Kenneth G. Hartman

Security Consultant,  
Forensic Analyst & 
Certified SANS Instructor

The following excerpt is a thread from a discussion on LinkedIn in the Information Security Community group.


How can a young professional convince startups that InfoSec is needed? And then get them to hire him? I am currently studying InfoSec Management and I am looking to get a job at startups as this will provide me room to grow and experiment with less of an impact. How can I convince them it is needed and that I am their guy?

Ken Hartman:

Great topic and great discussion so far. I have a different perspective to add to the mix. Find a startup that is in a regulated industry so that it must have a security management program to be in compliance. Clients of this type of business WILL have it built into their contracts. Make sure the management team understands business management and not just their technology. Security is all about managing risk. Startups are constantly faced with prioritizing risks—so make sure that you have the appetite for that.

I joined what became a successful startup 10 years ago ( and we understood “brand” was everything. It was very clear to us that we had to protect the trust our clients were placing in our brand. Good security controls are good management. The best companies bake security into their way of managing business, just like they bake quality in. This does not happen by accident, it takes a sustained top management commitment to organizational process maturity—but this is exactly what it will take the startup to survive. Various security frameworks can provide you with a roadmap (and hence ideas that you can contribute to the company).

So here is my advice: Remember that YOU are also interviewing the company. Look for a company that “gets it.” And yes, be prepared to wear many hats…but that is what makes it so fun.