WIN

Greg Schaffer WINs by taking a holistic approach to information security

Ian Richardson Season 2 Episode 1


Welcome to W.I.N. (what's important now?) - the entrepreneurial podcast where we dive into business challenges, achievements, and opportunities!

Join your host, Ian Richardson, from Richardson & Richardson Consulting as he explores what entrepreneurs care about and focus on. This week, Ian hosts Greg Schaffer, Founding Principal of vCISO Services, launched in 2017 to combat the growing threat of cyber-attacks to SMBs with part-time seasoned executive information security expertise at a fraction of the cost of hiring a full-time CISO.


Carrie Richardson and Ian Richardson host the WIN Podcast - What's Important Now?

Serial entrepreneurs, life partners and business partners, they have successfully exited from multiple businesses (IT, call center, real estate, marketing) and they help other business owners create their own versions of success.

Ian is certified in Eagle Center For Leadership Making A Difference, Paterson StratOp, and LifePlan.

Carrie has helped create and execute successful outbound sales strategies for over 1200 technology-focused businesses including MSPs, manufacturers, distributors and SaaS firms.

Learn more at www.foxcrowgroup.com



Be a guest on WIN! We host successful entrepreneurs who share advice with other entrepreneurs on how to build, grow or sell a business using examples from their own experience.

Ian:

Hello and welcome to WIN. I'm your host, Ian Richardson from Richardson and Richardson Consulting, and today I am joined by my new friend, Greg Schaffer. Greg, how you doing today?

Greg:

Doing awesome. Glad to be here. How you doing?

Ian:

Hey, I'm doing well. Trying to keep warm in the Michigan winter. Greg is the founder of vCISO Services, launched in 2017 to combat the growing threat of cyber attacks to SMBs with part-time, seasoned executive information security expertise. That expertise comes at a fraction of the cost of hiring a full-time CISO. He has over 33 years of experience in both information technology and security, including 15 years as a CISO. Before launching his business, he served as the senior information security executive in higher education for the largest undergrad university in Tennessee, in government for the largest city in Tennessee, and in finance for the third largest Tennessee-headquartered bank. He's passionate about information security, both from within the job as well as for external endeavors, having participated and volunteered in leadership positions across several organizations focused on information security both locally and nationally. This passion has prompted him to pursue other information security projects designed to help small business. He produces and hosts the Virtual CISO Moment podcast, which will be linked to in the show notes, and has authored Information Security for Small and Mid-Sized Businesses, which you can get on Amazon. Look at the link in the show notes to go ahead to that book. I've got two really, really key questions. One. Okay. Tell me about this lamp. I'm seeing it right there. That's where I'm focused on. Give us a little bit of background on this lamp and what its purpose is, that one back there? Yes, sir.

Greg:

Next to the red stapler? Yes, sir. That's where I keep my ideas.

Ian:

That's where you keep yours. I can, you

Greg:

kinda like go down a little bit in the, it's above my head sometimes, you know, but, uh, no, it's just a, you know, it's just a, just a fun lamp. I thought it was a good bit of decor and all that from the office, but uh, you know, sometimes I do think that maybe some ideas flow out from there. I love that. I

Ian:

love that. And while you were in all these large organizations, did anyone try to take that stapler?

Greg:

No, because I didn't have it at the time. The stapler is a symbol of my freedom. Ah, there you go. They can't move me to the basement anymore. And no, I didn't set any of my previous organizations on fire, so

Ian:

That's good. That's good. It's always good to, always good to not commit felonies. So I appreciate that. So at WIN we always follow a, a, a standard format and, and a, a structure for the show, because this is an entrepreneurial show and we're focused on what's important now for entrepreneurs, and that's always challenges, achievements, and opportunities. And you had shared, Greg, before the show that you guys have been focused since the inception of the business on building an overall security program instead of just compliance for your partners and clients. You found that businesses need actual help instead of just checking that box off on security, off on compliance. How are you tackling that challenge?

