
Reimagining Cyber Podcast: Aligning Cybersecurity with Startup Business Goals


They say you have to parent each child differently, and approaching a new role or company is no different, particularly in the cybersecurity industry. Joining an enterprise organization or start-up requires a nuanced approach. On this week’s episode of Reimagining Cyber, “Aligning cybersecurity with startup business goals,” guest Ty Sbano, CISO for Vercel, shares his unique perspective on running the security business in the start-up space, from how to approach the interview process, to how to gain trust early, to how to remain focused on the right priorities.

Reimagining Cyber - Episode #37 - Ty Sbano

Do Your Due Diligence

Out of the gate, Sbano recommends asking a lot of questions during the interview process to understand if you’re starting net new, with a team of 300, or picking up the pieces of a predecessor.

“I think you have to start during the interview process to ascertain, ‘What am I actually going to do?’,” Sbano says.

“The best CISOs out there start building their plan before they even get there for their first day, which is something I highly recommend.”

Having a straightforward and upfront conversation during your interview to understand the current state, gaps, and desired state allows you to be better prepared for day one. Building your security plan before day one gives you a leg up, so you know where the pitfalls are and where to focus your time.

Jack Be Nimble, Jack Be Quick

On Day #1, Sbano recommends understanding the lay of the land, like what the security controls are and why you were brought there in the first place. The start-up space is often fast-paced and requires nimbleness and “failing fast”.

“But in reality,” Sbano says, “Your first act matters so much to building or destroying the confidence of what you're going to do there.”

Sbano reiterates the importance of having a plan: while being agile is essential, having a flexible plan that allows for necessary changes is also important.

Understanding the Lay of the Land

Next, Sbano recommends understanding who the key changemakers, champions, and constituents are. Or will you be an army of one in an ivory tower?

“I'll be honest, in startup land…that does not work. You need to be integrated, you need to find the forums, you need to be invited to the forums, you need to be kept invited to the forums…you can't be kicked out,” he warns.

He also recommends having conversations about why security is or is not working. By understanding what’s wrong, you can find gaps and request to be invited to meetings where you can better integrate into problems and processes.

Also, Sbano suggests meeting with executives and tying security processes to business outcomes. One example is building on sales enablement so that security questionnaires can be filled out faster, increasing the number of deals that can close.

Focus On What’s Important

Communication is key. Confirming the correct priorities and that everyone is moving in the same direction is critical. Sometimes, knowing where to focus and what things to tackle out of the gate can be overwhelming. By confirming with everyone that you are going in the right direction, you can make sure everyone is on the same page and driving towards the same goals.

While focusing on data is essential, Sbano recommends also focusing on value.

“When you're in startup land, or you're starting a security program, if you start with metrics, I think they can be inspirational, but you're going to lose your audience because you're typically in a fast-moving shop that wants to realize value,” he says.

Where do you start to focus in a new role? Have you tried any of these tips? Share in the comments below.

You can find the latest episode of Reimagining Cyber on Apple, Soundcloud, Google, Stitcher, and Spotify. Give it a listen, and let me know what you think.


CyberRes is a Micro Focus line of business focused on helping companies protect, detect, and evolve their security framework and helping organizations become more cyber resilient. To learn more, visit CyberRes.com.