[Kalium]

This reads like your standard issue security-team-in-a-box JD. You might find the T-shaped candidate of your dreams, but anyone capable of delivering the combination of cloud admin/netadmin/IT/SOC II/HIPAA/software arch/devops is going to know they're a substitute for a team. They'll expect to be paid significantly above what you're offering because they're going to be doing the job of a director and a team of six on an engineer's authority. This doesn't even touch on policy or IR, but they'll inevitably wind up in there too.

Speaking as a security professional who is the T-shaped person you want, this JD is bad news. It reads less as the expression of a hopeful young company and more of a giant red flag warning that this company does not understand security or take it seriously enough. You may want to rethink it if you wish your company to have a reputation as taking the security of your customers' data seriously.

The advice to consider a consultancy is sound and well worth careful consideration.

[jiveturkey]

I'm gonna go ahead and disagree.

This is an early stage startup, and they are very clear in describing that. I also like the clarity in their business model. And the conciseness. In 2 sentences they've told me everything I need to know. The founding team is also exceptionally on point. What I read into all this is that they are good to great at execution, at communication, and very well versed in the problem space. There aren't all that many medical doctor, strong compsci, startup founders.

The money on offer is very much on par with this kind of position at this size of company. I have to believe that the equity will also be respectable. Surely, they will find out soon enough.

I also think it's admirable that a company of this size isn't just winging it with security. I don't work in the space, but having been adjacent I can tell you that even in the healthcare startup space, few are treating security properly. (Hence the HIPAA in a box startups! Some occasionally advertised here on HN. I see far more ads for such startups than actual medical data processors hiring for security internally.)

I very much understand where the cynical take is coming from, but I think it's unfair. Security should be a core competency of such a company and they are trying to make it so. That's to be applauded not scorned.

[Kalium]

I have a dear friend who was the T-shaped person responsible for security at a early stage health care startup with medical doctor founders. This friend ranked as a VP (required for the kind of tooling spend needed and authority required internally) and got a chunk of equity measured in multiple whole percentage points. Their story is an excellent illustration of what a company making security one of their early core competencies looks like.

This company is possessed of the rare and wonderful opportunity to take feedback to heart and show that they do indeed understand the importance of security. They can do that by doing something different from the security-team-in-one-person JDs that we security specialists see a dozen times a month. They all want netadmin, cloud admin, compliance, policy, governance, patching, software architecture, and IR in a single engineer's role, authority, and paycheck. Fortunately, a company with four years of runway can afford to take a better approach!

Thank you for bringing optimism and hope to HN. It's often in short supply. That's to be applauded.

[jiveturkey]

I agree with you 100% that the position as advertised is critically under-leveled. `Senior` amounts to a joke posting. But it's just an ad, like a car for-sale ad. The candidate that can fill this role properly will negotiate upwards. Far upwards.

The 4 years runway feels like a lie to me. Certainly they mean, if we don't grow and don't hire. Startups should be running out of money as fast as they can, not slowly eroding. I am not faulting them for that statement though. It is what it is. A well versed candidate will understand that.

I do believe that a single person can fill the role, at this stage of a company. That person is obviously (?) going to outsource some of the work, not handle it directly. Their job is to see that the task is done, not necessarily to do it.

Did your friend's startup did make it to an exit? Or to the next round of financing even?

[ilc]

Yeah, but why deal with anchoring in the negotiation.

If you got the level of skills this position wants... you'll have plenty of places to go.

[jiveturkey]

I will add this, unrelated to security:

> making healthcare costs lower

That's a laugh. Any cost cutting in billing function will absolutely not translate to lower patient costs. It's highly attractive for hospital and group provider profits of course!