Security can't be left behind at a rapidly growing company
She has to be. Her software development company is growing so fast that she doesn’t want anything – not even security – to slow down production on the technology initiatives that support corporate growth.
But Raahauge has found the sweet spot to get the work done, without sacrificing strong security.
“Rapid growth often means solutions or processes could be selected outside of a governed process (by the business directly or through an acquisition that didn’t have prior governance or reviews),” she says. “Capturing those for review or detection needs to be done in a ‘friendly partnership’ way as to not impede the need for speed. Celebrate that the business needs to move at the pace of growth and create a safe environment of disclosure or amnesty approach. It’s better for them to help you find them than try to hide something.”
+ ALSO ON CSO: The security laws, regulations and guidelines directory +
Security is just one item on the list of items that take priority status.
CIOs across the spectrum say they’re dealing with a rapid pace of change in their IT departments. And, indeed, many are hiring staff and getting budget increases to meet rising demands for new technologies and functionalities. However, CIOs at rapidly growing companies are contending with that scenario – and all the pros and cons that come with it – on overdrive.
“We’re always talking about how we can be more efficient and how can we be quicker, mainly because the number of projects we work on today continues to grow,” says Mike Peterson, senior vice president and CIO at CHG Healthcare Services.
Security, too, has to be done right because without it, all the speed and tech-driven competitive advantages can be for naught.
“As we scale up, we have to have better monitoring in place. There are more systems, more connections now to monitor,” says Bill Weeks, senior vice president and CIO at SquareTwo Financial, which recently grew its headcount by 32 percent, going from 315 to 416 in just one year.
He points out that his company’s rapid growth and the security requirements that come with it are in addition to the growing regulatory requirements and ever-evolving best practices and industry standards, such as those set by the Payment Card Industry (PCI).
CIOs are finding ways to meet both the growing business needs as well as the evolving and increasing security requirements – without sacrificing the speed needed in fast-growing companies.
Raahauge says ensuring speed and security requires a shift in thinking.
She explains: “[Neither] security nor IT should ever slow down the pace of delivery; a better objective is to move with speed by changing the mindset of having security at the forefront of the design or business requirement vs. an afterthought or necessary evil. Leading with security as a capability that could be a differentiator during growth allows for exponential growth to occur.”
But not everyone says security in hypergrowth companies looks any different than security elsewhere.
“For the most part, the security challenges are identical,” says Darren Tedesco, managing principal of technology for Commonwealth Financial Network.
Although Tedesco says his company’s growth rate doesn’t impact his security strategy, he does acknowledge that both the overall growth of Commonwealth Financial Network as well as expanding cybersecurity threats has prompted some changes.
“We’re hiring sexual hackers, or security companies depending on how you want to label them, to try to breach our systems, but I don’t think growth has anything to do with that,” Tedesco says.
Troy Cardinal, CIO at audit, tax and consulting firm of RSM US LLP
Troy Cardinal, CIO at audit, tax and consulting firm of RSM US LLP, had a similar take.
“To me, there really isn’t a link between the fast growth pace of our firm and security,” he says.
That, though, doesn’t correspond to staying with the status quo, he says. Just as spending for overall IT has increased, so has how much money and additional resources he has allotted to security, Cardinal says.
“We’re spending more time and energy on security than we have in the past, but we’d be spending it even without the growth,” Cardinal says. “We’re in a new era with security, where the focus has shifted over the past few years, from having to prevent all breaches to the fact that it’s not a matter of if, but when, so if we’re going to be breached so how do we respond.”
As such, he says he treats security policy like disaster-recovery in that he’s running security simulations to put his team through the paces, to test out policies and procedures in the case of a real breach – something that savvy IT leaders have been doing around disaster-recovery and business continuity for years.
“We’re doing testing cycles every six months to run scenarios and see what we are going to do in the case of an actual breach,” he says. “We’re just starting the process, just like you hear about DR tests every 12 to 18 months. We’re going to do a cyber incidence test every six months to test our response.”
To meet growing security demands, Weeks says he’s adding additional security staff, working with outside security experts, and ensuring that security is part of all the new projects, systems and capabilities his team is adding to keep up with corporate growth.
“It’s money and technology,” Weeks says, who has noted that his company has invested millions in security infrastructure over the past few years as well as building more robust knowledge and skills.
He adds: “It’s just something we’ve got to do. We’re going to keep doing more and more and more in this space.”