Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everyone, welcome to episode 13, that's right, 13 of Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Officer at InputOutput. Getting some cool things lined up, actually have some new digs. We've got ourselves a little bit of a brick wall back here, speakers, new desk, new setup.
Coming a little bit more professional as we get to lucky number 13 episode here. So I have more stuff and really excited. Not sure, I kind of want a neon sign back there, but I don't know how that'll work.
So we'll see new stuff in store. Really cool episode today. Want to do a little bit of a different format, try to not make it as long.
And a little bit more bite-sized, but doing a lot of business continuity reviews with clients and everybody that we work with, I shouldn't say everybody, a lot of the people that we work with, they approach it in a way that really leaves a lot of areas exposed. It leaves things out there that they never think of, that they never address. And today I want to talk about how you can just make a really simple perspective shift.
Just how it is that you approach going into your continuity planning, your disaster recovery planning. This is also going to relate to your incident response planning. So it's a really good way to readjust your perspective, how you look at things, and it can help you address all of those unknowns out there.
So we're going to jump into that. Also upcoming in some episodes here over the next few weeks, we're going to have a director of municipality coming in. I'm amazed that I got through that word right.
He's going to come in and talk to us about the DNS, the Sitting Ducks attack. Apparently a lot of companies are susceptible to this. And there's some easy ways to help mitigate it, more business processes, but really, really important.
You'll want to stay tuned for that. We're going to have a personal injury attorney firm coming in to talk to us about some ways that you can protect your business, things to look for. They're near and dear to my heart.
They love Disney too. A lot of things going on there. And, um, also to, to help continue to merge this risk management to the business development side, we'll be having a business development coach come on.
So really just how, when you're investing time with this, you can also be cultivating the business, which is really what, what the whole show is about. What, what this is about here. So to show you how to get through these things, how to address your security, how to address your compliance, and also at the same time, drive your business.
You don't need to be separate there. They can really be together. So very, very excited about what's upcoming.
Uh, so before we jump in, always have to say it, mash those like buttons, hit subscribe, send us some comments. Let us know if there's anything you want to talk about. Apple podcast, Spotify, wherever you're listening to us at.
We'd love to hear from you. Um, but let's go ahead and jump on into it. So I think a good place to start at notes.
I get notes today. I'll try not to click my pen because that's really loud. My first, uh, few episodes, I actually redid them because I was so nervous.
I was clicking, but I've gotten used to how the voice sounds. Uh, so a business continuity plan, I want to start by saying in, and you've got to, you've got to have this understanding, I think in any field you're in, IT, security, legal, healthcare, any of it, the very specific words, the very specific definitions may mean something to us in the industry. And if we're talking with say another CISSP, um, we may use all the same nomenclature, but in the wild, in business, in boardrooms, business, not bow, a business continuity plan to be also referred to as a disaster recovery plan, a continuity incident management, there's, you really need to get to the heart of what people are looking for and when they're, when maybe you talk to an engagement or your company comes and says, Hey, we need, we need an incident response plan.
They're probably wanting also business continuities, disaster recovery of it, which should be a part of it. Not always is, but as a business continuity 101, business continuity plan is really just that. It's your continuity planning.
How are we going to keep our business running when things go sideways, whatever that is, whether it's a fire, whether it's an internet outage, an employee leaving, whatever it is, how are we going to make sure that the business continues to do what it's supposed to do, what it means to do to stay viable and a lot of, a lot of companies, a lot of, well, I guess that's it, a lot of companies, enterprises, businesses have continuity plans, but I think as we've seen in the past few years, 2020 with COVID, we've had supply chain issues. We've had the, uh, the chip shortage, all kinds of different things. And it impacted businesses in ways that they never considered.
And a big part of your continuity plan is being able to identify the unknowns and it's, it's hard to answer that question. I don't know what I don't know. So going through there's, I don't want to oversimplify it, but a simple perspective shift to help identify some of those unknowns or more so not have to worry about them.
So the importance of continuity planning, I think we kind of went over it right there, um, but I'll hit the bullet points, minimize this downtime, uh, helps protect the assets of the business. You know, things are going sideways. If we've got a plan, we know what to do.
We're probably going to reduce the impact, the damage that we experience. It can really go a long way in helping to maintain customer trust and put a little pin in the current discussion and just dive into that a little bit incidents. Incidents are bad.
We never want anything bad to happen. However, we all know that bad things are going to happen. We don't know what, but something is going to happen.
