Scaling security for a growing business
Andrew Smeaton
Chief Information Security Officer @ Afiniti | CISSP, CISA, CISM, CRISC, CCISO, CGEIT
Security is not a project but a very dynamic, diverse, and continuous process. So, when businesses grow and expand, their security must evolve simultaneously.
Security leaders need business knowledge and an understanding of security processes, combined with the right strategy and a focus on business enablement. A competent security strategy separates successful organizations from those that will stagnate and stumble as they try to scale: the key differentiating factor is the ability to combine business acumen with an understanding of security processes and apply both to a strategy focused on business enablement. If organizations don't evolve with a focus on security as they grow, they will have a challenging time scaling successfully, enabling business opportunities to their full potential, or recovering from the possible effects of a cyberattack.
As businesses adopt new and emerging technologies to accelerate their growth, they inevitably create new avenues of business and cyber risk.
Cyber Risks
Let's state the obvious; it's been written a thousand times: the addition of smart home devices, the internet of things (IoT), wearable devices, tablets, stand-alone devices, various security products, etc., presents several challenges to the organization as it increases the digital footprint.
Moreover, due to the increasing complexity of IT systems, a lack of skilled resources, and budget constraints, it can be challenging to establish and maintain a sufficient level of security in the long run.
Additionally, a static security solution cannot provide an appropriate level of security. So, to fulfill growing security needs, organizations must build a scalable yet cyber-resilient security infrastructure.
Scalable security requires constant adaptation and redesign, but it does not entail high investments in security products and specialized security experts. Scalable security must include:
Cybersecurity management touches every aspect of business, from technical, infrastructural, and organizational, to personnel, making it an integral part of a business process. However, various factors need to be considered when thinking about scalable security.
Business Risks
Now, the CEO and every senior management team should pay attention. CISOs quite often walk into organizations faced with security debt and a culture that is far from security-focused. Security debt can be addressed with a skilled CISO and adequate resources; the security team will need additional resources for a period of time, or outsourced help, which can be expensive depending on how little investment the security team previously received. The culture change is an entirely different matter: the executive leadership team may never have been exposed to a mature security culture and may not realize the business value of security.
Quite often, in my experience, the member of the leadership team who genuinely understands the value of security and the competitive advantage it gives an organization is the chief revenue officer (CRO). Strategic CROs who understand the long-term benefit of security investment, and the enablement and competitive advantage it brings the business, can be the CISO's greatest ally in an organization. From a CISO's perspective, the partnership with the CRO can help educate the CEO and bring them into the light.
My advice to CEOs is to invest early in security and enable the business while reducing your risk. Alternatively, pay double later: stumble, scramble to catch up to competitors, and hope you don't have a breach! Bake security into your culture, don't bolt it on...
Management Support and Responsibility
Cybersecurity should be a top management priority.
The Board, CEO, and ELT (executive leadership team) are ultimately responsible for ensuring security and for practicing due care and due diligence. They make the decisions on how to handle risks. So, management needs to define the security objectives, create the prerequisites for implementation based on the business objectives, and ensure that information security management is integrated into organizational structures and processes.
Moreover, maintaining an appropriate security level requires financial, personnel, and time-related resources. Therefore, management must acknowledge these requirements and make such resources available in sufficient quantities.
Still, for the management to make the right decisions, CISOs should update management about the information security status, results of reviews and audits, the latest cyber developments, risk of a breach and cyberattacks, and various other opportunities for improvements.
Information Security Policy
Maintaining security is an ongoing business. Thus, formalizing security efforts by developing and implementing documented information security policies will greatly reduce the chaos and complexity in an organization and produce a solid and reliable security infrastructure.
An information security policy defines the scope of security needed by the organization and outlines a strategic plan to implement security. It is often used as proof that management has exercised due care and due diligence.
However, security policy is not a static document. It must be regularly reviewed and audited to measure for efficient implementation, up-to-dateness, completeness, and appropriateness. Revision of security policy will help management determine, achieve, and maintain an appropriate level of security.
Plan, Do, Check, Act
Every organization is subject to constant change. In the same way, attackers and their attack sophistication continuously evolve. Therefore, it is necessary to actively maintain, manage, and improve information security on a continuous basis. For this, it is essential to regularly examine security controls to ensure their effectiveness. If security vulnerabilities or room for improvement are identified, the security controls must be adapted and improved.
Following a continuous improvement process like PDCA is essential.
Identify, Classify and Harden Assets
To protect information systems appropriately, the organization must first identify what matters most. So, determine the most valuable assets and where they reside, assess access criteria and the likelihood of compromise and attack propagation, and prioritize protection based on your organization's risk tolerance.
Then design and execute a cybersecurity program that anticipates cyber-attacks. Apply stringent security controls to protect the most susceptible and critical assets. Deploy techniques such as zero-trust architecture, SDN and micro-segmentation, tokenization, encryption, identity and access management, etc.
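The prioritization step above (value of the asset, likelihood of compromise, attack propagation, risk tolerance) can be made concrete with a small scoring model. The following is an added example, not code from the article or from Afiniti; the asset inventory, the criticality scale, the `PIVOT_FACTOR` and the risk-tolerance threshold are all constructed assumptions for illustration. Propagation is modelled by letting an asset reachable from a more exposed neighbour inherit a fraction of that neighbour's likelihood, iterated to a fixed point so that cycles in the reachability graph are handled.

```python
"""Asset risk prioritization (added example, not from the article).

Each constructed asset has a criticality (1..5), a base likelihood of direct
compromise (0..1, driven by its exposure), and the assets it can pivot to
(network or credential paths). Propagated likelihood models attack spread.
Assets whose risk exceeds the organization's tolerance come back first.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int            # 1 (low) .. 5 (crown jewel)
    base_likelihood: float      # chance of direct compromise, 0..1
    reaches: list = field(default_factory=list)  # assets this one can pivot to


# Constructed sample inventory; hypothetical names and values.
INVENTORY = [
    Asset("web-frontend", 2, 0.6, ["app-server"]),          # internet-facing
    Asset("app-server", 3, 0.2, ["customer-db", "file-share"]),
    Asset("customer-db", 5, 0.05),                           # no outbound pivots
    Asset("file-share", 3, 0.3, ["hr-laptop"]),
    Asset("hr-laptop", 2, 0.4, ["file-share"]),              # share <-> laptop cycle
    Asset("build-server", 4, 0.1, ["customer-db"]),
]

PIVOT_FACTOR = 0.7  # assumed fraction of a neighbour's likelihood carried one hop


def propagate_likelihood(inventory, pivot_factor=PIVOT_FACTOR):
    """Return {name: likelihood} including compromise via reachable neighbours.

    Iterates to a fixed point, so cycles are fine; pivot_factor < 1 guarantees
    the loop terminates because values can only rise a finite number of times.
    """
    likelihood = {a.name: a.base_likelihood for a in inventory}
    changed = True
    while changed:
        changed = False
        for a in inventory:
            for target in a.reaches:
                candidate = likelihood[a.name] * pivot_factor
                if candidate > likelihood[target] + 1e-9:
                    likelihood[target] = candidate
                    changed = True
    return likelihood


def prioritize(inventory, risk_tolerance, pivot_factor=PIVOT_FACTOR):
    """Risk = criticality * propagated likelihood.

    Returns (name, risk) tuples above the tolerance, highest risk first.
    """
    lik = propagate_likelihood(inventory, pivot_factor)
    scored = [(a.name, round(a.criticality * lik[a.name], 3)) for a in inventory]
    above = [s for s in scored if s[1] > risk_tolerance]
    return sorted(above, key=lambda s: s[1], reverse=True)


if __name__ == "__main__":
    # Constructed tolerance: anything scoring above 1.0 gets hardened first.
    for name, risk in prioritize(INVENTORY, risk_tolerance=1.0):
        print(f"{name:14s} risk={risk}")
```

The point the numbers make: `customer-db` has the lowest base likelihood in the inventory, yet it ends up at the top of the hardening list because it is two hops from an internet-facing host and holds the highest criticality. Scoring assets on exposure alone would have missed it, which is why the propagation step matters when deciding where to apply segmentation or stricter access controls.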
Reduce Organizational Complexity
Disorganized security solutions and products with loose integration can pose a serious cybersecurity risk. And as the network grows, organizations add more products to their technological stack, which expands the attack surface.
Hence, organizations should re-evaluate the cybersecurity strategy, retire products no longer relevant, and reduce product clutter/complexity.
Invest in advanced automated tools
Once an organization grows, it might be difficult to ensure that the security team and its resources grow at the same scale. As a result, security professionals want to automate as many tasks as possible.
Thus, invest in breakthrough innovations that can make a difference, i.e., solutions that do many different advanced things, rather than a single vendor that does one specific thing. For example: AI-powered solutions like AI-driven IAM tools, SIEM with SOAR/XSOAR and UEBA integration, next-generation XDR/DLPs/IDS/IPS, etc. Such products will help maintain a competitive edge and also guarantee the highest level of information system protection.
Involve employees in the security process
The successful implementation of security requires changes in employees' behavior to comply with the organizational standards. Here, the goal is to create awareness, bring security to the forefront, and make it a recognized entity.
As humans are considered the weakest link in security, cyber-awareness throughout the organization is a must.
Educate employees on the security policy, the latest trends and threats in cybersecurity, the legal issues of information security related to their work, data privacy, the purpose of security controls, etc. With proper training and awareness, employees stay alert and are better armed against cunning cybersecurity attacks.
Documentation of formal procedures
As organizations scale, a lack of well-developed formal procedures and documentation is a recipe for disaster.
Thus, to get everyone on the same page by setting high standards and clear guidelines, it is essential to document all the security processes. This ensures the continuity and consistency of the entire security effort. It also ensures that similar tasks are performed in the same manner every time, making the process measurable and repeatable.
Finally, cybersecurity should be the highest priority for all businesses. It may seem difficult at first, but scalable security offers great benefits. A little pain at the early stage is much better than a lot more in the future.
SaaS Demand "Automation & Scale" | Strategic Initiatives | Solution Engineering |
2 years · Security is a continuous process that should be strategized as per the situations & scenarios.
Zero Trust Facilitator Speaker ZTX|ITIL|xBTGlobal|xIBM|xMicrosoft|xBMC Founder/ CEO Chief Excitement Officer| Mentor | Vendor Agnostic
2 years · What a great article Andrew. I felt like I was snuggling into a well-designed leather armchair in front of a cozy fire. I am so pleased that we are finally engaging the CRO, CEO and CISO in the same breath. The business must understand it no longer can be competitive and scale without the strong support of security. As a strategist, one of the challenges is to shift the mindset, with digital transformation top of mind and remote work here to stay to retain the talent. The bridge must continuously be shortened to close the gap.
5x Transformational CISO/CSO/CSA | 10x Startup Advisor w/1x IPO, 2x acquisitions, 5x funding rounds | 5x Cybersecurity Instructor | 4x Mentor | DDN Board Qualified Technology Expert (QTE)
2 years · Very well articulated. Do you find a lot of ELTs understand this dynamic prior to the CISO joining? Should this be discussed during the CISO hiring process?