“Cybersecurity isn’t just about technology; it’s also about processes, people, and governance.” – Tonya Ugoretz

Introduction: Why Cybersecurity for SMEs Can’t Be Ignored

Every leader diligently locks their office door at night. You insure your premises and your stock. But what about your digital front door – the one that is open to the entire world, 24/7? Is it left completely unguarded?

As SMEs continue to embrace digital transformation, many business owners still overlook one critical element: cybersecurity. In fact, many SME CEOs still believe they’re too small to be targeted by cybercriminals – an assumption that’s not only outdated, but dangerous. Hackers don’t discriminate by size; they look for opportunity. And SMEs, with lean defences and valuable data, are increasingly seen as low-hanging fruit. In fact, statistics show that 82% of ransomware attacks today are aimed at small businesses.

Cybersecurity for SMEs is no longer a technical issue, but a strategic imperative. Ransomware, fraud, and espionage are not just threats for big business – they’re very real risks for companies of every size. And, as you scale your business, expand into new markets, or pursue product diversification, your digital footprint grows – along with your exposure.

This article is the third in our digital transformation series, and this week we turn our attention to the all-important issue of cybersecurity – and how to build a resilient, scalable, and budget-conscious cybersecurity blueprint that supports your strategy roadmap and long-term growth.

After all, your digital transformation is only as strong as its weakest link – security.

Related Articles:

• The CEO’s Digital Transformation Roadmap: Driving Sustainable Growth on a Sensible Budget
• Building Scalable Tech on a Budget: A CEO’s Guide to Smarter Spending
• “Cyber Crime is the Greatest Threat to Every Company in the World.” – Ginni Rometty

Why SMEs Really Are Targets

You might be wondering, “Why would hackers target my small business?” It’s easy to believe that cybercriminals focus on larger, more lucrative organisations, but that’s simply not the case. SMEs are particularly vulnerable because they typically have weaker security defences, often with outdated software and less trained staff.

Hackers know this and exploit it.

With cyberattacks on the rise, SMEs are facing an urgent needto implement robust cybersecurity strategies to protect valuable assets and ensure business resilience.

Why SMEs are At Higher Risk

Let’s break down why your SME is at risk:

• Lower Defences: Smaller businesses tend to have fewer resources to dedicate to cybersecurity, leaving vulnerabilities wide open, and breaches often go unnoticed for long periods of time.
• Outdated Software: With limited IT budgets, SMEs often run on older systems, and ignore the need to keep software updated, making it easier for hackers to find gaps.
• Easier Targets: SMEs tend to be less vigilant about cybersecurity, making it easier for cybercriminals to breach systems.
• Valuable Data: SMEs hold valuable data – from customer, supplier and employee information to intellectual property – that hackers can sell or use to extort ransom.
• Customer Data: Hackers don’t just want your data – they want your customers’ data too.
• Used as Stepping Stones: Once a hacker breaches an SME’s system, they may use it to target larger companies in the SME’s supply chain.
• Quick payouts: SMEs are less likely to have robust backup systems and so more likely to pay ransoms to minimise downtime.

As Satya Nadella, CEO of Microsoft, famously said: “It’s not enough to protect your data; you need to protect your customers’ data too.”

Common Threats Facing SMEs

Cyberattacks are often automated and random, and seldom personal, which means your business is just as likely to be targeted as anyone else. The most common threats to SMEs include:

According to the Verizon DBIR, 61% of breaches in SMEs involve stolen credentials, and 94% of ransomware attacks are delivered via email.

Related Article:

• From Fragile to Fortress: Safeguarding Your Business with Cybersecurity Best Practices

The High Costs of a Breach

Let’s face it: the cost of a cyberattack can devastate a business. For example, KNP Logistics in the UK suffered a major ransomware attack in 2023 which crippled their systems and, as a result, their financial position. Despite annual revenues of up to £100 million prior to the attack, the company was forced into administration, ceasing to trade a few months after the attack.

