If I could give only one piece of advice to CTOs and IT teams, it would be this: Data security is not just an IT task—it comes down to people and processes. As a startup CTO, you’re often going to lead the charge when it comes to information security for your firm.
According to the Identity Theft Resource Center, U.S. companies and government agencies suffered a record 1,093 data breaches in 2016—a 40 percent increase over 2015. We’ve all seen the headlines and the high-profile victims, but attackers don’t discriminate when it comes to security breaches. Any company can become a victim, leading to losses of your data, your customers’ data, financial information, proprietary product information, and, ultimately, a loss of goodwill in the market. As more processes move online and into the cloud, companies increasingly feel this burden of staying secure.
The solution? Establish information security standards
To reduce your risk of an incident or breach, I highly recommend obtaining an information security certification that makes sense for the markets that your firm serves. In addition to making your data and services safer, it will give your customers peace of mind and provide a competitive advantage in the market.
It will also help lower expenses or prevent loss of business due to interruptions in service or data leakage. If your company has been growing rapidly, obtaining a certification will provide an organized method for escalation and response to security incidents and will force you to define responsibilities, such as who will manage information assets, who has the right to access certain systems, and how to manage the offboarding of employees so they don’t take your data with them.
At Cloud9 Technologies, we recently went through the process of obtaining ISO 27001 and SOC 2 certifications, two of the most widely recognized security standards, each of which lays out best practices for information security management.
4 key components of the security certification process
I’ll be honest with you: Obtaining a certification required exhaustive documentation and a dedicated team, but the result was a robust method for protecting our firm and the data of our users, as well as a distinctive talking point for sales. Here are four important things to keep in mind when going through the security certification process.
1. Choose the right certification
Do some research on certifications that are relevant to your industry and your product. What are your customers looking for? Will that certification help reassure your customers and help you win more business? Common certifications that not only provide a comprehensive security program but are also recognizable to your customers are ISO 27001, SOC (1, 2 and 3), PCI, NIST and COBIT. Once you determine the certification you’re working toward, appoint a manager or a management team that understands the procedures and milestones needed for that accreditation.
2. Take your time when assessing risk
The first step when beginning a security certification process is risk analysis and assessment. You will likely need to submit a formal risk assessment report as part of your certification, but this process also provides a roadmap for addressing the gaps in your current security policy. Look at the standards required by your certification, and identify your assets, vulnerabilities, threats, acceptable levels of risk, and availability of information. Risk assessment may take weeks, or in many cases months—but that’s a good thing. This effort should be detailed and comprehensive.
Once the risk assessment process is finished, you’ll know what areas are crucial for your company, and you’ll be able to create a step-by-step plan for addressing any gaps in your security coverage.
3. Documentation, documentation, documentation
This is so important that I’ll say it one more time—documentation. It’s crucial to keep detailed records of your policies, controls, procedures and progress against the certification standards. When you undergo a security certification audit, you need these documents to prove objectives have been achieved and procedures are actively being implemented. It’s also the most reliable way to keep track of what you’ve done and what you still need to accomplish.
Plus, you don’t just achieve the certification and get off the hook. Many standards involve annual review processes and periodic re-certification, so you can’t become careless after the auditor leaves. Make sure you have concrete plans to continuously improve and document the security practices that are integrated into daily operations. It will make your re-certification process that much easier, and it will ensure you are consistently de-risking your firm’s business on an ongoing basis.
4. Get everyone in your company involved
Engage each and every one of your employees in information security best practices. It’s crucial to establish a mindset and culture of compliance to protect your firm. This step is easy to overlook, but absence of employee engagement in the accreditation process is the second most common reason for project failure. It should be emphasized that the entire organization shares the responsibility for keeping company data, proprietary information and even the office premises safe.
Hold regular meetings to explain the significance of the certification, how it will help your company and what it means for customers. Keep employees informed of the objectives, and let them know what they can do to contribute to your company’s certification success.
Keep track of what is working and what isn’t with employees, and communicate to them about what needs to be improved. Don’t be afraid to gamify the process. At Cloud9, for example, we gave out “red cards” if employees didn’t lock their computers, which kept people aware of their actions. Through the certification process, as well as after, it’s important to designate an internal champion who maintains standards and motivates these security efforts—and whom employees know to alert in the event of a security issue.
Following these steps will assist you as a CTO in charting the waters of information security. They will also ensure you implement comprehensive safeguards against security threats at your firm, regardless of whether you’re in the process of securing compliance certifications.