This article is written as advice for aspiring Virtual CISOs (vCISO) – but it will hopefully be relatable and helpful to other small and midsize business leaders.
I am long overdue in writing this article (this is the fourth part of a series). I haven’t done one of these in 2 years. In that time our business has changed dramatically.
As we have grown from a single consultant business to a nine, soon to be double-digit, sized company, we have many new and interesting challenges.
Here are a few of the things that are most on my mind today.
I’ve thought about company culture even when we were just two employees. But as we have grown, I wanted to formalize more and more so that we were less Rob-dependent and more Fractional-CISO-culture-dependent.
I read/audiobooked a lot of company culture books and books that addressed company culture in addition to other things. Some of the better books I consumed were:
But the book that most strongly influenced my thinking around formalizing company culture was…
Culture by Design by David Friedman
That book was suggested to me by my Vistage chair, Curt Davis. (We’ll talk more about Curt and Vistage in a few minutes).
Culture by Design is focused on Fundamentals, which are behaviors that an organization must embrace – created by the organization itself. There’s a system where you do a formal roll out and then focus on just one of the Fundamentals each week. Formalization is very important for burning it into the organization, so it’s something everyone lives every day, instead of being just a fad.
I’ve been through the book three times, each time picking up something new.
Fractional CISO Fundamentals
We came up with 28 Fundamentals that govern how we do things and how we should behave. I wish I could share them with you, but they are our proprietary intellectual property.
Just kidding. Of course I am going to share them with you.
We want all candidates to see our Fundamentals to know if we would be a good mutual fit.
Here are our Fundamentals:
They work as a great tool for giving feedback to co-workers. They do a great job in setting expectations for what a good job looks like. They are a great way to get aligned with candidates to see if they might be good fits with our organization.
As Culture by Design suggests, we focus on one of the Fundamentals each week. It helps to reinforce our values with existing employees and roll them out to our newer employees.
Hire Fast, Hire Hard
One of our Fundamentals is Hire Fast, Hire Hard. The Hire Fast part might be aspirational at this point, but we have Hire Hard down pat!
We have a rigorous process for recruiting. After initially connecting with the candidate, they take a behavioral and cognitive assessment. If someone is a high fit then we quickly push them into the interview process where we have structured questions in addition to other assessments.
You might think that exposing our process might be a turnoff to some candidates. You’re right, and I hope it is; especially if the candidate is not an ideal fit.
I hope equally that it is attractive to candidates who want to work with a high caliber team. Knowing that other team members went through a similar process should help us attract the right candidates.
I always wondered how business leaders knew what to do. I know the things I know. I do not know the things I don’t know.
It turns out good business leaders connect with others who know what they don’t know.
That is why strategic advisors are so valuable, especially if you know someone like Curt Davis. I met Curt through a networking group and every interaction I’ve had with Curt has been super valuable. He suggested that I join his Vistage group.
What’s Vistage, you ask? According to the Vistage website: “Vistage is the world’s largest CEO coaching and peer advisory organization for small and midsize business leaders.”
Our Vistage group is a terrific group of small business leaders. We meet monthly to discuss organizational challenges and I’ve learned so much from Curt and my peers.
If you don’t have a strategic advisor then I suggest you find someone with consistently solid advice and hire them!
I get a lot of questions about how I can write / video so prolifically. I will give you the secret… Hire marketing help! I wrote all of this article. That is not the norm. I typically write a portion of it and my marketing team writes / cleans it up and I do the final edits.
Special shout out to Blane Erwin who makes the marketing part of my job much easier. We published 50 plus articles and lots of other content in 2021. We have even more ambitious plans for 2022!
Our team has grown significantly over the past couple of years.
We now have three vCISOs and a team of cybersecurity experts with broad and deep experience. We are able to deliver superior service due to specialization. Now, we can bring in specialists to clients to solve particular problems. This is really handy.
Fortunately, our client base has been growing rapidly. So we are going to need some help.
You can get a glimpse of our future hiring plans past the crystal ball below…
Every small business is a criminal enterprise
Every small business is a criminal enterprise. If you don’t believe me then just ask a small business owner to show you all of their state and federal posters for labor laws, minimum wage, immigration. There is a good chance they are missing some if they have them up at all.
Do you think they are doing state employment taxes correctly? Many states take days, weeks to get you the appropriate identification numbers that you need to run payroll. Of course, you might have to run payroll before you get them.
Okay, maybe not EVERY business is a criminal enterprise. “Criminal” might be too strong of a word too, but “a bunch of businesses have difficulty complying with the law,” sounds less interesting.
It is very, very, very difficult to comply with all of the state regulations from various jurisdictions. Even when you get software to do it, it doesn’t always do it right.
Anyway, the point is that we need continuing human help to manage regulatory compliance, because this is one of my least favorite parts of my job.
We hired an HR consultant to help us with compliance but we are planning on opening a req in early 2022 to help us run business operations including bolstering finance, HR and legal.
What does the crystal ball say?
My crystal ball is always cloudy, unfortunately.
While we don’t know what client growth will be exactly, we are anticipating another strong year. Many mid-sized technology companies are being pushed by their large enterprise customers to improve their cybersecurity programs.
We are planning on doubling our staff size by the end of the year. In order to do it, we will need to hire several high caliber vCISOs (approximately 3) and a number of other staff members.
We will likely have open reqs throughout the year. Currently we have two open positions but as soon as we fill them we will probably add new ones. (It is a lot of work to have many open positions.)
You can check out our careers page here: https://fractionalciso.com/careers/

We will keep it updated with the latest positions.

This is the fourth part in a series about my lessons learned from starting Fractional CISO. I’ve learned a lot running this CISO as a Service business!
If you haven’t read the 18-month, 25-month and 30-month ones, you should! They’re here: