Hiring
- There are some beneficial timeframes for hiring.
  - Hire a team, not a person.
  - Hire after task discipline is normalized.
  - Hire when they will have enthusiastic internal partnerships.
  - Hire when there are more resources than just benefits / salary available for them.
  - Hire when self-organization has already started around security tasks.
Recruiting
- Factors for enticing a security candidate:
  - Money: Talented security engineers expect a premium for their specialization.
  - Recognition: Many expect to participate in the security community. (Speaking / Travel)
  - Curiosity: If you have fresh technology or innovation, show it off.
  - Challenges: If you have big risks and scary adversaries, show them off.
  - Altruism: Make clear what influence you want to have on a mission, or on society.
Leadership
- Timeframe considerations:
  - Some existing leadership relationships.
  - Prioritization of risks and mitigations needs guided decision-making.
  - Security is about to become a “Team of Teams”.
  - Security is about to be fragmented by locations, products, or customers.
  - Longer-term, multi-person technical efforts begin.
- Interview considerations:
  - They confront skeletons. Not afraid to ask tough questions.
  - They can recruit talent and increase the percentage of candidates who say yes to offers.
  - They can guide solutions to fragmented, convoluted problems.
  - They can take risks, instead of saying “no” perpetually.
  - They can lead an incident response effort.
  - They can balance work to avoid toil.
  - They can guide longer-term engineering efforts.
Budget
- At least follows overall organizational growth.
- Additional resources in outlier risk / growth areas.
- Negotiating with security:
  - Are the risks legitimate?
  - Are the mitigations effective?
  - Are the costs reasonable?
  - Can internal partners share large budget areas?
Planning
- Push it down to knowledge workers.
- OKRs (Objectives and Key Results):
  - Useful but not perfect.
  - Be clear about desired risk outcomes.
  - Find roots in risk, trust, governance.
  - Very difficult from an objective measurement perspective.
  - High trust required.
  - Risk measurement is fragile and easy to corrupt.
- Push for independence:
  - Avoid being strictly OKR-based.
  - Rely on peer feedback cycles.
  - Critique the ability to self-manage.