Building any kind of team is not easy. From hiring to managing and ensuring goals are met, it can make a founder's head spin. Adding the additional layer of finding a top-notch security team to ensure your "baby" is safe and sound adds extra stress to an already frazzled entrepreneur.
But there is hope.
We reached out to several industry experts who are in the know about security issues and asked what advice they had on building a strong technical team.
Here is what they had to say:
Security needs to part of the foundation of the company.
Security teams are the most effective when security is baked into the entire company culture. Founders may not have the luxury of hiring someone for whom security is their only job, but it does have to be someone’s job.
For founders working with lean teams, assigning different security channels to different groups can be a good strategy. For example, it makes sense for network security to stay with an IT resource, but enforcement of other security protocols -- like enforcing the wearing of ID badges and escorting visitors -- could fall to an administrative resource.
-- Cortney Thompson, Chief Technology Officer of Green House Data, an environmentally conscious data center service
Look for people who are part of the security community.
You want to hire people that are well connected to the industry, who will leverage established best practices and tools and who are comfortable leveraging services vs. trying to build everything from scratch.
Also make sure you validate the credentials of a potential hire. There are many excellent, technically-skilled people out there but also many who exaggerate their experiences and expertise. The security community is fairly tight-knit, though, so there’s a good opportunity to both validate and find strong candidates by reaching out to your network of companies.
-- Arne Josefsberg, Chief Information Officer of GoDaddy, an Internet domain registrar and web hosting company
Hire people who fit the company's current needs.
Most SMBs don’t have the resources for a dedicated security team, in which case the founder will need to look for technical experts who have some security experience. Seeking out this diversified background is important because security needs to be designed into the architecture and company’s solutions from the get-go, not added as an afterthought.
Once resources are available, the initial team has to be strong and trusted -- people preferably from your network. Quality is especially important at this phase, because they will develop the core product, which is critical for the company’s initial success. These people will be the leaders who will be responsible for growing out the team.
-- Pravin Kothari, founder and CEO of CipherCloud, an enterprise cloud security company
Culture fit matters.
Ensure a cultural fit, and you’ll be well on your way. Too often, security teams will be working at cross purposes with another team. Everyone needs to be at the same table with the same goal: the success of the business. If the security team is isolated, they will be less inclined to prioritize user experience and the effectiveness of revenue-producing departments will suffer. If security folks are grabbing drinks after work with sales folks, they will work better together on a day-to-day basis. The synergy will result in more user-friendly tools, higher transparency and increased security with little hindrance to top-line revenue goals.
-- Ray Potter, CEO of SafeLogic, a company providing security, encryption and FIPS validation products to applications
Turn to an architect.
Founders should build a security team around an architect. Contract one from a third party or hire one, if you have the resources. They will be able to dig into and understand your organization’s unique security concerns, create a plan to keep you safe and then execute on that plan. If you hire an engineer first, they can run the technical side of security but may not be able to see things holistically. Setting up a comprehensive plan that you can expand as you grow is key to maintaining security over the long run.
-- Greg Kushto, Director of Security Practices at Force 3, a network security company.
The fact is many businesses today are having to turn to outside security experts and resources after they have been hit with a serious and costly cyberattack. Rather than waiting for a ransomware or spyware attack to engage added security talent, consider leveraging outsourced security to bolster and support ongoing security as a preventative measure. Outsourcing IT security offers growing businesses a cost-effective way to engage proven talent and is far less expensive than hiring expert support in the midst of a security crisis when a business is more likely to “pay whatever it takes” to restore data, service and security. In addition, outsourcing allows you to ramp up security resources during key times, such as a product launch or migration, and cut back resources and costs during quieter times.
-- Anna Frazzetto, Chief Digital Technology Officer and SVP at Harvey Nash, an IT recruiting firm