investors Archives - Zenaciti
https://zenaciti.com/tag/investors/
Zenaciti generates actionable intelligence for leaders and investors on sales, go-to-market strategy, and cybersecurity
Fri, 29 May 2026 23:17:02 +0000

Do Startups Need Rockstars?
https://zenaciti.com/do-startups-need-rockstars/
Mon, 04 Sep 2023 19:46:14 +0000

In the early startup stage, rockstar employees can create more trouble than they solve.

I was meeting with a fellow founder recently. He was recruiting for a role in his company. A VC advised him to find a rockstar employee who could “move the needle.”

Rockstars are those hotshot employees that founders and investors crave. They are the unicorn CRO, CMO, or Product Managers that promise big ideas, big connections, and big sales to the company.

“Do I need to hire rockstars at this point?” pondered my founder friend.

“Fuck no!” I exclaimed with usual tact. “They are way more trouble than they are ever worth,” I continued. This kicked off a lively discussion (with fewer f-bombs.)

Rockstars are distractions. They feed egos, not growth. What startups need are experts.

Rockstars vs. Experts

When you are in that tenuous early phase of a startup, you need people who are agile, creative, and can execute effectively against less-than-ideal plans. You want experience. However, many of the people who sell themselves as experienced startup rockstars are merely frauds cashing in on a single success years (or decades) ago.

What startups need are experts who have experience sans the attitude.

How do you differentiate rockstars from experts?

  • Rockstars are always telling stories about their amazing accomplishments of the past as a method to impress you. Conversely, experts use the past as an example of when they learned something.
  • Rockstars routinely drop names of all the big shots they know. They will become especially name-droppy when under stress. Experts are more interested in ideas and goals than personalities.
  • Rockstars show minimal interest in the company’s plans or vision. Experts want to discuss the plans and goals all the time. They want to make sure they are meeting expectations.
  • Rockstars demand a big compensation package and a lofty title. Experts want fair pay and a reasonable title that reflects their role, duties, and authority.
  • Rockstars believe they are exempt from the company’s hiring practices, policies, or procedures. They expect “short cuts” on the way to getting an offer. Experts may not like all the procedures, but respect them as a necessary part of running a business.
  • Rockstars tell you they know everything and have “been there done that.” Experts are quick to tell you what they do not know and want to learn.
  • Rockstars ignore the founder when it suits them. Experts challenge the founder when it makes sense.
  • Rockstars are overqualified. Experts are slightly underqualified.

Rockstars are not necessarily arrogant, self-absorbed jerks. They are usually quite personable and likable. They are, after all, selling you on themselves. It is difficult to do that if you are unlikable. Likewise, experts are not all humble, self-aware monks. They often have coarse personalities. The difference is how these two candidates approach their role. Rockstars coast on their previous success; experts want to build new success.

Rockstars Feed the Ego

Why are startups so enamored with rockstars?

When a startup is in its early stages, it is desperate for credibility. This is especially true in the early funding rounds. The founder(s) and investor(s) want to validate that the company, its products, and its market are all viable. They are desperate to get the company on the map and make a name for themselves (so they can all exit with big paydays.)

The responsible way to do this is to focus on building a great product, creating loyal customers, and cultivating valued partners. Those are all “heads-down” activities that take time. They are not sexy. They are the nuts-and-bolts grind of every day.

Rockstars promise a shortcut. They are the Billy McFarlands of the startup world. They make promises of great successes using their huge network and vast experiences, in exchange for a giant comp package. Foolish founders and weak investors fall for this, as they are desperate to validate the business. As such, the rockstars feed the egos and make everybody feel important.

Of course, the same thing always happens. These rockstars waste time and money, dancing and waving their hands, constantly telling everybody what geniuses they are. Eventually the walls close in and they jump ship to the next startup desperate for credibility.

People do not magically give a company credibility. Those people must be able to execute the company’s mission. If they cannot do that, then it does not matter who they know or what successes they had in the past.

