How to Build a Startup Security Team: Advice from Security Experts
With the rise of security threats comes an increased need for strong security measures, but it’s hard to know where to invest your time and money, especially if you’re a small startup. Who should own security when you first get started? Is it worth it to hire a Chief Security Officer (CSO) right away? Is it better to build out an internal security team or hire an external agency instead?
To help answer these questions, Ben Arent, one of our Developer Relations Engineers, sat down with two security experts to get their take. His conversations with Donnie Hasseltine (CSO at Xenon Partner and CEO at TeamPassword) and Luca Carettoni (co-founder of Doyensec) have provided insight into how teams can start building a strong security posture early on, even with limited bandwidth and resources.
When a startup needs a CSO
For most startups, having a CSO is a luxury. Yet as startups grow, tackling security challenges becomes inevitable — so at what point should a startup hire a CSO?
Cost, says Donnie Hasseltine, is naturally a main consideration: “In some ways, every startup needs a CSO. But in the early days before you hire someone, I think that getting the cyber hygiene right is key. And one way to do that is to put somebody in charge of security.” Hasseltine notes that what matters in a startup’s early days is for security to be assigned to someone — CTO, software engineer, or another team member — and for that person to be compensated and empowered with the tools to handle security.
Regardless of whether you’re able to hire a full time CSO or assign the responsibility of owning security to a team member, Hasseltine also recommends making security part of everyone’s role as a way to improve your overall security posture. He cites a practice where security can be assigned to an individual in every single business unit in the company since this creates a culture where security becomes a core part of day-to-day operations.
While delegating the task of security is useful early on, it’s important to consider bringing someone on when you start thinking about meeting security & compliance standards. “As you mature,” says Hasseltine, “as you start talking about a broader infrastructure, and about getting third-party audits like SOC2, that’s when you probably really need to consider having a CSO on your team. How experienced or what their backgrounds are can depend on your product and company.” He adds: “If you can afford it, jump in and get a CSO early and start building infrastructure early. But if it’s something you can’t do, put somebody in charge of security and then start building that security culture where people are at least asking those questions.”
Building an internal security proficiency
Once you’ve gotten to the point where security is important enough to either you or your customers to hire a devoted practitioner, you’ll want to start searching for the right type of candidate to fill the right type of role.
When you start to think about what role to hire for and whether you should go straight for a CISO or for a security engineer, Luca Carettoni says the answer depends on what needs are driving you to consider security.
He notes that many startups first encounter security as a compliance request from customers. Where compliance is the first priority, the security hire should be someone who understands the technical side well enough but is also capable of talking to auditors and handling governance around compliance. For example, earning SOC 2 compliance involves a great deal of paperwork and documentation of a company’s controls and processes.
As for product security, says Carettoni: “If you really want to do product security, which is actual security for the platform or the software you’re building, then my general recommendation is a strong security engineer — someone close enough to software engineering and able to recommend a good trade-off between usability, security, and product features. At the very beginning, startups often don’t have all the tools and might need a person capable of making those choices.”
Once the decision is made to make those first security hires, how should a startup go about finding them?
As a candidate evaluation tool, Carettoni considers security certifications (non-product-specific ones) to be generally useless. “It might be controversial for many,” he says, “but realistically, I don’t think there are very good certifications out there. While they serve a purpose as keywords for non-technical recruiters, certifications generally fail to represent the skillset of a person, especially for roles like a technically strong security engineer.”
Instead, Carettoni recommends looking at code the candidate has written in open-source repositories, research they have published (at conferences or as security advisories), and their expertise with the software used to exploit vulnerabilities.
When to hire an external security team
What about hiring an external, rather than internal, party to manage security? That really comes down to your team’s specific goals and how built out your security is already.
Carettoni advises: “For a startup, there are primarily two main activities that they would have to perform: secure system design and secure implementation.” He says: “Startups who have some level of security maturity might want to do threat modelling around the systems they design. That’s where it would be best to have someone in-house who can review the overall design even before starting to code and implement.” If the startup doesn’t have that resource, he recommends looking for help even if that just means a day or two of someone reviewing the system design and thinking about its overall security model.
Carettoni adds: “When you’re onboarding the first customer or right before that, security investing is clearly an important part of securing an application. Very often, startups don’t have that level of expertise in-house, and that’s when they basically look for partners to help with their security testing. Time and resources permitting — I would recommend people in-house for both activities.”
The most important thing is to make a concerted effort to start building out your security posture early on, regardless of what that looks like for your team. Managing security in-house makes it easier to pick the processes and tools that will work best for your team. If having someone in-house is not feasible, do your best to make security part of everyone’s job, so that you build a scalable, security-minded product and culture.
Making an investment in security early on can be difficult — with so many competing priorities, limited time or resources, and numerous other important hires to make, planning for eventual security needs can feel like a waste of time in the early days of a startup. But this isn’t entirely true. In fact, the payoff of building a security-minded team from the get-go can be immeasurable when you consider the potential for hacks or data leaks that can be devastating for a startup’s reputation early on.
Building a security team doesn’t necessarily mean hiring a CSO right away. While having a dedicated security hire is useful, as long as you put someone in charge of managing security, you’ll be off to a good start. Once you start looking to partake in more serious audits or become SOC2 certified, it will be worthwhile to hire someone full-time. But until then, you should be able to manage security just fine in-house, so long as you build a team that takes security seriously.