Who owns IT?

Written by Rob Tregaskes | Aug 12, 2025 7:15:00 AM

The journey from chaos to control

A severe cybersecurity incident is the most dangerous risk most companies face. It is the greatest threat to a company’s ability to deliver for its customers, and so to its value. This is the first of a series of posts about cybersecurity risk, and how you can reduce it to give customers and investors confidence.

Your business probably started with a founder also wearing the hat of IT admin. They signed up for the cheapest and easiest-to-manage systems they could find, and barely controlled chaos followed! Founders usually need to be focussed on sales and/or product development, so as the company grows, day-to-day control over IT will often be delegated to a trusted individual or outsourced to a third party. It is only a matter of time until resource allocation challenges arise, and so it is important to think through ownership.

Types of technology in an organisation

Before assigning IT ownership, it is important to understand how the two types of technology in an organisation, IT and product, differ in character.

  • IT management is about finding the balance between productivity and security. It handles identities (email addresses), devices, internal tools, data storage, networks, servers and security. It involves careful and detailed architecting of a system stack and its associated security and access protocols.

  • Product development is about creativity and experimentation. It creates new products or features based on market demands and innovation, focusing on experimentation, agility, and calculated risks to deliver customer value and drive revenue.

Separating IT management and product development reduces conflicts and improves performance, as you can get the right character fit for each role.

The options...

Outsourcing

Outsourcing is always going to be part of the solution. How your systems are configured will determine whether you have a little or a lot of user support. Whilst it is important to do some of this in house to feel the pain and so incentivise improvement, this can’t be more than part of a person’s role initially, and it is thankless work. You will also likely need external expertise to help with some of the more technical configuration of your systems.

The critical risk with outsourcing is how you manage your outsourced services partner. You need someone commercially and technically savvy in house to ensure performance and make sure the right system configuration is being done at a reasonable cost. You cannot rely on an external organisation to drive delivery and value in the way you can rely on an internal person, as incentives will never be completely aligned.

The wearer of many hats

One of the earliest hires in many companies will be the generalist ‘fixer’ role of an Operations Manager. They will need to be tech-savvy and resourceful, but whilst they can learn to manage the IT, they are unlikely to have the relevant experience to configure it, as the level of capability required to configure and architect systems is different from that required to operate them.

Whilst an outsourced service partner can do most architectural config changes, the Operations Manager will still need to do some iteration and tweaking, so there needs to be some provision for learning, experimentation, and testing. They might also benefit from guidance from a consultant.

Dedicated IT Management

At some point the company will be large enough to justify dedicated IT headcount. Then it will be a case of understanding the existing context to work out the best way of slotting them into the organisation. In any situation this person is going to have to be a strong influencer and commercially savvy, with a balanced instinct for cyber risk management.

Bottom line

As the value of your company increases, you need to professionalise your IT management and reduce cyber risk commensurately, and the first step is identifying who is going to drive it. Customers will require third-party certifications and increasing transparency about your IT operations. Investors will want to see an empowered organisational owner driving a robust cybersecurity risk reduction agenda, ideally with a budget pot separate from product development.

If you are navigating some of these challenges at the moment, we can help. Our mission is to help you reduce your cyber risk, and so our help can be in whatever form is most helpful to you, from conducting an assessment of your current setup, to advising on system architecture and config, introducing trusted partners, training up staff or helping with op model development or hiring. Please reach out below 👇