25 months in: What I’ve learned starting a cybersecurity company


This is the second part in a series. If you haven’t read the 18-month one, you should. It’s here: https://fractionalciso.com/18-months-in-what-ive-learned-starting-a-cybersecurity-company/

After re-reading my 18-month blog post I couldn’t believe how much has changed with our business and with me in just six months. Okay, seven months but I started writing this post at the six-month mark. June was a super busy month with lots of client work and several speaking engagements.

The jump our business has seen over the past six months has been tremendous. I now expect to sign a new agreement each month. You might ask how we did it. Here is the answer…

I’m not sure! But here are some of the things that we’ve done and learned.

Administrative Assistant

We hired a part-time administrative assistant. They say that time is money, and they are not kidding! Running a small business requires lots of administrative paperwork. (Like, a lot.) I only track client time and not admin work, but I guess that I easily spend five-plus hours every week on administrative tasks. For someone who does not like administrivia, it is mentally burdensome and keeps me from doing important client things. If I can effectively hand off a couple of hours of work, then I have more time and my mind is freed from these tasks.

Proposals Management

“Send me a proposal” should be considered the most evil sentence ever uttered. The salesperson on one side of the conversation (me) is giddy with excitement: “I am going to make a sale.” The person on the other side is thinking, “Is this going to be 10 grand or a million dollars?” Or even worse, “Asking for a proposal will get this guy off of the phone.” I have learned the hard way that you should only send a proposal if it is going to move the relationship forward. While things are not perfect, I have improved in this regard.

Understanding the motivation for the proposal is really important. Some good questions to ask:

  • “Who will be involved with the decision-making process to bring us on board?”
  • “After I send the proposal what would be the next step?”
  • “Can we schedule a review meeting to discuss the proposal for later this week?”

You want to make sure that the proposal is not a tool for getting you off of the phone or just for calibrating your fees against your competitors. If they are willing to meet again to discuss it, then even if they aren’t that serious about you, you have a chance to win the business.

I also like to set expectations that the fees will be in the tens of thousands of dollars. Even though I frequently let prospects know a price range, it is still not perfect.

Alan Weiss’s “Million Dollar Consulting Proposals” is a great book if you are selling professional services.


Set Written Goals

Wow! Are written goals powerful. At the beginning of this year, I wrote out a document with 16 goals across four categories: Financial, Client, Marketing, and Company Process. We have achieved six of them already, which of course means that some of them weren’t ambitious enough. Six we look to be on track for. Two will require some work to measure. And two we will clearly not achieve, including publishing 48 blog posts this year. Although if we achieve our pipeline and revenue goals, then I won’t worry too much about that one.

Content Creation

Whoever coined the “publish or perish” phrase must have been trying to promote their corporate website. We have had really positive results with clients finding us through our website. We definitely have more work to do here (see the written goals section above), but I am a huge believer in content creation.

Here is the secret of content creation: write something that people want to read! Write about stuff that you are an expert on and where there are not similar articles out there. Write long, long blog posts. Long like 1,000 – 2,000 word ones. Just like the one you are reading now. Google rewards these types of posts and sends traffic your way.

You don’t know what will be a hit but I have had some great ones. Here is the LinkedIn response to a recent article I wrote on IoT platforms. (Something I am an expert on having helped build and work on the security for two of them.)

For those of you that are unfamiliar with “reactions”, 98% of them are Likes.

Hire Hard, Manage Easy

I talk to a lot of people every day. Many of them have great advice. One of them, Ken Wilkins, whom I connected to through a mutual former colleague, recently said something to me that resonated: “Hire hard, manage easy.” It is one of those expressions that has been around for a long time, but evidently I was out of the room every time someone said it. I am a big believer in the philosophy, so now I have a name for it.

I have always believed in practical tests when recruiting. When working for larger companies, I used to torture candidates with presentations that they would make to our organization. It was a terrific predictor of job success. I once told a hiring manager not to hire one candidate who had a terrible presentation. He did anyway and the candidate did not work out well. A candidate who gave the best presentation turned into one of the best employees I ever hired.

At Fractional CISO we have moved to a model of an employee fit test run by an HR assessment service. It is crazy how well the test can predict behavior. We also have candidates submit a writing sample, which you might think would not be hard. It is surprising how many candidates cannot write a few paragraphs clearly and concisely. When candidates come on site, we give them a number of practical tests in addition to the traditional interview. We have the “hire hard” part down.

We are about to bring a new cybersecurity analyst onto the team. We are really excited about her joining. She was able to successfully navigate all of the challenges. The need is fueled by a booming cybersecurity market and a great network of people that I know and have met.

On the manage easy part, the team is very conscientious and self-motivated, giving us a well-rounded skill set. My role as a manager has been a pleasure so far, so hopefully I have that one down too!

Virtual CISO Business Model

I have spent a lot of time thinking about the right business model for the Virtual CISO space. From looking at what my peers are doing, it seems that there are a number of possibilities for a successful model.

Just like any new industry, we need to better figure out the business model. I have consistently looked at how CPAs do things. This topic is one that I intend to work on in the coming months and maybe you will see a post dedicated to this one in the near future.

If you are a fellow Virtual CISO or aspiring Virtual CISO then let’s chat about the Virtual CISO business model or anything else on your mind.

Creating a Company Culture

It might seem silly for a company with 2 ¼ employees growing by 1 in the near future to be focused on company culture. I see further down the line where we are a 30-person dynamo that most mid-sized companies would be crazy not to do business with.

For most everything that we do, I work to justify it in the Fractional CISO company culture framework. I don’t have a Netflixian culture document, yet. But it is on my to-do list!

Minor Cybersecurity Interlude

Sorry for talking about cybersecurity in a business blog post, but it is the subject matter of our business. One of the biggest security challenges we’ve found is right-sizing frameworks that were clearly designed for large organizations for our smaller clients.

CIS 20 Controls

I really do like the CIS 20 framework, but it isn’t great for smaller enterprises. It assumes that the organization has already made some progress in many of the areas. For a small client that has very little, my advice is to focus on protecting Internet-facing infrastructure and minimizing phishing. With the CIS 20 (the numbering here follows CIS Controls v7), those are controls 7 (Email and Web Browser Protections), 12 (Boundary Defense) and 17 (Implement a Security Awareness and Training Program). It would be security malpractice to focus on Maintenance, Monitoring and Analysis of Audit Logs (#6) before those other items.

We use a modified framework, but it would be great if it were an industry standard that we could follow instead of explaining to clients why they need to work on #17!

Our Clients

I would be remiss if I didn’t cover our clients. We are very lucky to have a bunch of great clients. They are almost all appreciative of the work we do. We enjoy their collaborative spirit and learning about their business and security challenges.

Why do we get along so well with them? Many of our clients are people that I had a previous relationship with, so I think that helps. A lot of our clients are founders, and they may have a soft spot for other entrepreneurs. So, I don’t know the magic for getting great clients, but I sure am happy that we seem to have it!

Summary

To summarize, client and security focus seem to be part of the recipe for success. Hard work doesn’t hurt either!

If you would like help with your cybersecurity strategy or program, give Fractional CISO a call for a complimentary consultation. We can be reached at (617) 297-9509 or by email at [email protected].

Rob Black
Rob founded Fractional CISO in 2017 and has helped dozens of mid-size SaaS and technology companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).
