Hey there.

You are a small business owner. You own your own business. Yet even still, you're probably thinking like you still worked in a job. That's to say that you've patterned your business model after trading your time for money. So your business model looks something like this:

You land some work. You declare your hourly rate. You produce some form of output over time. You receive money in trade for your time. Hey, not a bad deal, and you start marketing yourself to more clients. Your first client is happy to give you recommendations, and leveraging their trust, more people sign on the dotted line for your services. Sounds great, eh?

Well, there's an unfortunate reality happening in the background that's actually hurting you - a negative system based off of your business model. That pattern looks like this:

You see, the more work you obtain, the less time you have - because there's only one of you. You're only capable of so much output (you can only work forty, sixty, eighty, or even a hundred hours in a week), and eventually, you make a diminishing return on money.

You flat-line. You can only work so hard, with so many clients and projects, and make so much money. And system is part of what's hurting you. You're thinking like an employee.

Employees trade their time for money. It's the only revenue stream they have. But trading time for money isn't a business. It's a job. Their work isn't scaleable, which means, you can never add more time and you can never add more labor. Meanwhile, some of the ancillary effects of the system should be pretty obvious to you. The more clients you obtain:

1. The more work you're contracted to perform.
2. The less time that you have, diminishing your ability to take on new work.
3. Tardiness increases; deliverables become more and more late; quality slides and you make more errors; you over-commit and under-perform.
4. That diminishes perception and confidence. Fewer people can recommend you. You aren't paid top billing for your services. You're working as hard as you can for little benefit.
5. Your business develops a bad reputation; you burn out; cash flow becomes constrained.
6. You're out of business.

One of the first things to recognize when owning your own business is that you're not an employee. You've got to stop thinking like one. You're creating a great job for yourself but not a great business. 

Next time, I'll talk more about thinking like an entrepreneur or a business owner, and address potential solutions to this problem. Until then, think about your business. Where are you trading your time for money? How isn't your business able to scale because of your model? That'd be a great place to start thinking about how to transform your business and change your thinking.

R

Companies all across the web are responding to a multitude of security threats by encrypting the web. Energy and resources are being expended to do the better thing and make their systems as difficult as possible to compromise. This is a great thing.

However, the small business usually doesn't have the resources or know-how to tackle these kinds of complex technology problems. The little guys don't know about encryption, Open SSL vulnerabilities, two-factor identification, or risk assessment. That makes small business substantially more vulnerable to attack and compromise: their IT systems are easier to hit and exploit by comparison.

I'm spending a great deal of time this quarter talking security with my clients. I'm making a slew of recommendations to improve their defensive posture. It's the right thing to do. It'll help provide a reasonable deterrent and make them less vulnerable as low-hanging fruit. If you have concerns about the state of information security in your small business, give me a call. I'd be happy to talk about practical, low-cost approaches to address these problems.

Thanks!

R 

I often write draft policy documents for my clients. I thought I'd go through a refresh those documents, and begin a blogging series that highlights the importance of Administrative Controls.

Administrative Controls are a "best practice" approach to managing information technology assets. They are the policies, procedures, and work instructions that convey management's expectations governing the use of those assets. These controls demonstrate management's interest and engagement in the process of managing information technology.

The risk concerning Administrative Controls is found in their absence, especially in areas of technical compliance. If management never bothered to create a policy governing their IT assets, they never bothered to create and communicate expectations to their employees, shareholders, or consumers, and therefore it could be construed they never intended to manage their IT environment in the first place. That lack of attention could be thought of as negligence, like, "why didn't management take reasonable, 'best practice' precautions in managing their stuff, anyway?"

In legal terms, management loses a "due care" argument: they never understood nor accepted the risks for managing their IT environment and never took "due care" obligations seriously. That becomes a hole in their defense of a negligence claim. 

The first policy I help my clients introduce is the IT Authority Policy. The IT Authority Policy identifies the executive responsible for implementing the suite of IT policies and procedures. This is the party responsible and accountable for IT policy implementation. This document serves as authorization from the chief executive or board of directors, delegating authority for managing the IT problem, and becomes the basis from which all other IT Policies are drafted.

This is a reasonable Authority Policy that can be modified to suit your needs; it is intended for use with a small to mid-range business. Have fun with it. Meanwhile, stay tuned for more policies and procedures that'll be introduced through my blog and available eventually from my website.

R