
You’ve raised your Series A, maybe your B. Customers are asking about your security practices. Your compliance checklist is getting longer. Someone on the board mentioned you should “probably have a security person.”
So you post a job listing, and now you’re drowning in resumes from people with certifications you don’t understand, claiming expertise in threats you’ve never heard of. Half of them want $400K, half of them seem suspiciously cheap. All of them sound confident.
I’ve helped startups hire their first security people for years. Here’s what actually works.
Every hiring guide tells you to debate whether you need a generalist or a specialist. A “T-shaped” person, maybe, with broad knowledge and one deep specialty.
This framing misses the real question: what do you need done in the next 12-18 months?
For most Series A/B startups, that list looks something like:
None of this requires a former NSA operator. None of it requires a PhD in cryptography. It requires someone who can work cross-functionally, prioritize ruthlessly, and get things done in a resource-constrained environment.
Call that a generalist if you want. I call it a startup security practitioner, and they’re a specific type—not just “someone who knows a bit of everything.”
Forget the certification alphabet soup. Here’s what predicts success in a first security hire:
Evidence of building, not just assessing. Consultants find problems. Your first security hire needs to fix them. Look for people who’ve implemented controls, built programs, shipped security features—not just told other people what to do.
Ask: “Tell me about a security control you personally implemented end-to-end.” If they can’t give specifics, they’ve been on the recommending side, not the doing side.
Comfort with ambiguity and incomplete information. Startups don’t have complete asset inventories. Priorities shift weekly. Your security person will operate with partial visibility constantly. Candidates from highly structured environments (big enterprises, certain government roles) often struggle with this.
Ask: “Describe a time you had to make a security decision without enough information.” You want to hear about calculated risk-taking, not paralysis.
Ability to communicate with non-security people. Your first security hire will spend half their time explaining things to engineers, executives, and customers. If they can only speak in jargon and threat-actor names, they’ll be ineffective.
Have them explain a security concept to someone in your interview loop who isn’t technical. Watch how they calibrate.
Pragmatism over purity. The “perfect security” people will drive you insane. They’ll block product launches, demand unrealistic budgets, and fight every trade-off. Your first hire needs to understand that some risk is acceptable and their job is managing risk, not eliminating it.
Ask: “What security risk have you accepted, and why?” If they struggle to answer, they haven’t operated in resource-constrained environments.
Some résumé signals look stronger than they are. Long tenure at a major tech company sounds great, right? Often it isn’t. Security at Google or Meta is deeply specialized: their “endpoint security engineer” may have worked on one tool, deeply, on a team of twenty people managing that tool. They’ve never had to be the whole security team.
This experience isn’t bad, but verify they can operate broadly. Many can’t.
Impressive certifications. CISSPs, CISMs, and similar certs mean someone can pass a test. Some of the best security people I know have no certifications. Some of the worst have a dozen.
Certifications matter for compliance roles (auditors want to see them) and for candidates without other credentials. For experienced practitioners, they’re background noise.
Prior CISO title. “CISO” means wildly different things. At a 50-person company, the CISO might have been a solo practitioner doing real work. At a 500-person company, they might have managed a team but not touched keyboards in years. At a 5,000-person company, they might have been purely political.
Dig into what they actually did. Titles deceive.
Security vendor experience. This goes both ways. Vendor experience teaches you how security products work and what customers care about—useful. It can also create a tool-centric worldview where every problem needs a product solution.
Ask about problems they solved without buying something.
Then there are the outright red flags. Can’t explain their work simply: if every answer involves jargon and you leave more confused than you started, this person can’t communicate with your team either.
Dismissive of compliance. Yes, compliance isn’t security. Any experienced practitioner knows this. But if they roll their eyes at SOC 2 or call compliance “checkbox exercises,” they’ll fight you on the work that customers require. Pragmatic security people do the compliance work while also doing real security.
No evidence of shipping anything. “I advised on…” “I recommended that…” “I developed a strategy for…” Strategy is free. Execution matters. What actually got implemented?
Combative in interviews. Some security people cultivate an adversarial persona—it’s the job, right? In practice, combative people create friction with engineering teams, alienate stakeholders, and burn out. You need someone who can push back without making enemies.
Overconfidence about their ability to secure everything. Security is a probabilistic game. Anyone guaranteeing security either doesn’t understand the field or is lying. Look for confidence paired with humility about limitations.
Maybe you’re not ready for a full-time hire. Honest assessment:
Consider fractional/consulting if:
Hire full-time if:
The hybrid approach works well for many startups: a fractional advisor or vCISO who provides strategic guidance, paired with a more junior full-time person who executes daily work. The advisor helps the junior person grow, and you get both strategic thinking and execution capacity.
Compensation varies wildly by location and company stage, but here are rough anchors for 2024:
First security hire (individual contributor, generalist): $150-220K total comp in major tech markets. Lower in other regions. Remote roles trend toward the middle of this range.
Security lead/manager (still hands-on): $180-280K total comp. These folks can do the work themselves and eventually build a team.
Fractional CISO: $200-350/hour, typically 10-40 hours/month engagement.
Below-market offers attract below-market candidates. Security talent is scarce, and your first hire sets the tone for everything that follows.
Equity can offset lower cash, but be honest about the trade-off. Some candidates prioritize cash; others bet on upside. Know your company’s risk profile and find someone whose preferences align.
An interview loop that works:
Screen (30 min): Culture fit, communication ability, basic background verification. Have a non-security person do this if possible—can they explain themselves to a generalist?
Technical deep-dive (60 min): Walk through their past work in detail. Ask them to explain one security project comprehensively: what was the problem, what did they do, what decisions did they make, what was the outcome? Go deep on specifics. Practitioners can handle depth; pretenders fall apart.
Practical exercise (take-home or live, 60-90 min): Give them a realistic scenario: “here’s our architecture, here’s our compliance requirement, build a 90-day plan” or “here’s a security questionnaire, how would you respond?” Assess their prioritization and communication, not whether they produce the answer you had in mind.
Stakeholder interviews (30 min each): Have them talk to your CTO, a senior engineer, and someone from the business side. Assess whether they can calibrate to different audiences.
Founder/exec conversation (30 min): This is about fit, values, and whether you can imagine working with this person through stressful situations.
Set your first hire up for success by being clear about expectations:
Days 1-30: Learn the environment. Inventory assets, understand the tech stack, meet stakeholders, identify what’s already broken. No major changes yet.
Days 31-60: Quick wins. Fix the obvious gaps that don’t require cross-team coordination. Document current state. Build relationships with engineering.
Days 61-90: Strategic planning. Based on what they’ve learned, what’s the 12-month roadmap? What’s the proposed budget? What will they need from the rest of the organization?
If you expect them to “just figure it out” without context, support, or authority to make changes, you’ve set them up to fail.
You’re not hiring someone to make security their problem instead of yours.
Your first security hire will fail if leadership treats security as delegated and done. They need executive support for hard decisions, budget for necessary tools, engineering cooperation for implementation, and the authority to say no when something is genuinely risky.
If you’re not willing to provide those things, you’re not ready for a security hire. You’re looking for a scapegoat.
Hire someone good, give them what they need, and get out of their way. That’s the formula.