Working in organizations on the steep ascent from startup to established player, CISOs need to determine how best to enable the business, how to partner with go-to-market teams, and what to prioritize. We spoke with security leaders who have experience leading security teams at rapidly growing businesses to understand best practices for prioritizing and building a security program at each stage of a company’s growth.
What are the first steps in building the foundation of a security program?
Establishing the foundations of a security program at an early stage start-up means understanding the business, its growth playbook, and target customers. According to Quincy Castro, CISO at Redis, once security leaders achieve that understanding, they can ask the following questions:
What levers are available to me?
What do I want to influence?
How can security help scale the business?
What aspects of security are a drag on the business?
David Cook, CISO at Sequoia Consulting and formerly at Databricks, says that because early-stage businesses don’t usually allocate large budgets to security early on, practitioners will partner with go-to-market teams. This makes the security team an enabler, adds Ryan Kazanciyan, CISO at Wiz. Identifying how each partner team interfaces and engages with the security team is also crucial to the initial development of the security program. “And then, a good way to start structuring your program is by figuring out what you standardize based on your capacity at that point in time, and what you invest in based on business need,” says Kazanciyan.
An important early step is to create a decision-making body that makes the calls needed to deliver growth, and ensures business and security priorities align. Omer Singer, Head of Cybersecurity Strategy at Snowflake, says that giving product and engineering teams a seat at the table helps ensure the right decisions are made during the early stages of product development, such as baking security into a product from the get-go.
When you inherit a security program, how do you decide what to do next?
According to Singer, establishing culture early is crucial to security organizations. “As a security leader, being able to hire people that think like engineers and work like engineers was important,” Singer says. “Now, several years later, you can see that culture of engineering permeating a much larger security organization.”
For Kazanciyan, “You need partners to be an extension of the security team. That comes from empowering them to have the information, tools, and process to make good security decisions autonomously, without always needing to loop in security.”
Castro notes that a federated model that pushes accountability for security out to the business is the best approach for a fast-moving organization. “[As a security function], you’re saying, ‘what do you think the right answer is here? How will you get security right for this offering, product or service?’ And then, ‘here’s what I’m offering to empower you and help you get that right.’” This model helps infuse security throughout a business from the bottom up.
What are the key challenges security teams juggle working at hypergrowth companies?
For Kazanciyan, the rate of change is at the root of the challenges security teams face at this type of company. Managing the trade-offs between speed and security “is the hardest part of driving security and governance functions in a hypergrowth business,” he says. Doing this effectively means working with partner teams to establish priorities and understand where the security team can deliver the greatest impact on the business.
Castro emphasizes the importance of focusing on the biggest security issues, noting that “at the end of the day, we care about the things that have the potential to kill the business or that could cause us to lose trust with our customers.” If a security team concentrates on those issues, and decision-making bodies and individuals buy into that approach, the broader business will see that the security team is there to build and protect business value.
How can you validate your security team in a hypergrowth environment?
In a hypergrowth environment where product and sales teams might feel like a rocket ship, security leadership should take steps to give their organization the sense that they’re making meaningful progress too: not just fire-fighting, but building and innovating. “To give a security team a sense they are moving quickly, like everyone else at the company, set objectives that span quarters or even years, and then see measurable progress towards these objectives,” says Singer.
Castro agrees: “I love the idea of getting into an agile model of running a security program where you say we’re making incremental progress and here’s the North Star. Once you start to frame the team as builders and creators of value and capability, setting objectives and key results, and having a target to aim at, you can really energize and motivate people.”
Watch the full discussion here for more insights and commentary about how leading CISOs addressed the challenges of prioritizing security in fast-growing business environments.