Why Your Startup Doesn't Need a Full-Time CISO (Yet)
Expectation setting on how much you should be spending on cybersecurity
There is a transition point in every company’s life, after which they must have dedicated [cyber]security staff. However, this almost never happens at the very beginning of a company’s lifecycle, and, predictably, it often happens reactively, too late to avoid major issues.
So when should companies plan to hire security staff? While certainly domain specific, security hiring is more acutely needs-based than other roles. If a company hypothesizes that a marketing hire might improve demand gen, they’ll experiment with such a role. Yet most see security as a “just-in-time” hire.
This usually is for one of two reasons:
Founders have had bad experiences with security teams in past companies and are afraid of how their company’s agility will be handicapped by bringing on such a function.
Founders don’t believe that there’s proactive value to be added by security teams, that they’re only needed to secure enterprise deals.
The first reason is painful, and is slowly improving, thankfully, as a newer generation of cybersecurity operators cuts their teeth. The latter is foundationally incorrect, and betrays a deep misunderstanding of the benefit that security can bring across all functions, including go-to-market.
So today, let’s talk through the framework we use with the clients we consult for to help frame what the core security needs of a scaling company are and how to effectively address them, ideally without needing to hire an expensive CISO.
Core security needs
A friend recently told me that every SaaS company needs SOC 2 to sell to anyone nowadays. It is a valid point, no matter how frustrating (don’t get me started on the weakening of security practices through the commoditization of security certifications, in particular SOC 2).
However, it is essential to disentangle SOC 2 as a capstone output of security practices from the beneficial functions underpinning the spirit of SOC 2 (and its more impactful, yet less famous cousin, ISO 27001).
Security can be broken down as serving three primary domains:
Securing the company (i.e. staff)
Securing the platform
Securing the customers (via securing the product)
These can then be broken down into second-level categories.
This set of secondary core needs applies differently to different domains (fraud and platform abuse have to be addressed from the onset of a company in fintech), and some are wholly unnecessary for companies at different stages (a seed stage company with no product does not need to spend months securing their infrastructure).
This gives us a loose framework of which needs are most relevant at different stages of a company. Reminder: this framework must be modified depending on the domain and the founding team’s level of development maturity (if you balk at this, it is even more relevant for you).
Before your finance cofounder chokes on their coffee, this doesn’t mean go out and buy Crowdstrike (honestly, don’t do that at most stages - there are better options).
It does mean spending money. At these stages, there are good, cost-effective solutions. You can go buy Okta for $60/year per person, which shouldn’t be breaking any budget forecast. For your five-person Seed stage company, those $300 are more than worth it compared to one of you getting phished and all of your documents stolen.
Seed stage
At your Seed stage, you need to secure you and your team, full stop. This will also instill a level of security, and financial rigor w/r/t software, in your culture that will continue to pay off as you scale. Cost-wise, you’re typically looking at a few more software licenses, which shouldn’t exceed $100/year for each staff member (relevant acronyms - EDR, SSO, SCIM).
Series A
At Series A, your focus needs to be on getting the security of your product right. This needs to happen before it becomes unwieldy as you dabble in being a feature factory for nine months, before you realize that mistake and frankenbuild a tangential product within your original one. This will help protect you from creating the holes that have impacted too many other companies, leaving them vulnerable. This does get a bit more expensive, but as before, it is worth it. Some of the costs you should be looking at:
Training for, at least, one of your developers to become security fluent - (one-time) $2k - $4k
Vulnerability management (software, machines) - (recurring annually) $2k - $5k
Security assessment / pen test - (recurring annually) $10k - $80k (range depends on number of clients and size of codebase, e.g. web+mobile+IOT)
Cloud security tools - (monthly COGS impact) $500 - $5k (again, really depends on your infrastructure’s footprint)
There’s a cottage industry of other niche tools, but this is a foundational set of tools to address the Series A core needs (relevant acronyms - CNAPP, ASM).
Series B
Series B is where we most often begin to see the need to hire staff members focused on security, because this is when companies hit a tipping point and there’s enough work to justify a full-time security operator role. If you’re in an industry that is more ripe for abuse (e.g. payment processing, communications), you’ll also need to begin to invest in security systems that detect and protect against such fraud. If you’re not aware, this is often the stage that hacking collectives have news alert triggers set up for (yes, they watch for companies raising capital to know who best to target, and, yes, they’re checking whether you have security staff on hand). It’s nigh impossible to estimate an expected cost here, but typically assume you’ll be hiring one or two security operators. A mid-level hire will typically run ~$100k and a senior hire ~$150k for a security operator, so minimally budget $300k/year (plus benefits).
Aggregating all of the above:
Seed stage company - expect to spend $100/year per person
Series A - expect to spend $20k - $100k a year (if you want a tighter range, connect with us!)
Series B - expect to be spending an additional $300k a year.
Should you have just hired a CISO?
Knowing that the average CISO compensation package is going to range between $300k and $650k, probably not at these stages (again, there are exceptions, usually based on your domain).
Instead, focus on addressing each of the needs outlined above in a systematic process. Does this mean that you shouldn’t hire someone with security expertise if you want to? No, they’re experts, you’re not. But there is a fine window for when you should make your first security hire, which you can delay by instilling security best practices (often with a fractional CISO or security firm).
Looking for help with cybersecurity for your company? We consult!
If you need help understanding:
What the ideal startup security stack looks like
How security can supercharge go to market
How to handle Enterprise security reviews
Leave a comment below!