The financial impacts of a breach can include:

• Ransom Payments: Hackers demand money to restore access to your data, with some companies paying millions.
• Lost Revenue: Downtime, loss of data, and customer trust can lead to significant revenue losses, directly and indirectly (lost opportunities).
• Reputational Damage: Once your business is compromised, customer confidence erodes, and you may lose current and future clients.
• Recovery Costs: If breached, you will face the often significant costs of forensic analysis and remediation.
• Regulatory Fines: If you’re found to be non-compliant with regulations like GDPR, POPIA, or other industry-specific rules, you could face significant penalties.
• Legal Exposure: If your business is compromised and data leaked, you could also face lawsuits from customers, partners or other affected parties.

The effect on a business of a cyberattack is invariably significant downtime, including: an inability to access systems or data, halted production or service delivery, staff unable to work effectively, and emergency resource allocation, any of which can be extremely costly to the business.

A further important point to recognise is that dormant viruses – those that lie hidden in your system before being triggered weeks or even months later – are a growing threat. Without a comprehensive backup process, these viruses can devastate your business. A solid backup strategy can ensure you have clean copies of your data, minimising downtime and recovery costs.

Related Articles:

• Protecting Your Crown Jewels: Safeguarding the Intellectual Property of Your Business
• Navigating the Data Privacy Maze: A Practical Guide for SMEs

Cybersecurity as a Strategic Investment – Not a Reluctant Purchase

Cutting corners on cybersecurity – like under-investing in accounting controls or skipping insurance – is a classic case of being penny wise, pound foolish (or as we say in South Africa, “Goedkoop is duur koop”). The up-front savings pale in comparison to the long-term costs a security breach can inflict, especially if you’re following a diversification roadmap for growth.

Think of cybersecurity not as a cost centre, but a strategic investment that fuels scalable growth. It protects your assets, reduces operational risk, and enhances your reputation with customers. Viewing it as a necessary reluctant purchase will cost you far more in the long run.

Why It Matters for Strategic Growth

• Supports scaling: secure systems enable steady growth and expansion.
• Protects customer trust: essential for brand reputation and retention.
• Enables compliance: opens doors to enterprise clients and regulated sectors while preventing legal issues.
• Reduces risk exposure: strengthens your resilience against disruption.
• Competitive Advantage: having comprehensive cybersecurity gives you a significant competitive advantage.
• Aligns with The Art of Scale: lean overheads, standardised systems, outsourced expertise.

As was mentioned in the previous article, Building Scalable Tech on a Budget, security is a key component that needs to be treated as an investment in the future – one that enables you to reach your medium to long-term goals for the business.

Related Articles:

• Fortifying Your Business through Risk Mitigation and Resilience: A CEO’s Strategic Blueprint
• Tech-Enabled Triumph: How You Can Leverage Technology for Unprecedented Growth
• The Art of Scale

Your Cybersecurity Priorities: Where to Start

Your cybersecurity strategy must grow as you do, ensuring scalable technology that matches the needs of your expanding business.

So where do you start? A good place is to think of “People, Process, and Technology” as three pillars supporting your business success:

People: Your First and Last Line of Defence

• Training: The majority of cyber incidents stem from human error. Regular, focused training on phishing awareness and safe credential handling is non-negotiable.
• Credential Hygiene: Staff must understand the risks in reusing passwords – one compromised password can unlock multiple systems.
• Shadow IT: Unapproved software and cloud services are a silent risk, as are copies on unapproved devices. Implement a straightforward process for employees to request and adopt the tools they need.
• Culture of Security: Make cybersecurity responsibility clear from the boardroom to the front line, with a clear no-blame process for reporting incidents – security is everyone’s job, led from the top.

Process: Turn Knowledge Into Action

• Policy & Procedures: Document regular password updates, mandate strong (preferably unique) passwords, and require multi-factor authentication (MFA) where possible.
• Remote Work: Every device outside the office, including mobiles, must use secure VPN connections and encrypted tools.
• Role-Based Access Control: Limit staff to only the data and systems they need. This also applies to what data can be copied/downloaded and also provided to AI systems, particularly those that are not company specific.
• Backup & Disaster Recovery: Establish and test policies for regular, reliable, offsite backups.
• Physical Security: Don’t neglect physical access – servers, laptops, and storage must be locked away when not in use and secured in place when they are in use.
• Incident Response Planning: Prepare for the worst – a simple, documented plan for identification, containment, eradication, and recovery, together with one to learn and teach lessons from any incidents. This would include processes for lost/stolen and end-of-life products.
• Cyber Insurance: A safety net for unavoidable incidents; ensure policies cover the risks relevant to your business and scaling aspirations.
• Reference Frameworks: Consider guidance from NIST or ISO 27001, but keep documentation practical, actionable, and jargon-free. Similarly, for data, plain language guidance on GDPR, POPIA, HIPAA, etc., as appropriate.

