A short series of advice for individuals in cross-functional teams at scaling startups.
Beyond some questions about organizational structure and infrastructure, there may be some caveats that you want to identify and detect early. Questions that are obvious to us security folks may not be obvious to your soon-to-be manager. Especially if the startup is small, you may be placed under a team that has never worked with a security person before.
The tough part of security at startups is having limited technology, people, processes, and money, yet being expected to operate like a large corporation that has adequate people, money, etc. Therefore, being the first security hire means having great people skills, being creative, and being highly knowledgeable in IT, security, and compliance.
Here are questions I asked, and questions I wish I had asked, when becoming the first security hire:
- Are there policies and/or guidelines around company-wide communication?
- Are HR and IT processes already in place?
- Is there a defined strategy and business goals for this year?
- Will I receive a proper introduction to the entire company?
- Will I be introduced to the business stakeholders on each team so that I am able to speak with them directly?
- Who will be responsible for ensuring I am integrated into the security review process?
- Is there a sales strategy, and is it documented?
- Is my position customer-facing? What percentage?
- Does the company have an IT person? If not, will the company hire an IT person soon?
- Is a ticketing system in place? If not, will there be immediate approval to set one up?
- Are company devices already managed?
- Are software applications already managed or inventoried?
⚖️ Governance, Risk, and Compliance
- Has the company invested in compliance software? If not, is there a budget to do so, especially if there are no plans to expand the team?
- Is there an experienced individual assigned as the data protection officer?
- What are the company culture and overall morale towards IT, Security, and Compliance?
- Are employees aware that the company must comply with [insert ISO, SOC, GDPR, etc.]?
- Will I be introduced to and have access to business stakeholders?
- Will there be a designated person or team for answering SIG questionnaires?
💰 The Million Dollar Question
Have you actually implemented the controls you tell your customers you have completed, at least partially?