editione1.0.0
Updated October 9, 2023You may have guessed by now that young companies rarely need one of these roles full time, rather they often need at least a few of them on a part-time basis. Given the global shortage of skilled security professionals and the complex and evolving nature of your business, part-time help is not only very challenging to find but also more difficult to manage.
So what’s the solution? There isn’t a perfect one. (Sorry.)
As the leader of an early-stage, fast-growing company, this shouldn’t be surprising, nor should it be an insurmountable challenge. You have grown your company to this stage by navigating challenges just like this. Your organization is full of people who are adaptable and have learned to embrace and conquer roles and responsibilities that they had never encountered before. The person you choose for your security role will be another example of the adaptability of people and your ability to lead in a way that evolves with your company’s needs.
In short, you are going to need someone who is a hybrid, a generalist, someone who has enough experience to get started and get your program in place and running, and then has the potential to grow with the role as needed.
For many companies at this stage of their security journey, there is a logic to finding someone internally and training them into the security lead role. While this person may not have any direct skills, experience, or qualifications in security, don’t underestimate the value they bring to the role from their experience of your current technology, systems, and processes.
At least in the early stages, much of the heavy lifting in security comes from creating and socializing security policy, standards, and playbooks; implementing basic controls and systems; and handling security enquiries from potential customers. While some coaching may be required to get this all in place, your new internally sourced security lead will already be able to navigate the culture and systems of your organization, understand its risks, and recognize where security fits into current operations.
If you find someone on your team with a keen interest in security, a willingness to learn, and any of the skills described in our security professional roles above, hiring from within may be the path to take.
Before you run off and hire your lead engineer or experienced operations lead into a security role, however, there are a few negatives to keep in mind:
Moving existing people between roles will leave another gap in your organization—don’t overlook this.
Don’t use internal hiring as a reason to underpay your security lead, ensure this new role has an appropriate package from the start. Remember that once trained, security professionals are in very high demand and you don’t want to train your new security lead only to lose them due to a preventable gap in their compensation package.
Don’t mistake enthusiasm for ability. When choosing your internal hire you need to hold an interview process and look for the key characteristics above. Try to identify your biases and ensure you give this hire plan scrutiny.
Let’s jump ahead—you have a person who is a good cultural fit, a great communicator, and someone who’s not afraid of getting down into the daily operations to get the job done. You may have found them outside your business or have been lucky enough to have found them within your existing team. Whatever the story is, wherever you find them—you need a plan. Your new security lead needs support if they are to survive and thrive in this new role within your organization.
The following are some elements you will need to consider when planning support for your new security lead.
You need to be their champion. This role has not existed before—you (and the leadership team) need to publicly support the new security lead. You also need to reinforce to the wider organization why this role is important and ask for their cooperation as they begin to roll out changes. This support will provide this role with not just the accountability for security, but also a public sense of authority under which they can act.