
Navigating Security in a Modern Technology Company

Modern Software as a Service (SaaS) and other technology companies that provide services to businesses are getting asked to do more with cybersecurity than ever before.

In 2013, Target was breached via a third-party vendor, and as a result many businesses started expecting a higher security maturity level from their vendors.

Tactically, that can look like:

  • Customers or potential customers asking for security questionnaires to be completed
  • Operational security and technical requirements in contracts
  • Market expectations for security features in the products we build

While this was always common in regulated industries such as payments and health care IT, it was not as common in other industries. Now, it’s becoming expected of all companies that work directly with businesses.

It’s easy to get tactical and do what’s asked without thinking about how it might change how we operate in the future.

Navigating risks and keeping our company safe start with two basic but essential steps

As a technologist or CTO, it’s easy to frame this in the context of technology. However, business is often the best way to focus the conversation. If you go immediately into a defined security process without framing it in business terms first, the process will focus on tactics and, often, on activities that don’t add value.

Ensure you have the right people invested in the process

First, get the right people in the room, including the business stakeholders and security leadership. This means having executive sponsorship so that critical decisions can be made swiftly with all stakeholders on board. Without this level of engagement, it’ll be difficult to make progress, and the effort could end in paralysis by analysis.

Ensure that it is properly focused on risk management

Then, it’s important to ask the right questions:

  • Are the services provided business-critical?
  • Is the data involved valuable?
  • Is the industry regulated?

With this approach, you can right-size the security process and ensure that you’re focused on managing risk. Otherwise, your sales process will be slowed down and you might end up with a security program that’s focused first on security theater without providing value.

Management of risk is essential for any effective security program. Make sure you keep this in mind as you develop and implement your security strategy, especially because the results of a security assessment can often be misinterpreted and used to push an organization in the wrong direction.

However, by taking a proactive approach and involving the right stakeholders from the beginning, you can ensure that your company’s security program is focused on managing risk rather than being bogged down by processes.

Therefore, if you’re struggling with where to start or how to prioritize your company’s security initiatives, we can help. Schedule a call with one of our executives today and we’ll help you develop a plan that makes sense for your business.