And if you handle negative incidents, if you handle negative situations in a good way, the best way that, that you possibly could, that can go a long way with your clients, with potential customers to gain trust in because they all know something's going to happen, but this company, they really had it together. They knew what they were doing and something happens in the future. We're going to get through it.
I'm going to trust them. I'm going to stick with them on the other side. If you completely fumble, that's where you can lose a lot of customer trust.
You start losing clients. So it's always going to be an impact when you have a negative incident or some sort of an incident, but there's also opportunity in there. So just keep that in mind that the continuity plan can actually, at some point, help you capture or retain clients.
Uh, not just say, get your IT systems back online, which is always a big part of it, but not all of it. The, uh, another really important one is legal and regulatory requirements. FTC safeguards rules, uh, HIPAA, uh, PCI, they actually require that you have incident, uh, response plans, continuity, uh, business continuity considered.
It's not just a good to have, it's an absolute must to have. And as I think the industry, not just a security and compliance industry, but, uh, business as a whole, it's more savvy and there's more attention to security and compliance, more and more businesses, more and more agreements are also requiring these things. So setting up a new relationship with another business, you may be required to have a continuity plan or to show what you have after all, you need to make sure you're hitting your SLAs.
Um, a lot of venture capital, venture capitalists and investors, they're now actually requiring these things. So very, very important, whether you like it or not, you got to spend time on it, spend time the right way and make it work out for your business. So identifying what we need to make a continuity plan for all the, all those unknowns, what could happen? And that's where a lot of companies start.
A lot of, uh, security experts start in looking at let's list out all the negative things that could happen. We'll group some of those because some of the, some of the reaction would be similar, and then we'll just, we'll walk through what we would do and how we could do it better. And that's not bad, but it's not great.
Because no matter how much time you spend on this, you will never, never, never, never identify every single thing that could go wrong. It, you, you cannot do it. You cannot conceptualize it.
So you're going to miss things. So the way that we like to approach it is before we even get into starting to identify the threats, the bad things, let's make sure we understand core business metrics, you've got to know this. We've talked about it before on the show.
If, uh, if you haven't heard it, go back a few episodes, really dive into it in the risk management, risk assessment, uh, podcasts, but we've got to identify those key business metrics and what are those? That's our lead generation. How many leads, prospective clients, do we have coming in? Our conversion percentage. How many of those leads are we converting to customers? Our average lifetime value for a client. So over the entire course of their relationship with us, how much money are, are we making off of them? Client average lifetime, how long are they sticking with us? Also a lot of times looked at as retention.
And then, uh, what are our expenses where you could look at it as margin, you know, how much money is going out the door to be able to generate our profit. And these are really important to know. Not only for definitely not only for the business continuity planning, but just to be able to drive your business, understanding where your leads are coming from, you can see how to get more of them, understanding where your conversion percentage is and what's supporting that can help you drive that up.
And what's really cool is when you go through these, making a small tweak to one has a ripple effect, and it's, it's exponential. So we add just a few more leads. Well, those few more are going to turn into more conversions and that could turn into a longer, longer lifetimes or, or a more robust average lifetime value.
So very important to identify these as it relates directly to the business continuity though, once we have those down, then we can identify, and it's good to do this on like, you could do it on like a whiteboard or something like Nero or, uh, there's all free form, all kinds of different whiteboard programs that you can write down, just do some columns. Okay. Where, what are our leads? How many are we getting? Okay.
Let's say 500. We get 500 leads a month. What are the systems? What are the processes? The flows, the channels that are bringing those leads in.
And for, for some companies, especially a lot of, uh, entrepreneurs or solopreneurs, I think is a better way to put it. A lot of them, that's just going to be leads. Maybe it's BNI, a business networking group or referrals is, is what, what it typically comes down to.
That's okay. For some companies, major logistic companies or larger companies, a lot of their leads are coming in from, from their website or from partner connections or from certain forms or all these different areas, wherever they're coming from, we want to identify what those are, but just write them down. Make a list.
There's all the different spots that they come from and do the same with your conversion percentage. All right. What systems, processes, people, et cetera, what supports us being able to convert a lead to a client? And maybe that's, well, I need access to Microsoft 365 or, uh, because that's where all my marketing materials are.
I need access to my CRM to be able to put them in. Um, I need access to the actual product. I can't, I can't convert somebody if I don't have anything to sell.
