At any high-growth start-up or entrepreneurial company, many focus areas for the business are in motion at the same time, and all of them are growing rapidly. People are moving fast; there is too much to do and not enough time to do it. In these situations security plays a unique role: everyone now knows it is important, no one is exactly sure what it is, and senior leadership is telling everyone that it needs to get done because customers want it. If this is you, here are some tips.
Tip #1 Define Security
Security is nebulous and is defined in the eye of the beholder. That is not a good thing, and it should be the first problem corrected in early security program development. The best way to define security in any business is to establish a solid suite of security policies, standards, and associated security processes. Custom policies are better than ones copied from the last company you worked for; however, believe it or not, even reused policies are better than none at all. Any documentation suite gives you a benchmark for comparison, which makes it possible to have concrete conversations about what your current environment is and what it should be.
Tip #2 Establish Security Accountability
There are two key aspects to security accountability at a high-growth start-up:
Measure Current State
Someone should be assigned responsibility for security for the organization. This can be any person in the business, but the assignment should be defined in writing in a security program charter. This role has one key objective: building a list of the gaps between what security should be in your environment (as defined in your security policies) and what it actually is. This should be a single, centralized list of all gaps, each with a reasonable estimate of what it will take to close it. If the person responsible for security is not able to perform this assessment themselves, they should schedule a meeting with senior leadership or the board and ask for the funds to have it performed. If they cannot get that meeting, or cannot get the funds, then, if it were me, I would either not take the security responsibility or, if that is not an option, quit.
Push Accountability Up
Once the measurement has been performed and the required remediation has been identified with scope, schedule, and budget, this information should be presented to the board of the organization so they can make an active decision on what to fix. If they want to fix everything, great. If they do not want to fix anything, that is also fine, because the accountability for the program now sits with the highest levels of the business, exactly where it should be. If they do not want to fix anything, the next tip becomes very important to business success.
Tip #3 Start the “Why” and “What” Campaign
Now that you have defined security, you need to explain to the business what it means for your organization and why it is important. This is best done early in your program effort with enterprise-wide security fundamentals training that is mandatory for all employees. If you received funding for active remediation from tip 2, this training should cover what changes are coming and why they matter. If you did not get funding, then you need to explain why active change is still needed and recruit more advocates for your cause. If your "why" makes sense, you will get people on your side; just be patient and keep articulating your message.
Tip #4 Establish a Communication System for Security
Since security touches all aspects of the business, you need a repeatable way to communicate security information across the whole business, both horizontally across teams and vertically from the board down. For the vertical aspect, I would create a regular meeting with senior leadership at least every two weeks, in a format that gives them enough information to make active decisions. For the business as a whole, I would create a regular security awareness program, so people know who the security program is and how to reach it.
Tip #5 Fake it while you make it
All the tips above are about building a foundation for your security effort, which will improve security at your organization over time. That is critical, but there are also quick wins, such as using TLS (what most people still call SSL) on customer login pages, that can be done quickly and will considerably improve how your organization is perceived from a security perspective. One caveat on that particular quick win: protecting only the login page is not enough. If the session cookie issued after login is sent back over plain HTTP, an attacker on the network can still capture it and take over the session, so the whole authenticated session should be served over TLS and the session cookie marked Secure.
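To make the "TLS on the login page" quick win checkable rather than a matter of perception, here is a small audit script. It is an added example, not code from the original post or from the author's company, and it inspects captured HTTP responses rather than hitting a live site; the sample responses, the host `example.test`, and the `session` cookie name are constructed for illustration. It reports the gaps a practitioner would want closed beyond merely enabling TLS: a plain-HTTP login page that does not redirect to HTTPS, a missing or disabled Strict-Transport-Security (HSTS) header, and a session cookie set without the Secure and HttpOnly flags.

```python
"""Audit captured login-page responses for the TLS quick win.

Added example (not the original post's code). All responses below are
constructed samples; in practice you would capture them with a proxy or
an HTTP client and feed them to audit_login_response().
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Response:
    url: str
    status: int
    headers: list = field(default_factory=list)  # list of (name, value)

    def get(self, name):
        """Return all values of a header, case-insensitively."""
        return [v for k, v in self.headers if k.lower() == name.lower()]


def cookie_flags(set_cookie):
    """Lower-cased attribute names present on a Set-Cookie value."""
    attrs = [p.strip() for p in set_cookie.split(";")[1:]]
    return {a.split("=", 1)[0].lower() for a in attrs if a}


def hsts_max_age(value):
    """Parse max-age from an HSTS header value; None if absent or malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def audit_login_response(resp):
    """Return a list of findings ('gap: ...' or 'ok: ...') for one response."""
    findings = []
    if urlparse(resp.url).scheme == "http":
        location = resp.get("Location")
        redirected = (resp.status in (301, 302, 307, 308)
                      and location and location[0].startswith("https://"))
        if redirected:
            findings.append("ok: http login page redirects to https")
        else:
            findings.append("gap: login page served over plain http")
        return findings  # nothing else to check on a non-TLS response

    hsts = resp.get("Strict-Transport-Security")
    if not hsts:
        findings.append("gap: no Strict-Transport-Security header")
    elif not hsts_max_age(hsts[0]):
        findings.append("gap: HSTS max-age missing or zero, policy disabled")

    for sc in resp.get("Set-Cookie"):
        name = sc.split("=", 1)[0].strip()
        flags = cookie_flags(sc)
        if "secure" not in flags:
            findings.append(f"gap: cookie {name} lacks Secure")
        if "httponly" not in flags:
            findings.append(f"gap: cookie {name} lacks HttpOnly")
    return findings


# Constructed sample responses for a hypothetical login page.
SAMPLE_RESPONSES = {
    "plain_http": Response("http://example.test/login", 200,
                           [("Content-Type", "text/html")]),
    "redirect": Response("http://example.test/login", 301,
                         [("Location", "https://example.test/login")]),
    "tls_no_hsts": Response("https://example.test/login", 200,
                            [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]),
    "hardened": Response("https://example.test/login", 200,
                         [("Strict-Transport-Security",
                           "max-age=31536000; includeSubDomains"),
                          ("Set-Cookie",
                           "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")]),
}


def audit_all(samples=SAMPLE_RESPONSES):
    """Audit every sample and return {name: findings}."""
    return {name: audit_login_response(r) for name, r in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {findings or ['ok']}")
```

The point of the four samples is the middle one: `tls_no_hsts` is exactly the "we put SSL on the login page" state, and the audit still reports two gaps, because without HSTS a user who types the bare hostname first lands on HTTP, and without the Secure flag the session cookie will be sent over that HTTP connection.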
In conclusion, you can do all these items for your business on your own, or feel free to reach out to us. We specialize in implementing these five tips in high-growth entrepreneurial companies. Until next time…