The right “Head of Security” doesn’t need this job description, and won’t wake up in the morning with the thought “I am the Head of Security at Invisible,” but with the thought: “Have we taken over the world yet?” The right person already called me, and told me these words:
You should bring me on as a partner, because without me, your data is not safe and you will fail. Here's what I will bring to the table.
Threat Modeling. You need to know all the potential threats to your operations and your tech. You need someone who thinks like the bad guys and is not afraid to get their hands dirty. I will find all the existing weak spots in your armor, and proactively safeguard against new ones.
Risk Assessment. Once the potential threats have been identified, you need someone who can estimate the relative likelihood of those threats happening (nearly 100% given a long enough time horizon), and the potential impact. I will appraise these threats so that we can decide what to do about them, in a ruthlessly prioritized order.
Building Your Round Table. I am but one knight, protecting your kingdom. Eventually, I too will need to build an army. You can count on me to attract like-minded individuals to fill out our elite security team.
Processes. Security is not something you bolt on to your current operations. Security is a mindset, and it is part of everything we do. You need someone who gets that, and is willing to do the hard work to integrate that mindset into your existing tech and operations.
Policies. The best security tech cannot defend against social engineering or poor personal security hygiene. You need someone who deeply understands this and can craft security policies for all your employees and educate them on how to protect themselves should an attacker circumvent our other safeguards.
Monitoring. Your operations run 24/7, all around the world. The bad guys don't sleep, either. You need someone who can work with the tech team to build robust monitoring and alerts, so that we can catch potential problems before they happen.
Incident Response. On the rare occasion that shit hits the fan, you will need someone who can assemble the troops, isolate the problem, prevent further damage, and ultimately clean up the mess so as to prevent future incidents.
Speed. Security is like armor, and at a startup you want the lightest possible armor so that you can move the fastest. I will provide you armor that is both strong and light. I will take a layered approach and go for the easiest wins first that give us the most protection.
The Will to Lead. Finally, you need someone who is obsessed with security and will push their agenda through. At a fast-moving startup, I understand that the security team is going to be unpopular. In some cases, I will have to tell people what they can and cannot do. It's OK, I'm used to getting what I want, because I know how to craft the narrative to get everyone aligned. Your team will understand the importance of what I want to accomplish, and they will follow me willingly.
Skills We’re Looking For:
Qualities We’re Looking For: