“First security hire: Must be a DevSecOps guru, Red Team grandmaster, a GRC expert. Salary is well below market because hey we're awesome and who wouldn't want to work here? Bring your dog to work. And hey—free snacks!”
There comes a moment in every growing company’s life when it is time to make your first security hire. Over and over again I see startups do things like the above—and if you think I’m exaggerating? Not so much.
Hunting unicorns may be a fine sport in some virtual reality Silicon Serengeti, but trying to make the “perfect security hire” is counterproductive, because they don’t exist—or rather, the few that do aren’t going to work for you.
Take a lesson from ancient Sparta instead.
When Sparta’s allies called on Sparta for military aid in time of war, Sparta did not send an army. No. They sent one man: a general. Someone who understood both strategy and tactics, and who was capable of organizing the allied city-state’s military forces.
One man isn’t an army. You don’t hire one man to be an army. You hire one man to be a general.
Your first security hire is a general who is going to organize your security strategy and lay out a roadmap for how to spend your limited resources of time and money to ensure maximum defense.
Yes, I know, you have an immediate burning need for any one of 1) AppSec testing, 2) DevSecOps, 3) secure cryptocurrency storage, 4) operational security, 5) compliance issues (GDPR, ISO certification, SOX, etc), or any number of the other tactical measures that need to get done. Like. Right. Now. Yesterday.
But these are tactical measures. You do not go into battle without strong leadership from a general who can see the entire battlefield, and you do not hire a specialist as your first security hire. You need someone who can see the big picture, not just the hyper-specific domain in which they are an expert.
Take a lesson from ancient Sparta. Make your first security hire a general.