You are understaffed and underfunded and now your new customer wants you to conduct risk assessments? Assessments of what, your own garage?!
Jokes aside, every start-up owner or CEO of a small to medium enterprise has probably been there at some point. Instead of getting started on your never-ending to-do list of important things, you had to spend your valuable time on some security stuff.
As annoying as it may be, this has to be done sooner or later, and the earlier you tackle it, the less of a problem it will become in the future. So, when is the right time to lay out your security management basics? If you are asking this question, the answer is probably right now.
Security can get fairly complex pretty quickly, so it is important to have a clearly defined structure right from the start – otherwise, you are bound to get stuck with a system that cannot handle the load.
Work smarter, not harder, and plan for the future. You will thank yourself later.
Deciding on the approach can have a pretty significant influence on the overall framework of your security management system. Impact-based and scenario-based approaches are the two most common ones. One focuses on ensuring the continuity of operations, the other on preventing specific threats or scenarios. Both have their pros and cons, and it is safe to say that they work best in tandem. The compliance-based approach focuses on – surprise! – ensuring compliance with security standards. It is probably the easiest of the three to enforce; however, it will likely become insufficient on its own at some point down the road. Just complying with standards doesn’t always mean being prepared for a real emergency.
You can choose to blend those three together or even not distinguish between them at all. However, for a security newbie, the compliance-based approach is probably the easiest one to tackle.
I am ready, you say. Bring it on. So how do I tackle it?
Well, to enforce security standards, first you need some standards. Whether you keep them in a document, a spreadsheet or as guidelines doesn’t matter that much. As you acquire more assets and critical resources, you will need to expand them significantly, but the ISO standards might serve as a good starting point.
Not only do you need to have them; you must also check that they are being met. The easiest way to do that is with a checklist or a questionnaire.
Those are great tools for ensuring compliance with security standards. They don’t require your employees to become security experts overnight, they are quick and accessible, easy to understand, and they do their job fairly well. They have their limitations, of course, but using them will give you an idea of where you stand in terms of security and where you are still lacking. Once you have built them, you can re-use them until the standards change.
Of course, if you have our platform, you can use our fancy questionnaire module, but otherwise you might just want to keep your questionnaires as Excel files – so that if you decide to transition to a digital tool, you will be able to import them into the system easily.
To close this slightly too lengthy post – don’t be afraid to fiddle with your security system for a while, adjusting and changing it to fit your organization.
At the end of the day, it is all about protecting things that matter the most – your business and employees.
If you are still unsure, grab one of our free checklists – they might serve as a good example and help you meet some basic security standards.