No phrase in a fast-growing company kills the mood quite as quickly as “we need to start thinking about cybersecurity”. I get it, really I do. Your growing company has a list of risks that are likely to kill it at any stage and if we are being really honest, cyberattack isn’t even in the top 10.
That’s why, over the past decade, high-growth companies worldwide have engaged me to help mature their cybersecurity practices — with one very specific requirement. Cybersecurity has to be a tool for growth and innovation, not slow them down.
So after too many years deep inside high-growth companies big and small, here are the five things that I have learned along the way.
1. The earlier you start, the easier it is
Like most chores, it’s tempting to park security until your company is bigger, more mature or reaches a certain growth milestone. However, like most chores, the longer you leave it the more work you have to do when you finally get started.
World-class cybersecurity programs are not made up of highly expensive initiatives, implemented in a few months. They are made up of hundreds of small changes you and your team can put in place through everything you do, ongoing.
Making small changes as early as you can in your company’s life can compound over time and create a security culture that grows alongside your business.
2. The most important cybersecurity investment you will make is in creating a solid incident response plan
I know it’s a cliche for a security person to be all doom and gloom but it’s really much easier for us all to stay safe if we all assume we will be breached at some point.
That’s not to say you won’t try to reduce risk and take good care of your systems and data, it just means that there are a lot more people trying to find vulnerabilities in systems and cause harm than there are people defending.
Having a strong incident response plan isn’t admitting defeat, it’s being prepared. Having a rehearsed plan can help you identify security issues quicker, respond quickly and minimise the impact.
Think of it like your airline safety card, hopefully you never need it but having everyone on board spend five minutes reading it before they set off can save lives in the event of an emergency.
3. There are no magic boxes — security tools save you time, that’s all
Your company does marketing — you know how this works. Security products are software products just like yours. Their marketing teams do exactly the same as yours.
As amazing as it would be to have one magic box to protect our people, systems and data from cybersecurity threats, there is no such thing.
Most security initiatives can be done manually and with very little cost. Many of the security devices you see are there to automate these manual processes.
4. Cybersecurity can be a sales superpower
If you are growing fast then customer acquisition will be top of mind. The bigger the sales and the bigger the organisations you are selling to, the more security scrutiny your organisation will be under.
Remember that these customers are deciding if you and your product pose a risk to their systems.
Having a well-organised, maturing approach to security helps you communicate with these customers and demonstrate clearly how you will keep them safe. This can go a long way to securing those fairytale deals.
5. There is no such thing as ‘too small to be at risk’
Cybersecurity attacks are very rarely personal. Most attacks we see are opportunistic ways to reach a goal. An attacker may discover a flaw in a system or technology and see where it leads, hoping for financial, political or personal gain.
Sometimes these attacks lead to the theft of data or unauthorised access to specific systems but sometimes it’s just the digital equivalent of smashing the window on a random building to see if there is anything interesting inside.
Even if your company is too small or new to be purposefully attacked, you may be targeted just for the resources you use, such as AWS hosting accounts being used to mine bitcoin or send spam emails.
Whatever stage your company is in, the best time to get started with cybersecurity is now and the best way to do it is as a team. The tiny actions you can all take together can create a huge impact on the risk of your business, and help you stay safe and secure enough to grow.
Laura Bell Main is an author and founder of SafeStack.