What Security Lessons Can Large Enterprises Learn From Small Businesses?

Have you ever been in a situation where multiple adults are attempting to solve a problem, but a small child is the only voice of reason in the room? Children often lack a filter — and have a unique type of wisdom that can only stem from a young person’s perspective of the world. Why can’t we harness these powers for the business world?

Well, small and midsized businesses actually can offer valuable security lessons to business leaders at larger organizations.

Security is an imperfect field that involves many aspects of politics, culture and (above all) common sense. But small and midsized companies tend to have advantages. Why? They’re not as set in their ways as large enterprises, they don’t have as many internal conflicts and they often don’t have a shareholder-centric business model. As a result, smaller businesses tend to make decisions more quickly.

The Vicious Cycle of Bystander Apathy

For large organizations, it often takes a dozen weeks — and a dozen people — for even the smallest tasks to get started. It’s an unproductive mess, to say the least.

In many cases, these businesses appoint the wrong people to make important decisions and are therefore ill-equipped to execute them. It’s the epitome of bystander apathy: Everyone is sitting around the table looking at everyone else, assuming they’re going to take care of things. Then, months — and even years — pass and nothing happens. The cycle continues as security risks grow.

Then there’s security implementation: Most larger businesses have mastered the bureaucracy aspect of security. There are cool titles, figureheads and documented policies — but nothing of substance is getting done. Small and midsized businesses, meanwhile, are better positioned to identify security risks, see opportunities for improvement and immediately act on their discoveries. They get the budget, procure the product or service and implement (as necessary) to see it through. They then integrate the management of the product or service within their own business needs or environment.

Poof — it just works!

Why Security Must Be a Shared Responsibility

What is perhaps the most significant thing that stands out about smaller businesses? When it comes to security, everyone chips in. Rather than deflecting responsibility, more nimble organizations are full of people who do whatever it takes — whether that means evangelizing the security message among employees, working with business partners and customers to ensure that security requirements are met on the sales and marketing side or outsourcing security to the proper vendor.

When everyone works together to make security work, it sets the business up for tremendous success over the long haul.

For security to work effectively in larger organizations, it requires more motivation, more effort and the necessary talent to see it through — the latter of which is often missing. Of course, there’s no changing certain aspects of big businesses because some bureaucratic complexities simply cannot be stopped. But they can be overcome with the proper discipline on the part of executive management, both inside and outside of IT.

Knowing what we know today, security must be a highly regarded, board-level issue that is managed like any other critical business function.

Translate Security Lessons Into Forward Progress

Even with strong management support, it’s dangerous and frankly unrealistic to assume that everyone will do all the right things all the time. This assumption is probably the most difficult security challenge to overcome for larger businesses because everything is as it is — and it’s unlikely to change. In small and midsized organizations, it’s easier to shape behaviors, implement more meaningful security controls and even adapt business processes when necessary.

Pay attention to this security reality: If you work for a larger organization, do what you can to adapt and progress. There are so many opportunities to right the ship at the grassroots level — even when it seems like your voice isn’t heard.

Simple things done well over time will get noticed and can ultimately make a big difference in the business and its security efforts. If you manage security in a smaller organization, know that security is not going to get any easier than it is today. Make it right and do things well so that you can grow into your security program over time.

For any business, regardless of size, the important thing is to approach security with a clean slate. Try not to let past decisions and experiences affect how you move forward today. When all parties involved take a measured and prescriptive approach, it’s possible to implement an effective security program in even the largest organizations.

Learn how to build a corporate culture of security awareness

Kevin Beaver

Independent Information Security Consultant

Kevin Beaver is an information security consultant, writer, and professional speaker with Atlanta-based Principle...