From nuisance to enabler: why compliance can be your best weapon

Too often, security compliance is treated as a nuisance – something that has to be done in order to avoid getting dinged, but not something that brings clear value. Organizations don’t want to invest in it, implement it or think about it until they grow bigger. And even then, it’s typically a source of resentment.

Startups and smaller organizations often don’t place security compliance high on the priority list. It makes a kind of sense that organizations just starting out might feel that way. Founders are trying to prove that their business idea is viable and get their businesses up and running; it feels like a waste of time and money to invest a chunk of their scarce cash in security solutions before they even know if their brilliant idea will fly.

But it’s time to flip the script. While it may be tempting for SMBs to cut corners in terms of security, the costs are greater in the long term. Not only do you risk getting breached, but you also risk losing deals to vendors that can better show prospects their security posture. This piece will look at why this mentality lingers, why it needs to change and what SMBs need to know to turn security into the business enabler it has the potential to be.

Security compliance can be a value prop

Despite the ongoing headline litany of data breaches and security compromises, there’s still a misconception that compliance is no more than a necessary evil. It’s easy to understand why this belief persists; security can be a complex and convoluted process to figure out – and then you have to comply with regulations on top of it. But no one wants to be the subject of another negative headline, the latest company to wind up in the spotlight because customer or proprietary information has been hacked.

A number of what are today the world’s largest and most successful technology companies began with almost no consideration for security in their solutions or in their corporate IT. Some would argue that this is still the best way to get a company started: move fast, break things and then play catch-up when the company reaches a certain size.

But this philosophy isn’t going to get you far today. Attack vectors are increasing all the time, there are more connected devices than ever before, and more data is being collected. In addition, there are very real penalties and fines that can come from not meeting security and privacy compliance requirements for regulations like GDPR. For these reasons, a sea change is coming. People are starting to see that security assurance can be a value proposition and not just a nuisance.

In fact, security assurance can be a business differentiator that gives you advantage over competitors who don’t have it. Lacking demonstrable security compliance is a reason for prospects to move on; don’t give them that reason. Having a good security philosophy and practice, and being able to show it, can help accelerate you through the sales process and win more business.

How to bake security and compliance into your business

There needs to be a balance between having the agility of a lean startup and designing security into a fledgling product and company. But again, how do you justify the security investment? As outlined above, it’s time to treat information security as a business enabler and a sales advantage. The “work smarter, not harder” approach applies here. A core concept of security is the “ring fence your data” idea. In other words, limit your potential attack vectors.

It’s also important to know what data you’re collecting and where you’re collecting it. One of the smartest things you can do to bake in security is to really consider where and how you are storing that data. If you wait until it’s too late, then it’s everywhere – and that’s so much more difficult to grapple with. When you’ve examined your data storage from the get-go, meeting compliance requirements and/or going through an audit is that much easier.

Security leadership is important, too. A CISO will understand all facets of the business, so they can build security into its fabric. But if you don’t have a CISO at this point, you can still build information security into your business operations and create a healthy security culture early in your organization’s life. Select an individual to lead the effort – a project manager, engineering leader, product leader or sales engineer, for example. Buy an information security management system with security and privacy policies and recommended controls for the individual to oversee. That person will refine your policies to align with your business and support the organization’s functional areas to implement controls for compliance – and then needs to educate your organization about those policies

Commitment is key

For too long, security compliance has been the technology equivalent of flossing: everybody knows they should do it, but nobody wants to do it. If you want your business to have any teeth, though, you need to make a commitment to do it. Your customers, employees and investors will thank you for it.

Written by Patrick Murray.

This report/news/ranking/statistics has been prepared only for general guidance on matters of interest and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, CEOWORLD magazine does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

Email Address*

Name