CHAPTER EIGHT
Hiring, Outsourcing, or Hybrid

Your company culture is who you hire, fire, and promote.

– Dr. Cameron Sepah

HIRING WELL IS THE SINGLE most important thing any company can do. A bad hire in a key position can be devastating and have a long-lasting negative impact on the business in almost every aspect. Dr. Cameron Sepah said it very well: “Your company culture is who you hire, fire, and promote.” And I would add to that: company culture is not free snacks, arcade games, or company trips to exotic locations for team building. Who we surround ourselves with to represent us and our business defines the culture. Once you've figured that out, you'll need to decide whether it makes sense to hire someone full-time or to outsource the role in some way, and whether to run the search internally, if you have talent acquisition, or through an outside firm.

As a start-up, you must focus on the details. What is your value proposition? Ensure every new role supports that until revenue is positive. Creating cybersecurity roles will be essential to protecting the business's current and future revenue and brand. However, creating titles for the sake of checking a box will do far more harm in the long run than thoughtful hiring. Many companies today are expected to have a chief information security officer (CISO) that reports directly to the CEO and has total visibility across the enterprise's cybersecurity posture and risk.

But simply bestowing this title on someone with no tactical security experience will be a detriment to your short- and long-term cybersecurity strategy. A brand-new hospital would not place someone in the role of chief of surgery who has never performed a single surgery in their career. So why would you install someone as the CISO who has never performed a penetration test, participated in incident response, or developed secure code?

As you scale, your needs will always change. This is where attention must be paid, because the person you need at 10 employees is different from the person you need at 1000 employees.

CATALYSTS TO HIRING

Internal and external drivers may exist for your specific organization that will dictate whether you should have a CISO full time or could benefit from contracting one out through a CISO-as-a-service provider or seeking experts to provide an advisory role compensated with equity instead of costly and limited capital. Internal drivers such as board members or even experienced employees may say you need one. External forces, such as your customers, may expect you to also have someone in complete control of your cybersecurity. You must trust the person in this role as much as you trust your co-founders.

Other external forces, such as government regulations, may even dictate it; for example, the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500). This regulation, enacted in the state of New York in 2017, requires, among other things, that financial services firms appoint a chief information security officer. This was the first of its kind but most likely not the last. You can expect other states or even countries to look to copy this law for the financial sector and possibly others. This will certainly disrupt how you do hiring in the formation, validation, and growth stages of your start-up.

GET THE FIRST HIRE RIGHT

Your first security hire will vary from one stage of your company to the next. If, for example, you are in a highly regulated industry, your first security hire might best be someone with hands-on experience in that industry. If you have little to no regulations surrounding how your business runs beyond common law, then a highly technical individual contributor may be the best first hire. Understanding and navigating the highly competitive cybersecurity job market may be something you will want to engage an outside recruiter for rather than attempt on your own, especially if you have no human resources department or talent acquisition. Hiring should absolutely be your number one priority when you choose to add to your start-up team.

In many cases, if you have under 45 employees, or are in the formation or validation phase, an experienced individual contributor may be your best first hire. You will have a lot of technical tactical work to do as you scale, as you have seen from the previous seven chapters. Some key requirements to look for in a candidate at this phase are:

  • Ten or more years of experience in cybersecurity
  • Hands-on experience with your start-up needs in the next 18–24 months
  • Previous start-up experience

You will almost want someone who will be a little bored at times in their job. Someone who has “been there, done that” will be able to come in and quickly analyze and understand what must be done, versus what should be done. Despite all the work with your recruiter to identify what your start-up needs in a candidate, you typically capture only about 80% of those needs. Once you have an expert in this field on your team, they will identify other gaps you did not think of, or did not even realize existed – which is why you are hiring them. Dean Williams tells a great story about Lee Iacocca in his book Leadership for a Fractured World. When Lee joined Chrysler, the company was in shambles; he rebuilt it by hiring experts in every position around him and having them tell him what to do. Remember, you are hiring a cybersecurity expert to tell you what to do.

You can expect to pay someone in this role well over $150,000 base annual salary, and somewhere around $300,000 or more total compensation. Titles you might consider will start with principal, fellow, or distinguished security engineer. These are not hard-and-fast rules, and compensation will vary depending on location as well as title. But these are both excellent starting points for your search.

Once you have more than 45 employees, or are into the growth phase, it may be time to consider hiring a cybersecurity executive to fill the chief information security officer (CISO) role for your start-up.

Location is another critical consideration. Most software-as-a-service (SaaS) start-ups born in the cloud can function and scale successfully with employees all over the globe. While you might be like these start-ups and be building a remote-first start-up, you should at least consider time zones. You will need a high degree of communication with the critical first cybersecurity hire. This will be difficult if you are in New York City and your first cybersecurity hire is in Melbourne, Australia. If you are hiring in the US, your geographic locations will most likely be centered in the areas depicted in the heat map in Figure 8.1.