What About All Those Startup Rockstars?

They did not start as rockstars. The people who become real rockstars started out as experts. They applied themselves, stuck to a vision, and generated success iteratively. Also, most rockstars had tremendous help on their path to fame. You do not build the next ChatGPT alone in your garage. It takes the contributions of numerous people, united around a set of common goals.

Think Past Your Ego

The rockstar issue is one of the many issues you will face as a founder where you must think past your own ego. The ego-centric thing to do is to hire rockstars, as they will make you feel good about your company. The intelligent thing to do is to hire people who will challenge you and bring creativity to the company. These people may not always make you feel comfortable, but they are much more likely to execute against the company’s vision and mission.

The Imperative Role of Cybersecurity Experts on Company Boards
https://zenaciti.com/the-imperative-role-of-cybersecurity-experts-on-company-boards/
Wed, 05 Jul 2023 19:17:22 +0000

Placing a cybersecurity advisor on a corporate board of directors ensures trust and truth guide governance.

As organizations become more dependent on cloud technologies with complex security challenges, it is crucial for businesses to prioritize cybersecurity at the highest levels of decision-making. That means having security expertise at the corporate board level.

There are numerous articles out there which discuss this issue. Here is a small sample:

Many companies have elevated their CISO (or CIO) to report to the board.  This can provide the board with regular insight into the security posture of the company. While the CISO and board both share a governance responsibility, that governance differs in some important ways.

Some of the challenges of having a CISO report to the board include:

  • Communication barriers. Board members seldom possess security expertise. They are unlikely to engage the CISO in a meaningful conversation about vulnerabilities, risk management, or compliance.  This communication gap makes it difficult for the board to effectively hold the management team accountable.  It also makes it difficult for the CISO to effectively inform the board on complex security issues.
  • Divergent focus. Boards are strategically focused while CISOs must remain operationally focused.  This creates a natural divergence between these two groups, which can further exacerbate miscommunications, misunderstandings, and missed opportunities.
  • Reputation bias. Employees of the company, such as the CISO, have a vested interest in protecting their reputation. They will overemphasize their accomplishments while downplaying their failures. Do you really think a CISO will come to a board meeting and report that security is a mess and he is failing to do his job? Probably not.
  • Lack of context. Security is dynamic and volatile.  To build an effective strategy, a board must look beyond the company into broader industry and threat landscape trends.  A CISO working at a single company will struggle to bring such perspective to the board.
  • Stress. Increasingly, boards are making demands of CISOs they are unable to fulfill.  This is causing a dramatic rise in CISOs resigning to find less stressful environments.

The answer to these and other challenges is to appoint an independent cybersecurity expert to the board as an observer.  This person can serve as a liaison between the CISO and the board.

Let’s assess how an independent expert can benefit the board.

1. A Strategic Approach to Cybersecurity

Cybersecurity cuts across multiple dimensions of a company. It is both a technical operational challenge and a strategic issue.

Including a cybersecurity expert on the board ensures security concepts are integrated into the strategic planning process.  When an executive is championing a new product or feature, the board advisor can weigh in on the potential security implications.

For example, right now many startup CEOs are fascinated with AI. They all saw the meteoric rise of ChatGPT and want to get a piece of the action. The problem is that AI opens the door to numerous security challenges. Any strategic plan must address issues such as data governance, sanitization, and provenance. Without a clear understanding of these security implications, the board may greenlight a project while also greenlighting a massive data breach.

A security expert on the board can provide context for these issues.  Mostly, they can ask the executive team tough questions about these plans and hold them accountable.  This is a good segue to the next item on this list.

2. Accountability and Independence

Company boards are responsible for overseeing governance of the entire company, not merely sales or finance.  This means oversight of cybersecurity, risk management, and compliance as well.  Unfortunately, board members (such as investors) are seldom skilled at these concepts.  As such, they are highly susceptible to being misled into complacency.