Greg:

Well, there, there's a couple of things behind that. The first is, uh, at one of my previous, um, full-time engagements, uh, the CEO there, uh, we had a conversation at one point in time about, uh, this was when I was at the, the bank, about, um, the, how to be successful in business. I can't remember exactly what the impetus was for the conversation, but he said it's very important to do a couple of things. First of all, always recognize the ugly truth. So in other words, don't try to hide, run away from anything, but also recognize competencies, core competencies, and stick with that. And my goal in information security, I, I've been doing this, as you said, in some way, shape or form since before there even was the term cybersecurity, information security. Been doing it for several decades. But my goal has always been, I wanna make sure that, uh, I create and build and manage programs that actually make sense to help the business. Mm-hmm. And to that point, we're very focused on the idea of making sure that we help small and mid-size businesses build holistic, complete information security programs as opposed to meeting compliance. And you might ask, well, what's really the difference? Because they are related. Um, if you build a solid information security program, Mm-hmm. based on some well-known framework, there are many out there, then you will most likely reach compliance with just about any rule, regulation, standard out there to within like 80, 85%, and then you can kind of fill in the gaps after. And in the process of doing that, it's like, great, you, you, you comply with a particular regulation, but just because you're compliant with something doesn't mean that you're secure. And that's sort of a mantra that we say in the InfoSec field. I'm sure you've heard it before too. Compliance does not equal security, a hundred percent. And, and, and so by building the program, we're actually serving the business, uh, better. Mm-hmm.
I don't believe that just building a, a compliance program is, is gonna help the business, because you'll get that false sense of security. It's like, hey, you know, we, uh, passed our SOC 2, um, attestation. It's like, wow. You know, we're secure. Not really. I mean, that's just a kind of a little bit of a measure.

Ian:

I, I, I love that. Uh, I love that focus on making sure that, hey, this is a holistic view, because one of the biggest barriers from, from my previous life in IT was getting my customers engaged in security and to see the value there. And every part of an organization can have something that resonates on security. And, hey, this is why it's important. If you're in sales, it's, hey, protect your customer list, protect your prospect list, right? Like that. Those are, those are the gold to the sales rep. You don't wanna lose those, those customers or those prospects to competition. For operations, it's, hey, we need to be able to service our clients, our customers, in whatever way we are. Whether you're a doctor's office or an accountant, or a lawyer or manufacturer, you need to be able to provide service or, or build those products on a routine cadence. Finance is a no-brainer. Nobody wants their bank account to suddenly be zero on Monday morning. Right. Right. Uh, and that executive suite, every organization, every company, I have yet to meet a business that didn't have some sort of purpose for existing outside of, hey, well, we all need to make a paycheck. Everyone's there to, to do something, to solve a problem, to carve out that bit of legacy. Mm-hmm. And with senior leadership, especially if you get them on board to seeing security as, as bigger than just, hey, we're checking a box. We're, we're ch, we're, we're compliant because we have to, and we don't want to get a fine. If they embrace it as a strategic focus, that, uh, I have to imagine that you and your team see some magic happen when it, when it flows through an organization. Oh, a

Greg:

absolutely. Absolutely. And a couple of the secret sauces to success for a security program for SMBs is, is, first of all, it's not strictly an IT issue. Mm-hmm. Obviously there's IT elements involved. I like to kind of distinguish the, the, that as being the cybersecurity portion of information security. And there's some people think that, the other way around. That's okay. It's, it's, as long as you're communicating the right idea, you understand what the other person is saying. Mm-hmm. Um, and so all of those other departments, you talk about the entire business. That's why we use the word holistic. It, it involves everybody in some way, shape, or form. Information security is everyone's responsibility. But then you talk about the, uh, leadership there. Uh, leadership can make or break a good security program and, mm-hmm, um, if we don't see, again, the commitment from upper leadership for our clients or our prospects, that then tells me, again, they're not really looking to build their security program. Or maybe they don't quite understand that that's important. But the leader, a lot of times in small and mid-size, a lot of times in business you'll see where, um, the C-suite, that, well, I don't have to take information security awareness training, that's for the employees and all that. And yet they're often the most targeted, particularly like the CFO. And, and you have to lead by example. And, and without that leadership from the top coming down, your program's not gonna get anywhere close to being as efficient and effective as we'd like.

Ian:

Oh dear. The, the horror stories there. I had a, we had a, a municipality that we worked with where the treasurer of the, of the municipality got targeted by a, by a spear-phishing, by a targeted email that presented as from the city administrator, and there's a $50,000, uh, check that just walked out the door. And that's, you, you hear

Greg:

these? Yeah. That's the information security tax there. You know, you just pay tax by, uh, by not realizing. So

Ian:

Exactly. And that, and that, uh, awareness training that you mentioned, it was, it was less than 10% of that for an annual cost for that city. And it, and we kind of sat down and said, look, this is what we're talking about, is this right here. We had a, we had a, a neglect to do a $2,000 spend that just cost us $50,000. So perhaps we might reevaluate our, our strategic focus here.

Greg:

Oh, yeah, yeah, yeah. And awareness training. Awareness training is, is, is so important because it, it is low cost, as you said. Mm-hmm. but it's like everything else. You have to constantly exercise in order to keep that muscle memory.

