Impact on Entrepreneurial Productivity and Efficiency

Entrepreneurship can be defined in many ways. Let’s talk about some key attributes. Entrepreneurship focuses on innovation and growth. Startup companies are full of entrepreneurial spirit out of necessity. They must innovate to enter a crowded market, and they must grow to survive. Well-established organizations have long passed this stage. As an organization matures, so does its business model. Those true entrepreneurs that started the company, or saw it through its high growth periods, often leave. They are usually replaced with very talented professional managers.

Therein lies the struggle between how to manage a business versus how to “grow” it. This is not an abstract problem. It has significant implications for security policies that must reflect the core values of the business.

A company in its early startup stages or in high-growth mode focuses on agility and innovation, and it tends to have a greater acceptance of risk. This is when you see a dominant entrepreneurial culture emerge. When a business has a large percentage of leaders who share this entrepreneurial mindset, you will also see a greater level of risk acceptance. They challenge the status quo and push the limits of policies to achieve their goals.

Conversely, as the company matures and this population of entrepreneurs leaves the company, they are often replaced with professional managers. These may be talented individuals coming from the finest business schools. But you do see a different culture emerge with a greater focus on how to sustain and manage a business. This translates into less risk taking and a clearer definition about how business should be run. During this latter maturity stage, the business starts growing its bureaucracy.

It’s not suggested that one approach is better than the other. That will depend on the business and situation. But an information security professional must recognize which attitude dominates his or her organization. In every organization, one of the two mindsets dominates the other. Security policies must be written and implemented to accommodate that mindset and its tolerance for risk.

Although there is always a dominant culture, an organization can by design be a mix of these two mindsets. The mix typically comes in when a mature company is “testing the waters” into a new business line.

Consider, for example, a company that has little or no sales presence on the Internet. It wants to start a new unit to test for feasibility by selling a limited number of products online. Let’s assume the test period is 24 months. The business intends to evaluate the success or failure of the effort. The business wants to keep costs low—it may completely disband the new unit and abandon the idea within the next 24 months. It brings in leaders with startup experience, and a clash of cultures occurs almost immediately. The new unit’s staff is under tremendous pressure to demonstrate small successes quickly. They have little tolerance for delays. They face pressure to get their applications onto the Internet quickly and to have access to information on demand. This situation promotes a tendency to take shortcuts within existing processes, which can increase risk.

Security policies need to reflect the dominant view of risk within an organization. This is often referred to as risk tolerance. You need to establish security policies that reflect the overall tolerance for the enterprise. Establish through policy those tolerances as acceptable behavior. Then create risk acceptance processes and mitigating controls for behavior that falls outside the tolerance area.

That’s exactly what is called for in the example of an entrepreneurial unit startup in a more mature organization. Although the policies would apply to this unit no differently than any other unit, their execution and mitigating controls may be different. For example, you could segment the network in a way that isolates those systems and applications being placed on the Internet. You could also grant them the elevated privileges necessary for them to create, change, and deploy experimental products. The acceptance of risk in this environment would be greater than that in the environment of well-established products and services.

This does not mean that the controls associated with an entrepreneurial unit are bypassed or disabled. A business cannot accept unreasonable risks or risks that place the company in noncompliance with regulations. It does mean that your service model for an entrepreneurial unit must change. You must adopt a service model that reflects the same agility the unit needs to stay in business. This could mean assigning an ISO directly to that business unit. Dedicating resources to the business would improve responsiveness. It would also increase costs.

Entrepreneurial businesses, like any other, need the discipline that comes with security policies to control risks. The service model associated with these businesses needs to be responsive and agile to avoid impacting their productivity. The security policies also need to support processes that can quickly escalate risks to the business for acceptance or mitigation.
