• There are some beneficial timeframes for hiring.
    • Hire a team, not a person
    • Hire after task discipline is normalized.
    • Hire when they will have enthusiastic internal partnerships.
    • Hire when there’s more resources than just benefits / salary available for them.
    • Hire when self-organization has already started around security tasks.


  • Factors for enticing a security a candidate.
    • Money: Talented security engineers expect a premium for their specialization.
    • Recognition: Many expect to participate in the security community. (Speaking / Travel)
    • Curiosity: If you have fresh technology or innovation, show it off.
    • Challenges: If you have big risks and scary adversaries, show it off.
    • Altruism: Make clear what influence you want have on a mission, or society.


  • Timeframe considerations:
    • Some existing leadership relationships.
    • Prioritization of risks and mitigations need guided decision making.
    • Security is about to become a “Team of Teams”
    • Security is about to be fragmented by locations, products, or customers.
    • Longer-term, multi-person technical efforts begin.
  • Interview Considerations:
    • They confront skeletons. Not afraid to ask tough questions.
    • They can recruit talent and increase % that candidates say yes to offers.
    • They can guide solutions to fragmented, convoluted problems.
    • They can take risks, instead of saying “no” perpetually.
    • They can lead an incident response effort.
    • They can balance work to avoid toil.
    • They can guide longer term engineering efforts.


  • At least follows overall organizational growth.
  • Additional resource in outlier risk / growth areas.
  • Negotiating with security:
    • Are the risks legitimate?
    • Are the mitigations effective?
    • Are the costs reasonable?
    • Can internal partners share large budget areas?


  • Push it down to knowledge workers.
  • OKRs (Objective and Key Result)
    • Useful but not perfect.
    • Be clear about desired risk outcomes.
    • Find roots in risk, trust, governance.


  • Very difficult from objective measurement perspective.
  • High trust required.
    • Risk measurement fragile and easy to corrupt.
    • Push for independence.
  • Avoid strictly OKR based.
  • Rely on peer feedback cycles.
    • Unfortunately.
  • Critique ability to self-manage.