Ian:

Just wanted to get that in. Yeah. Yeah. Just, just like a pushup, right. You could know how to do a pushup, but if you're not doing it routinely, you're not gonna have good. Yeah.

Greg:

or are you just gonna plop

Ian:

Do you, you and your team have had a couple of pretty big milestones. First off, there's, there's, uh, there's a couple of thresholds with business. There's, there's revenue thresholds and there's, there's other thresholds. But one of the big ones is a length of service. How long have you been able to successfully, and quote unquote, keep the doors open? Mm-hmm. And you've surpassed that five year milestone in business, which really separates success from failure. So many businesses will fail within 12 months, and then even more will fail within two years. And then once you've kind of passed that five year, it's gone from startup to almost second stage. Hey, we're concerned with growth and, and strategy and building the next layer of leaders and, and expansion of footprint and impact. While you guys surpass that milestone, congratulations, by the way. Thank you. There's been a focus on steady,

Greg:

sane,

Ian:

sustainable growth throughout. Mm-hmm. talk to us about how you balance the need for growth against the need for that stability in the organization and, and what your focus is there.

Greg:

Well, a lot of this came from just learning and experience. I probably didn't do it quite the right way. When I first started, I didn't lay out a huge business plan, because I really didn't know what my goals were outside of the fact that I wanted to, to eat, basically, and, and I was really just looking to be a sole owner. Maybe have somebody eventually help me here and there as a contractor. But for me it was just, I just wanted to go solo and, and do my own thing. And that was the way it was for the first two years. And then I started to bring on someone and realized that I could start to become more efficient if I created a process by which I'm more or less shepherding other virtual CISOs. And this is, this is not an uncommon business model, not only within information security, but it was something that I had to slowly adapt. And yet even at that point in time, growth, whether it be client or revenue, was really not my goal. Uh, it was just providing the, the service. And yet, during all of that, I've come to realize that a sweet spot, vCISO Services' growth has been what we've experienced, which has pretty much been steady, around 40% year over year revenue increase. I think that anything above that, we might start to get into a little bit of dilution of who we are as a service. I, I, I like to tell people, and, and I'm gonna really date myself with this reference, but I wanted to be the Matlock of information security. And Matlock, for some people who don't know, was a, uh, early 1990s show, I believe, with Andy Griffith. Mm-hmm. And, uh, involved a southern lawyer who was really good, never lost a case, had a few people working for him, but he only took on, like, things that hit a few marks. He wasn't like going out and trying to build a big law firm and all that, but he was making a difference in people's lives. That's what I wanted to do. And so long as we're growing at a rate that I don't lose that Matlock image, Mm-hmm.
I think, we'll, I think we're gonna be okay. Um, I don't have a projection, um, for the next five years except for the fact that I want to be here still doing this five years from now. I think, I think I, I think that's gonna be all right. I think I figured out how to make that work. Um, but if I were to make a guess, I'd ha, I'd have to say, uh, we're probably still gonna be 40% year over year, cuz that's manageable, that's sustainable, and we don't dilute our service. And again, like I said beforehand in the first question, that, uh, w, we, we could have grown much faster if we would take on clients that were looking just for compliance. I, I have many, just in the last six months, where I have called an end on the prospect call saying, we're not for you. Nothing personal, but for what you're looking for, there are other organizations that can better serve you in that capacity. And, and that's fine. They understand that too, cuz sometimes they're just not ready for that. I try to convince 'em otherwise, but, you know, you can't do that all the time.

Ian:

Yeah, you can't, uh, you can't be everything to everyone or else you'll be. To everyone. Yeah. The, the, the focus on making sure that, hey, we're not compromising the soul of the business, not compromising the soul of the service, and that our service quality and our, our customer experience, for lack of a better term, is always to a standard of excellence, resonates, uh, resonates true. This is, uh, Richardson and Richardson's not my first business. It's not even my second business. And one of the things that you said out there that bubbled up to me is, hey, like creation of that plan, creation of those processes and the documentation, and it's, uh, it's just such a different experience having everything written down, building up those processes, and I'm, I'm certain you, you would agree that it just feels different and my stress level personally is way lessened by, all right, well, I'm gonna take the. and document this out in a way that's easy and, and, and simple and straightforward and, and can be done by anyone on my team, not just by Ian. So that, uh, so that there is that predictable outcome of, of an excellent experience for whoever I'm engaging with. So,

Greg:

