You have a brilliant concept for a new product or service. You’ve gotten funding and created the core of a great team. To see your dreams become reality, you willingly pay the price of 80-100 hour work weeks.

But sometimes it seems the rule-makers are doing everything they can to get in the way. This time it’s cyber security.
Finally, you have your first big customer lined up, and here comes their due-diligence team. They send you a questionnaire with hundreds of items about cyber security, backups, disaster recovery, encryption, and myriad other arcana. It is a sobering moment. Your customer takes this seriously because they’ve been whacked by their regulators after a nasty and all-too-public data breach. The information risk management folks are in no mood to compromise, having gotten the word that if there’s another breach heads will roll.

What does it take to satisfy IRM and win the business?
All it takes, it seems, is answering Yes to 400 detailed questions like “Do you do background checks on all employees?” and “Do you protect all your critical data with strong encryption?” – most of which you have never thought about before. On top of that you “must have” certification of your security controls by an independent third party, like a SOC2 or ISO 27000 audit. Then you learn that the next customer has its own requirements.

It’s enough to drive one mad.

You need a strategy to address this big new business risk, and quick!
In a series of notes like this one, I’ll give the small-medium business executive some practical tips on how to meet these challenges in a rational, businesslike way – without going either broke or crazy. What is easily lost in the technical minutiae and, lately, the fear, uncertainty, and doubt about cyber security, is that managing cyber risk boils down to the same basic management principles you use in the rest of your business. My aim is to show you how to apply those principles in a simple and intuitive way, so you can focus on growing your business.