My findings over 2018
I’ve spent a lot of time over the past year providing security and data protection advice and consultancy to small and medium businesses who often shy away from a good standard, or any standard, of security due to costs.
A large portion of this was guiding businesses to free resources and self-help services to keep costs down, but it always came back to things not being clear or too ambiguous for most, as the businesses wanted clear answers, clear responsibility and to know that they are doing things correctly.
Make Security Accessible Again! (If it ever has been)
To summarise, SMEs do care and do want to make changes, but lack the expertise. The key is to give clear outputs and clear directions… the perfect solution is achievable certifications and automated solutions!
I have a finding, what can I do to make this easier and more efficient?
I’ve been teaching myself to code since starting Mappd, as it was a gap that I had in my skill set, so I used my regular consultancy as a starting point for a development or coding project — the vast majority of security and data protection consultancy is Q&A, gap analysis and risk assessments, which I firmly believe can be automated and scaled to allow the masses to get professional experience at an affordable cost.
The subject of automating professional services is for another conversation, as there are huge opportunities here to be had for enterprises, service providers and SMEs alike, but security is my area of profession and one where there are also great opportunities to achieve efficiencies and scale.
In my case, I’ve been running a startup and working with a portfolio of companies under my consultancy business Periculo, so spare time is a thing of the past. When juggling this amount of work, it’s really important to strike the right balance to ensure that you are always progressing effectively, as otherwise you find yourself firefighting and not moving forwards.
2018 has been a year of driving business forward whilst analysing what can be condensed and made more effective at all times to allow for the juggling of multiple workloads.
However, if I can automate and streamline some of my more tedious work, I’ll be able to work more on the important parts whilst giving existing and new clients something that is equally as beneficial. For example, my typical workflow is:
Preliminary audits and assessments;
The majority of clients that want to achieve certifications ask for a preliminary audit to ascertain their level of compliance. I typically charge a day rate for this as it can get complex dependent on findings, typically taking a day or so including a simple Q&A, gap analysis and reporting of risks and findings.
The old solution was to sit down with the client, walk through their business, go through the assessments, record findings and look for evidence.
Consultancy and support to complete post assessment findings;
Once the company has received their report, had their wrap up meeting and all findings explained, they are usually left to carry out the tasks. This usually results in a phone call a few weeks later asking for me to carry out the changes for them or come back to help, which again is charged as a fixed price or day rate piece of work dependent on complexities.
The old solution to this step was to give a set of tasks related to their gaps, showing how they can fix them, with tips and hints alongside consultancy.
Follow on services, consultancy and process building
After the tasks are complete and certifications have been achieved, organisations often struggle to maintain the new processes moving forward and stay motivated. The worst thing an organisation can do, in my opinion, is use a certification as a tick-box exercise and leave it to an annual activity, as in reality it won’t make a difference and is wasted money.
If you can keep motivated and consistent, it will work out to be more cost effective to maintain compliance throughout the year, which is why most clients ask for follow on services, managed services or annual audits to ensure they don’t overburden their staff and give them time to work out the best operational model for it, especially if there aren’t a large number of them.
The old process was to give them a set of documents and processes, and regularly check in to ensure that they had been followed and look for some evidence… (another repetitive, simple step)
The eureka moment
Process 1, repetitive and ability to automate… process 2, repetitive and ability to automate… process 3, repetitive and ability to automate… there’s a theme here.
I can do the majority of this remotely, at scale, for a much cheaper price and cover a much larger demographic WHILST reducing my workload to focus on my startup and honing in on my coding skills… mission accomplished.
I then began to build a tool for myself to take a customer through an initial audit, carry out a gap analysis, produce findings and risks and allow a company to track through to completion and gain their certification at the end.
I can now give the customer the ability to follow the traditional process if they prefer, or have the DIY option, supported by chatbot or human chat AND maintain their compliance year on year, at a fraction of the cost they are used to, but with the ability to offer it to an extremely large customer base.
I won’t go into detail on the processes of how I built it as I’ve written too much already, but if there is a demand, I will write up how I built it, the challenges of learning to code and even the juggle of doing this with very limited time. Feel free to leave a comment.
The tool can be found at the Periculo website https://periculo.co.uk
I’m always looking for feedback, improvements and thoughts so please do get in touch. If this tool is something of interest please get in touch.
I’ve analysed my 2018 to see how technology can make me more productive and more efficient in 2019. I would encourage you to do the same, as technology is so accessible and able to help in many sectors. Please share your experiences, and I hope you all have a good Christmas and New Year.
P.S. If there are consultants or auditors reading this, please take it with a pinch of salt. I mentioned at the start that a large portion can be automated and these are the bits that I refer to as simple. It doesn’t mean that consultants are carrying out simple work, as the most effective consultant is the one who gives the personal touch, personal experience and ability to join dots in a unique way — this should stay, and be promoted, but straightforward audits and assessments can definitely be automated and cheap to provide great value for money and a great foundation for an organisation to work from.