Independent advisors can ask tough questions that a CISO or CIO may be reluctant to ask.  Moreover, an advisor is more likely to point out flimsy excuses.  In my experience, when technical people are struggling to deliver results, they routinely resort to avoiding scrutiny or blaming others for their problems.  An independent advisor can identify these and hold the team accountable.

Independent advisors have greater freedom to uncover truth, thereby allowing the board to hold the team accountable.

3. Wading Through Compliance

If you have ever spent time doing security compliance work, then you know how profoundly difficult it can be.  Compliance is an impediment to progress.  It is expensive, time consuming, and fraught with misinformation.  It is also absolutely necessary.  Failing to meet regulatory requirements can severely restrict a company’s opportunities as well as expose them to fines.

Most boards wave off compliance as an irritant.  They task the CISO with the job without an appreciation for how difficult that job can be.  Moreover, the pedantic nuances of compliance create an impenetrable communication barrier, which both employees and auditors can exploit to avoid accountability.

An independent advisor breaks down these barriers.  They can interact directly with auditors and employees to ensure compliance initiatives remain on track and do not squander company resources.

4. Strengthened Incident Response

When a serious security incident happens, the entire organization as well as partners, vendors, and customers will be looking to the executive team for leadership.  Invariably, those parties are going to want to know the board’s involvement.

A security advisor to the board can play a crucial role before, during, and after an incident. Before an incident, the advisor can ensure resilience planning and automation are being integrated into every business function. During an incident, the advisor can liaise with executives, authorities, and the public to present a united front among the leadership team and the board. After an incident, an advisor can facilitate a “blameless postmortem” process to ensure the company does not repeat the errors or oversights of the past.

Lastly, advisors can provide valuable contextual guidance with emerging resilience technologies.  For example, one such solution is Moving Target Defense (MTD), which can dramatically improve operational resilience to attack.  However, MTD is still a nascent technology.  An advisor can provide the board and executives with valuable insights from other companies on the capabilities of these new technologies.

5. Building Trust

After years of leading a security company, I discovered a simple truth about security sales: credibility creates trust.  If you want to build trust with security practitioners, you must demonstrate you understand their profession.  A nerdy conversation about PKI or Palo Alto Networks reassures a practitioner you understand them.  When people trust you, they tell you the truth.  Such as how vulnerable the company is to attack.

A board member who calls the CISO to discuss security will only spark panic. Both their position on the board and their lack of experience foster a credibility gap with the CISO. This leads to clumsy conversations that fail to uncover the truth.

Independent advisors with a background in security can credibly interact with the organization’s technical team.  They can gather useful insights and report these back to the board.  When organizations deal in truth and trust, they can address problems more effectively and accelerate strategic plans.

What to Look for In an Advisor

If you are ready to appoint an advisor to the board, there are five key skills you should seek.

  1. Executive Experience. The person must have experience as a C-level executive in the past, preferably as a CISO, CIO, or even a CEO.
  2. Hands-on Security Knowledge. The advisor must possess operational security expertise.  They must be able to engage technical people in credible conversations based on their experiences.
  3. Listener. The ideal advisor listens first and then provides meaningful, relevant feedback.  Do not hire a pontificator who masks their insecurities and inexperience with bravado and blather.
  4. Communicator. The advisor must be comfortable and articulate in front of an audience, especially investors.
  5. Network. Good advisors have a network of fellow security professionals whom they can turn to for insights that fall outside their expertise.  Moreover, they can call upon that network for recommendations for vendors or auditors.

Conclusion

There are numerous benefits to appointing a security advisor as a board observer.  Moreover, there are ample professionals who can fill this role.

Obviously, Zenaciti offers these services, so we are biased toward the value of such advisors. However, I have watched numerous startups flounder as they ignore the security landscape, sinking deeper and deeper into delusions of “we got that covered.” Do not allow your company to be run on the whims of hand-waving and hope. Put a security expert on your board and run the company based on truth and trust.
