You have no firewalls. You have no encryption. There’s not a policy or procedure to be found. In fact, there’s very little in the way of “security” anywhere in the company. That’s ok! Because you’ve hired a highly-qualified security professional and stressed in the interview process that security is the new priority. That they will bring about a change in the enterprise and start a new era of a secure culture where everything is done with a security mindset. Sounds fantastic! The opportunity to mold a security program from the ground up with executive support. What security professional would pass up the opportunity to build and run a security program the way they’ve always dreamed?
The 30 days following this hire become crucial. What happens when the professional you hired to hit the ground running actually does it? They start building governance framework. They start getting vendors on the line and developing a relevant and cost-effective security stack. They draft a security training regimen. They do all the things necessary to start developing that framework you hired them to build. How do you respond to this?
The Best Way To Respond
The best possible thing you as a leader can do is to encourage this. Get out of their way. Provide guidance in the way of incorporating business strategy and business culture and let them do what you hired them to do. Give them feedback when asked. If the final product needs fine tuning in order to get full executive buy-in, then by all means! Polish away! Make the governance shiny and pretty and executive digestible. Make sure it fits within the overall strategy of the IT department and the corporate vision as a whole. You hired this individual because they were the best of the bunch and you had the confidence that they were up to the task. So let them take the task and give them the leeway to perform.
The Worst Way To Respond
Closing lines of communication. There is nothing worse in the security world than to see communications cease from your leadership. No comments on document drafts or replies to pricing quotes can make your newly hired security asset feel isolated. Furthermore, diminishing the role from what was advertised in the interview can be demoralizing. It can leave them feeling untrusted and frustrated. Hiring a highly-experienced security professional and taking their job down to that of an entry level analyst is, at the very least, insulting.
When it comes down to it, the lesson here is to not promise more in the interview than what you can really give. You can paint an optimistic view of your open position without setting unrealistic expectations. Be forthcoming with the challenges involved and transparent about what the journey ahead will look like. It sets the tone for their entire experience with your organization and can ultimately make the difference in whether or not they succeed… or stay.