Your Security Strategy Should Scale and Evolve Alongside Your Business

December 20, 2019

Cybersecurity is important to businesses of all sizes, and many of the information security issues that mom-and-pop shops face also challenge larger enterprises. However, the finer details of security strategy and implementation can evolve in organization-specific directions as a company matures. It is therefore critical for business leaders to recognize the need to adapt accordingly and scale up their cybersecurity strategies in step with company developments regarding staff, processes and technologies.

Here are some cybersecurity best practices forward-thinking infosec pros can integrate into their security strategy as their organizations develop.

Reduce Organizational Complexity

Small businesses often have a single “IT person” who knows and manages everything about the business’ technology infrastructure and data, including all aspects of data security. Sometimes that individual’s efforts are supplemented by an outside contractor, consulting service or cloud-based offering. Slightly larger businesses may expand on that concept and have a small team performing security functions.

But these general models for IT operations are impractical, if not impossible, for large, modern operations to implement. Enterprises often have multiple offices and lines of business, many different information systems, complex business arrangements with partners and suppliers, and numerous points where data enters and leaves the organization. All of these factors can result in a dramatically more complicated information infrastructure than that of a smaller business, a much larger attack surface that criminals can probe for an entry point, and a need for more personnel to oversee technology resources.

Complexity also makes system interoperability a security concern in its own right: every integration between systems is a trust relationship and a potential path for an attacker, so addressing interoperability must be an integral part of the security strategy for teams working in large businesses. Their peers in smaller operations will have to deal with this challenge much less frequently.

As organizations grow they must plan for complexity and address it. Establishing formal policies and procedures for communication, documentation, education, and product selection and implementation is usually a good first step.

Lessen Human Complexity

While all workers in a small business may know each other, large businesses often have greater numbers of employees, contractors and partners working in scattered locations and sometimes speaking different languages, which can lead to information security challenges. Likewise, interpersonal dynamics (i.e., office politics) are far more likely to affect human-factors issues in larger businesses than in mom-and-pop operations.

Also, because no one person can be an expert on all of the organization’s systems and technologies, proper communication becomes essential to maintaining information security, and communication failures or breakdowns can lead to dangerous mistakes or vulnerabilities. It’s no secret that people occasionally miscommunicate, so these risks, which small businesses consider far less frequently, must be mitigated in large businesses.

As such, implementing formal policies and procedures around communication can help reduce human complexity issues significantly by outlining the specifics of proper communications and limiting the potential for riskier techniques.

Manage Custom Security Systems

Large enterprises are far more likely than small businesses to rely on homegrown computer systems developed in-house. Such systems add to organizational complexity, since there is no vendor behind them: the business itself must manage every security concern related to those systems.

In these cases, the organization’s own teams must find, fix and deploy patches for any vulnerabilities that are discovered, with no outside vendor to issue them. Small businesses rarely, if ever, have to deal with similar issues, as they are less likely to use systems developed in-house. In larger organizations, however, ensuring that security has been properly built in and maintained throughout the system life cycle, from design and development through deployment, patching and eventual retirement, becomes an important component of an effective information security program.

Document Formal Procedures

Small businesses can sometimes get away with having minimal documentation of formal information security procedures, since only a small number of people actually implement the procedures. In a large operation, a lack of formal procedures and documentation for those procedures is a recipe for disaster.

The same is true regarding incident response plans, which many smaller businesses do not even have in place. Cybersecurity best practices dictate that larger organizations must have well-developed formal procedures, or else problems will likely occur more often.

Establish Formal Management

Larger organizations are far more likely to have dedicated information security management resources, whereas small businesses usually handle the related functions informally with one or more employees who primarily serve in unrelated roles. Chief information security officers (CISOs) can focus their attention on staying ahead of the latest threats, while workers who are only doing a CISO’s job in their spare time or as a small fraction of their primary responsibilities are far less likely to be able to stay current.

Understand Cybersecurity Regulations

Larger enterprises are typically subject to many more regulations than smaller businesses. All public companies in the U.S., for example, must comply with Sarbanes–Oxley, a set of laws intended to protect investors from fraudulent corporate financial reporting; its internal-control requirements (notably Section 404) extend to the information systems that produce financial data and so directly affect information security. Breach notification laws also tend to affect larger corporations more than smaller businesses, and larger enterprises tend to make more attractive targets for lawyers after breaches because of the depth of their pockets.

The payment card industry’s requirements for protecting cardholder data (PCI DSS) also scale with size: merchants are assigned to levels based on annual transaction volume, and the largest are required to validate compliance through an annual on-site assessment by a qualified assessor rather than a self-assessment questionnaire, with quarterly external vulnerability scans on top. To account for this, make sure the right people in your organization understand and enforce the regulations that pertain to your business.

Stay Ahead of Targeted Attacks

Lastly, larger enterprises tend to be the targets of advanced, targeted attacks more often than smaller businesses. As a result, large enterprises must prepare for these attacks by strengthening organizational defenses and following the latest threat intelligence relevant to their industry.

Of course, this list is not comprehensive or specific to any one situation — few cybersecurity lists ever are. But if your business is growing, make sure to internalize the fact that a growing security strategy is not simply a matter of scaling into more of the same; it requires an evolution of your cybersecurity best practices as well. As your business grows, you will need to deal with increased complexity around human interactions and technology and address the possibility of increasingly sophisticated attacks from adversaries.

Joseph Steinberg
Cybersecurity Expert and CEO, SecureMySocial

Joseph Steinberg (CISSP, ISSAP, ISSMP, CSSLP) is a cybersecurity thought leader and technology influencer. He writes a column on cybersecurity for Inc., and ...