How to hire and build your cybersecurity team
Netflix’s former InfoSec leader Jason Chan offers early stage founders six "green flags" to look out for when hiring and building cybersecurity teams that truly make an impact.
A founder knows building real traction for their business means cybersecurity and data protection are table stakes—and if you implement protections from day one, your business may avoid the hard reality of becoming a headline. Getting hacked isn’t a question of “if” but “when.” Rife with high-profile data breaches and geo-political conflict, today’s news cycle is a near-daily reminder of both the reputational and bottom-line risks businesses face when it comes to protecting digital products and customers’ personal information.
“When I started my career in security over 20 years ago, news about the industry rarely made the front page of The New York Times or The Wall Street Journal,” said Jason Chan, information security expert and operating advisor at Bessemer Venture Partners. “It just didn’t happen.” But Jason witnessed this shift during his tenure at Netflix and VMware, as the threat landscape became more challenging in the cloud-native era.
So, how must a startup founder build a successful cybersecurity function? What’s the recommended approach to hiring and scaling these teams, especially if you’re not an expert yourself?
On Atlas, Jason shared his top “green flags”—characteristics, skill sets, and signals of success—to keep in mind when looking for a cybersecurity leader, building a strong security team, and incorporating security into your business strategy.
Although your founding team might participate in some early cybersecurity initiatives on a part-time basis, you’ll soon need a dedicated first hire—one who’s experienced and has a broad background in the field, Jason explained.
“Five years ago, you wouldn’t see a security person hired until even a couple hundred people [were hired] into the company. That’s not the case anymore,” said Jason.
“There isn’t a particular company stage or revenue benchmark that marks when it’s time to hire a cybersecurity leader. The right time to hire a cybersecurity leader varies based on your business model and needs,” Jason continued.
For example, a hypothetical data analytics startup that’s storing sensitive customer data might need input from a dedicated cybersecurity professional on day one. “This startup knows they need to have security input early on because it is essential to their product offering, and security is a key part of the sales procurement process, too. Today, it’s increasingly common for a prospective enterprise customer to do in-depth security assessments for compliance purposes in the later stage of the deal cycle.”
“Security is a key part of the sales procurement process.”
If you’re a founder and you still wonder if now is the time to hire for this role, Jason recommends asking yourself this key question: “If we got a request from a customer about security, would we feel comfortable answering?” If the answer is “no,” then it’s probably time to think about hiring a security expert, he answered.
The first cybersecurity hire is often responsible for a breadth of internal and external-facing initiatives, such as working closely with engineers, securing laptops, overseeing regulatory compliance, and talking with customers about contracts. “Just as important as it is to build security around your product, it’s prudent to build security into your product,” he shared.
When you’re interviewing candidates for your first security hire, one green flag to look for is a balance of talents: someone who has both soft and hard skills, and is comfortable liaising with internal and external stakeholders alike. If one of your customers wants to talk about product security, for instance, a sales leader can connect the customer with your security lead, and the security lead can distill customer feedback into actionable insights for product development. In order to find the right security leader, Chan suggests involving the CEO, CTO, the company’s technical leaders, and your company’s legal counsel in the interview process.
Before you begin interviewing cybersecurity candidates, make sure you’re bought in yourself. Last year, the average organization spent 21 percent of its IT budget on cybersecurity, up from 13 percent the year before.
Your first cybersecurity hire will drive strategies that protect all entry points of a product and customer data, including guarding the business against its “weak” links (e.g. email phishing campaigns targeted at unsuspecting employees).
“You need to start bringing value early on, ideally at both a strategic and tactical level, so that you can build trust with the team,” Jason said of first hires in cybersecurity. “I like the analogy of rowing a canoe across a lake. When you’re rowing, your back is toward the destination. You have to spend time rowing, but turn around and lift your head often enough to ensure you’re still on track.”
According to Jason, fostering trust within an organization and driving value at the same time are the two “oars” to get the work done. For a more tactical framework, he recommends that any new cyber leader follow the five security lessons for growing cloud-native companies. For instance, one initial program could focus on fostering a culture of cybersecurity through employee training.
Early-stage founding teams might want a first cybersecurity hire who comes from a startup background. Sometimes, large enterprise security experience isn’t anything like the startup experience. That’s what Jason found in his own career. “I remember, after I worked at VMware and Netflix all these years, and went to go help a few startups, I thought, it’s so painful to build a program from scratch,” he said.
