Over 33 years of running an IT service provider business, I’ve learned some hard lessons about clients and their security. Anyone in the business of defending computer networks, which of course is all of us, knows that attackers have the advantage over the long run. They need find only one entry point, or trick just one person, and our client is compromised.
While it may at times feel like we are tilting at windmills, the enemy is very real and the quest to keep clients safe is serious business. The journey not only requires the careful assembly of a robust security stack, but constant vigilance on the part of both us and our clients who share in this mission.
Like many of us in this field, I am an accidental entrepreneur. I started Net Sciences in 1995, becoming “self-unemployed” after finally deciding that if I was going to work for a bastard, it might as well be me. I slowly built my practice, went “all in” as a managed service provider in 2010, and finally hit my three goals of revenue, profitability, and personal earnings last year.
Along the way, I’ve learned that most businesses you cross paths with will not become your clients simply because they will never take their own security as seriously as you do. Most of us start out believing we can work for anyone who knocks on the door, and that our obvious wisdom will sway every prospect. But that’s just not reality.
As a result, I have learned to be ruthless in selecting the right clients, even if it means letting half of them go, which I did in 2010. Why? Because no matter how profitable, if a client brings systemic risk to your practice, they are a liability and must be shed. Finding stronger clients can be easier than strengthening weaker ones.
I have also learned to prioritize security above all else and that saying “no” can be liberating. Today, I only work with clients who maintain a modern UTM device; have MDR on every endpoint; and backup, filtering, anti-phishing, and alerting on every M365 “endpoint.” Everyone gets our top security package because that is all we offer.
Despite all that, due diligence never ends. Every single security victory is fleeting, with the next battle just around the corner, because no matter how many tools you use and how tightly woven the net is, there will be failures. Often, it’s not the tools that are the weaknesses, but our own processes. That’s why we are always reviewing our work, checking for something we may have missed, a detail we got wrong, or even a device at a site that we were previously unaware of. Sometimes this is the result of a client not being transparent, or not having adequate situational awareness. But it can open a hole in the wall that we’ve built for them. Remember, we must defend against all threats, both “foreign and domestic.”
Our own teams must buy into this too. It’s important to find the right players, lead by example, and behave with honor, which is our first principle. Net Sciences would not exist without our great techs Eric and Ethan, who have adapted to my flaws for 24 years in total.
In addition, we all need to seek out business mentors and peer groups to leverage the collective knowledge in our industry. Net Sciences has greatly benefited from membership in The ASCII Group and The Tech Tribe, and from the wisdom of such channel luminaries as Karl Palachuk and Richard Tubb. Emotional support from family and friends is important too, and I’ve been fortunate to have my wonderful wife, Heidi, by my side.
Finally, while our work can often feel quixotic, we know that serving our clientele with valor is its own reward. Keeping them safe is our mission and we must not fail.
Photography: Minesh Bacrania