
For most startup companies it is crucial to acquire and maintain high levels of growth to sustain the business. Boards are increasingly pressuring startups to establish a strong information security posture while maintaining the momentum needed to grow. Balancing security with the need for rapid growth can be challenging, especially in today's environment where many organizations have either faced a data breach or are at risk of one. Board members are asking, 'How are we protecting our organizational resources?' as concerns about security and privacy continue to rise.
From my experience, many organizations run their business like a car in need of repair. The body or sub-frame may have cracks or rust, and there are visible signs (such as the check engine or warning lights) indicating that something needs fixing. Just like a car, a business can keep going for a while, but eventually these issues must be addressed before they lead to bigger, more expensive problems. The key to building anything sustainable is addressing the critical components from the outset, ensuring they are done right the first time to avoid repeated repairs down the line. Building an information security program is similar and can be broken down into three essential pillars: Foundation, Integrity, and Trust.
Foundation
This first stage is the real building block of the program. When designing a new car we need blueprints, procured building materials, resources, and new production initiatives. However, before construction can begin it is imperative to understand where the organization is in its current trajectory: what are the corporate objectives, what is currently pressing, and what aspects do we need to prioritize?
In an organization, we can initiate this state by establishing the following:
- A formal risk register (a central repository for all corporate risks, each with a severity)
- An information security function charter (if not established already)
- Development and implementation of policies and standards or directives that will set the blueprints
- Commitment to, or alignment of, information security initiatives
Integrity
The second stage focuses on quality control. In other words, 'how good are we at doing the things we say we do?', or 'what does good look like?' In our car construction phase this is similar to reviewing the car body frame, ensuring the car panels are aligned to the blueprints, checking that engine oil is not leaking, and so on.
For an information security program this phase can include the following:
- Conducting a series of both internal and external assessments, such as a penetration test, a cloud security assessment, or a compliance gap assessment
- Establishing metrics and Key Performance Indicators (KPIs) for the program, for example Mean Time to Remediate (MTTR), open versus closed risks or vulnerabilities, and the volume of security requests
Trust
The final phase examines the pre-delivery car and reviews the designated specifications in order to receive a safety pass for regional and jurisdictional requirements. This provides confidence and assurance that the car will operate appropriately. Other merits may include additional awards such as J.D. Power or MotorTrend's Car of the Year Award.
An organization essentially wants to say to its customers, 'you can trust us with your data'. Similarly, to raise their information security posture, many organizations look to acquire a third-party attestation, certification, or assessment to improve the quality of Trust, such as the following:
- PCI Certification
- ISO 27001 or 27002 Certification
- SOC2 audit program
- NIST Cybersecurity assessment
- EU GDPR
Furthermore, the product of Trust must also be integrated within multiple business functions, such as operations, legal, marketing, product, engineering, and IT teams, and advocated by the senior leadership team as a core commitment.
In conclusion, an information security program can be constructed by establishing these three states. Together they lead to mature information security practices that strengthen the organization's security posture and set it on a path to success. Given the current landscape, which includes a series of data breaches and compromised services, achieving the product of Trust has become challenging. However, if all business functions, including senior leadership, support the Trust model, the path to success is achievable.