Security management can be a tedious job. Whether you are the chief information officer (CIO), chief technology officer (CTO) or even the chief executive officer (CEO), it can be hard to deal with possible risks and apply appropriate controls. For companies that maintain their relative size in terms of revenue, number of employees and target markets, this task may be somewhat easier. However, growing companies tend to forget that increasing any parameter means security management is shifting as well. Don’t stress out if your company hasn’t appointed a direct supervisor for the security field and you’re unsure what exactly is needed. For an easy jump start, the following are the foundations and basic do’s and don’ts that will help you understand the scope of this role.

Do: Supply Resources for Security Purposes

The most common mistake when considering — or reconsidering — the security management’s agenda is providing the means to handle the targets that were chosen by the directives of security (or perhaps by the senior management itself). Like any other department in an organization, it’s hard to do magic when you are running on insufficient funds. This is at the top of the list since growing businesses tend to focus on products and services development, sales and unbalanced finance distribution.

From a security manager point of view, it isn’t easy to persuade a chief financial officer (CFO) or vice president of finance to increase your resources. However, it is sometimes only possible to fight fire with fire, and the best argument is that poor investments in security management will likely result in expenses that supersede the original budget.

Don’t: Neglect Your Network Security

Short time frames for product releases, hectic development cycles and trying to please many customers — does this sound familiar? If so, there’s a good chance that you might be trading off your company’s network security to meet those demands. Perhaps a lack of developers or information technology staff are making you believe security threats are low-risk. Actually, these roles are vital for keeping your company’s assets safe. You may have ninjas or rock stars for programming tasks, but companies also need a superhero for managing network security. Between domain separation, resource authentication and authorization and event audition, the responsibility is great. Treat these roles with great respect.

Do: Train, Train, Train

So now that you’re all set with a neat budget and a security team, the next step toward proper security management is training. Not only is this objective important, but it is also ongoing. Like your company, the world of security is ever-growing and ever-changing, so your employees must undergo periodic training and certification. Due to the unique nature of growing companies, training sessions should be held more often than they would be at a more static enterprise since new employees will be quickly introduced to the company. It is also useful to use short yet powerful tools instead of long sessions. Occasionally forwarding an interesting webinar or composing a memo about a recent attack is a nonintrusive way to remind employees about security.

Don’t: Kill All Security Issues at Once

It’s easy to be misled when it comes to growing companies and security breaches. Even though there may be fewer issues to tackle, some are still difficult to solve and combat by implementing a proper solution. A common framework for risk management is still required, regardless of the number of security issues. There are many tools to help you plan the right security risk management program for your company. When they are utilized correctly, everyone should have a clear idea of what needs to be addressed immediately and what can be treated later on.

Do: Discuss Security Gates With Product Managers

When it comes to stable enterprises, the security policy and management is headed by the chief information security officer (CISO) and CIO, who supervise the entire department or team. The policy is usually self-dictated after a long history of balancing the needs of a business versus security. On the other hand, when it comes down to growing companies, there is a good chance the security team is small enough to sit in one room. It is also likely that the company’s business units (product managers, business analysts, etc.) will be nearby.

Companies that wish to promote their products or services as fast as possible sometimes neglect to include security management throughout the required specifications. This “coziness” could be an advantage if you can walk to the next room over and talk through any gaps regarding features or requirements the business units are trying to promote.

Don’t: Avoid Security Feedback From Your Customers

When it comes to new products, such as a first stable version or a beta version, feedback is an ultimate must-have. Beyond quality assurance and the release, most enhancements come from the “battlefield” of customers’ installations and malfunctions. Some of these customers also test the products for security issues and provide feedback from testing results. Due to the nature of a growing company, the security-related feedback is sometimes pushed aside for feedback on functionality. It is not recommended to ignore any kind of feedback; however, some customers would prefer you address the security feedback first. This is usually asked by companies that come from security-oriented industries or in cases when the product relates to security. You do not want to find yourself on a security-indifferent vendors list.

Do: Know the Industry’s Way of Security Management

Perhaps you know everything about the market of your product, from dominant players down to the tiniest feature in a competing product. Obviously, you must own that knowledge to promote your company and product. But what about the security topics in your industry? Many companies are sometimes unaware of discussions held at an industry level that revolve around security. Unfortunately, these companies tend to get acquainted with those discussions only after they are breached or attacked. It doesn’t matter whether your company offers a service based on a public cloud or has a flagship product developed by numerous teams. Best practices, security guides and emerging controls are out there, and it’s up to you to catch up.

Don’t: Think You Are Incident-Proof

Another security that is somewhat forgotten is incident handling. Proper security management specifies actions and protocols in case of data loss, breach detection and critical vulnerability detection (in a product). In most growing companies, there is a minor to nonexistent incident response plan as most security efforts are narrowed down to active security rather than passive security. Planning ahead impacts not only security but reputation as well. Nobody can prepare for every vulnerability or breach out there — and that’s not the purpose of such a plan. The incident response planning should exhibit coverage for most threats that are relevant to your company or product. The key ingredient for that is mapping out threats, attack vectors and vulnerabilities in your business.

Traditional security management is considered to be mature and stable. New methodologies of software and business development forced companies (not just their products) to be scalable — a challenge with security implications that must be addressed.

More from Risk Management

Are you ready to build your organization’s digital trust?

4 min read - As organizations continue their digital transformation journey, they need to be able to trust that their digital assets are secure. That’s not easy in today’s environment, as the numbers and sophistication of cyberattacks increase and organizations face challenges from remote work and insider behavior. Digital trust can make your organization’s digital transformation stronger. A lack of digital trust can do irreparable harm. However, according to ISACA’s State of Digital Trust 2023 report, too many organizations struggle to define and implement…

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging. We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically. For this reason, 75% of organizations…

How IBM secures the U.S. Open

2 min read - More than 15 million tennis fans around the world visited the US Open app and website this year, checking scores, poring over statistics and watching highlights from hundreds of matches over the two weeks of the tournament. To help develop this world-class digital experience, IBM Consulting worked closely with the USTA, developing powerful generative AI models that transform tennis data into insights and original content. Using IBM watsonx, a next-generation AI and data platform, the team built and managed the entire…

How NIST Cybersecurity Framework 2.0 Tackles Risk Management

4 min read - The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines. The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to…