Running Your Security Team Like a Startup
As someone who has run both security teams and startups, I’ve noticed a lot of similarities between the two. In many ways the problems you need to solve, and the objectives you need to achieve, are eerily similar. My goal with this blog post is to give security team managers and leaders a different perspective on how to effectively run their teams by following the development model of a startup.
How is a Security Team Like a Startup?
This concept hit me like a ton of bricks when I was working as the Director of Security for a tech company, sitting in a senior leadership meeting trying to pitch them on funding a security project I wanted to move forward. Having just come out of a startup, I was hit with a strong feeling of déjà vu, as just a few years prior I had been doing a similar pitch for a venture capital (VC) group. The parallels between the two were striking. After that, I completely changed the way I managed security teams and executed my job role.
Once you identify the similarities between the two, a wealth of resources becomes available. For example, you may want to consider reviewing Y Combinator’s Startup School videos for ideas on how to lead your team more effectively.
Align With VC/Management Goals
When you are looking to partner with a VC group, it behooves you to do your homework. Do they try to flip companies quickly or are they looking to build out their portfolio? What other companies have they invested in and can your organization bring additional value to them? Aligning with these objectives can make the difference between a mutually beneficial relationship and one that is adversarial.
The same is true when running a security team. The biggest mistake I see security leaders make is that they try to sell “security” to upper management. This quickly relegates the team to being “overhead”: the stuff a company does because it has to, not because it helps the bottom line. You need to align security with the organization’s objectives. Are they trying to sell widgets to other companies? If so, maybe security can implement security attestations so the marketing team can start targeting larger prospects. Maybe security can integrate with the sales team to handle security-related questions, and thus shorten the sales cycle. Both of these activities would shift the security team from being overhead to being an investment in improving the organization’s revenue stream.
Speak the VC’s/Management’s Language
As security people, we tend to speak in the language of cyber risk. Senior management speaks in the language of risk to the business. While they are similar, they are not identical. This can lead to disconnects where we expect senior leadership to understand the importance of a vulnerability when in fact they may have no perception of the true risks. We need to ensure we are translating things in a way that they will understand and prioritize appropriately.
As an example, imagine I go to senior leadership and state “I need to hire more people to help resolve all of the CVSS 9+ vulnerabilities in our environment”. Senior leadership is going to perceive this the same way they would an insurance policy, and rate it against all of the other risks to the business like missing their sales numbers or not making payroll.
Now, let’s come at this from another angle. Suppose I phrase this as “If we achieve our PCI DSS and SOC 2 attestations, we will be more appealing to larger companies that will pay more for our product/services”. Achieving these attestations will obviously require us to address all critical vulnerabilities, but notice what we’ve done. We’ve changed the conversation from being about insurance to being about increasing revenue. This is far more likely to get funded by upper management.
Understand Your Target Audience
The same way that a startup needs to understand their prospects and users, a security team needs to understand the needs and goals of the other teams in the organization. For example, earlier I mentioned that security could assist sales in their prospect calls to help reduce the time needed to close deals. You would not know that’s an option unless you had taken the time to talk to these “users”.
Your entire organization is your potential user base. Security is going to be offering services within the organization. To identify the form these services should take, you need to first develop a Minimum Viable Product (MVP) and then iterate to improve its acceptance. The only way to do this is by talking to your users, understanding their pain points, and addressing them accordingly. This is exactly what every startup goes through.
Form Alliances With Partners
It’s typical for a startup to build partnerships to help amplify their messaging and improve their value proposition. This is also true for a security team within an organization. You want to partner with other teams that share similar objectives. Most security teams partner with IT and/or operations. This can seem like it makes sense, as these teams are responsible for implementing most of the systems we are looking to secure. However, I would argue that this makes them a better customer than partner.
Consider casting a wider net within the organization. As an example, the legal team is arguably more aligned with us than any other group, including IT and operations. A legal team’s objective is to reduce the risk to an organization. Sound familiar? One of the biggest benefits I’ve found with partnering with legal is that they tend to be integrated into senior leadership. This means you would now have a potential advocate within that group.
Leverage a Pitch Deck to Fund Projects
A common mistake I see is security leaders trying to push large efforts via email or hallway conversations. Just as you would not expect a VC firm to fund you based on a passing conversation, upper management is going to respond in a similar fashion.
Get time at a senior leadership meeting to pitch your idea. Imagine your security team is a startup and senior leadership is a VC group. Pull together a pitch deck to sell your idea. Many of the same techniques that work when pitching VCs are applicable here as well. Remember to stay in alignment with their goals and objectives.
It’s Your Domain, Own It
Within a startup, the founders are responsible for creating the culture and setting the direction of the team. This is very much true for security teams as well. I see too many security leaders who do not take full ownership of their team. Decisions are deferred to others and culture is defined by HR. To an individual contributor on the security team, it can feel like their leadership is just along for the ride rather than truly “leading”.
Security is your domain, own it. A good founder will isolate their team from most of the stresses that can be experienced when working with VCs. A good security leader will provide a similar buffer between their team and upper management. There is essentially a social contract between team leadership and the team itself. Own your portion of this contract and your team will do the same.
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and to identify their product-market fit.