Security can't be left behind at a rapidly growing company

CIOs are finding ways to meet both the growing business needs as well as the evolving and increasing security requirements – without sacrificing the speed needed in fast-growing companies.

Ginna Raahauge, senior vice president and CIO at Informatica, is focused on speed.

She has to be. Her software development company is growing so fast that she doesn’t want anything – not even security – to slow down production on the technology initiatives that support corporate growth.

But Raahauge has found the sweet spot to get the work done, without sacrificing strong security.

“Rapid growth often means solutions or processes could be selected outside of a governed process (by the business directly or through an acquisition that didn’t have prior governance or reviews),” she says. “Capturing those for review or detection needs to be done in a ‘friendly partnership’ way as to not impede the need for speed. Celebrate that the business needs to move at the pace of growth and create a safe environment of disclosure or amnesty approach. It’s better for them to help you find them than try to hide something.”

Security is just one item on the list of items that take priority status.

CIOs across the spectrum say they’re dealing with a rapid pace of change in their IT departments. And, indeed, many are hiring staff and getting budget increases to meet rising demands for new technologies and functionalities. However, CIOs at rapidly growing companies are contending with that scenario – and all the pros and cons that come with it – on overdrive.

“We’re always talking about how we can be more efficient and how can we be quicker, mainly because the number of projects we work on today continues to grow,” says Mike Peterson, senior vice president and CIO at CHG Healthcare Services.

Security, too, has to be done right because without it, all the speed and tech-driven competitive advantages can be for naught.

“As we scale up, we have to have better monitoring in place. There are more systems, more connections now to monitor,” says Bill Weeks, senior vice president and CIO at SquareTwo Financial, which recently grew its headcount by 32 percent, going from 315 to 416 in just one year.

He points out that his company’s rapid growth and the security requirements that come with it are in addition to the growing regulatory requirements and ever-evolving best practices and industry standards, such as those set by the Payment Card Industry (PCI).

Raahauge says ensuring speed and security requires a shift in thinking.

She explains: “[Neither] security nor IT should ever slow down the pace of delivery; a better objective is to move with speed by changing the mindset of having security at the forefront of the design or business requirement vs. an afterthought or necessary evil. Leading with security as a capability that could be a differentiator during growth allows for exponential growth to occur.”

But not everyone says security in hypergrowth companies looks any different than security elsewhere.

“For the most part, the security challenges are identical,” says Darren Tedesco, managing principal of technology for Commonwealth Financial Network.

Although Tedesco says his company’s growth rate doesn’t impact his security strategy, he does acknowledge that both the overall growth of Commonwealth Financial Network and expanding cybersecurity threats have prompted some changes.

“We’re hiring ethical hackers, or security companies depending on how you want to label them, to try to breach our systems, but I don’t think growth has anything to do with that,” Tedesco says.

Troy Cardinal, CIO at audit, tax and consulting firm RSM US LLP, had a similar take.

“To me, there really isn’t a link between the fast growth pace of our firm and security,” he says.

That, though, doesn’t mean staying with the status quo, he says. Just as overall IT spending has increased, so have the money and additional resources he has allotted to security, Cardinal says.

“We’re spending more time and energy on security than we have in the past, but we’d be spending it even without the growth,” Cardinal says. “We’re in a new era with security, where the focus has shifted over the past few years, from having to prevent all breaches to the fact that it’s not a matter of if, but when, so if we’re going to be breached, how do we respond.”

As such, he says he treats security policy like disaster recovery: he’s running security simulations to put his team through its paces and to test policies and procedures in case of a real breach – something that savvy IT leaders have been doing around disaster recovery and business continuity for years.

“We’re doing testing cycles every six months to run scenarios and see what we are going to do in the case of an actual breach,” he says. “We’re just starting the process, just like you hear about DR tests every 12 to 18 months. We’re going to do a cyber incident test every six months to test our response.”

To meet growing security demands, Weeks says he’s adding additional security staff, working with outside security experts, and ensuring that security is part of all the new projects, systems and capabilities his team is adding to keep up with corporate growth.

“It’s money and technology,” says Weeks, who has noted that his company has invested millions in security infrastructure over the past few years as well as in building more robust knowledge and skills.

He adds: “It’s just something we’ve got to do. We’re going to keep doing more and more and more in this space.”


Stories by Mary K. Pratt