EXECUTIVE VERSUS INDIVIDUAL CONTRIBUTOR

Let's look at when to hire an individual contributor versus an executive. Very early-stage start-ups can benefit from both, and you may find yourself hiring both, but as every company is different, so are your needs. In an engineering-focused company that is building a product, having someone who can dive in and execute on work is important in order to start with a secure product from inception. This hire could keep things going up to around 45 employees. Also remember that, on average, large organizations (1000+ employees) have a ratio of 1:150 of security engineers to employees. As sales begin to ramp up, and depending on what industries you sell into, business-to-consumer (B2C), business-to-business (B2B), etc., you will most likely find that the skills of individual contributors don't apply to business logistics. This can be an inflection point when it is time to bring in a level of management for cybersecurity.

Whether it is “head of cybersecurity” or “chief information security officer,” a strategic thinker who is part of the executive team will allow your business to continue to scale securely. Just as individual contributors run the gamut from right out of school to distinguished engineers with 20+ years of experience, so do CISOs. While your company may be very good at hiring individual contributors, a new member of the executive team is not a decision to take lightly or speed through. It is highly recommended to find a firm such as Hitch Partners.1


FIGURE 8.1 Heat Map of Chief Security Officer Hiring Across the United States

Source: https://www.hitchpartners.com/blog

Your recruiter will guide you through this process. Some specifics you should be looking for in candidates are that they have done some or most of what needs to be done. Someone who has experienced building a cybersecurity organization and strategy, especially at a start-up, will be able to understand your unique needs. Certainly, look for someone with 15 or more years of experience in cybersecurity with a large portion of that in leadership or executive roles. Titles that are either chief information security officer or head of cybersecurity are very common. However, if your first security hire is titled differently, this can signal to candidates that you are not actually ready to hire a cybersecurity executive and that the role is not a priority. Reporting structure is also important, as discussed earlier, because cybersecurity is now a business risk. Who the role reports to can signal either that this position is business critical, or that you are just checking boxes and have no plan to give the role any business authority. These roles should always report to the CEO with some type of accountability to your board. You can expect to pay a CISO anywhere from $600,000 to $1,000,000 total compensation for a mid- to late-stage start-up.

RECRUITING

Working with a recruiter, whether internal or external, is just that: work. Hiring is not something you just hand off to another individual to do for you. This should be a collaborative process between you and that individual to help find the best fit for your start-up. This means working together to determine the business needs, translating those needs into a job description, conducting source searches, and interviewing. The steps are mostly the same whether you have a talent acquisition team or a retained firm to help in the search.

You'll want to meet with your recruiter to discuss your needs. What types of skills does this person need? Will they be an individual contributor, hands-on middle manager, or executive? Where should the person physically be located? Your recruiter should help you work through this discussion as well if you've never been part of the hiring process before. Once you've developed the requirements and have a full understanding between you and the recruiter of who you need, you'll need to build the job description. A job description is important regardless of hiring an individual contributor or executive.

Lean on your VCs, board members, or advisors to leverage their networks to find the best well-vetted talent to join your team.

JOB DESCRIPTIONS

Writing the job description should be a collaborative process. From the output of your requirements discussion with the recruiter, you will either build a draft or they may create a draft for you, and then you work through the parts and pieces together. It's important to remember that the job description might be the first thing your unicorn candidate reads and is how they are introduced to your unicorn start-up. It's important to be honest and transparent in what you put out as the first touchpoint for possible candidates. It should be inclusive and truthful so individuals can self-select in or out. Someone reading the job description should be able to tell quickly whether this is a job they would want or not. Of course, you'll get the folks who are applying for everything, but you want to make sure those who do apply understand quickly what they are applying for.

Your job description basically needs to be a sales slick sheet. You are in selling mode. You are the one that needs to hire someone. The cybersecurity job market is extremely competitive and will continue to experience that talent shortage well into 2030. It is important to keep this in mind when both writing the job descriptions and interviewing; you need them more than they need you. This is simply the fact of the matter we face as cybersecurity hiring managers.

The job description should be no more than a couple of pages at the very most. As hiring managers we always tell people to keep their resume to two or three pages, and the same goes for you as a hiring manager and your job description. Starting with a description of the type of person who fits into this role is a great way to clearly and cleanly explain the hard and soft skills needed. Following up with what they will actually do day to day will attract higher-quality candidates because they can see exactly what type of work they might be doing each day. I cannot stress enough the importance of being honest and transparent. For example, if you are hiring an individual contributor and they will need to review security logs every day, you should clearly say that. There are many people who like this type of work; there are also many who don't.

Keep the bulleted list of skills, requirements, education, and certifications to a minimum. Don't list every single type of vendor for a specific solution. If you want to say something like Amazon Web Services (AWS) experience is required, that is fine. If you want to make it more general such as “cloud infrastructure-as-a-service (IaaS),” that will cover that type of vendor. But whatever you do, don't just list out every IaaS as a requirement. Even the largest organizations aren't multi-cloud and your start-up most likely is not either.

