Improving Security Without a Security Team

Five Things To Help Your Organization Now

Helen Patton
5 min readDec 14, 2022

--

smoke in rainbow colors
Photo by Pawel Czerwinski on Unsplash

Professionally speaking, if I could wave a magic wand I would provide security support to every company, agency and organization, regardless of size, industry, or age. Unfortunately, too many organizations can’t find or afford a security team, let alone a Chief Information Security Officer (CISO). The task of “doing security” falls to some poor schmuck, usually in IT, who has to try to make security happen while also doing their day job, a herculean task if ever there was one. Even if there is a team, often they are under-resourced and over-worked, and managing security on their own can be overwhelming.

Something that is often overlooked by business leaders and security leaders alike, is that there are things a business can do to reduce its security risk, or improve its security capabilities, without doing anything that requires a security program, tool or service — and doesn’t involve outsourcing services to a security company. Small companies, start ups, and organizations struggling to resource security properly may wish to consider some of these things…

Data Management and Reduction Plan

You don’t need a security team to classify your data and get rid of data you no longer need. Ask yourself (or your teams):

  • What data elements do we collect, not just from customers, but also from partners, employees, contractors and stakeholders?
  • Do we need to collect it in the first place? (for example, do you need an entire birthdate, or is simply collecting day/month or month/year enough?)
  • After we’ve collected it, do we need to keep it, or can we delete it immediately? (e.g. do you need to keep a birth certificate or transcript or drivers license, or once you’ve seen/verified the information on it can you mark the record as “verified” then delete the document?)
  • How long do we need to keep it? There can be regulations that require data is kept a certain time (legal/tax documents, medical records, etc), so it’s OK that you are keeping things for at least that time. If you’re keeping it longer than that, ask yourself why and make sure your reason is defensible (“in case we need it later” doesn’t…

--

--

Helen Patton

Written by Helen Patton

1.2K Followers

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com or on Twitter @CisoHelen or on Mastodon @cisohelen@infosec.exchange

More from Helen Patton

See all from Helen Patton

Recommended from Medium

Lists

Kim Scott Radical Candor

How to Give Difficult Feedback

7 stories202 saves

How to Lead Well as a New Manager

14 stories208 saves

How to Run More Meaningful 1:1 Meetings

11 stories149 saves

Intro to People Ops: Not Your Mama's HR

8 stories25 saves
See more recommendations

Help

Status

Writers

Blog

Careers

Privacy

Terms

About

Text to speech

Teams