Technology: The Enabler – But Never a Substitute for Process or Culture

• Firewalls and Endpoint Protection: Modern firewalls, updated antivirus, mobile device management (MDM), MFA, and email filtering are minimum standards.
• Monitoring and Alerts: Even basic monitoring can provide early warnings; investigate any anomalies promptly.
• Regular Updates and Patch Management: Staying current is your best first line of defence against known exploits.
• Device Control: Retire and securely wipe any device before reallocation or disposal.
• Leverage Outsourcing: Consider managed security providers or “security as a service” platforms, along with fractional executives (CIO or CISO), if you lack in-house expertise. Demand clear reporting, transparency, and responsiveness.
• Built-in Cloud Security: Make the most of security features baked into your cloud platforms – let your supplier bear part of the load.

It’s not just company-based devices, but all devices with access to your company systems and data need to be approved and secured – this includes those such as laptops, tablets and mobile phones, together with remote routers and the like, so minimise the potential for cybersecurity incidents.

Related Articles:

• Is Your Business Safe from Cybersecurity Threat?
• Compliance is More than a Tickbox: How Building a Culture of Compliance Can Drive Business Growth
• AI Risks: Protecting Your Business in the Age of Artificial Intelligence

What Not to Do: Common SME Mistakes

Even with the best intentions, SMEs often make key cybersecurity mistakes which hinder business resilienceand can undermine your long-term growth ambitions. Avoiding these pitfalls can significantly reduce your risk exposure.

Here’s a list of what not to do:

• Reusing Weak Passwords: It’s tempting to use simple, easy-to-remember passwords, but this is an open invitation for hackers. Common passwords like “123456,” “password,” and “admin” are the first things they’ll try, along with default logins and passwords shipped with various devices.
• Lack of a Central Device or User Policy: Without a unified policy, devices can become a security mess. Having a clear, centralised policy ensures consistency and security across your organisation.
• Delaying Updates: Procrastination might seem harmless, but failing to apply software patches and updates regularly makes your business an easy target for hackers who exploit known vulnerabilities, as evidenced by the continued rise in the use of zero-day exploits by hackers.
• Unsecured Public Wi-Fi: Using unsecured public Wi-Fi for business activities opens your business to attacks. Always use a VPN to encrypt data. Similarly, have secure guest WiFi access on a separate guest network to prevent hacking to your systems.
• Sharing Credentials: Sharing passwords or using common accounts is risky. When employees leave, credentials are often overlooked and become an easy access point for attackers.
• Overly Broad Access Rights: Not everyone needs access to everything. Ensure that access to information is based on role-based access controls (RBAC).
• Neglecting to Disable Former Employees’ Accounts: Ex-employees can be a major security risk if their access rights are not revoked immediately.
• Ignoring Security Alerts: Don’t ignore alerts, even if they seem insignificant. They can be signs of an impending security issue.
• No Response or Continuity Plan: A lack of a detailed, tested incident response plan is a major vulnerability. Every business should have an effective plan that includes response, recovery, and lessons learned.
• Relying on a Single IT Person: If you have just one person responsible for IT, it leaves you vulnerable if they are unavailable or leave the company. Ensure redundancy and support. For SMEs, using outsourced service providers can be a cost-effective solution.

By identifying and avoiding these common mistakes, you’re taking the first step towards building a robust cybersecurity defence.

Related Article:

• Is Your Business Safe from Cybersecurity Threat?