Finally, the right cybersecurity leader is like “a step-down transformer,” said Jason. “In electricity, a step-down transformer takes something high-voltage and moves it to a lower voltage. The analog for humans is, you come into a situation, you lower the temperature, relative stress, and anxiety of the situation. It doesn’t mean that you have no emotions or no stress. It just means relative to the rest of the room, you can calm things down.”
“Security issues can be tense and filled with uncertainty, and the function’s leader needs to be able to use their expertise and experience to help their organization navigate these situations calmly and confidently,” Jason added.
“Not only do you want your customers and the general public to have faith in your security practices, but it’s also important that you foster a climate where other stakeholders at your company feel comfortable coming to you and including you in important conversations,” Jason shared. That’s why it’s a green flag if a candidate for a leadership role in cybersecurity is someone who is not just “easy to talk to” but approachable to teams across the organization.
“We get this bad reputation of always asking other people to do work, or always saying no to things that they want to do,” Jason said. “So you have to find a way to sort of undo your colleagues’ past experiences with ‘bad’ security people so they’re not avoiding you.”
Many security leaders come from technical backgrounds, but the talent that surpasses expectations is often the people who lean into their communication skills and create strategic alignment among the many team leads. By understanding different teams’ pain points and priorities, cybersecurity leaders can co-create plans that accomplish both sets of goals, so it’s a win for security initiatives and a win for business goals at large.
“Eventually, the first cybersecurity hire has to figure out when they’ve reached their limit and need to start building a team,” Jason said.
“And there isn’t a clear-cut if/then decision-tree for what types of cybersecurity hires to prioritize after your first,” Jason explained. “To figure out what functional hires to make, start by considering the question from two angles: How are you protecting your customers? How are you protecting your company?”
It’s a green flag when additional cybersecurity hires have expertise in one of two areas: customer security or company security.
- Customer security includes not only the software you’re building, but also the cloud infrastructure on which you’re building it, like Amazon Web Services (AWS) or Google Cloud Platform (GCP).
- Company security accounts for everything that’s needed to enable the business to operate, ranging from day-to-day productivity and communication software, like Google Workspace and Slack, to your intellectual property, like your source code.
And those are just the initial considerations. As you scale your company, you’ll eventually need to specialize in each of those areas, Jason explained.
In your product organization, for instance, you’ll likely need application security (AppSec) people. These are cybersecurity experts who work with engineers to design, build, and operate secure software and applications.
You’re also going to have to hire detection and response specialists, who function as your go-to resource for cybersecurity crisis management. These professionals identify cybersecurity threats and ensure the company’s operations can continue as smoothly as possible while they’re addressing the problem.
As your organization gets larger, you’ll want to hire governance, risk, and compliance (GRC) experts to, among other things, provide transparency to your customers about your security program and processes.
Still, there isn’t a clear-cut path for how to build out your cybersecurity team. “You’ll rarely see two security org structures that look exactly the same,” said Jason. “There are different things you could optimize for, and you could be organized by function or vertical. Regardless of org design, you want to make sure you’ve articulated the principles that you want your structure to be aligned with.” Even a few years in, many early-stage startups’ security teams will likely have a pretty flat structure with a leader and several functional leads, but not multiple teams within the organization.
The mark of a successful security team isn’t necessarily high visibility—instead, it’s better when security professionals get things done while blending into the broader organization.
“One way to think about your cybersecurity team’s impact is to evaluate how smoothly your company is otherwise running, and the extent to which cybersecurity is enabling that,” Jason explained. “That’s because there aren’t always clear metrics to measure the success of cybersecurity, unlike functions including sales, marketing, and talent acquisition.”
For a company to run smoothly, it’s a green flag when a cybersecurity team can be both proactive and reactive for the protection of business assets and even a driver of revenue.
For example, a proactive measure that your cybersecurity function can take is to use its expertise to provide a tailwind to your sales organization. Providing clear, externally-facing descriptions and explanations of your security program’s design and operations, through compliance standards like SOC 2 and ISO, is a common way for security teams to partner with go-to-market teams to accelerate sales and drive customer satisfaction. Whether you opt to undergo a SOC 2 examination or ISO 27001 certification, you’ll be showing your customers that your security controls meet a high standard of assurance. And that stamp of approval from an outside assessor is bound to generate trust among customers.
