March 19, 2021

Hiring Your First Security Leader

Hiring Your First Security Leader

If cybercrime were a country, its GDP would be the third-largest in the world, and its economy would be one of the fastest-growing.

I know that sounds far-fetched, and to be honest, I wish it was. But in 2015, the World Economic Forum estimated the total economic impact of cybercrime to be approximately $3 trillion. Cybersecurity Ventures estimates that in 2021, this cost will double to $6 trillion, trailing only the GDP of the U.S. and China. By 2025, it is projected to nearly double again to a whopping $10.5 trillion.

After spending 12 years as a cybersecurity leader and practitioner, I’ve spent the past 3 years helping founders, CEOs, and senior executives earn customer trust and leverage it to accelerate their growth. And while security is obviously a critical building block, there’s an even more fundamental piece that needs to be in place first: accountability.

As a startup or growth-stage company, the single most effective thing you can do to build and protect customer trust is to build out an effective cybersecurity team and give them the tools and influence they need to be successful. But if you’re like most founders, you’re not sure where to begin. I’ve helped numerous companies in this exact position, and today I’d like to share some of my learnings to help kickstart your cybersecurity journey.

Getting Started

The most common trap I see CEOs fall into is the false sense of security that comes from being a small business. After all, who would really want to target them when there are so many larger enterprises with more valuable assets?

But the reality is that nearly half of all cyberattacks target small businesses. And while a large enterprise can sometimes absorb a multimillion-dollar data breach, it can easily bankrupt a small business. Many of these attacks are targeted, but others cause massive collateral damage. For example, the recent WannaCry ransomware cost businesses running vulnerable Windows versions an estimated $4 billion.

One trigger to be especially aware of is when your company makes the news, especially when the story references millions of dollars. Cybercrime is a business, and these types of articles, unfortunately, act as advertisements. In the past couple of years, we’ve seen multiple situations where we or our companies have announced new rounds of funding and been immediately targeted by hackers looking to “participate.”

Timing is Everything

Another common objection is that it’s simply too early to hire a full-time cybersecurity leader, and if you’re a seed-stage startup just looking to get your first product out to market, that might certainly be the case. You might start thinking about hiring a security leader after your Series A. By the time you get to around $5 to $10 million in revenue and are raising a B round or later, you’ll likely be seriously looking to hire a leader and building out the team. I’ve seen hundreds of B2B SaaS companies with that profile, and I have yet to meet one that didn’t either already have a cybersecurity leader in place, or that didn’t sorely need one.

The growth stage is where companies, having proven product value and market fit, build out the broader platform to take them towards a strategic acquisition or even IPO. This is the right stage for a proven cybersecurity leader to work closely with your engineering teams to make the right long-term strategic architectural decisions. It’s also the right stage for this same leader to work with your internal HR, Legal and Operations teams to create processes, policies and training to scale with your organization.

Title and Reporting

Once you’ve decided to hire a cybersecurity leader, the next question is what title to give them and who they report to. This depends on your internal structure, but here are a couple of general rules to follow:

  1. Cybersecurity leaders need the ability to influence change within the organization. Ideally, there should be a healthy tension between the Product, Engineering and Security teams, with each team bringing forward ideas but ultimately prioritizing what’s most valuable for the company.
  2. Trust is often a board-level discussion, so it’s important not to put too many organizational layers between the leader and upper management.

From that standpoint, the ideal structure is to hire a CISO and have them report directly to the CEO.

You may agree that this makes sense long-term, but you might also worry this is a big commitment to make so early on. If that’s the case, do what feels right for your company. If that means hiring a VP of Security, Director of Security or Head of Security and having the leader report to the CTO or CFO, go for it. As long as you follow the two simple rules above, you’ll be in great shape.

Sourcing and Recruitment

Many stories have been written about the cybersecurity talent shortage, and unfortunately, this starts from the top. Experienced leaders are in extremely high demand, and there simply aren’t enough qualified candidates. While you can post the role on your website, you can also assume that you’ll need to do a fair bit of outreach to hire a top-notch leader.

Internal recruiters can certainly help with this, and the key here is to clearly define the role, skill set and experience you’re looking for (more on this below). Some external recruiters specialize in cybersecurity and typically charge around 20% of the candidate’s first-year salary. While this might sound like a lot, it’s worthwhile if those recruiters give you access to candidates you couldn’t find independently.

In my experience, the most effective way to hire cybersecurity leaders is through your network. The cybersecurity community is relatively small, and if you reach out to senior leaders, there’s a good chance they’ll be able to recommend people through their network. You can also use this to validate a senior candidate’s influence and track record discreetly. Done right, this can reduce the time to find qualified candidates and also the risk of hiring a candidate that won’t be the right fit.

Skills and Interviewing

A major reason for the lack of qualified cybersecurity leaders is the breadth and depth of skills required to be effective in the role. A great startup CISO should be as comfortable presenting a business case to the Board as they are working with Engineering to deploy and configure technology securely. A modern security leader needs to be equal parts technical leader, business leader and people leader.

As with any role, no candidate will be perfect, and there will always be trade-offs. You’ll obviously want someone who understands cybersecurity, which can be difficult to assess, especially if you don’t already have that skill set in your company. My advice again is to leverage your network and find someone who does. I often do technical interviews for companies that we’ve invested in, and once you start digging into the details, it usually becomes apparent which candidates really know their stuff.

In terms of experience, I would look for evidence that the candidate has a technical background, ideally having done things like penetration testing, incident response, IT or DevOps. Leaders that come from primarily legal and compliance backgrounds can be effective in the right environment, but I’ve seen situations where their lack of technical experience can limit their ability to build trust with Engineering. You’ll also want someone who has either held leadership roles or can demonstrate the ability to communicate and influence others effectively.

Onboarding and Next Steps

Once they sign the offer, you’ll want to do thorough background and reference checks. Have them take the first few months to settle into the role, meet the key team members, learn about the systems and create a high-level plan for the next year. Ask them to map out the current cybersecurity architecture, build a threat model and provide a list of recommendations for quick wins, medium-term improvements and long-term goals. Once you feel like they’ve settled in and they’ve earned your trust, give them the keys to the kingdom and let them fly.

I hope you found this short guide interesting and practical for your business. Over the coming months, I’ll share some more of the lessons I’ve learned from working with dozens of companies like yours. We’ll discuss how to build out your first security architecture effectively, how to scale it as your business grows, and even how to leverage technologies like Machine Learning to deliver practical value. Until then, stay alert, stay safe, and most important of all stay healthy.

Growth insights
in your inbox

Join our community of thousands of tech entrepreneurs to get actionable insights from our monthly newsletter.