When should start-ups hire a CISO and why?
Sistla Vaishnavi is an Associate Director at Zeren, within the Technology division, operating out of the London office.
With the ever-changing high-growth start-up and security landscape, one of the most important and sensitive roles an organisation can appoint is the CISO.
Firstly, how do we classify a CISO? A CISO is an executive who is responsible for an organisation’s information, data, and overall enterprise security. Ideally, they have a robust understanding of technology and the ability to strike a balance between innovation and security.
A common misconception amongst the start-up community is ‘security through obscurity’ – meaning that they believe the business may be too small to be targeted. This is a rather naïve mindset, because smaller businesses are equally at risk from cyber-attacks as larger businesses, and often have more to lose. A report by Verizon found that “61% of small to medium-sized businesses (SMBs) experienced a cyber-attack last year”, whilst a report by IBM revealed that “SMBs lose close to $2.5 million on average per attack” – which is significant, both from a financial and a reputational damage standpoint.
A recent study by Naviste states that:
“When evaluating the lack of cybersecurity leadership by the size of organization: the smaller the organization, the more likely that organization is operating without a CISO/CSO. Among the largest enterprises with 5,000 or more employees, only 10% indicated they did not have a CISO/CSO, compared to mid-sized organizations at 52% and small organizations at 64%.”
This does not come as a huge surprise; start-ups tend to channel resources and funding towards go-to-market strategies and product/service development, with an aim to get it to market as quickly and efficiently as possible. Whilst this is understandable, delaying hiring a CISO into the business at the ‘right time’ can have a detrimental impact on the business.
So, the million-dollar question is when is the right time?
A CISO is usually brought into a start-up business only when the enterprise environment is at a mature and complex stage, or when the business is preparing for an exit event (acquisition, IPO, etc.). More recently, CISOs are brought in much earlier and are often the 3rd or 4th technical executive hire after the CTO or VP of Engineering. Whilst the ‘right time’ depends on the size, nature, and risk appetite of the business, if you are a SaaS business operating in a regulated industry or a firm in a highly data-driven environment, then it is critical to have a CISO early on, ideally between the Seed and Series C rounds.
The benefits of hiring a CISO early
- CISOs can work through necessary regulatory compliance and certifications such as PCI-DSS and ISO 27001 so that they do not become a sticking point when negotiating early deals.
- The presence of a CISO builds trust amongst the customer and client base towards the product, the service, and how their data is processed.
- The pursuit of speed-to-market can cause technical debt and leave security vulnerabilities – a CISO can ensure developers are trained in secure coding and testing, and that best practices are incorporated throughout the SDLC.
- A CISO encourages a start-up business to build a culture of security from the ground up so that security intertwines with the organisation’s growth.
In saying this, it is important to highlight that occasionally businesses hire CISOs a bit too early, or even for the wrong reasons (i.e., to appear to have a compliant or secure enterprise environment) – this can be found out quite quickly and cause reputational damage.
A CISO is not a “tick-box” hire; they are an extremely vital executive for any business that is looking to have a bright and secure future. Personally, having worked with and interviewed multiple CISOs from a variety of industries, I find them to be some of the most passionate professionals, who aspire to work for a business that takes security seriously and gives them an opportunity to make a lasting impact.
Zeren exists to empower the world’s change makers. We do this by building high-performing teams in the world’s most innovative businesses, to accelerate growth by connecting visionary leaders and ambitious talent.
We are a leading global Executive Search & Recruitment firm with teams and offices in San Francisco, Houston, New York, London, Berlin and Frankfurt.
We partner with both high-growth, VC/PE-backed businesses and ambitious Corporate brands placing senior leaders, building exceptional teams, or providing critical interim and consulting talent.