Practical Tools to Protect Your Business

It’s one thing to have a good strategy, but you also need the right tools to back it up. Here’s a list of effective tools to protect your SME’s data, devices, and systems:

• Password Managers: Tools like 1Password and Bitwarden allow for strong, unique passwords for each login, reducing the risk of weak passwords being exploited.
• Endpoint Detection and Response (EDR): Tools like CrowdStrike and SentinelOne help monitor and protect endpoints (laptops, desktops, etc.) in real time.
• Mobile Device Management (MDM): Solutions like Jamf or MobileIron help manage and secure mobile devices that access company systems.
• Email Filtering: Tools such as Mimecast or Barracuda can block phishing attempts and other malicious emails before they reach your team.
• VPN and Encrypted Messaging: Proton VPN and Signal provide secure communication channels and encrypt your internet traffic, ensuring privacy and security.
• Drive & File Encryption: Devices nowadays offer the facility to encrypt their storage – do it.
• Secure File Sharing: Platforms like OneDrive for Business and Dropbox Business offer secure cloud file sharing and collaboration with enterprise-grade security.
• Standardise Devices and Operating Systems: Having standards for all devices and operating systems makes keeping all devices updated with the latest software easier, so reducing potential vulnerabilities across your organisation.

Having the right tools is only one piece of the puzzle. Regularly updating them and ensuring they’re properly integrated into your security systems is key to maintaining a strong defence.

Related Articles:

• Practical AI for SMEs: Streamlining Operations, Boosting Efficiency, and Gaining a Competitive Edge
• Tech-Enabled Triumph: How You Can Leverage Technology for Unprecedented Growth

Understanding Penetration Testing and External Audits

Just like you wouldn’t build a business without testing your products or services, you can’t neglect testing your security systems. Cybercriminals are constantly evolving their tactics, and so should your security measures.

As Chris Nickerson put it, “When you fail to test your defences, your adversaries will do it for you.”

Here’s what you need to know about testing your defences:

• Vulnerability Scans: These automated tests identify weaknesses in your systems. They are a quick way to pinpoint obvious vulnerabilities.
• Penetration Testing: A more thorough process where ethical hackers simulate cyberattacks to find security holes.
• Red Team vs Blue Team Exercises: These are competitive simulations where the Red Team attacks your systems, and the Blue Team defends them. This can give you an in-depth understanding of how your systems react under pressure.
• Black Box, Grey Box, and White Box Testing: These terms refer to how much information the testers have about your system before conducting tests. Black box testing is like an attacker with no insider knowledge, while white box testing gives the tester full access to your system for reviewing code, configurations and processes.
• Automated Scanning vs Full “White Hat” Manual Tests: Automated scans are efficient but can miss complex vulnerabilities that human testers can find.

It’s highly recommended that you consider basic penetration testing every 12-24 months – “Grey Box” testing providing the optimal balance with cost for most SMEs. These tests are an affordable way to ensure your business remains resilient in the face of evolving threats. Complement these with more frequent vulnerability tests.

Who to Engage: Reputable security firms or certified ethical hackers are your best bet for quality tests. Look for accreditations such as CREST, OSCP, or EC-Council CEH, and always require transparent, plain-language reporting.

Related Article:

• Is Your Business Safe from Cybersecurity Threat?

Backup and Recovery: Your Last Line of Defence

The old adage, “Failing to prepare is preparing to fail,” rings especially true when it comes to cybersecurity. Having a solid backup and recovery plan is your last line of defence.

A 3-2-1 backup rule ensures the long-term resilienceof your digital infrastructure, making your business adaptable and scalable.

Here’s the 3-2-1 Rule for backups:

• 3 copies of your data
• 2 types of storage (e.g., cloud and physical)
• 1 copy offsite (preferably immutable, on an external drive, located remotely)

These three steps ensure that if one copy is corrupted or lost, you still have others to fall back on, and encrypt your immutable backups, too, for further protection.

Dormant Threats: Backups should not just be about keeping data safe from accidental loss. Some attacks, like ransomware, inject dormant threats into your systems that are activated months later. Malware often targets system files, so separate system and program backups from your data backups to enhance the likelihood of recovering your data in the event of an attack.

Regular testing of backups is a must. Don’t assume they’re working just because you have them set up.

