“They said running a small business was going to be easy.”
Said no one.
This article is written for anyone running a small business. It is not as easy as some folks think.
How do I know? I am the founder and CEO of a 18-person cybersecurity consulting company.
Over the last 66 months, I’ve grown the business from 1 person (me) to 18 of us.
I have learned a lot of things along the way. This article is way overdue. (This is the fifth part of a series.)
I haven’t done one of these in a year. Our business has changed dramatically since then.
What does reading have to do with running a business? I’m not sure why, but it does seem highly correlated with success.
I have read/audiobooked some great books over the past year. Some of the best business books here:
Managing the Professional Service Firm by David Maister – Required reading for anyone running a consulting company.
by Erin Meyer – Amazing for understanding working with people from other countries. I’ve mentally applied it to working with people from different generations. The Culture Map
by Brene Brown – “Paint Done” was my favorite part but there are a lot of good learnings from this book. Dare to Lead
by Philip Tetlock and Dan Gardner – Great book on estimation. I did the piano tuning exercise with my team. Superforcasting: The Art and Science of Prediction
by Matt Mochary, Alex MacCaw and Misha Talavera – Listened to it twice. Full of terrific advice. The Great CEO Within
by Julie Zhuo – Great recommendation for new managers on your team. The Making of a Manager
by Cees Van Der Wens – Okay, this is not a business book and they are changing the ISO standard, but it’s still a really good book if you are implementing / have implemented ISO. ISO 27001 Handbook
More than anything, I highly recommend that you spend more time reading! You can learn so much about running a business from books.
If you’ve read the past articles in this series you probably know that company culture is super important to us. We always look for ways to improve our understanding of each other and find better ways to work together.
Clifton StrengthFinder to be a fun activity that can help everyone learn more about themselves and the team. I’ll share my five strengths and summarize what Clifton means by all of them, and if I think they’re accurate!
Strategic: Clifton says that Strategic people are adaptable and can find alternate solutions. They’re good at spotting patterns and issues. Yep, sounds like me!
Learner: People with the Learner theme love to learn. The process of learning is more exciting than the outcome. Yes, the learning process is fun. I love learning about security, our clients, and our team.
Input: Input is a strange name for this strength because it’s about collecting and archiving. As a kid, I collected baseball cards. Now I collect ideas, but yes, I am a collector.
Arranger: Arrangers are good at aligning the right resources and team to get tasks done. I might be biased, but I’m really proud of my team. Definitely an Arranger!
Achiever: Clifton’s Achiever is about working hard and having stamina for work. Achievers feel satisfied when they are busy and productive. Even now, five years later, I do at least an hour of work almost every single day. Even on vacation – which is NOT something to be proud of. It is a goal for 2024 that I can take a weeklong vacation without a work laptop. We’ll see how that goes.
Speaking of the team, the team has grown since we last did one of these.
Here is the latest official team picture. Unfortunately, we are missing a bunch of folks that we hired in Q4.
So here is an unofficial picture from last week. Alas, we did not get all 18 of us in the photo due to vacations and a variety of unforeseen circumstances. We are thinking about having “I survived the Orlando QBR” t-shirts printed. QBR = Quarterly Business Review.
Next quarter I plan to have a picture of the whole current team. I wish it were easier to get all-hands pictures, but it is quite challenging when you have employees in several states and also Canada!
Entrepreneurial Operating System (EOS)
We are adopting some key elements of the
Entrepreneurial Operating System (EOS). It is covered in a series of books by Gino Wickman and others. The most well known / comprehensive one is Traction.
It is a great framework for small businesses. I love the accountability elements of it. The goal setting and management is a great framework. We have seen significant positive results in the past several months.
Advisor and peer group
The person that alerted me to EOS is my business mentor, Curt Davis
who I’ve written about in the past.
Curt is the chair of my Vistage group.
Vistage calls itself the “world’s largest executive coaching organization.” I meet with Curt and my peers on a monthly basis and work on elements of our business.
