#BSidesSF: How to Create a Security Program and Culture as the First Security Hire

At BSides San Francisco, Bryan Zimmer, head of security at Humu, delivered a talk on how to create a security program and develop a security-centric culture as the organization’s first security hire.

“So you’re the first security hire,” began Zimmer. “You’re going to need social skills.” Zimmer advised that being humble and building relationships with key stakeholders, department heads, and various teams around the organization is critical to getting ahead as a security leader. “It’s not just about tech and tools,” he said. “It’s about security culture.”

Zimmer suggested that being approachable and thankful and parking the jargon will all contribute to your success as a communicator. “Collaborate, don’t dictate,” he said. Additionally, social skills will get you executive buy-in early, which is very important in terms of securing budget and making a name for yourself. “Identify the major stakeholders and engage one on one with them.

“Ask for feedback, have empathy, and always send the elevator back down,” continued Zimmer, explaining it means “using your power to help others below you. Find and hire minorities, invite graduates to industry events, offer career advice.”

Zimmer noted that one of the most important things to establish when starting out in the role is the organization’s priorities and strategy. “Find out what matters most to the business, determine what needs protecting and what it considers to be its crown jewels. Ask about budgets and time frames and goals. You need to establish if the company is just ticking a box or whether it deeply cares about security.” But, importantly, added Zimmer, “Protect customer data, because it’s the right thing to do.”

Next up, he advised, “find out what laws you have to comply with and establish policies and frameworks in line with these.” His advice is to “outsource as much of the compliance stuff as you can.”

The session was summarized with these visual notes, by Kingman Ink

Finding out what level of risk the business is comfortable with should also be at the top of a security leader’s agenda, Zimmer said. “Find out where your data is and where it is going and turn on whitelisting from the beginning. Take an inventory of your applications and integrations and create a basic risk spreadsheet.” Further, he advised digesting and using threat report data.
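The inventory and risk spreadsheet Zimmer recommends can be produced mechanically once the inventory exists. The script below is an added example and is not code from the talk or from Humu; the inventory rows, the data-class impact weights and the likelihood rules are constructed assumptions chosen to be explainable to a non-security stakeholder. It reads an inventory CSV (application, owner, data classes, exposure, SSO coverage, last review), scores each entry as impact times likelihood, flags control gaps such as a missing owner, and emits a register sorted so the crown jewels with the weakest controls come first.

```python
import csv
import io

# Constructed sample inventory (not from the talk): one row per application
# or integration, with fields a first security hire can usually collect by
# asking department heads. Empty cells mean "nobody knew".
SAMPLE_INVENTORY = """\
name,owner,data_classes,internet_facing,sso,last_reviewed
CRM,sales,customer_pii;contracts,yes,yes,2023-11
Payroll SaaS,finance,employee_pii;financial,yes,no,
Internal wiki,engineering,internal,no,yes,2024-01
Analytics pipeline,,customer_pii,no,no,
Marketing newsletter,marketing,email_addresses,yes,yes,2023-06
"""

# Assumed impact weights per data class (1-5): the "crown jewels" score highest.
IMPACT = {
    "customer_pii": 5, "financial": 5, "employee_pii": 4,
    "contracts": 3, "email_addresses": 2, "internal": 1,
}

FIELDS = ["name", "owner", "impact", "likelihood", "risk", "gaps"]


def impact_score(data_classes):
    # The most sensitive data class on a system decides its impact, because a
    # compromise of the system exposes everything it holds.
    classes = [c.strip() for c in data_classes.split(";") if c.strip()]
    return max((IMPACT.get(c, 1) for c in classes), default=1)


def likelihood_score(row):
    # Deliberately crude, explainable likelihood (1-5): exposure to the
    # internet counts most, then missing SSO, then never having been reviewed.
    score = 1
    if row["internet_facing"].lower() == "yes":
        score += 2
    if row["sso"].lower() != "yes":
        score += 1
    if not row["last_reviewed"]:
        score += 1
    return score


def gaps(row):
    # Control gaps worth a conversation with the owning team.
    findings = []
    if not row["owner"]:
        findings.append("no owner")
    if row["sso"].lower() != "yes":
        findings.append("no SSO")
    if not row["last_reviewed"]:
        findings.append("never reviewed")
    return findings


def build_risk_register(inventory_csv):
    """Turn an inventory CSV into a list of register rows, highest risk first."""
    register = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        imp = impact_score(row["data_classes"])
        lik = likelihood_score(row)
        register.append({
            "name": row["name"],
            "owner": row["owner"] or "UNASSIGNED",
            "impact": imp,
            "likelihood": lik,
            "risk": imp * lik,
            "gaps": "; ".join(gaps(row)) or "-",
        })
    # Highest risk first; ties broken by name so the output is stable.
    register.sort(key=lambda r: (-r["risk"], r["name"]))
    return register


def to_csv(register):
    """Render the register as CSV, ready to paste into the risk spreadsheet."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(register)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(build_risk_register(SAMPLE_INVENTORY)))
```

With the sample inventory, the unreviewed payroll system with no SSO lands at the top and the ownerless analytics pipeline outranks the well-controlled CRM even though both hold customer PII, which is the point of the exercise: the spreadsheet turns "where is our data" into a ranked list of conversations to have.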

Zimmer is a big proponent of simplification. That includes language. “Speak English, not techie,” he said. “Technical language alienates people, and they won’t want to talk to you again, so always tailor your level of techie to your audience. Be friendly, say hello to people, increase your visibility in the business, and collaborate with different departments.”

Zimmer believes it’s a security leader’s job to set the culture, not just the technology. “Set principles of transparency and tell people what you’re doing, assure them and build a rapport with staff.” Giving employees tools and the education to use them makes staff self-reliant, he said, which is good because “you can’t possibly be involved in every single security decision.”

People hate hearing no, said Zimmer, so “don’t hold up business unless it’s critical. Always assume good intent, people are just trying to get their job done, and that will make you wanted, not feared.”

Create a positive security culture by avoiding complex policies and procedures, he advised. Security training too, he added, should not be complicated. “Don’t over-communicate, because people will ignore it after a while.” Zimmer shared examples of awareness campaigns he used in his last role at Netflix, using humor and cute animal photos to attract attention. “The head of legal loved the hedgehog poster,” he recalled. “Security is a dry topic, so be creative and make it fun.”

Finally, he gave a nod to physical security. “Who else will do it?” he said, suggesting this may fall into the security leader’s remit for the first year or two. “Consider authentication, access control, and monitoring,” he concluded.