaining your current audit program.
You are beginning to notice increased security activity in your logs or are struggling to manage and monitor the technology in your organization.
Your view of the world and which of the above is hurting you or your team the most will make a huge difference to how you approach hiring for security. Before we dig into the types of security roles you can look for and how to decide which is the best fit for your team, let’s take a look at some of the characteristics that are important to find in this person. (Spoilers: it’s much more than just the right qualifications and a well-crafted CV.)