A common perception is that information security is simply a “necessary pain in the ass” that organizations don’t want to invest in, implement or think about until they get bigger. And even then, it’s often resented. Smaller enterprises and startups feel like they don’t have the time or resources to put into protecting themselves. That might appear unreasonable, but it makes sense that organizations just starting out might feel that way. Founders are trying to validate their ideas and get their businesses up and running...and it feels like a waste to invest a significant percentage of their cash in security solutions before they even know if they have a viable business! How can they possibly justify any security investment early on in a company’s life?

Are You From The Past?

Many of the world’s biggest and most successful technology companies started out with almost no consideration for security in their solutions or in their corporate IT. Some would argue that this is still the best way to get a company started...move fast, break things, and then play catch up when they reach a certain size. Others would argue that we’re worse off because of it...and the world is a different place now.

Today

Now that data breaches are in the news every day, some startups think they need to spend years building a “perfectly secure” and “perfectly available” solution before getting it in front of potential customers and validating the idea...and, unfortunately, many find out too late that there is no market for their product. Ouch.

Balance

There needs to be a balance between lean startup agility and designing security into a fledgling product and company. But again, how do you justify the security investment? It’s time to treat information security as a business enabler...or better yet, a sales advantage.

According to Barak Engel in his book Why CISOs Fail, the CISO needs to integrate security into an organization’s business operations...not block the business from functioning. The successful CISO understands all facets of the business so they can build security into its fabric...and make security a business enabler. It’s just logical.

What To Do

But what if you don’t have a CISO? If your organization isn’t big enough to justify hiring a CISO or a security team, all is not lost. You can still build information security into your business operations and create a healthy security culture early in your organization’s life. Your customers, employees and investors will thank you for it. Smaller organizations can use the following steps to get started with minimal investment: