Perimeter
5/1/2012
03:16 PM
50%
50%

What Works For One Does Not Work For Two

To remain compliant, your approach must grow in scale with your business

My wife, Doris, is the founder and president of a company in the real-estate industry. I once heard her explaining how systems and processes must be rebuilt for each new scale of a business. "What works for one does not work for two. What works for two does not work for three," she said.

What a great concept. Whether you are adding more staff, more locations, more servers, or more processes, we must realize that doing the same things harder or smarter is rarely enough. We must accept that the scale of the business has changed, requiring that all associated tasks and systems maintain the same scale.

For instance, if you add an additional location to your organization, new processes are likely required. Computers may require new secure remote access to off-site servers, technical support may not be "just down the hall" for these users, and the staff responsible for compliance and security may not be in the same building as before.

Sometimes the biggest challenge is realizing the scale has changed. Perhaps a department grew from two employees to 15 in only a few months. How these employees work together and coordinate their tasks likely transitioned with each hire. With the transition, did the documentation of their work processes change, too? Did security measures change? Were managers or leads introduced into the process?

The more people, locations, data, and public exposure an organization adds, the more risk it creates and assumes. In time, properly managing this risk requires new systems and new processes. This includes new compliance-related systems and processes. How an organization monitors and addresses issues is never a completed task but an ongoing process of business culture and behavior.

In our office and for our client projects, we frequently contend that the fastest way to do something is to do it right. This mantra works great for organizations that are growing and need to remain (or become) compliant. Build in the new processes needed for proper and practical compliance as growth occurs. This makes the growth more solid and removes the need to come back after an audit and redo hastily built processes and procedures.

In the long run, thoughtful scaling not only saves the organization time, but also significant revenue. It also reduces the temptation to build ill-fitted extra steps to meet compliance requirements and helps prevent situations where dangerous cover-ups can seem like reasonable solutions.

Business growth is exciting, and those responsible for maintaining compliance don't have to be the party-poopers. Growth is an opportunity to help your organization build solid processes, procedures, and culture. Treat it that way.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within. He is the author of the book Nerd-to-English and you can find him on Twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.