If I Had to Do It Over Again, Part 3
- by nlqip
At the beginning of this year, we invited security leaders to talk about their past failures and the lessons they wanted to pass on. We called it “If we had to do it again,” and people really liked it. A number of folks approached me wanting to tell their stories as well; so a month later, we did part two. Here are more “If I had to do it again” stories that readers sent us.
Plan the growth of your program
Paul Farrall, Vice President and CISO, Skytap
Over the past 15 years, I’ve worked at a number of rapidly growing startups that needed security programs built from scratch. What typically happened in these situations was that we built security programs in an ad-hoc fashion, and added new controls as fires erupted. (“An important customer requires that we have a Disaster Recovery Plan. Quick, go write one!”)
The problem with this approach is that before you know it, you find yourself maintaining a patchwork jumble of security controls. There’s no master theme, and you’re possibly maintaining multiple separate compliance programs with overlapping, duplicated work. This might seem obvious in hindsight—but in fast-moving startups, it can sneak up on you.
Here is what I do differently now: At a very early stage (i.e. before we think we need it), we create one master controls spreadsheet based on a comprehensive security framework such as NIST 800-53. As we develop new security controls, we document them in the master controls spreadsheet. In the same sheet, we maintain mappings to all the other security and compliance frameworks we need to support.
This approach highlights remaining gaps as we develop the security program, and makes adding support for additional security and compliance frameworks easy. We just reference everything back to the master controls spreadsheet.
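One way to turn the master controls sheet into an automatic gap report, as an added example that is not part of the original post or of Skytap's process: the control ids follow the NIST 800-53 naming pattern, while the two external frameworks and every mapping id are constructed placeholders, not a real crosswalk.

```python
"""Coverage / gap report over a master controls mapping (constructed example)."""
from collections import defaultdict

# Constructed sample of the master controls sheet: each master control carries
# its implementation status and the external-framework requirement ids it is
# mapped to. Framework names and requirement ids are illustrative placeholders.
MASTER_CONTROLS = {
    "AC-2":  {"status": "implemented", "maps_to": {"FrameworkB": ["B-1.1"], "FrameworkC": ["C-AC-1"]}},
    "CP-10": {"status": "planned",     "maps_to": {"FrameworkB": ["B-7.2"]}},
    "IR-4":  {"status": "implemented", "maps_to": {"FrameworkC": ["C-IR-2"]}},
    "SC-8":  {"status": "not_started", "maps_to": {"FrameworkB": ["B-3.4"], "FrameworkC": ["C-SC-5"]}},
}

# Requirement ids each external framework expects us to satisfy (constructed).
FRAMEWORK_REQUIREMENTS = {
    "FrameworkB": ["B-1.1", "B-3.4", "B-7.2", "B-9.9"],
    "FrameworkC": ["C-AC-1", "C-IR-2", "C-SC-5"],
}


def coverage_report(master, requirements):
    """Bucket every external requirement by how the master sheet covers it.

    covered:  satisfied by at least one implemented master control
    pending:  mapped only to controls that are planned or not started
    unmapped: no master control references it at all (a true gap)
    """
    # (framework, requirement id) -> [(master control id, status), ...]
    satisfied_by = defaultdict(list)
    for control_id, entry in master.items():
        for framework, req_ids in entry["maps_to"].items():
            for req in req_ids:
                satisfied_by[(framework, req)].append((control_id, entry["status"]))

    report = {}
    for framework, reqs in requirements.items():
        buckets = {"covered": [], "pending": [], "unmapped": []}
        for req in reqs:
            refs = satisfied_by.get((framework, req), [])
            if not refs:
                buckets["unmapped"].append(req)
            elif any(status == "implemented" for _, status in refs):
                buckets["covered"].append(req)
            else:
                buckets["pending"].append(req)
        report[framework] = buckets
    return report


if __name__ == "__main__":
    for framework, buckets in coverage_report(MASTER_CONTROLS, FRAMEWORK_REQUIREMENTS).items():
        print(framework, buckets)
```

Adding a new framework is then one more entry in FRAMEWORK_REQUIREMENTS plus the mapping ids on the existing master controls; whatever lands in "unmapped" is the work still to do.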