Beg, Borrow, and Steal: Growing a Security Program From 1 to n
2021-06-12, 10:00–10:45, Track 4

For a startup, hiring the first security engineer is a big deal. It's often an even bigger deal for the engineer themselves if they haven't done it before. You're essentially a team of one, serving as your own manager. Congrats on the promotion! Fast-forward a year or three… You've found and fixed some vulnerabilities and managed not to piss off the engineering team too much. But how do you grow the security team and program from 1 to... n?

Drawing on my previous experience building a security program from 0 to n at an acquired startup, as well as experience as a security engineer at two other businesses, I'd like to share some lessons learned for others who are in the position of the established first security professional looking to grow their program. I believe this will be useful both to individual contributors and to those with managerial titles but no direct reports. Explicitly non-Machiavellian and non-empire-building in my approach, I continue to build on themes developed by others of improving information security from a collaborative, risk-managerial, and business-focused approach. I divide my approach into three categories: Beg (ask your boss), Borrow (find partners on other teams), and Steal (find coworkers who want to move to security). Additionally, I share some resources I found useful and avoid too many war stories.

Senior security engineer at a rapidly growing startup focused on application and cloud security. Previous roles include building a security program from the ground up and working at a satellite telecommunications company. Previously worked in product management. Degrees from Texas A&M and (soon) Georgia Tech.