Edition 1.0.0
Updated October 9, 2023
This all seems quite straightforward, right? There are events we can plan for or prepare for, and so long as we are well organized, we can weave security through everything that happens in our business. It’s simple … except when it’s not. Let’s take a look at the common challenges we face with triggered security events when we’re growing.
Even predictable events (hiring, promotions, and so on) can be difficult in a growing company because of the pace at which our world runs. We have the same events as any other organization, but because of the way we are funded and the ambitions we drive towards, we may experience many more of them in a shorter time period than a more established company would. Combined with relatively constrained resources and budgets, handling all of these events is challenging enough without adding a layer of security on top.
Acknowledging this challenge doesn’t excuse us from trying, however; it just means we need to be clever with our approaches. Using automation and playbooks can make these tasks easier to complete (and sometimes automatic) and lets you share the responsibility across the team. We’ll dive deeper into how to do that later in this chapter.
Growing fast can be hard. It’s an exciting time filled with big challenges, many of which you will have never faced before. This is the entrepreneurial life.
The trouble with evolving challenges is that we have to adapt to them dynamically. Sometimes the situations and events that happen in our company are unplanned, not because they are rare, but because we haven’t reached a stage of maturity where the event happens predictably enough to be planned for.
For example, the first time your organization receives a security due diligence assessment, you may have no idea where to begin. It’s likely that you won’t have well-documented processes to get the job done. The same goes for hiring. When you first started out, your onboarding process would likely have been quite informal and evolved with each person you hired.
In the growth stage, however, these processes have to mature fast. You may have to respond to lots of due diligence questions or onboard seven new team members a month. There is no time for informal processes now.
If you are at this stage, it can feel like a lot of work to define these processes, document them, and turn them into repeatable tools. It can feel unrealistic to add more layers of security into these fledgling processes, but believe it or not, this is the easiest time to add security.
Adding security from day one of a process lets the security mindset sit in the foundation of the process and grow with it as the company matures. It is much easier to tweak a small security step in a new operational process than it is to take a complex, established process and weave security through it later, retrofitting controls where needed and going back to everyone who has already been through the process or event.
Let’s dig into some examples and make this theory into something we can put into practice.
The following table is by no means exhaustive, but it provides a guide to the types of events that might happen in your company that you would want to plan for. Don’t get overwhelmed; there are a lot of them (and I’m sure you will think of more). Remember that a lot goes on in your growing business, so it’s not surprising that there is a lot of security to consider along the way.
For each of these, you would list the associated actions, procedures, or playbooks that should form part of your response. For example:
Event | Suggested Actions |
---|---|
A new device is acquired | 1. Record the device in the asset register. 2. Assign the device an owner. 3. Provide secure storage guidance to the new owner. 4. Configure the device with appropriate security controls or hardening. |