Yeah, and it was a little bit hard for me in the beginning to let go of some of the items, and I realized if, if I'm assigning a client a virtual CISO, that virtual CISO is leading the client. And I learned a long time ago in my career that, that I, I, I can do a lot of stuff. I can do stuff really well, but sometimes my way, as effective as it is, may not be the best way, and somebody can teach me a better way, and by, by letting go and letting the folks do their own, apply their own management capabilities and their own skillset, not only does it work better for them, because that's what they're more naturally attuned to, but I learn more, and then that, just some of the processes for the firm. Then we share all that with each other and, and we have this sort of like constant feedback loop where we've been getting better over the years. Not because Greg says you have to do this, but because we all collaborate together to make the best process possible. And it, and it is less stressful for me now because I'm like, I look back over the last five years, I'm like, we have a really good process in place now. And I never could have seen this and I couldn't have written that down five years ago, cuz I just didn't have the, the years behind me. I love

Ian:

that. That's, uh, it, it's funny, the, the longer, the longer I go forward in business, the more stuff just starts to click and make sense, and, and you start to, you start to make those connections. I absolutely love that. One of the big things that, um, that you had mentioned too, that, that just made sense to you, was a motivator on why you started the business, and this is really your future focus. That opportunity that you're pursuing next is, as you continue to move forward, as you continue to grow, you had a key motivator that started when you started the business and indeed was what almost, uh, for, for lack of a better vocabulary word, was the calling that had you leave from where you were to starting the business. Talk to us about that, about that motivator, as well as that entrepreneurial focus on, hey, we are going to hold the line at service and always be doing our very best, making sure that our core beliefs are honored while we continue to grow at a stable, sane pace.

Greg:

Oh, calling definitely is, is a very appropriate word. Um, I was, uh, CISO for the bank, um, as you mentioned in the beginning, uh, uh, the intro, and, uh, I was doing fine there. I, I could have ended up retiring there. It was a nice place. Loved working with the people, but didn't really like the commute to Nashville that much. But other than that, it's like, I mean, if I had stayed there would've been a lot more remote stuff anyway, but, but, um, so I was doing well with my talents, but I got a little God tap on my shoulder saying, Greg, I think you can do better with your talents, and mm-hmm. I am. I've never wanted to be an entrepreneur, wasn't baked into my DNA. I have always worked for somebody. I have always had a steady paycheck. I have always left a job for another job. I have never been unemployed in probably my entire adult life, with the exception of maybe a couple of, like, uh, breaks between part-time gigs, gigs when I was a teenager, but I mean, always, at least one job, always. So you can imagine, I mean, this is a very scary idea for me. It's like, God, you're telling me to leave and to start off on my own. And, and, and I really like the idea of eating, and I like the idea of having money and being able to live, but this was a faith not fear moment for me. And if I was really, um, for lack of a better word, it's almost cliche, but if I was going to practice what I preach, I would have to follow this. Now, I already had a couple of clients that I was working through with another provider, so I had some runway, but I didn't have any clients of my own and I had no idea on how to get clients. But I did know, getting back to core competencies, about building a security program and, Mm-hmm, and so when all was said and done, my call was to serve, to use my talents to help small and mid-sized businesses, because I was getting, um, really discouraged by seeing in the news.
You see the big businesses that were getting dinged, and yet the small and mid-sized businesses they. The, the big business is, in some ways they almost had no excuse, cuz they had a chief information security officer on board, they had resources, and yet they still get dinged. But what about the small ones? Mm-hmm. Which, which, which makes like such a, such a large base of the economy in the United States. Where, where are they gonna turn to? So, uh, again, the virtual CISO. Obviously my idea, I mean, a lot of, there's been fractional virtual C-suite things for a variety of reasons, but basically that was my nudge and, and, and, and. I have, I remember one time talking about the service part. Early in my career as a virtual CISO doing this, I had the opportunity to become a partner with a, they almost, I guess I would describe them as an MSP brokerage firm. So you have MSPs that are looking to provide services, but they, the MSPs doesn't, don't wanna go out and necessarily do all that research, like if they want to have a virtual CISO service. So they contact a broker, which then contacts the virtual CISO services and they make that match together. Okay. And well, you know, as a new business owner trying to get clients, it's like, well, okay, I'm gonna walk down whatever path I can. So I walked down that path and we were going along on a good route until I began to realize that there's a mix of philosophies here. The second time that the brokers said on a call with a, um, with a, with an MSP, so not with an actual end client, but, um, no, with the MSP itself, right. The second time that they said, after all, our primary goal in all of this is to make a lot of money, I'm like, I had to stop. I'm like, that is not my goal. My goal is to serve. Mm-hmm. And to make a long story short, without getting into more detail, I, I cut the relationship right there.

