Risk is a tricky topic. At the intersection of statistics, probabilities and gut feelings, it is easy to agree there is no single correct answer to the question “what should we do about our information security posture?” This is true for almost any organization and can be especially hard for ambitious startups where everyone wears many hats. It is also relatively easy to postpone information security efforts due to the unfortunate definition of success in this context: if you get things right, nothing happens.
I help a number of biotechnology startups determine the right level of maturity when it comes to information security and then actually get there. To summarize what I have seen work well, I have compiled the following recommendations that are very likely to help:
Before you can start prioritizing projects and investments, you need to understand the risks that are worth mitigating weighed against all other business risks. Startups, by definition, are in the business of taking on various risks, and information security is only one category.
It is helpful to include all functional leads in conversations about what digital assets are worth protecting, to understand what their specific concerns are, and list some example scenarios to illustrate what risks threaten the business the most. Then, looking at the situations that are both most likely and most impactful, one can build a list of top priorities deserving attention.
You will likely find that some risks are worth mitigating now while others are worth accepting until some future milestone is reached. Note that plenty of improvement is possible without additional financial investment – setting up sensible authentication rules, establishing policies and processes, and raising awareness can all be done at very little cost.
In enumerating risks, it is crucial to include any regulatory compliance needs that require attention. Even though most startups themselves may not be directly subject to certain compliance requirements, collaboration with industry partners often requires some level of ability to describe a reasonable security program and show evidence that it is being followed.
While education is often not considered a formal control, it can go a long way towards making a security program much more effective. If the majority of your team actually cares about this topic, regardless of their personal history with it, other pieces of the program will be easier to handle.
Most successful security programs distribute accountability beyond just information technology experts. In today’s ecosystem where companies have diverse and distributed systems providing mission-critical applications to employees (in many cases where the applications and their operation are owned by a department other than IT), everyone needs to understand that some information is worth protecting.
This is increasingly true in personal life as well, where more and more of daily life is managed in some digital form or another. The single most impactful piece of advice here is: take the time to educate your staff about current threats and some easy steps they can take to protect themselves at home as well as at work.
It is easy to get carried away and end a planning session with “all of the great things we will definitely do from now on” and then not actually carry out the plan. Since a successful security program is basically an extra cost with no visible gain unless bad things happen, it is important to align its scale with company-wide priorities.
In doing so, it is very helpful to define a limited scope where more protections need to be added. For example, perhaps privileged access (administrative tasks, etc.) should be more tightly audited, and all personally identifiable information could be confined to a certain area of the company: specific databases, file shares, even printer areas.
A successful security program is many times more useful if the activities around it are documented. When asked, if you can produce well-written policies, standard operating procedures, and regularly updated evidence showing that they are being followed, you will be in great shape. No matter how simple, the earlier you start collecting evidence, the more valuable the collection will be.
As with any information technology topic, if not more so than most, the security landscape changes very rapidly. I still find myself talking about the days when a brand new Windows XP machine would become compromised within minutes if connected to the Internet without added protections. Things are not like that anymore; the threats have morphed, criminals’ tactics have evolved, and things will keep changing.
It does not make sense to wait for compliance requirements to catch up because, by nature, they lag behind. To keep up, involvement with the right community resources can help. This can take many forms, ranging from team members attending security conferences with some regularity, to hiring external resources once in a while to perform an audit of your environment, to communities of practice where experts get together to discuss what is happening in the larger world of business.
This conversation can easily expand to fill any amount of time and space you think is deserved, but no project can afford to ignore it. Stay safe!