Cybersecurity is important to businesses of all sizes, and many of the information security issues that mom-and-pop shops face also challenge larger enterprises. However, the finer details of security strategy and implementation can evolve in organization-specific directions as a company matures. It is therefore critical for business leaders to recognize the need to adapt accordingly and scale up their cybersecurity strategies in step with company developments regarding staff, processes and technologies.

Here are some cybersecurity best practices forward-thinking infosec pros can integrate into their security strategy as their organizations develop.

Reduce Organizational Complexity

Small businesses often have a single “IT person” who knows and manages everything about the business’ technology infrastructure and data, including all aspects of data security. Sometimes that individual’s efforts are supplemented by an outside contractor, consulting service or cloud-based offering. Slightly larger businesses may expand on that concept and have a small team performing security functions.

But these general models for IT operations are impractical, if not impossible, for large, modern operations to implement. Enterprises often have multiple offices and lines of business, many different information systems, complex business arrangements with partners and suppliers, and numerous data entry and exit points. All of these factors can result in a dramatically more complicated information infrastructure than that of a smaller business, many more attack surfaces criminals can exploit to gain entry, and a need for more personnel to oversee technology resources.

The issue of complexity also means system interoperability can become a concern that leads to significant security risks — which makes addressing it an integral part of the security strategy for teams working in large businesses. Their peers working in smaller operations will have to deal with this challenge much less frequently.

As organizations grow they must plan for complexity and address it. Establishing formal policies and procedures for communication, documentation, education, and product selection and implementation is usually a good first step.

Lessen Human Complexity

While all workers in a small business may know one another, large businesses often have greater numbers of employees, contractors and partners working in scattered locations and sometimes speaking different languages, which can lead to information security challenges. Likewise, interpersonal dynamics (i.e., office politics) are far more likely to affect human-factors issues for larger businesses than for mom-and-pop operations.

Also, because no one person can be an expert on all of the organization’s systems and technologies, proper communication becomes essential to maintaining information security, and communication failures or breakdowns can lead to dangerous mistakes or vulnerabilities. It’s no secret that people occasionally miscommunicate, so these risks, which small businesses consider far less frequently, must be mitigated in large businesses.

As such, implementing formal policies and procedures around communication can help reduce human complexity issues significantly by outlining the specifics of proper communications and limiting the potential for riskier techniques.

Manage Custom Security Systems

Large enterprises are far more likely than small businesses to utilize homegrown computer systems developed in-house. Such systems can add to organizational complexity, since the business itself must manage all security concerns related to those systems.

In these cases, security teams must write patches to address any vulnerabilities that are discovered. Small businesses rarely, if ever, have to deal with similar issues, as they are less likely to use computer systems developed in-house. In larger organizations, however, ensuring that system management has been properly implemented throughout system life cycles becomes an important component of effective information security programs.

Document Formal Procedures

Small businesses can sometimes get away with having minimal documentation of formal information security procedures, since only a small number of people actually implement the procedures. In a large operation, a lack of formal procedures and documentation for those procedures is a recipe for disaster.

The same is true regarding incident response plans, which many smaller businesses do not even have in place. Cybersecurity best practices dictate that larger organizations must have well-developed formal procedures, or else problems will likely occur more often.

Establish Formal Management

Larger organizations are far more likely to have dedicated information security management resources, whereas small businesses usually handle the related functions informally with one or more employees who primarily serve in unrelated roles. Chief information security officers (CISOs) can focus their attention on staying ahead of the latest threats, while workers who are only doing a CISO’s job in their spare time or as a small fraction of their primary responsibilities are far less likely to be able to stay current.

Understand Cybersecurity Regulations

Larger enterprises are typically subject to many more regulations than smaller businesses. All public companies in the U.S., for example, must comply with Sarbanes–Oxley, a set of laws intended to protect investors from unfair management and employee practices that includes rules which affect information security. Breach notification laws also tend to affect larger corporations more than smaller businesses, and larger enterprises tend to make better targets for lawyers after breaches due to the depth of their pockets.

The requirements around protecting credit cards established by the payment card industry (PCI) also scale with size, as larger companies are required to afford greater protections than smaller ones. To account for this, make sure the right people in your organization understand and enforce the regulations that pertain to your business.

Stay Ahead of Targeted Attacks

Lastly, larger enterprises tend to be the targets of advanced attacks more than smaller businesses. As a result, large enterprises must prepare for these attacks by strengthening organizational defenses and observing the latest threat intelligence.

Of course, this list is not comprehensive or specific to any one situation — few cybersecurity lists ever are. But if your business is growing, make sure to internalize the fact that a growing security strategy is not simply a matter of scaling into more of the same; it requires an evolution of your cybersecurity best practices as well. As your business grows, you will need to deal with increased complexity around human interactions and technology and address the possibility of increasingly sophisticated attacks from adversaries.
