
Who do I help and when do they call me?

While I help all types of organisations, I have a very specific image in my head of my typical client and the challenges that lead to them contacting me.

I was listening to a podcast recently which recommended that I write this down and hang it on the wall over my desk. (Apparently, this will ensure I will always be mindful of the person I am trying to help).

But I’ll go one step further – rather than hang it on the wall, I’ll post it on d’internet!

If this is you, or someone you know, let me know if I’m way off with this list of challenges.

I have helped many people in this position, so I think I’m closer to the truth than you’d like to admit.


(PS If you’d prefer to read this in PDF format, you can download it from here).


Who do I seek to help?

You are accountable for cyber security even though cyber security is not your area of expertise.

You know your neck is on the line if something goes wrong.

You do not have direct access to in-house security expertise – you rely on third parties.

You, your organisation, and/or your clients are risk-averse (and probably regulated).

You would all prefer to avoid any incidents that could damage reputations or lead to regulatory investigations.


What challenges do you face?

There are specific challenges in every organisation, but I bet that your most painful challenges include:


1: You don’t have the time to get your head around this

You know it’s important and you know your neck is on the line if (when) things go wrong.

But there’s always something else to do.


2: You don’t have the interest to get your head around this

You do not have IT or security expertise because you chose a different career path.

And your chosen career path is still your focus.

You’re just not interested in going down the security rabbit hole.


3: You rely on third parties but you don’t know what they are doing

25+ years of experience tells me that…

    1. Most IT contracts focus on service, not security.
    2. They seldom address security or regulatory requirements in sufficient detail.
    3. If you receive any reports from these third parties, they contain techie-speak that you can’t translate.
    4. If you have ever tried to get your head around this, you realise you don’t know the right questions to ask and/or the right answers to expect.

And because of reasons (1) and (2) above, you have not been able to sort this out.


4: You know but you won’t say

You suspect (i.e. know) that security is not being managed appropriately.

However, you don’t want to admit this because it will only mean more work for you.

And for reasons (1) and (2) above, you don’t need this work.


So, how did I do?