Perimeter
5/1/2012
03:16 PM
50%
50%

What Works For One Does Not Work For Two

To remain compliant, your approach must grow in scale with your business

My wife, Doris, is the founder and president of a company in the real-estate industry. I once heard her explaining how systems and processes must be rebuilt for each new scale of a business. "What works for one does not work for two. What works for two does not work for three," she said.

What a great concept. Whether you are adding more staff, more locations, more servers, or more processes, we must realize that doing the same things harder or smarter is rarely enough. We must accept that the scale of the business has changed, requiring that all associated tasks and systems maintain the same scale.

For instance, if you add an additional location to your organization, new processes are likely required. Computers may require new secure remote access to off-site servers, technical support may not be "just down the hall" for these users, and the staff responsible for compliance and security may not be in the same building as before.

Sometimes the biggest challenge is realizing the scale has changed. Perhaps a department grew from two employees to 15 in only a few months. How these employees work together and coordinate their tasks likely transitioned with each hire. With the transition, did the documentation of their work processes change, too? Did security measures change? Were managers or leads introduced into the process?

The more people, locations, data, and public exposure an organization adds, the more risk it creates and assumes. In time, properly managing this risk requires new systems and new processes. This includes new compliance-related systems and processes. How an organization monitors and addresses issues is never a completed task but an ongoing process of business culture and behavior.

In our office and for our client projects, we frequently contend that the fastest way to do something is to do it right. This mantra works great for organizations that are growing and need to remain (or become) compliant. Build in the new processes needed for proper and practical compliance as growth occurs. This makes the growth more solid and removes the need to come back after an audit and redo hastily built processes and procedures.

In the long run, thoughtful scaling not only saves the organization time, but also significant revenue. It also reduces the temptation to build ill-fitted extra steps to meet compliance requirements and helps prevent situations where dangerous cover-ups can seem like reasonable solutions.

Business growth is exciting, and those responsible for maintaining compliance don't have to be the party-poopers. Growth is an opportunity to help your organization build solid processes, procedures, and culture. Treat it that way.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within. He is the author of the book Nerd-to-English and you can find him on Twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8370
Published: 2015-01-29
VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, VMware Fusion 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allow host OS users to gain host OS privileges or cause a denial of service (arbitrary write to a file) by modifying a configuration file.

CVE-2015-0236
Published: 2015-01-29
libvirt before 1.2.12 allow remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot to the virDomainSnapshotGetXMLDesc interface or (2) image to the virDomainSaveImageGetXMLDesc interface.

CVE-2015-1043
Published: 2015-01-29
The Host Guest File System (HGFS) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware Fusion 6.x before 6.0.5 and 7.x before 7.0.1 allows guest OS users to cause a guest OS denial of service via unspecified vectors.

CVE-2015-1044
Published: 2015-01-29
vmware-authd (aka the Authorization process) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allows attackers to cause a host OS denial of service via unspecified vectors.

CVE-2015-1422
Published: 2015-01-29
Multiple cross-site scripting (XSS) vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) horder[], (2) jak_catid, (3) jak_content, (4) jak_css, (5) jak_delete_log[], (6) jak_email, (7) jak_extfile, (8) jak_file, (9) jak_hookshow[], (10) j...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.