Talking Tech: When should startups hire a CISO and why?
By Sistla Vaishnavi. Sistla is an Associate Director at Zeren within the Talent Operations and Cyber Security division operating from our London office.
With the ever-changing high-growth start-up and security landscape, one of the most important and sensitive roles an organisation can appoint is the CISO. Firstly, how do we classify a CISO? A CISO is an executive who is responsible for an organisation’s information, data, and overall enterprise security. Ideally, they have a robust understanding of technology and the ability to strike a balance between innovation and security.
A common misconception amongst the start-up community is a form of ‘security through obscurity’ – the belief that the business is too small to be targeted. This is a rather naïve mindset, as smaller businesses are just as much at risk from cyber-attacks as larger businesses, and often have more to lose. A report by Verizon found that “61% of small to medium-sized businesses (SMBs) experienced a cyber-attack last year”, whilst a report by IBM revealed that “SMBs lose close to $2.5 million on average per attack” – a significant figure, both from a financial and a reputational-damage standpoint.
A recent study by Navisite states: “When evaluating the lack of cybersecurity leadership by the size of organization: the smaller the organisation, the more likely that organisation is operating without a CISO/CSO. Among the largest enterprises with 5,000 or more employees, only 10% indicated they did not have a CISO/CSO, compared to mid-sized organizations at 52% and small organizations at 64%.”
This does not come as a huge surprise, as start-ups tend to channel resources and funding towards go-to-market strategies and product/service development, with the aim of getting to market as quickly and efficiently as possible. Whilst this is understandable, delaying the hiring of a CISO beyond the ‘right time’ can have a detrimental impact on the business.
So, the million-dollar question is: when is the right time?
A CISO is usually brought into a start-up business only when the enterprise environment is at a mature and complex stage, or when the business is preparing for an exit event (acquisition, IPO, etc.). More recently, CISOs are brought in much earlier and are often the 3rd or 4th technical executive hire after the CTO or VP of Engineering. Whilst the ‘right time’ depends on the size, nature, and risk appetite of the business, if you are a SaaS business operating in a regulated industry or a firm in a highly data-driven environment, then it is critical to have a CISO early on, ideally between the Seed and Series C rounds.
The benefits of hiring a CISO early:
- CISOs can work through necessary regulatory compliance and certifications such as PCI DSS and ISO 27001 so that they do not become a sticking point when negotiating early deals.
- The presence of a CISO builds trust amongst the customer and client base in the product, the service, and how their data is processed.
- The pursuit of speed-to-market can create technical debt and leave security vulnerabilities – a CISO can ensure developers are trained in secure coding and testing, and that best practices are incorporated throughout the SDLC.
- A CISO encourages a start-up business to build a culture of security from the ground up, so that security grows together with the organisation.
That said, it is important to highlight that businesses occasionally hire CISOs a bit too early, or even for the wrong reasons (i.e., to appear to have a compliant or secure enterprise environment) – such hires are found out quite quickly and cause reputational damage.
A CISO is not a “tick-box” hire; he/she is an extremely vital executive for any business that is looking to have a bright and secure future. Personally, having worked with and interviewed multiple CISOs from a variety of industries, I find them to be some of the most passionate professionals, who aspire to work for a business that takes security seriously and gives them an opportunity to make a lasting impact.
Zeren specialises in recruiting for high-growth and investor-backed businesses. With a focus on technology, we connect with sales leaders globally. Our experience spans businesses from SEED funding to Series A-D, ensuring successful placements in this dynamic space.