Part of our series on Security for Medium Businesses.
A medium business usually has the same security threats and strategies as a small business, but with an added wrinkle: consistency. In a firm with 3 principals, an office manager, and 3 technicians, it’s easier to ensure that everyone’s got their computer set up right.
When you have 150 people, getting that stuff done doesn’t take any longer; it just becomes harder to make sure it always happens.
This is important: you don’t get credit for your best effort. In security, you are only as strong as your weakest link. Consistency and tight control are especially important for delivering security results.
There are a bunch of tricks to ensure that your weakest link is still strong enough. The security and audit industries usually refer to these approaches as governance. Governance can be as simple as a checklist; here are some more approaches:
Organize the work to make the right way easier than the wrong way. There are many creative strategies in process design. Many smart people have written books and you can get advanced degrees in the discipline. Expertise in this approach is Simple Salt’s focus and competitive advantage.
Tell a computer what needs to happen and it will follow your instructions the same way every time. It’s kind of their whole thing. But remember: a computer has limited power – people often ignore the computer’s suggestions. Even if the computer is in control of what someone can do, people are amazingly creative in getting around it.
You measure something connected to the thing you want to happen. Metrics are a powerful way of staying on top of a lot of aspects of your business. Beware, though: teams generally optimize to the metrics they’re judged on. If you choose bad metrics, they may make choices to improve the metric at the cost of actual business success. Call centers are full of examples.
You (or someone else) can check on how things are going and verify that what you asked was done correctly. This is usually called an audit. Since it’s absurdly expensive to pay someone to check everything that gets done, auditors usually check only a small fraction of all the work. Audits have a bad reputation because nobody likes a judger. They have their place, and done well, they can be almost invisible. Done very well, assurance can even feel positive and supportive to workers.
Where to start?
Of these, process design and metrics are often the cheapest to do, go the furthest, and often support each other. Metrics and Process Design are also the foundation of Six Sigma. For the most important parts of your business, you’ll find all four helpful in ensuring your teams deliver what you’ve asked, and security is no exception.
This guide will extend the strategies covered in the Small Business Guide. For each security strategy, we list several examples of how each governance approach can be applied to ensure that what you want actually happens.