After over a decade of working with startups and private equity, and over the last 5 years of deep Big 4 client service in different executive roles (CISO, CIO advisor, board of directors support), I am certain there is both a need for, and a lack of implementation of, information security that is adapted to the size, maturity, and capabilities of the business. This applies independently to the product and to the enterprise as a whole. To that end, I have begun building models of activities matched to each level of maturity, to bring clarity or at least a set of guidelines.
As I share with my clients … in some cases a founder is deciding between EATING and NOT. So every function and feature, including security habits, must contribute to the current needs!
I have begun working with several partners and venture capital firms on this model, but wanted to share a nice post that highlights some very informative ‘Patterns in Hyper-growth Organizations’ and what needs to be considered (employee type, tools, etc.). Please check it out; I look forward to working with the community on these models.
A snippet on her approach and great details:
We’re going to look at the framework for growth. The goal is to innovate on that growth. In terms of methods, the companies I’ve explored are high-growth, technology-driven and venture-backed organizations. They experience growth and hyper-growth (doubling in size in under 9 months) frequently due to network effects, taking on investment capital, and tapping into a global customer base.
Every company hits organizational break-points. I’ve seen these happening at the following organizational sizes:
via Mapping the Startup Maturity Framework | Likes & Launch.
KPMG put out a list of 10 to-do items for audit committees that defines excellent areas that should receive attention given the economic and competitive environments. You can find the press release here. Upon reading it I was struck by the related information technology to-do items for security and risk management, and wanted to share those that struck me.
- IT strategy should be reset – Nearly all budgets were changed in 2008/9 and required massive shifts from the original 1/2/5 year plans. Enough time has passed since that shift to the immediate short term (made to avoid becoming terminal) to pick our heads up and assess the landscape. Goals should be reviewed, priorities re-evaluated, and teams adjusted to fit the new operating norms. This is not an endorsement to double budgets or blindly return to old plans, but a call to refocus and consider the business and operating realities BEFORE moving into new initiatives.
- What was lost during the cutting? – As organizations went through mergers and shrunk budgets, certain information safeguards were impacted, whether by staff reductions or by lapses in the maintenance of systems. An inventory of the technology and process canvas is necessary to see what assets exist within the organization. Assets means not only hardware, but software, process, and the people that form the glue!
- Consider the risk landscape – As the business evolved and adjusted to the challenges of the past 2 years, many changes occurred to the operations and the structure of the business. These may include divestitures, consolidations, new partnerships, outsourcing, cloud computing, and other strategic cost-saving strategies. The end result is the creation of new logical relationships and inter-dependencies that require consideration. An enterprise risk analysis can uncover these newly formed risks and ensure that they are addressed with the appropriate and necessary safeguards.
- Duck and cover – An unfortunate consequence of a challenging year (or two) for companies is the natural response of team members to keep their heads down and avoid making sudden moves that may draw attention. This directly harms the business – a loss of innovation, goodwill, and full engagement of each associate. Leaders can address this by communicating the state of the business and taking demonstrable actions that solidify the message.
The most important aspect of IT strategy and the business is to re-center, focus on the people, and push/pull/drag the organization to a stronger, more secure future.
James DeLuccia IV
The other day I was reading a post by Alan Calder that referred to a presentation overview covering mergers and acquisitions entitled IT Governance and Mergers. This topic has interested me for some time. Merging two organizations’ information environments is a very complex situation, and one that I feel must be strongly considered by all practitioners and executives alike. A few considerations about how we are defining M&A:
- The blending of two information systems can be two separate public companies merging through some financial arrangement
- In other cases, and much more commonly, the organization may be centralizing the technology environment after years of organic regional self-governance
- A third case to consider is the re-development of the information environment (i.e. cancelling the BPO and bringing technology systems back in house)
The convergence of information environments covers all aspects of an organization – its controls, its processes, and its people – at once. In the article the author does an excellent job highlighting the results of a conference session he hosted on M&A. He breaks down some great points to consider and pitfalls to be wary of when technology centers merge together (the focus is on law firms but is wholly transferable to any organization). I would strongly recommend reading his full post, as he had access to numerous high-level CIOs.
While a full breakdown of M&A best practices is a worthwhile topic, this post focuses on the PCI DSS and general compliance issues that arise, and highlights some points that must be understood:
- Merging organizations creates a single entity – this applies to everything from taxes to compliance requirements. An organization that was once excluded from specific disclosure laws may now be obligated.
- PCI DSS levels of attestation are determined based on each card association’s total accounts processed by a single entity. Two organizations that merge as Level 2 merchants may soon become Level 1 merchants. This leap greatly increases the operating technology budget needed to ensure greater controls are in place, and creates the need for a plan to achieve compliance.
- Policies and procedures of each organization are different, and as these systems are merged together (which is considered best practice) there must be a full revamp of the documentary evidence.
- Merging the backbone infrastructure of an organization also introduces a larger number of access points to sensitive data, and/or increases the scope and applicability of compliance safeguards. This may require a full evaluation of the technology architecture and of the information flows through the system.
The effects of M&A on organizations are an exciting problem to solve, but it can only be addressed efficiently by achieving the following basic steps:
- Develop a consensus on the business direction after the merger through a management-level session
- Identify all systems that manage the information environment and map BOTH environments to the controls, business requirements, contractual obligations, and regulatory mandates of the post-merger business
- Prior to “flipping the switch”, consolidate and expunge unnecessary systems
- Finally, institute performance monitoring thresholds throughout the environment to further improve the organization’s information systems.
- One decision should be considered prior to every merger – should this merger happen at all? This is a strong question that must be weighed where technology environments are competitive advantages.
Other experience with M&A? Please add comments on how it affected your PCI compliance efforts.
James DeLuccia IV