Cybersecurity, at its core, is about people. While it’s easy to get lost in the technicalities of securing a system, it’s important to remember that security matters because it protects the data of real people and their businesses. And just as people grow and mature over their lives, their businesses grow and mature, too. As an organization scales, it’s critical for its security and compliance program to mature at the same time.
If you’ve been following our blog series on security and compliance, part one explained why when security comes first, compliance follows, and part two discussed how to use security as a differentiator in a competitive market. In our third and final blog of the series, we’ll take a look at how security and compliance in the cloud shift as an organization scales.
When a security program matures, the practices that make up any security and compliance program become more complex and take the organization’s growth into account. For example, vulnerability scanning is a process that can be simple and affordable for a startup, but will involve much more complex processes for an enterprise. Let’s take a look at each stage of the business life cycle:
Many SaaS startups choose to put security and compliance on the back-burner because of a lack of time, personnel, or knowledge. This is a mistake—it’s much harder and more work to retrofit security down the line. It is the same concept as the technical debt many SaaS startups accrue in their own product. It’s also important for startups to define a role of accountability for information security, even if the person holds other roles in the company. By architecting your product and environment to be secure and ensuring someone within the company owns information security at this stage of your business, you’ll be set up for a successful security and compliance program in the future as your organization grows.
For a startup, it can be easy to get overwhelmed with compliance. There are many standards, regulations, and frameworks out there, making it difficult to know which ones to work with. In this situation, doing something rather than nothing is critical. For startups, this means taking a look at the baselines of different standards, choosing one standard to adhere to and comply with, and sticking to it. Instead of trying to comply with every standard or framework out there, a startup is more likely to succeed in complying with just one framework. For example, if you need something prescriptive for your technology stack, the CIS Benchmarks could be a great start to focus on. For a security program, ISO/IEC 27001 along with implementation guidance in ISO/IEC 27002 could be another starting point.
As for security processes, let’s take a look at the vulnerability scanning example. At this stage, partnering with another company or leveraging open source tooling to obtain a vulnerability scan of your system would be a step in the right direction. There are many options on the market that can give organizations at this stage a false sense of assurance, so choose the scan carefully; with that caveat, obtaining a reliable vulnerability scan is a simple and affordable way to, at the very least, gain visibility into your network vulnerabilities.
Remember that no one can do this alone. Startups, particularly those that lack specific security and compliance personnel, should reach out to partners who can understand their specific situation and provide insight into the best security and compliance practices for their organization.
For a small to medium-sized business (SMB), the security and compliance processes are not necessarily a whole lot different from those of the startup phase. At this stage, however, the business might have different stakeholders to communicate with. This means thinking more about who it is doing business with, which regulations it needs to comply with, and how to describe its practices in the language those external parties use. This is also the time to consider creating clear positions dedicated to security or establishing a security committee. For some businesses, it may make sense to hire a full-time CISO or a vCISO during this stage.
With the same vulnerability scanning example, an SMB will take things a step further from their startup days. After getting that initial vulnerability scan, they’ll look for improvement opportunities before the next scan. Perhaps they’ll get a vulnerability assessment, or partner with a penetration tester to get a better idea of their network security. These practices are still within the lens of vulnerability management, but the business is starting to step up their game—hitting the key elements of the process and moving forward to improve upon their findings.
At the enterprise level, security and compliance are a major component of the business. The enterprise has a well-oiled security team, a security-first mindset, and compliance officers who ensure it is meeting all regulatory requirements and communicating its security posture effectively.
At this stage, the vulnerability scanning process has continued to mature. In addition to everything done in the previous business stages, the enterprise may now conduct red team and blue team exercises, or take it a step further with a bug bounty program.
Netflix’s Chaos Monkey is one example of enterprise-level maturity with regard to overall system resiliency. The Chaos Monkey, designed and implemented in 2011, continuously “breaks things” in the Netflix system—allowing Netflix to identify current issues and prepare for potential failures ahead.
Many enterprises have the resources to build a powerful security program—and the most secure companies will know not to stop there. A culture of continuous improvement is important, even at this stage.
No matter what stage your business is in, contact us today for more information on security and compliance.