What does a Head of Security actually do?
People underestimate everything a security leader has to do. Let's clarify.
Many founders and startup leaders know cybersecurity is important to address, but how they go about it varies tremendously.
This is in large part because they often don't know what they don't know. Additionally, they have acute needs at the moment that drive the sense of urgency but usually don't reflect the full scope of a security leader's job.
Combine these two and you get uncalibrated job descriptions or, worse, hiring a contractor or dissolving the position.
On top of that, from a security point of view, there is a lot coming around the corner as the company grows that they are not aware of.
Company Background
In this post, I will go into ALL the things that a Head of Security does and manages at a pre-IPO startup.
Your mileage may vary of course based on a few factors:
Company size
Number of people (eng vs non-engineering)
Revenue
Funding Stage
Company culture
Types of customers
B2C
B2B
Niches
Crypto
Healthcare
Finance
Rate of Growth
For the purposes of this article, I will be talking about Series B-D companies in the B2B space that have product-market fit and are growing rapidly, with about 100-150 people and looking to double headcount in the next year.
Some baselines
The company is probably using Rippling for MDM but doesn't have an IT expert or dedicated person managing it.
Translation: they likely don't have automatic OS updates configured, and controls like USB blocking are not enabled, for starters.
They've never had a security person, or they had a compliance person, in house or outsourced.
They're not sure if they should hire an Engineer or an Engineering Leader.
They have SOC 2 Type II and/or ISO 27001, but are not sure if they are actually secure.
You don't know how often I hear this!
Surprisingly often, I come in and find many controls not in place. I'm very curious how an auditor did not ask for these things.
What A Head of Security Actually Does
Here is a quick list of all the things a Head of Security does in no particular order:
Manage the compliance program (SOC 2, ISO, PCI, etc.)
Conduct security architecture reviews (ad hoc and planned)
Function as Incident Response Lead and make informed decisions based on experience (this probably matters the most)
Conduct investigations
Manage and secure IT and SaaS systems
Build and promote a security culture at the company
Implement Zero Trust controls across the company
Conduct quarterly access reviews
Answer security questions from employees
Present security to the board quarterly
Provide input to exec or leadership teams on company-wide initiatives and planning
Guide Product Security features to meet enterprise customer security expectations
Take meetings with customer security and compliance teams
Complete security questionnaires
Hire and build the team (as needed)
Harden infrastructure
Conduct application security reviews
Set up and manage security operations
Respond to phishing and malware alerts
Many times the Head of Security is the company's first security hire. They are often running solo for 3-9 months until they can expand the team. They usually have an engineering background and are expected to be hands-on day to day. They're essentially a Swiss Army knife.
The first time they take the role, they usually come from positions such as:
Deputy CISO
Security Architect
Security Engineer - Lead
Security Engineering Manager
Difference between Head of Security and CISO?
This is a good question. For some background, CISOs have not been around as long as the CTO position. In any case, the CISO, at least as it should be, is a top-level executive position that reports to the CEO and has influence across the company. In many cases, though, the CISO may report to the CFO, GC, or maybe even the COO. (I highly recommend not reporting to the COO.)
The Head of Security (HoS) is a position that came up over the years and originated in startup land as the Head of Engineering role evolved. Often the Head of Security first reports to the Head of Engineering, until they have been "trusted" long enough to move outside of Engineering and report to another function.
At this point there are a few ways the position can go. The Head of Security can remain as such and be equivalent to the Head of Engineering role. Another option is to hire a CISO, reporting to the CEO and the board, and have the Head of Security report to the CISO. Essentially, the Head of Security becomes a Deputy CISO.
What is a Deputy CISO?
A Deputy CISO handles much of the day-to-day security work at the organization, including technical initiatives, whereas the CISO handles executive communication, client interactions, and possibly even sales/marketing motions. The Deputy CISO is often the one defining the roadmap and strategy, working with the CISO to sell it and make it official. It's easy to underestimate how much work the Deputy CISO actually does in an organization.
What Makes A Good Head Of Security?