Cloud vs On-Premise Backups: Cloud-based backups offer scalability and reliability, often with a standard cybersecurity toolkit, while on-premise backups give you more control but require more maintenance. A hybrid approach – cloud and encrypted local backups – can maximise resilience.

A Basic Cybersecurity Checklist for SMEs

Every business needs a comprehensive checklist to ensure they’re not missing any essential security measures. Below is your basic checklist for keeping your SME secure.

What to Include:

• MFA (Multi-Factor Authentication) on all systems
• Strong password policy and password manager
• Device management policy, including VPNs
• Regular updates and patching
• Comprehensive, regular backup schedules
• Employee training plan (phishing, credential management)
• Antivirus and firewalls in place
• Role-based access control
• Secure mobile device and remote work policies
• Policy to disable former employees’ access immediately
• Incident response and recovery plan
• Penetration test schedules
• Risk register updated regularly with cybersecurity threats

When to Do It:

“Cybersecurity is not a set of products – it’s a set of practices.” – Ed Amoroso

Culture and Leadership: Cybersecurity Starts at the Top

Cybersecurity is not just an IT issue – it’s a leadership and governance issue.

As a CEO, you set the tone for the entire organisation. Cybersecurity must be embedded in the company culture, starting with strong leadership support. Here’s how you can lead the charge:

• Lead by Example: CEOs set the tone for how seriously security is taken. Board involvement and clear priorities make it part of business-as-usual, not just an IT “nice to have”.
• Make it Everyone’s Responsibility: Set clear expectations for all employees, making cybersecurity a non-negotiable part of company culture. Staff should feel empowered – never blamed – for reporting incidents or concerns.
• Embed Security in Your Culture:
  This is as non-negotiable as financial controls or workplace safety. Investment in security is an investment in business continuity, customer confidence, and the entire diversification roadmap..

Your leadership in cybersecurity isn’t just about policies – it’s about instilling a security-first mindset across your company.

Related Articles:

• Defining Company Culture: Building a Foundation for Business Success
• Embedding Culture into Your Business: Transforming Values into Action
• Culture Without Borders: Building a Strong Hybrid Work Culture in a Distributed World
• Leading a Fearless Business: Boosting Growth and Profits

Conclusion: Don’t Wait for a Wake-Up Call

Cyber-attacks are not a hypothetical risk; they are a daily reality of doing business. For an SME, the impact can be existential. The right time to build your fortress is before the attack, not during the siege.

By moving from a mindset of cost to one of strategic investment, you can transform your approach to cybersecurity. It is a continuous process of managing risk through the layered defences of your people, your processes, and your technology. This commitment is an investment in business continuity, customer trust, and brand reputation. It is the bedrock of resilience and the ultimate enabler of sustainable growth.

The best time to secure your business was yesterday. The second-best time is now.

Next Steps:

Now is the time to assess your current cybersecurity position. Start by identifying the key vulnerabilities in your business, whether it’s outdated software, weak passwords, or lack of employee training. Develop a phased approach to strengthen your defences, starting with the basics: multi-factor authentication, regular backups, and staff awareness.

Remember, cybersecurity isn’t a one-time fix – it’s an ongoing process that scales as your business does. Begin now, before the next attack becomes a reality.

It’s your turn now:

What’s the one cybersecurity weakness that’s been sitting on your to-do list for too long?  I’d love to hear your thoughts in the comments, or feel free to drop me an email directly.

FAQs – Top 10 Questions About Strategic Tech Investment:

1. Are SMEs really at risk from cyberattacks, or is this just hype?

Absolutely at risk. Automated attacks target any system that appears insecure. Over 60% of SMEs worldwide report at least one cyber incident annually, with over 80% of ransomware attacks being on small businesses.

2. How can I get started with cybersecurity on a budget?

Start by prioritising the basics: strong passwords, MFA, antivirus, regular backups, and employee training. These low-cost steps can significantly reduce your risk.

3. What is a penetration test, and how often should I do one?

Penetration tests simulate a cyberattack to find vulnerabilities. SMEs should consider a grey box test every 12-24 months.

