This is the second part in a series. If you haven’t read
the 18-month one, you should. It’s here: https://fractionalciso.com/18-months-in-what-ive-learned-starting-a-cybersecurity-company/
After re-reading my 18-month blog post I couldn’t believe
how much has changed with our business and with me in just six months. Okay, seven
months, but I started writing this post at the six-month mark. June was a super
busy month with lots of client work and several speaking engagements.
The jump our business has seen over the past six months
has been tremendous. I now expect to sign a new agreement each month. You might
ask how we did it. Here is the answer…
I’m not sure! But here are some of the things that we’ve
done and learned.
Administrative Assistant
We hired a part-time administrative assistant. They say
that time is money and they are not kidding! Running a small business requires
lots of administrative paperwork. (Like, a lot.) I only track client time and
not admin work, but I guess that I easily spend five plus hours every week on
administrative tasks. For someone who does not like administrivia, it is
mentally burdensome and keeps me from doing important client things. If I can
effectively hand off a couple of hours of work, then I have more time and my
mind is freed from these tasks.
Proposals Management
“Send me a proposal” should be considered the most evil
sentence ever uttered. The salesperson on one side of the conversation (me) is
giddy with excitement: “I am going to make a sale.” The person on the other
side is thinking, “Is this going to be 10 grand or a million dollars?” Or even
worse, “Asking for a proposal will get this guy off of the phone.” I have
learned the hard way that you should only send a proposal if it is going to
move the relationship forward. While things are not perfect, I have improved in
this regard.
Understanding the motivation for the proposal is really
important. Some good questions to ask:
“Who will be
involved with the decision-making process to bring us on board?”
“After I send
the proposal what would be the next step?”
“Can we
schedule a review meeting to discuss the proposal for later this week?”
You want to make sure that the proposal is not a tool for
getting you off of the phone or just for calibrating your fees against your
competitors. If they are willing to meet again to discuss it, then even if they
aren’t that serious about you, you have a chance to win the business.
I also like to set expectations that the fees will be in
the tens of thousands of dollars. Even though I frequently let prospects know a
price range, it is still not perfect.
Alan Weiss’s “Million Dollar Consulting Proposals” is a great book if you are selling professional services.
Set Written Goals
Wow! Are written goals powerful. At the beginning of this
year, I wrote out a document with 16 goals across four categories: Financial,
Client, Marketing, and Company Process. We have achieved six of them already,
which of course means that some of them weren’t ambitious enough. Six we look
to be on track for. Two will require some work to measure. And two we will
clearly not achieve, including publishing 48 blog posts this year. Although if
we achieve our pipeline and revenue goals then I won’t worry too much about that
one.
Content Creation
Whoever coined the “publish or perish” phrase must
have been trying to promote their corporate website. We have had really
positive results with clients finding us through our website. We definitely
have more work to do here (see the Set Written Goals section above), but I am a huge
believer in content creation.
Here is the secret of content creation… write something
that people want to read! Write about stuff that you are an expert on and that
no similar articles out there already cover. Write long, long blog posts. Long like 1,000
to 2,000 word ones. Just like the one you are reading now. Google rewards these
types of posts and sends traffic your way.
You don’t know what will be a hit, but I have had some
great ones. Here is the LinkedIn response to a recent article I wrote on IoT
platforms. (Something I am an expert on, having helped build and work on the
security for two of them.)
For those of you that are unfamiliar with “reactions”, 98% of them are Likes.
Hire Hard, Manage Easy
I talk to a lot of people every day. Many of them have
great advice. One of them, whom I connected to through a mutual former colleague, Ken Wilkins, recently said something to me that
resonated: “Hire hard,
manage easy.” It is one of those expressions that has been around
for a long time, but evidently I was out of the room every time someone said
it. I am a big believer in the philosophy, so now I have a name for it.
I have always believed in practical tests when
recruiting. When working for larger companies, I used to torture candidates
with presentations that they would make to our organization. It was a terrific
predictor of job success. I once told a hiring manager not to hire one
candidate who had a terrible presentation. He did anyway and the candidate did
not work out well. A candidate who gave the best presentation turned into one
of the best employees I ever hired.
At Fractional CISO we have moved to an employee-fit
test administered by an HR assessment service. It is crazy how well the test can predict
behavior. We also have candidates submit a writing sample, which you might think
would not be hard. It is surprising how many candidates cannot write a few
paragraphs clearly and concisely. When candidates come on site, we give them a
number of practical tests in addition to the traditional interview. We’ve got the
“hire hard” part down.
We are about to bring a new cybersecurity analyst onto
the team. We are really excited about her joining. She was able to successfully
navigate all of the challenges. The need is fueled by a booming cybersecurity
market and a great network of people that I know and have met.
On the “manage easy” part, the team is very conscientious
and self-motivated, giving us a well-rounded skillset. My role as a manager has
been a pleasure so far, so hopefully I have that one down too!
Virtual CISO Business Model
I have spent a lot of time thinking about the right
business model for the Virtual CISO space. From looking at what my peers are
doing, it seems that there are a number of possibilities for a successful
model.
Just like any new industry, we need to better figure out
the business model. I have consistently looked at how CPAs do things. This
topic is one that I intend to work on in the coming months and maybe you will
see a post dedicated to this one in the near future.
If you are a fellow Virtual CISO or aspiring Virtual CISO then let’s chat about the Virtual CISO business model or anything else on your mind.
Creating a Company Culture
It might seem silly for a company
with 2 ¼ employees, growing by 1 in the near future, to be focused on company
culture. But I see further down the line where we are a 30-person dynamo that most
mid-sized companies would be crazy not to do business with.
For most everything that we do, I
work to justify it in the Fractional CISO company culture framework. I don’t
have a Netflixian culture document, yet. But it is on my to-do list!
Minor Cybersecurity Interlude
Sorry for talking about
cybersecurity in a business blog post, but it is the subject matter of our
business. One of the biggest security challenges we’ve found is right-sizing
frameworks clearly designed for large organizations for our smaller clients.
CIS 20 Controls
I really do like the CIS 20 framework, but
it isn’t great for smaller enterprises. It assumes that the organization has
already made some progress in many of the areas. For a small client that has very
little in place, my advice is to focus on protecting Internet-facing infrastructure and
minimizing phishing. In the CIS 20 those are controls 7 (Email and Web Browser Protections), 12 (Boundary Defense) and 17 (Security Awareness and Training). It would be security malpractice to focus on
Maintenance, Monitoring and Analysis of Audit Logs (#6) before those other
items.
We use a modified framework, but
it would be great if it were an industry standard that we could follow instead
of explaining to clients why they need to work on #17!
Our Clients
I would be remiss if I didn’t
cover our clients. We are very lucky to have a bunch of great clients. They are
almost all appreciative of the work we do. We enjoy their collaborative spirit
and learning about their business and security challenges.
Why do we get along so well with
them? Many of our clients are people
that I had a previous relationship with, so I think that helps. A lot of our
clients are founders, and they may have a soft spot for other entrepreneurs. So
I don’t know the magic for getting great clients, but I sure am happy that we
seem to have it!
Summary
To summarize, client and security
focus seem to be part of the recipe for success. Hard work doesn’t hurt either!
If you would like help with your
cybersecurity strategy or program, give Fractional CISO a call for a complimentary consultation. We can be reached at
(617) 658-3276 or by email at [email protected].