Education is a tricky topic. Lately there has been a push in the technology sector to remove this requirement to open up the number of possible candidates to a larger, more diverse pool of individuals. You'll have to use your best judgment and work with your recruiter to understand if this is something that should even appear on your job description. If you are asking for a principal security architect with 15 or more years of experience, would a bachelor's in computer science from 15 years ago really be that necessary? The same question can be asked if you are hiring a CISO – do they really require an MBA if you need them to interface with customers, redline customer contracts, and build your cybersecurity program? Give it some thought, but the answer is most likely no.

INTERVIEWING

I'll keep repeating myself in this chapter to drive home this point: when you decide to hire, this needs to be your number one priority. Whether it is the recruiter or you personally who conducts the initial phone screen, this is possibly the first experience this person will have with your company. And if you've read any books about building a successful start-up, you will know that customer experience is critical to your brand. That experience starts with how you interact with candidates. You are interviewing them, but they are also interviewing you. As a founder, if this gives you even a moment of pause, you should have someone other than yourself conduct the initial interview. You need to be in sales mode, and if you know you are not the right salesperson to sell this unicorn hire on joining your start-up, have the right person do it.

Have a process, even if it is just on the back of a napkin. It can be as simple as a phone screen with the recruiter, a phone screen with the hiring manager, and then an all-day onsite to meet the rest of the team. Having something documented, even informally, makes it easier to repeat. Keeping the same process for each candidate helps you truly evaluate each person who wants to join your start-up equally.

Be respectful of the candidate's time. Remember you are selling them on your start-up just as much as they are selling you on themselves. The tech industry trend of marathon interview days, sometimes lasting six or more hours, is simply out of hand. This is in large part due to the trend of one-on-one interviews, where the candidate interviews with multiple people, one at a time over one or more days. This interview strategy can lead to bias in interviews and frustration and annoyance on the candidate's side. Panel interviews capped at two hours in length are far better at fully evaluating a candidate. Rarely will someone ever work one-on-one with individuals in a start-up. It is nearly all teamwork, and so should your interview process be. If you do interview debriefs, you only have an individual's perception to base your judgment on. However, if you were in that interview with your co-founders, you might perceive the answers to questions differently than them.

Be on time. This is the easiest thing you can do for the interview. I've heard too many times from friends and colleagues about an interviewer showing up late to an interview. This is just as important for you as the hiring manager as it is for the candidate. A less experienced individual might just brush it off, since they may feel they have less power in this relationship, but somebody with 20 years of experience, whether an individual contributor or an executive, will see this as a red flag. Don't lose out on a great candidate because you couldn't manage your own time properly.

Always ask the same questions in each round of the interview. This is the best way to have an unbiased result at the end of the process and find the best candidate for your start-up. Keeping a structured format is difficult but highly rewarding, as you will increase the possibility of hiring better and more diverse candidates. Unconscious bias is a natural human trait; we all have it, we all do it, and we can all acknowledge it. Having a defined process for interviews ensures we address that head on and guarantees the long-term success of our business. You want someone who is going to see problems differently than you and bring different solutions than you would. A great leader is able to source a diverse set of ideas to push their business to the next level.

After each stage of your interview process you should continue to collaborate and meet with your recruiter. They may probe you with questions, but you should also share why someone was or was not a great fit. This will help your recruiter continue to source candidates who are exactly what your business needs today and into the future.

FIRST 90 DAYS IS A MYTH

It takes well over 90 days for an individual, regardless of experience level, to get fully up to speed in a new job. Completely understanding your start-up inside and out, as well as building political capital, will take longer than 90 days. Your only expectation for the first 90 days should be that they get a quick lay of the land and develop a plan based on what they learned in that first 90 days. In a start-up, you are building and moving fast. Enabling this new teammate to do that will be critical to their success as well as yours. If your job description was accurate and your interview process was transparent, they should know exactly what needs to be done when they walk in the door.

SUMMARY

When you decide to hire your first role for cybersecurity, it must be your number one priority. Not only are your first strategic hires important when you are in the formation phase of your start-up, they are even more critical in the validation and growth phases, when the impact of this individual is even greater. There is less room for error with a bad hire, and making sure you and your recruiter are on the same page is an important first step. Defining a hiring plan that includes how interviews will be conducted and ensuring a diverse candidate pool will ensure your start-up moves smoothly from formation all the way to the growth phase.

Hiring is a collaborative process and shouldn't be done in a bubble. Ask for help from your recruiter, peers, network, VC, and co-founders. This decision impacts all of these stakeholders.

ACTION PLAN

  • Define your needs for the candidate.
  • Determine if those needs are for an engineer or executive.
  • Engage with your talent acquisition partner or recruiting firm.
  • If you don't yet have a recruiting firm, begin interviewing recruiting firms that specialize in the type of candidate you are looking for. Not all firms recruit engineers or executives.
  • Go back to Chapter 2 again and add hiring plans to your roadmap.

NOTE

  1. https://www.hitchpartners.com