Date: 2020-02-25

At BSides San Francisco, Bryan Zimmer, head of security at Humu, delivered a talk on how to create a security program and develop a security-centric culture as the organization’s first security hire.

“So you’re the first security hire,” began Zimmer. “You’re going to need social skills.” Zimmer advised that being humble and building relationships with key stakeholders, department heads, and various teams around the organization is critical to getting ahead as a security leader. “It’s not just about tech and tools,” he said. “It’s about security culture.”

Zimmer suggested that being approachable and thankful and parking the jargon will all contribute to your success as a communicator. “Collaborate, don’t dictate,” he said. Additionally, social skills will get you executive buy-in early, which is very important in terms of securing budget and making a name for yourself. “Identify the major stakeholders and engage one on one with them.

“Ask for feedback, have empathy, and always send the elevator back down,” continued Zimmer, explaining it means “using your power to help others below you. Find and hire minorities, invite graduates to industry events, offer career advice.”

Strategy

Zimmer noted that one of the most important things to establish when starting out in the role is the organization’s priorities and strategy. “Find out what matters most to the business, determine what needs protecting and what it considers to be its crown jewels. Ask about budgets and time frames and goals. You need to establish if the company is just ticking a box or whether it deeply cares about security.” But, importantly, added Zimmer, “Protect customer data, because it’s the right thing to do.”

Next up, he advised, “find out what laws you have to comply with and establish policies and frameworks in line with these.” His advice is to “outsource as much of the compliance stuff as you can.”