Last week in the supermarket something very unusual happened to me. A lady asked me to reach up for a can of drink from a top shelf. At 5’8’’ in my pomp and shrinking fast, this is not something I am used to, and I have spent much of my life finding few benefits to being small.
But not so for companies. In recent years at Blacksmiths, we have been asked to advise start-ups on security. Having spent most of my career in large organisations and advising multinationals it has been rather refreshing to realise how much easier it is to implement good security practices when there aren’t many of you, your IT consists of three laptops and your premises barely extend beyond your mother’s spare room. Security is not rocket science, and establishing the principles at the outset is quite easy.
Unfortunately, it appears that security isn’t the first thing on the minds of company founders, and they are likely to miss the boat. Most are focused on developing and establishing their offer and getting people to buy it. Security somehow doesn’t seem that important. So, as a rule, we don’t get called until something happens.
That something might be an injection of investment funding, which comes with strings attached, or it might be an outbreak of success and the demands of customers that the company should display its security credentials (particularly so for tech start-ups). Or it may be an incident. As someone with a particular interest in insider risk, who is used to having to persuade people that personnel security is even a thing, I find it surprising how often it is an insider threat that is first to rear its head. It goes something like this. Three friends have an idea. They talk about it, work on it, develop it, become obsessed with it, and eventually decide to form a company to sell it. They are friends, and trust between them is unquestioned. Then something happens. Maybe an investor offers them money. Two of the friends think this is a great idea, and one of them thinks they should remain independent. There is a parting of ways. Suddenly, someone who knows everything there is to know about the company’s intellectual property (which is probably on the back of a napkin) leaves feeling betrayed.
That is, of course, only one example of an incident which might occur, but it is one we have seen variations of repeatedly and one which might trigger a start-up to call for assistance with their security. In the early days, we would then march in with our well-honed maturity frameworks to assess their security policies and processes. Which, of course, they don’t have. We might ask to interview the CISO, the DPO or the HR Director – they don’t have any of those either.
So, we found ourselves instead sitting down with those founders and explaining the principles of security in terms relevant to them. It forced us to sweep away all the procedures, tools and assumptions which form the bedrock of most security advice. And it is quite liberating. For a start, there are no silos yet. I spend most of my working life trying to help clients to manage their silos: between Cyber Security, Physical Security and Personnel Security (commonly all sitting in separate teams), between Personnel Security, HR and Welfare, between Security and Procurement; the list goes on. Then, we might discuss security awareness, which is pretty straightforward if the CEO gets it, because they can brief every employee in person while watching the kettle boil.
At its heart, security is about risk management. And this is something all companies must learn, not just in relation to security. Before you reach a size where you buy a tool that calculates risk to five decimal places, it is a process that can perfectly well be followed by thinking about it in the bath.
The challenge comes with growth. All successful start-ups get bigger. Often very quickly. There comes a time when you must have processes, when an HR Director and a DPO are essential and when you cannot possibly know everyone and have time to discuss security with them. CEOs grapple with how to retain the agility they enjoyed at the start when they have been forced to implement several layers of management, and all actions need to be ‘authorised’. But if they have a thorough grounding in the principles of security at the start, I would argue that they are far better placed to avoid the security pitfalls which await.
About the author
Malcolm Sparkes is head of the insider risk consultancy in Blacksmiths group. He previously held a number of senior security roles within UK Government, including running vetting within the FCDO.