How Growth Affects Security

From Security for Everyone, edition e1.0.0

Updated October 9, 2023

When do you go from a startup to a company with the larger needs outlined in Part IV? That can be hard to pinpoint, and depends on your circumstances. We’ve outlined the effect growth has on your security needs and strategy, so you can better determine where your organization stands.

Growth is amazing. However, the more successful you are, the more interesting you are to potential attackers. Simply put, before you grew, nobody knew you existed and they didn’t know how interesting and valuable you might be.

As your customer base and product grow, so does the complexity and size of your data. From customer data to commercially sensitive documents and application code, you have more of everything and it’s more spread out than ever before.

In the beginning, you were small. As a leader, you probably hired everyone personally, often from your social circles or close professional network. As you grow, however, this changes—and for good reason.

The more your organization grows, the more important it becomes that you have the right people and the right skills. Unless we are exceptionally lucky, most of us simply don’t have a full 100-person organization in our friend group. As well as identifying and finding these people, the process of recruitment becomes slower and more complicated as you are expected to mature your processes, consider a wider range of candidates, and adhere to more HR laws and regulations.

This change in relationship dynamic brings with it a change in trust. Your organization is now filled with a rapidly growing list of people you didn’t personally hire and you don’t see every day. For some of us, simply remembering names is hard enough, without having to understand the risk that each of these new people brings with them.

Managing access and trust is important even for a handful of people, but it becomes more difficult as you grow and requires more process, policy, and systems to enforce.

As expectations and complexity increase, the impact of a security breach or incident also grows. From the amount of data or number of accounts that may be affected through to the amount of visibility such an incident would gain, this is no longer a subject you can take lightly.

Understanding your exposure to risk and planning for an increasing range of incidents will be crucial to ensuring that your team is prepared to respond quickly and minimize the impact on your business, your customers, and your reputation.

The table below outlines some of the ways the growth of an organization alters its risk profile.

Table: Growth and Its Effects on Organizational Risks

| What is growing? | Changes to your organization | Changes to your risk |
| --- | --- | --- |
| Size of team | More communication throughout your company (whether that is email, instant message, or other) | Increased likelihood of phishing-style attacks via email (including attempts to gain usernames/passwords or invoice fraud). |
| | The team does not know each other as well as they once did | Less visibility across the team increases the time it takes to spot an issue. |
| | Increased operating cost | The impact of security incidents may have a higher impact on the financial health of the organization. |
| Number of customers | Higher number of security due-diligence questions | More time spent explaining security posture as part of the sales process. |
| | More customer data stored | Increased risk of poor data handling or a data breach, and increased impact if a data breach happens. |
| | More customer accounts | The more customer accounts, the more likely an attacker is to find access to a system (typically by using simple or common usernames and passwords). |
| Impact of incidents and breaches | Larger number of customers and stakeholders | More is at risk if data stores or databases are accessed. Incidents could involve a breach of a larger amount of customer or stakeholder data. |
| | Larger volumes and complexity of data | Data is stored in more places, which increases the likelihood that these copies of data may be lost or stolen. In addition, more extensive data is more likely to include personal data about customers or stakeholders; if revealed, customers can’t remedy leaked personal data like they can a leaked password. |
| Complexity of operations | Greater number of roles and associated privileges | More administrative or privileged accounts mean more opportunity for those accounts to be misused, either by mistake of the employee or by an attacker who takes control of it. |
| | Greater complexity of communication and workflows | Complex workflows introduce more points where things can go wrong, and more places where data can be accessed. More people are involved, leading to a higher chance of human errors unless protections are in place. |
| | Greater need for compliance | Larger customers and certain industries usually mean more standards or compliance frameworks that must be met. These standards will require different security controls to address that risk. Compliance gets more challenging the bigger your organization grows. |
| | Greater financial and accounting complexity | Complex financials make it more difficult to spot fraud or unauthorized charges. This could be someone within the business making fraudulent transactions, or could be an increased cost associated with the misuse of resources by an attacker. |
| Complexity of the product | More features offered | More surface area for attackers to take advantage of, more customer data collected. |
| | Larger codebase | More engineers, more room for security issues, more third-party libraries and potential vulnerabilities. |
| | More third-party tooling and analytics | Data handled by third-party software and systems could be leaked or misused. |

Acknowledgments

Making a book is hard.

I was lucky to have the best business partner in crime (Laura), helpful and passionate editors and publishers (Holloway), patient and supportive friends (Dibbie, Sarah), a partner who made sure I was always fed and watered (Len), a son who patiently waited to arrive into the world until after all the hard parts were finished (Kana), and parents who bought this book to support me even though they still can’t be convinced to use a password manager (Eric, Sherrie).

—Erica
