When Should You Hire?

From Security for Everyone, edition e1.0.0

Updated October 9, 2023

Of all the questions addressed in this book, this has to be one of the most difficult to answer but one of the most important to get right. Hiring in a growing company is challenging enough without the added complication of hiring a role that won’t directly add to your company’s bottom line.

The old hiring adage in this scenario is to “hire when it hurts,” and if we are honest with ourselves, we may complain that security hurts right from the beginning. But let’s avoid that temptation and really assess what our triggers are for hiring someone for this difficult role.

  • You have a strong understanding of the importance of security in your organization and have started to build your foundations.

  • You have established the start of recurring and triggered security actions, but keeping on top of them is beginning to become a challenge.

  • You are now selling to an increasing number of companies and organizations that are asking you to answer a detailed set of security questions, and they need your answers to be accurate and show maturity.

  • You may be required to comply with one or more regulatory or compliance frameworks. You need to coordinate both achieving them and maintaining your current audit program.

  • You are beginning to notice increased security activity in your logs or are struggling to manage and monitor the technology in your organization.

Your view of the world and which of the above is hurting you or your team the most will make a huge difference to how you approach hiring for security. Before we dig into the types of security roles you can look for and how to decide which is the best fit for your team, let’s take a look at some of the characteristics that are important to find in this person. (Spoilers: it’s much more than just the right qualifications and a well-crafted CV).

Characteristics of a Great Early-Stage Security Hire

At this stage in your company’s journey, you have probably defined a clear set of psychological and cultural requirements for your new hires, both to ensure that new team members meet the educational and operational requirements of the role and to maximize the chance that they will understand your cultural ethos and share your overall vision. If you haven’t started to work on this set of requirements yet, take a pause here. These baseline requirements are the foundation of the next set of requirements we will discuss here.

  • Strong communication skills: The ability to explain complex situations in an understandable way is just the starting point for secure communication. Extra points here for someone who can speak as articulately and clearly with the most and least technical people in your company, your executive and board, as well as your customers. This role will require communication in every direction and in both written and verbal forms.

  • Ability to connect with others: The ability to form relationships with groups in your team or external stakeholders and manage these relationships over long periods of time is really important. It’s unlikely that you will be able to hire more than one person to begin with and, as you will have seen in this book, there is more than one person’s worth of work to be done. The ability to connect with others will help your new security lead find help and collaborate on security items across the team.
