Perimeter
5/1/2012
03:16 PM
Connect Directly
RSS
E-Mail
50%
50%

What Works For One Does Not Work For Two

To remain compliant, your approach must grow in scale with your business

My wife, Doris, is the founder and president of a company in the real-estate industry. I once heard her explaining how systems and processes must be rebuilt for each new scale of a business. "What works for one does not work for two. What works for two does not work for three," she said.

What a great concept. Whether you are adding more staff, more locations, more servers, or more processes, we must realize that doing the same things harder or smarter is rarely enough. We must accept that the scale of the business has changed, requiring that all associated tasks and systems maintain the same scale.

For instance, if you add an additional location to your organization, new processes are likely required. Computers may require new secure remote access to off-site servers, technical support may not be "just down the hall" for these users, and the staff responsible for compliance and security may not be in the same building as before.

Sometimes the biggest challenge is realizing the scale has changed. Perhaps a department grew from two employees to 15 in only a few months. How these employees work together and coordinate their tasks likely transitioned with each hire. With the transition, did the documentation of their work processes change, too? Did security measures change? Were managers or leads introduced into the process?

The more people, locations, data, and public exposure an organization adds, the more risk it creates and assumes. In time, properly managing this risk requires new systems and new processes. This includes new compliance-related systems and processes. How an organization monitors and addresses issues is never a completed task but an ongoing process of business culture and behavior.

In our office and for our client projects, we frequently contend that the fastest way to do something is to do it right. This mantra works great for organizations that are growing and need to remain (or become) compliant. Build in the new processes needed for proper and practical compliance as growth occurs. This makes the growth more solid and removes the need to come back after an audit and redo hastily built processes and procedures.

In the long run, thoughtful scaling not only saves the organization time, but also significant revenue. It also reduces the temptation to build ill-fitted extra steps to meet compliance requirements and helps prevent situations where dangerous cover-ups can seem like reasonable solutions.

Business growth is exciting, and those responsible for maintaining compliance don't have to be the party-poopers. Growth is an opportunity to help your organization build solid processes, procedures, and culture. Treat it that way.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within. He is the author of the book Nerd-to-English and you can find him on Twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.