Hackers of India

One Person Army – Playbook on how to be the first Security Engineer at a company

 Kashish Mittal 

2019/09/13


Presentation Material

Abstract

How often have you heard that ‘Early stage startups don’t care much about Security because if there is no product, there is nothing to secure?’ Although there is merit in the argument that startups need to build product so as to sustain and grow, it often puts the person in charge of securing them in a tricky position. For most startups, this person is the first Security Engineer, who can be somewhere between the 10th and 300th employee. By the time the first Security Engineer is on-boarded, the attack surface has usually become quite large and he or she faces an uphill battle to go about securing the organization. In such cases, the Security Engineer needs to perform as a ‘one-man army’ keeping the attackers at bay. In this talk, I will present a playbook on how to perform as one.

In this presentation, I will talk about the Startup Security methodology which has served me very well in starting, building and growing Security teams at various startups. The focus and goals include :-

I will also recount war stories from experiences including mine from when I was the first AppSec Engineer at Duo Security (acquired by Cisco), was founding engineer at Elevate Security and started the Security team at MileIQ (acquired by Microsoft) and those of my colleagues who have been in similar shoes.