A reactive measure could be how quickly your team resolves incidents and issues and creates a postmortem reflection and plan. If there’s a possibility your company has experienced a security incident, a typical response from an in-house cybersecurity team would be to open an investigation, pull in the right stakeholders, and trigger a number of simultaneous processes, such as creating a timeline of events, starting a technical investigation, exploring legal implications, and preparing for any external communications that may be required.
If you’ve confirmed there was an incident, the person managing the investigation, referred to as the incident commander, would ensure that your company is making progress on those parallel steps. That’s because “the clock is ticking on any number of regulatory schedules, where you have to disclose the incident in a certain timeframe,” Jason explained. “Even though you might not have all the details, you want to be able to be as upfront and transparent as possible and balance the needs of all impacted stakeholders.”
When the incident is resolved and you’re “in cleanup mode,” as Jason calls it, your security team would conduct a postmortem: a review of the incident where your team identifies action items to improve, assigns them appropriately, and gets them executed.
All the while, you’ll want to ensure that the incident doesn’t take away from your company’s day-to-day operations. “You’ll know your security function is adept at reacting to problems if the team allows your company to operate ‘with as little distraction as possible’ when faced with a security incident,” Jason explained.
In order for a cybersecurity team to drive both proactive and reactive strategies across an organization, its employees need the right mindset and interpersonal skills to get the job done.
First, it’s important that cybersecurity professionals know how to communicate and prioritize, and that they have a strong sense of values. While security experts are often judged on their technical skills, their ability to set strategy and gain consensus and alignment internally are equally important. That’s why it’s a green flag to hire leaders who not only know how to foster this team culture but also attract and hire people who can meet the bar.
“Don’t fret if you’re thinking of hiring a candidate who has the technical chops but isn’t the world’s best public speaker. It’s often unrealistic to assume that all of your cybersecurity hires will be ‘unicorn people’ with the perfect blend of soft and hard skills,” Jason said. Some of your hires need to be superb communicators, especially those interacting with customers on a regular basis, while others need to have technical expertise. This is where prioritization comes in, too. Additional skills that are important here include program and project management—that’s because there are a lot of action items in security work that warrant unique workflows and execution timelines.
“You can never do it all in any field, and security is no different,” Jason said. “So you have to choose, what are the right investments? What are the right building blocks? Because you could do 1,000 things. You probably only have time to do ten. What are those ten, what’s the expected impact, how did you make that decision, and how are you going to communicate that to the rest of your colleagues?”
Finally, it’s important that you assess your potential cybersecurity hires for a strong sense of ethics and integrity. “In the same way that a CFO has a responsibility to look after their shareholders, security professionals have a responsibility to protect their stakeholders,” Jason explained.
One way to measure a security candidate’s sense of ethics and integrity is to ask interview questions that touch on self-assessment and judgment. “I’d want to see how self-aware they are,” Jason explained. “I might ask them about difficult decisions they’d made in the past that they’d learned from, as well as cultural elements they both liked and disliked from past employers. In terms of judgment, I’d ask about their decision-making process, and I’d see if they can disagree with people above them in the org chart.”
Together, these skill sets and characteristics—communication, prioritization, and integrity—can help your company develop a culture of transparency and openness around security. It’s a green flag when companies are transparent and open about their security practices because it helps generate trust, both inside and outside the company.
“In our industry, we have, for some time, thought secrecy is kind of important—like there’s some secret sauce about how we’re protecting data or systems. In fact, that’s not often true,” Jason explained. “Instead, it’s a better sign when a company is clear about how it secures its code, systems, and operations, and if it’s had external firms validate its security.”
It’s especially important that security teams regularly test their controls, and it’s even better when they publicly disclose their confidence in the systems they have in place, Jason added. “You don’t want the only time you get exposed to evaluating how strong your controls are to be when something’s actually happening,” he said.
“When a team operationalizes transparency and openness, it’s a leading indicator of solid security practices,” Jason shared.
Ultimately, you’ll know you’re doing security right when you see your security team’s efforts reflected in your company’s leadership and priorities. “Cyber and data security impacts so many aspects of the business that this leader isn’t just a technical person who gets socked away to handle the mishaps—cybersecurity leaders are drivers of business strategy, revenue, and reputation.”