Take time early in your security planning to prioritize your approach and make it clear to your team what you expect the organization to achieve and what will be added to the backlog for a later stage.
This process of reviewing your security needs and prioritization will need to happen at regular, key milestones for your business. These typically include:
• annual reviews as part of planning and strategy
• significant operational or product changes such as a pivot or diversification
• significant market or environmental changes
• significant financial change such as funding, sale, acquisition, or significant revenue growth.
When prioritizing your approach, consider the impact of the work you undertake and plan higher-impact work sooner rather than later.
The following outlines our approach to prioritizing early-stage security management.
Table: Suggested Security Management Priorities

| Stage | Priorities |
|---|---|
| Survive | • Create the processes and plans needed to respond to and recover from security incidents and service disruption. • Create basic awareness and monitoring to identify potential security incidents early. |
| Educate | • Help your entire team understand why security matters for your business and your expectations as a leader. |
| Define | • Define the policy, standards and processes that allow you to reduce risk to a tolerable level. This will be the framework that defines how security should be implemented. |
| Implement | • Create the controls that meet your defined policy and reduce the organization’s risk. • Improve monitoring and alerting mechanisms. |
Survival is first because there will always be the chance of a security incident. The following stages then help build culture and awareness—engaging the wider team in your security efforts, and defining and implementing the controls you need to reduce risk.
Implementation of controls may feel like the most urgent or important stage, and leaving it to last can feel frustrating; however, keep in mind that the options for implementing security controls are wide-ranging and include thousands of potential actions. By jumping straight to implementation you can lose focus, feel overwhelmed, and end up spending time and limited resources on reducing the wrong (or less likely) risks to your organization.
Figure: The cycle of security management: survive, educate, define, implement.
Remember that when planning security for your startup, there is no room for perfectionism. There is no such thing as 100% secure. Be patient, prepare for the worst, engage your team, define your aims, and then start implementing; you will find you have more support and help, and a clearer idea of your achievements and risks.