Uh, my payment processing, any number of things in there again, list those all out. Okay. Here's all the different systems that support our conversion percentage and do the same for the average lifetime value.
Um, and the average lifetime typically comes down to kind of what's supporting our customer service or our service or product delivery, what are those systems? Completely different considerations. But just with those first two, once we have all of those systems identified, then we can start looking at not what could happen to affect these. But a better question is if this disappeared, just consider a complete deus ex machina, hand of God comes in, blinks it out of existence.
If that happens, what are we going to do? We're not even identifying yet. If, if it's due to a fire or if it's due to an internet outage or IT systems, I don't care as a business owner, the business manager, business leader, all I care about is how are we going to keep operating? How are we going to maintain the bottom line? How are we going to continue to deliver what we need to deliver? And yeah, I may have discussions about how it could happen, what we can do, but really at the end of the day, I just care about keep the business running. So make it simple.
Just answer that once you go through and start answering how, how you could continue to operate what we would do. Well, if our main, our main CRM went down, we would have to use Excel sheets. And what would that be very difficult.
Take that, take that thought train as far as you want to go, what it would mean, what it would do, and then ask yourself, is there something else that we should have in place? Is there something else we should be doing? If it's very critical, like a CRM and answering service for a logistics company, where if they don't hit that lead within the first hour, they lose 80% of their conversions. In that case, we'd want to make sure that we've got other systems, maybe even concurrent backup systems in place. So if one goes down, we're not losing out on 80% of our conversions.
You're a solopreneur and say your leads are coming in from BNI networking group or from referrals. I think we can encapsulate all of that to basically referrals. Rather than a business continuity plan there, that may be more of a business question as far as maybe we should get some other marketing channels.
Maybe we should get some other lead sources and that's going to help us mitigate. But when you look at it from the lens of what would happen if we didn't have this system or it just completely disappeared, it's not a, it's not easing into it. It's not giving us time.
It just, we woke up today and it's gone. What would we do once you've answered that and you create a plan one that's more tied to the business or tied to business objectives, managing what you need for the business, but two, it really doesn't matter what happens. I've got a plan now from a business leader perspective, I can pretty much step back and say, okay, I'm going to now turn this over to all the subject matter experts.
You all figure out what the things, what things could happen to cause us to lose access because it's probably not just going to blink out of existence. Something's going to happen. Come up with those.
Let's identify the most critical ones or the most likely and come up with plans to mitigate that or to avoid those issues. So maybe if our say backup was just being stored on our, on our desk, on our server system here locally, let's put it into the cloud. That way we're going to mitigate if there's a fire, if there's a flood, if we lose access to this building, the data will be somewhere else.
That's a, that's a good way to look at it. But we want to have an answer for what if all that data just disappears, what would we do? Because again, then no matter what happens, we've got a plan for it. So this is a, this is the, really the biggest perspective shift that it seems small, it seems like semantics, but I can guarantee you it's not.
When you look at it from what are our core supporting systems, what happens if we lose those, you're speaking in more business terms, you're creating more robust continuity plans, and you can be prepared for pretty much anything that comes along. I am not saying to stop identifying the different threats or what could happen, have plans for those so that you can react so that you can act quickly, that you can minimize your impacts, that you can show all of your clients that you have it together. But having that perspective shift allows you to be ready for everything.
And that way, God forbid, there's another COVID, which there will be or another global supply outage. There will be or another global platform like CrowdStrike going offline and bringing systems offline, which there will be another one, not just from CrowdStrike, anybody. You'll be ready for it.
Even if you can't think of what those things are right now. So like you said, I think, I think that's a good place to stop for today. We'll probably dive in a little bit more because it's, uh, it seems to be business continuity season with all of our clients.
And we'll go through some of the questions to ask as you're building things up, things to consider. There's also, if you check out our blog, uh, actually the InputOutput blog, there will be a whole article that talks about what we talked about here today and goes into more detail. So for today, I think that is all.
I think that's a good place to stop. Some, uh, some good brain food and real happy you're here, real happy you joined us. Hope you liked the new setup. As always, please hit that subscribe button, hit that follow button, wherever you're listening to us at, tell your friends, tell your family, leave us some comments.
Let us know some things you'd like to talk about. And we'd also love to tell your business story. So if you'd like to tell your story, reach out to us, let us know.
We'll be happy to have you on. So everybody, thank you for listening to Cash in the Cyber Sheets. I will see you next week.
Go out there, be secure, be better.