Adapting to Change

From Security for Everyone, edition e1.0.0

Updated October 9, 2023

🚀 As explained by Laura

Change is not just inevitable, but frequent. As your organization grows, there will be complexity. Hopefully you operate long enough to emerge from this chaos with a range of policies and processes that help you rein it in, but for many companies this takes a long time and a lot of effort from the wider team.

While not all changes to your business or operating environment affect the security of your data, people, and systems, there are some events and changes that you need to watch carefully for.

Rather than fearing the chaos itself, let’s take a look at some of these complexities and how they can affect your security. Not all chaos is bad so long as you understand and anticipate the impact.

A Bigger Team Means Bigger Challenges

The more successful your company, the more people you need to keep it moving. Not only will the number of people increase, but also the range of experience levels, skill sets, and roles.

While you may have started as a small group of friends or early employees who knew each other well enough to trust deeply and quickly, before long you will struggle to remember the names of your new team members and may even no longer be involved directly in hiring them.

This can introduce the following security challenges:

  • Hiring risk. Without consistent processes and checks, you may hire someone who poses a risk to your organization. Whether that person is willfully malicious or just not very good at what they do, ensuring that all new team members have background and reference checks reduces this risk.

  • Oversight risk. The more people you have, the harder it is to keep track of what is happening around the company. This can introduce risk from common insider crimes such as fraud, as well as more complex risks from bad decisions. Ensuring you have robust checks and processes for your key financial systems and for those storing highly sensitive data is crucial, as is encouraging and embedding feedback and review processes in significant decisions.

The Faster You Move, the More That Can Go Wrong

You are selling more, you are serving more customers, and there are way more “things to do” in your world than you could possibly imagine. The more you grow, the faster you go. Whether that is truth or perception, it doesn’t matter—your world is not slowing down anytime soon.


This can introduce the following security challenges:

  • Monitoring and spotting issues. Have you ever been working so hard and going so fast that when you finally come up for air you are surprised by how far you have come? That’s common when we are pushing hard and scaling. This focus (required to succeed when growing) can also lead to a tunnel vision where we don’t notice what is going on around us. As the team grows, this problem gets worse, as it’s now more and more difficult to get to all the meetings, meet with all the project teams, and understand what is getting done around you every day. All of this means that issues can crop up unexpectedly and you may not notice—including security ones.

  • Cutting corners, inconsistency, and shortcuts. Ever been trying hard to get something done and found yourself slowed down or frustrated by the process you need to follow? Of course you have; it’s human nature to try to find the easiest way to get a job done (and not in our nature to always choose the path with the best quality outcomes). Securing our organizations often involves introducing more processes. Even when very carefully done with a focus on enablement, these can cause frustration. There will always be times when people (including you) cut corners and avoid processes. There will also always be times when you or your team are distracted and make bad decisions or mistakes. The more you grow, the more this will happen.

    Fighting human nature is a terrible idea. Rather than trying to stop people from making mistakes or cutting corners, make the secure path to getting something done the easiest path to take. Reinforce this by monitoring as much as you can so that if something does go wrong, you can respond quickly.

Scaling Technologies and Systems with Technical Debt

There isn’t a tool or product on earth that meets every customer’s needs the first time, so you are likely to be iterating quickly to get to the ideal product-market fit. The things we don’t get around to doing on the way, we call technical debt.

As you iterate, your product will grow and become more complex. There will be compromises made and technology decisions that seemed like a good idea at the time.

This can introduce the following security challenges:

  • Software vulnerabilities. As we have discussed in previous sections, every piece of software and technology can have security flaws and vulnerabilities. The more technologies we use or build, the more chances there are that these will impact the confidentiality, integrity, and availability of our systems.

  • Architectural and design flaws. The more complex our systems are, the harder it is for us to keep their complexity in our heads. It can become literally too hard to understand, assess, and protect. Finding ways to examine your architecture and designs will be key to managing this risk. There are some amazing books and resources on this subject but you can’t go wrong by starting with Threat Modeling: Designing for Security by Adam Shostack.