Ian:

Yeah, no. That, uh, whenever there's an alignment problem, whether it's customer or partner, or. that, uh, the, um, an, an old mentor of mine shared a, shared a story that when, when there is a toxic element, and I, I use that word, uh, sparingly, but intentionally, when there is a toxic element in your business, that toxic element becomes cancer and it will spread, true. So if it is an employee that's a core value or a mission mismatch, that negativity, that malaise can spread and demotivate other employees. The, the line of nothing will kill a good employee better than your tolerance of a bad one. Yeah. That's.

Greg:

Yeah, because I mean, and you also sometimes end up taking on so much more work too in that place. Mm-hmm. it's like, cuz you're covering for the bad employee. I, I've, I've been in situations like that too. I think probably, you know, you go far enough and have enough like, uh, rings on your tree or years behind you, you, you everybody sees that.

Ian:

Yeah. Well, and, and, but expanding that out to the partnership level, I love that. I love that story of, hey, we have this strategic partner, but if that partner has a misalignment, that's, that's not a good partnership. That can, that can sink a business just as quickly as a, as a negative employee from in the house. That outside-the-house partner that's, that's misaligned in driving the wrong outcomes and driving the wrong, uh, the wrong focus is, is a hundred percent just not good. And I love, I love your story of the acceptance of. for a, a greater calling, a greater purpose, and, and founding the business through that with, um, that story really rings true to me. I, I had been running an IT company for 16 years and went through a, uh, went through some, some family changes throughout COVID and went through a divorce and after that was, was left kind of lost and, and aimless and, and floating out there in the middle of a pond going, you know, what's, what's the point on this? And after going through some structure and looking inward, came with a couple of realizations that, hey, I, I don't wanna run an IT business. I'd much rather go into strategy and consulting and being, being on the same side of the table with other entrepreneurs and help them achieve their visions, uh, mm-hmm. And then really the, the push off, the, uh, the, the push into the pond, the push off the dock came from my wife, where we were walking, uh, in, in the summer of last year, and she said, hey, you have these, this core focus of challenging assumptions. Are you assuming that when you sell your IT business you have to be at retirement age, or could you reinvent yourself? And there I am, you know, she's down half a block down the road and she turns around and she says, you're kind of catching flies back there. Are we going for a walk? Are we going home? And I'm just sitting there dumbstruck. Yeah. By the realization that, hey, you could do something different. And, uh, that was a one-way door.
I, I couldn't walk back after. Well, and you

Greg:

talk about the fear and, and, and the, it can, the fear can be a powerful distractor. It can also be a powerful motivator in some ways. Mm-hmm. But, um, with the, with the broker situation, that was a very vulnerable time for me. I, I think I had found one long-term client or was about to sign at that point in time, and I'm like, uh, and that was probably about nine months in. So, you know, the, the first year was, was pretty difficult for me. And here is like, um, you know, come to the dark side, Luke type moment, basically. It's like, you know, you don't know the power of the dark side. And, and yet I resisted and, and I, I don't know if home if that was like a test for me or not, but I know that I felt better sticking with my convictions. And so, um, you know, going forward as far as any sort of plans for the business, that's just one of the stories that I go back to where I'm like, uh, I'm, I'm less fearful now, having successfully navigated those type, types of situations. No, I'm, I'm going to continue to serve until I get the calling that, you know, Greg, your time is done. And whether that means, uh, uh, folding the business, selling the business, um, whatever with the, I don't know, but, but for now, that's my primary focus.

Ian:

I love that. Greg, I'm, I'm super appreciative that you took some time outta your day to come on and share your story and, and share some of the lessons you've learned throughout it with the audience of WIN.

Greg:

Oh, I appreciate the opportunity to come on. It's, uh, you know, it's, it's, it's been a fun journey. Um, again, coming from someone who never wanted to be an entrepreneur, never even thought about it. It's like now I can't imagine, you know, my only regret, and you probably hear this an awful lot, wish I had done it.

Ian:

That's, you are absolutely correct. Uh, that is a, that is a constant theme amongst us all. Yeah. If you're curious about, about Greg and his organization over at vCISO Services, you can learn more information, we'll link to the website, we'll link to the social media profiles in the show notes. You can also find where to find his podcast to maybe raise that tide on, uh, on teachable moments for your own information security strategy, as well as to his. If you wanna learn more about Richardson and Richardson, you can visit us online at randr.consulting. There you can find previous episodes of WIN, as well as any of our recorded webcasts, blogs, white papers, case studies, and other useful tools you can use in your business to help figure out how you want to grow with alignment to whatever strategy you and your team decide is right for you and your customers. Until next time, take it easy.
