As a small business or a startup, approaching security within your burgeoning company can seem overwhelming. On the journey to this point, you’ve probably come to know what security controls should be in place in some areas, you might know what security controls would be best practices, and you actually know that along the way, you kept a list of where your company is vulnerable. With that information at the ready, the questions are now: Where do I start? How intensely should I be addressing these issues? How do I create a timetable that will balance my resources with my risk?
Now that you’ve set yourself up to begin from a place of strength through knowledge, it’s time to go forth on the path to a secure environment. We’ve forged this path for you through years of experience and practice, so let’s hit the trail!
First we want to deduce where your company might get the greatest value for your investment. A foundational layer might be organizationally impactful factors, such as external compliance requirements or internal governance structure of your company. For the former, you know that your industry requires compliance with certain regulatory statues (HIPAA, FFIEC) or obtaining industry certifications (HITRUST, PCI). Many of these compliance standards are similar to some degree and can be used as a guide when deciding what controls to implement. For example, a small healthcare firm may want to ensure that their access controls are in alignment with best practices, such as the “principle of least privilege”. Access controls developed intentionally and early can help alleviate some of the pain associated with the inevitable certification demands to come. As a domain, access control is the largest section of a HITRUST assessment, while also forming the basis for several HIPAA regulations as they relate to access to protected health information (PHI). I know companies that might not have encryption or password policies up to certain standards, but if their access control policies are mature, they can act almost as a rough form of a compensating controls, at least in the shorter term, while the other controls are developed..
For the latter example of governance structure, choosing an area of focus here isn’t as hard to accomplish as it may seem and can really advance your overall security posture. Though I’ve been a virtual CISO (vCISO) for several years and for several small organizations, I still think about my years in community organizations as a guiding principle: build structures for the movement you want, not the cadre you have. Basically, if you’re going to put the work into building some structures in the beginning, why write policies for six employees when you could just as easily write policies that could support 40 people? In practical terms, that means investing a bit more into security a little earlier than you probably wanted, but knowing you’ll be prepared and taken care of down the line as you grow.
Assuming your company has some basic policies (or even informal SOPs) around security, how does one apply, review, and monitor the efficacy? Contracting outside help rather than hiring internally is the most efficient and economical way to keep up with continuous monitoring, which is a key piece of a strong security foundation. Part-time professional services, such as legal and security, are widely available these days, hence the rise virtual CISO and legal services available for many industries. Having a professional review and formalize policies, consult and implement security controls, and continually monitor the efficacy of the everything together will seem like overkill for six people (it is) but will easily scale as your company scales. They can also help guide your company to achieving your certification or compliance goals. Paying compliance debt when your company is struggling to scale and is already paying its technical debt can really drag down the energy of the team.
Kuma is here to help you keep your fire hot! I already mentioned that I am a vCISO for companies similar in size to yours (maybe) and it would great to meet you. We can discuss where you’re at, where you want to go, and what we have to do to get us there. No judgements, no games, just radical honesty. And if you need to get a certification (or two), we can help you with that too. Kuma can act as a liaison between your company (retained by you) and the auditing firms or governmental actors who will be certifying or auditing the security controls. Starting a company is hard, but you’ve done that already. With Kuma, you can be sure of the next steps instead of “getting lucky.” Talk soon!