My Vistage group helps me to stay on track for running the business. Having a mentor and peer group has paid dividends for me and Fractional CISO!
Small Group Workshops
We help mid-sized companies run their cybersecurity program. We have gotten great traction in the past couple of years.
However, one thing has bothered me. It is our goal to “Help Companies Secure Themselves for a Safer World.” We do that through our vCISO engagements with clients, and by creating some of the best non-gated security content for mid-sized companies there is.
What we have not been able to do is to help smaller companies with their security program. It has not been economical… until NOW!
Just how my Vistage peers and chair create tremendous value for our business. I want to be able to do similar things for smaller companies.
I think a similar model can be applied to the early stages of a startup’s cybersecurity program.
Here’s our model for our workshops, which we’re calling the Cybersecurity Workshop Series:
12-week program of once-weekly meetings 1.5 hours in length.
Small groups of 6-10 client organizations, with up to three employees from each client allowed to join in.
Each meeting is led by a cybersecurity expert. (That’s me! To start, anyways. Eventually we will expand the program with other leaders from Fractional CISO.)
In each meeting, we will cover one cybersecurity topic and go hands-on with a couple of client environments to demonstrate the work.
Other clients will need to apply what we learned on their own between sessions.
Each client gets a once-monthly one-on-one meeting with a cybersecurity expert from my team to do a deep dive on their security challenges and get strategic guidance.
By working with small groups instead of individual clients, we can provide our cybersecurity guidance to more organizations at a much more affordable rate.
By the end of the 12-week program, each client will have measurably improved their cybersecurity posture, be much safer from cyber attacks, and have the foundational elements of a cybersecurity program that they can build on.
Ultimately, I hope that this program will enable more organizations to secure themselves, creating a safer world!
A Frustrating Limitation
The nature of cloud services does pose a frustrating problem to this model.
Securing your business email provider (usually Google or Microsoft) and cloud service provider (AWS, GCP, Azure, etc.) are two of the single most important areas for any organization to improve their cybersecurity. A poorly secured AWS implementation could, for example,
let the FBI’s No Fly List leak out with little effort.
Each vendor has very different ways of doing things, and covering all of them would require more time than I can provide in a given group. I will have to form groups based on the clients’ selected providers: AWS/Google Workspace and Azure/Microsoft 365.
The first group I’m running will exclusively focus on AWS and Google Workspace, since I’ve found that pairing to be most common among startups.
If you’re interested, but have Microsoft/Azure, please still reach out! We are soliciting ideas for our next workshop series.
Will it work?
Any new service offering comes with some questions. Notably, will it work? Will it last?
Hang on… let me look into the future and project the answer onto this white card.
I am confident that all organizations who participate in the program will walk away with an improved cybersecurity program. They will be much less likely to suffer phishing attacks or have their AWS instances hacked. They will have a good Incident Response Plan so that, if something bad does happen, they are prepared and can minimize the damage.
Psychic abilities can’t tell me how the market will react to the program, however. As a small business owner, you have to work hard to understand the market. We don’t have a market research department!
I do believe that the market responds well to those who provide value, and I know this program will be very valuable for all who participate.
Where do clients go after completing the program?
Whatever a client does after completing our Cybersecurity Workshop Series is up to them. Only they can decide what is right for their cybersecurity and business goals.
Obviously, it would be great if some of them decided to continue working with us through a future workshop series or our vCISO service offering, but that won’t be right for everyone.
I just hope that they will continue to prioritize security after their time with us.
How do I get started?
My marketing person told me that we needed to have multiple ways for readers to “convert” and get in touch with us about the program. There’s a
pricing page and form, you can contact us, and you can learn even more about the Cybersecurity Workshop Series on its overview page.
This is the fifth part in a series about my lessons learned from starting Fractional CISO. I’ve learned a lot running this
CISO as a Service business!
If you haven’t read the 18-month, 25-month, 30-month ones and 54-month ones, you should! They’re here:
Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.