The history of all entrepreneurs has one universal characteristic and that is they understand their market. But this competitive strength gives a business an enormous potential edge to succeed when the insights actually protect their customers from enormous losses and even bankruptcy.
Peter Lilley is the co-founder of Stratsec – a cyber security operation – which took out the 2010 mantle as Australia’s best business.
The company was crowned the 2010 Telstra Australian Business of the Year and achieved this despite the challenges of the global financial crisis. Based in the ACT, Stratsec provides independent information security consulting and testing services for blue-chip government and commercial clients, which were the customers who were more reactive to the threats of a financial market meltdown.
Not a bad effort for a business that only opened its doors seven years ago.
“I started Stratsec because I am passionate about cyber security and I wanted to change the way the cyber security industry worked,” Lilley explains. “Back in 2003 when we started, the market was dominated by technology vendors, and system integrators where the consulting they provided always seemed to have a push toward a particular product or technical solution that they sold.”
His goal was to start a company that was different in that it had a total focus on cyber security. It would operate independently of technology vendors but at the same time have deep expertise in current and emerging cyber security technology and provide the best advice to clients to manage cyber security risks.
That was a stand out from the crowd plan that all successful entrepreneurs strive for in building an enduring brand. And it has worked with the company now employing 56 here in Australia and across Southeast Asia and the award-win proves the point.
So what are the insights that Peter Lilley has accumulated about businesses – especially small- and medium-sized – that helps his competitive edge?
“SMEs definitely need to think about cyber security in their business – most businesses will have a web-site, they might allow their customers to buy products and services online,” he points out. “They probably also have an office network so that they can connect to the internet and use email to do business, and they probably have critical business systems/services such as their accounting packages, their business banking services, customer relationship management systems.”
He believes a big threat is that SMEs have limited budgets to spend on IT, and cyber security, so it needs to be spent wisely. This means the critical outlays should be where a business needs it the most and that means thinking about the risks and coming up with simple strategies to address these potential threats.
Lilley gave these tips to SME owners on what they need to do to make sure they were at less risk from cyber crime:
- Keep whatever systems you use up-to-date with the latest patches from the developer of that system.
- Have up-to-date anti-virus software on all of your systems.
- Ensure there is up-to-date anti-virus/anti-malware software for your email.
- Avoid following links in emails, unless you are certain of the sender. This is a very common starting point for an attack on the employees of a business.
- Maintain good quality passwords in order to logon to your systems.
- Consider getting some security testing done to assure yourself that your security is robust – think about your website, your network and your key business systems.
“As the business grows, your security needs will change, it’s just like any other business function and process – what works when you are small will need to evolve as you grow,” he advises. “As your business becomes more complex, the cyber security threats and risks you face will change.”
The general attitude needs to be driven by the reality that cyber security threats change and that there are new vulnerabilities discovered all the time. Lilley says if your systems are misbehaving, or are bogged down, you might have picked up a computer virus and so you need to be “‘alert but not alarmed’ to coin an old government advertising campaign”.
While I had him focused on SMEs, I asked him about what are the IT goof ups that these businesses generally make? ‘
“A lot of SMEs I know do very well with their IT investments and are innovative in their usage of IT,” he observes. “But there are many out there who do make mistakes.”
This is how he summed it up:
- They fail to keep up regular investment in their IT and then face large spends to catch-up or stay with technology
- They move too fast on some technologies/IT developments and expose their most valuable business assets to security compromise
- They try to do too much themselves, and don’t engage selectively subject matter experts to cover skills gaps
- They end up investing in technologies that they don’t need or in over-engineered solutions because they don’t fully understand their IT needs
- They don’t invest in the skills needs to design, build and operate the IT they deploy.
So, how did Stratsec meet and beat its threats to business success?
“As a consulting company we took the decision to focus on our capability and we thought that meant we would grow more slowly in the market place – that didn’t happen,” he reveals. “It turned out we grew amazingly fast, on average 30 to 40 per cent a year.”
The early years it grew organically in Canberra focussed on the Federal Government market and then the merger with a company called SIFT in early 2009 opened up the commercial market giving them new customers within Australia and in Southeast Asia.
Despite these opportunities, the company first had to learn to work with government business cycle challenges to create a name.
“How do you position yourself for the high demand of the last quarter of the financial year when Government budgets are being spent, to managing through caretaker mode when little or no procurement activity goes on?” he asks. “And then there’s ‘vendor reduction’ strategies, which means buying a lesser service and paying more because it’s easier from a procurement perspective.
“As a specialist you face the challenge of staying registered with your client over their desire to rationalise to a smaller number of ‘generalist’ providers.”
But generally just educating the market on cyber security issues was not easy.
“Everyone understands physical security – guards, barriers, gates – it’s very tangible and you see it everyday,” Lilley says. “Cyber security is more difficult to understand and far less visible to clients – a big challenge is relating cyber security issues into something businesses understand.”
And this lack of market understanding made differentiation even more difficult to pull off – how can you tell potential customers how you are better if they don’t understand what cyber security is about?
The Stratsec strategy was to get outside support.
“Our business looked to independent accreditations and certifications to build credibility and differentiate ourselves,” he says. “We have the most industry accreditations and certifications of our key competitors.”
“We diversified our services portfolio to expand our reach and relevance for clients – the more we could do for them, the more they wanted to use us.”
They also used the merger with SIFT to build size and capacity, establishing the company as the largest independent security consulting firm in the region.
There was also a show-off strategy, which really works.
“We also won some great awards that provided recognition in the markets in which we operate,” Lilley admits. “Telstra Business of the Year for 2010 was the pinnacle achievement for us.”
The victory has actually helped their business.
“All businesses thrive on recognition, and for small and medium sized businesses, the Telstra Business Awards are the most coveted,” he says. “The winning of the award created a great buzz across the crew, and with our clients.
“Since the win, we have signed major deals in Southeast Asia and our team has grown by another 30 per cent in size – all that in just three months since winning the award.”
Asked what tips he would give other entrepreneurs, he advised to stay flexible and agile – don’t get locked into your 50-page business plan at the expense of everything else.
“Recruit well as people and the culture you establish in your business are critical to its success,” he insists. “Have great business partners, or a business mentor if you’re on your own, who bring other ideas and help overcome challenges.
“I consider myself lucky to work with two of the best security professionals and business partners in my industry – Doug Stuart and Nick Ellsmore.”