Remember the list of all the things above? Well, that’s good and all, but can one person do all this? Yes and no.
While one person can do all of the things mentioned above, don't expect them to be an expert in ALL of the areas. The one exception is that they need to have good Incident Response experience. Other than that, of the five major areas (Application Security, Infra/Cloud Security, IT Management, Security Operations, and GRC), they should have experience in all of them but be an expert in three of the five. This will give you a very well-rounded HoS to handle and grow security at your company.
For the areas they are not an expert in, they can leverage AI, as long as they have an advanced understanding of the concepts. These are the areas where, when they grow the team, they would hire a person to handle the day-to-day.
For example, I'm an expert in GRC and Infra/Cloud Security, and AppSec is not one of my expert areas.
For AppSec, I leverage my experience as a pentester at NCC conducting white-box assessments of code, my experience building and securing applications, my incident response experience, staying up to date on incident post-mortems, the latest zero days and vulnerabilities, and engineering best practices, plus LLMs for language- and environment-specific reviews, to fill in. Do I have experience as a full-time SWE? No. Do I help companies secure their code from vulnerabilities? Yes, for sure!
Engineer or Engineering Lead?
This is often where startups get stuck. They will err on the side of the engineer so they can fix all the (currently) broken things, but then throw the engineer into meetings with customer CISOs, have them fill out questionnaires, and expect them to handle incidents properly as they come up. After a short time, they burn out and can't get anything done. Or worse: they say the wrong thing to a customer, and/or the customer loses confidence in the company because there is no leader in the security seat.
The right answer here is to hire a player-coach Engineering Leader, aka a Head of Security. Paired with the right AI tooling, or the right engineer down the line, this person can be very successful. A lot of the time it comes down to whether the person has the can-do attitude a startup requires to get things done and the EQ to handle the right people (engineers, employees, execs, and customers) at the right time.
The Importance of EQ
We all know EQ is important, but I think many underestimate how important it really is in security leadership. This person has to weigh in on a lot of tough decisions and could be responsible for leading an incident at ANY moment. They need to be cool under fire, as well as easy to work with, because changing human behavior is not easy.
Not everything a Head of Security does requires a tremendous amount of EQ, but it is important and hard to train or brush up on.
EQ vs Technical Acumen
So what about technical abilities and acumen? Imho that's super important. Some background: CISOs have had a bad rap for not being technical, leading to bad security decisions. Sometimes they come up via the compliance or legal route as well, so they tend to have a very black-and-white view of security management, when in reality it's fifty shades of gray.
Heads of Security tend to be more technical given their previous experience (see above). Personally, I encourage everyone to always stay technical as much as possible, as it will keep you relevant.
Now in the age of AI, builders are building again. PRs can be reviewed in half the time, although on the flip side there are SO many more PRs.
Incident Response is one of those key areas that require BOTH high EQ and high technical acumen.
Conclusion
At the end of the day, hiring for security can be a hard decision, but it doesn't have to be. I'm finally seeing companies hire security earlier and earlier, but I'm also seeing them struggle to define the role or find the right person. This guide is born out of seeing this firsthand.
Ultimately, you need to find the right fit for your organization. Hopefully this guide will save you weeks of time spent calibrating for the role.

Interesting perspectives and glad to hear perspectives from someone who has seen many startup examples!
Can you say more about how the Security team size and needs change in relation to some of the metrics at the top like company size?
How do you define success for a Head of Security? Are they actually doing all the things or prioritizing among that list? Is it truly reasonable for 1 person to do all? Vuln management for example: are they training engineers, entirely outsourcing to AI or doing it themselves? Are they also making strategic security plans? What outcomes should startups expect from them in 3, 6 and 12 months in addition to day to day operational activities? How would you break down an HoS's time on deployments versus ops like vuln management, detection, and incident response?
At what point should the team expand?
Who should the HoS report to?
Why should companies promote their HoS to CISO? When should they hire a CISO instead?
For HoSs what should they do to continue advancing to CISO?