  • Process issues. It’s easy to think that, when you are a product company, the system you develop is the extent of your risk. Sadly, it’s not that simple. Remember that the code we write is only part of the overall system. Our complete system includes all of the non-technical elements and interactions with every human, and other tools and systems, involved in getting it to work. The more complex the process flow and the higher the number of moving parts, the more likely it is that security issues will develop somewhere within it. Document your complete end-to-end processes and systems, and look into tools such as threat modeling to systematically identify risks and potential security issues.

Going Global

When you started selling to customers close by, it was likely fairly simple, operationally. You understood the operating environment, the people, the laws, and the culture.

If you are a company that has expanded outside of your immediate local area, this certainty in your context will fade. The further you get from home, the harder this gets, and some of the risks introduced are far from your normal world.

This can introduce the following security challenges:

  • Change in risk profile. If you happened to grow up in a nice neighborhood where the worst in local crime was the theft of your neighbor’s beloved garden ornament, then you may not have a lot of experience when it comes to understanding the difference in security culture and crime in other parts of the world. It is really difficult to understand what you have never experienced.

    Everywhere is different when it comes to security risk. Some places have more physical crime and theft, others more electronic. Some markets have operating cultures like bribery embedded in day-to-day life, others have very strict and tightly enforced anti-corruption laws. Your risk comes not only from the systems you build and the processes your company uses to operate, but also the environments in which you and your customers operate. This changes not only their behavior but also their expectations. Do your research, work with product teams, and generate personas for your new customers and markets to understand not only how their needs differ from your existing customers, but also how their behavior and environment will affect their security.

Example: If you are a product company building a mobile application that is secured with biometric authentication (in simple terms, your app lets people log in using facial recognition or a fingerprint), that will work really well in markets that have high adoption rates of new technologies and high-end mobile devices.

However, if you roll out your application in other countries, particularly those developing at a different rate than yours, you may find that users there have less sophisticated devices and can’t use biometrics like facial recognition or fingerprints.

  • New laws, regulations, and restrictions. Just as selling into a new region often requires careful planning to ensure you meet any new tax or operational requirements, each new region also brings new laws, regulations, and restrictions. This is particularly relevant to laws around personally identifiable information and data storage/retention. Spend the time before launching into a new region to get some local expertise. Find out what you need to do to stay compliant and safe whilst balancing your own security requirements and those of your existing customers. Taking a little more time upfront can reduce a lot of stress later.

  • International interference. At the far end of where growth meets security, we start to get into some very big and very complex sets of security challenges—those that involve national security, critical systems, and international interference. It’s beyond the scope of this book to dive into these subjects as they require a good understanding of not only the technical and security aspects of the risk but also the motivations that lead to them and the intricacies of our global, political environment.

    In short, this is a big space and if you are getting towards this end of security, it’s time to get some specialist help. In the meantime, be conscientious with your business model, pay close attention to the news and economic/political climate in all the markets that you operate in, and adapt as risks emerge.

Important: Whatever changes you need to bring to your organization to scale and succeed, you will make them. It’s in your nature to adapt and adjust, to learn quickly, and to make sure you are optimizing for growth. Just remember that each change and choice you make can alter the security risk of your company and introduce more challenges for you to solve. Be conscious of, and consider, the security impact of every change you make, and you will be well prepared to address those challenges quickly.

Compliance at Scale

🚀 As explained by Laura

If you are used to building new systems and processes, often with the intention of disrupting an industry or changing the way an established industry operates, the idea of inheriting a compliance or regulatory system is disheartening.

For those who like to try new things and move fast, compliance has a reputation for being the exact opposite of how you want to run your fast-growing business. A world filled with complex (often outdated) systems of requirements and controls, supported by auditors and accompanied by the threat of large fines or inability to operate, rarely makes anyone excited.
