I’m CISO at a fintech, and my approach to risk and security in a growing organization is to start small but set up structures that can grow. Call it a walking skeleton, that has the rough structure of the future thing but is small and simple to build/set up and run. It can then grow as you go. It is difficult to add in security and risk controls when you are large. Establish a culture of risk awareness and encourage people to think about risks and report them.
That’s just infotech though? Essential, but only one small part of the whole. And bottom up, not organically a part of the whole. I work at a small company with lax security practices and very little support for better ones from the top, and I can see how security is always an afterthought when you are growing up, and later it is already too late to do it right.
No. The principle applies to the structure of the organization and its culture in the same way as to its software.
Walking skeleton comes from software engineering, yes, that’s where I picked it up. But I intended it as a more general metaphor.
In the same way that it is difficult to add security into a software that never had it, so is it difficult to add a security mindset to a workforce that never had it. The relevant touch points are missing everywhere. HR doesn’t know what to look for, it’s not an interview topic with sufficient depth, nobody asks you to assign a strong password, pen tests are done superficially because no one knows all the endpoints to test etc.
You have to start talking about this from the start and grow all of them as you go.