4. What is multi-factor authentication (MFA), and why is it so important?

MFA adds an extra layer of security by requiring more than just a password to access systems. It’s one of the easiest and most effective ways to prevent account breaches.

5. What cybersecurity mistakes do SMEs commonly make?

SMEs often reuse weak passwords, delay updates, and don’t implement proper device management policies. These mistakes leave systems vulnerable to attacks.

6. Can we outsource cybersecurity affordably?

Yes. Managed Security Service Providers (MSSPs) offer monitoring, response, and compliance help, scaling services to fit SME needs and budget.

7. Is cyber insurance necessary?

Yes. Cyber insurance helps mitigate the financial impact of a breach, covering costs like ransom payments and legal fees.

8. Can my team work remotely securely?

Yes, but you must implement secure access tools, such as a company-managed laptop, VPN, and encrypted communication channels.

9. How do I ensure compliance with data privacy regulations (GDPR, POPIA)?

Ensure you have robust data protection policies, train staff, and regularly review systems. Regular audits and penetration tests also help ensure compliance.

10. How do we protect against ransomware?

Maintain regular, immutable backups; train staff to spot phishing; keep software up-to-date; and have an incident plan so you’re ready if attacked.

11. What’s the 3-2-1 backup rule?

Three copies of your data (original + two backups), two different storage types, and one held securely offsite.

Simply put, domains are an inescapable pillar of business. As CEOs consider company operations in a world that is increasingly digitalized and recovering from a game-changing pandemic, now is the time to focus and take great care in optimizing a digital platform.

If your business doesn’t have a domain, you are cutting off a major source of visibility and potential revenue. That said, it’s not just about having a domain for the sake of it anymore. There are a number of reasons why a CEO needs to be careful when choosing the right domain name for their business, and we look into the real impact of those below.

It’s Essential to Build Trust on Today’s Internet

It’s a given that your domain is the digital address that marks your home base on the internet. In an age that is filled with fake news, viruses, AI, and a growing number of malicious cyber attackers and fake sites that redirect to phishing scams, online users have become much warier of the places they visit. Credibility is an asset that you can leverage.

Having a good domain name helps you build trust, not just to launch your business but also to expand its presence over time. If you hit that inevitable point of asking ‘How to Drive Sustainable and Long-Term’ Growth’, you will want to exploit the opportunities led by the potential of a domain foothold. From there, you must be strategic in your implementation and be mindful of not just the actual address name itself but also the domain extension.

Both your site’s name and its extension will be essential in establishing trust with consumers. Most people tend to trust .com, .org, and .net more than other extensions. Statista.com reveals that .com remains the most popular top-level domain worldwide with a 52.8% market share. TLD .org follows distantly with a 4.% market share.

Domain History Matters

Even though there are plenty of available domain names, this doesn’t mean that they haven’t had previous owners. You need to make sure you do your research on the domain you’re eyeing, as it may carry some history that doesn’t align with your business.

For instance, if a domain is already known for using black hat tactics and sketchy business affiliations, you are only hurting your brand and credibility by inadvertently connecting yourself to that. It’s also worth checking if there is a history of trademark disputes with a particular domain, as it can be a headache dealing with those matters both financially and time-wise.

Offsite Marketing Still Matters

With the vast web of the internet, offsite marketing still matters to bring traffic to your spaces. Although people may not need to memorize your exact domain anymore these days, it’s still a good idea to have a good, punchy domain that you can incorporate into digital marketing and e-mail efforts. 

Namechk.com outlines that short, easy-to-spell domain names with little to no symbols are the best for brand recall and visibility. Their domain generator is actually a viable tool you can use to simply generate a name that represents your business well. It automatically checks for duplicates and sticks to proper naming conventions, so you can efficiently find one that works for you and focus on integrating it with offsite marketing efforts. Because of Google results and linking, users will have an easier time finding your domain without knowing the exact name.

You Need to Curate Your Online Presence

Curating your online presence includes your domain, but it also goes beyond that and trickles over to social media and digital marketing. Online brand curation is an essential part of modernization for businesses that want to create longevity in the digital age.

You may ask – ‘Managers and Leaders, Which Contribution to Modernization?’ we’ve noted how a key aspect of modernization is the differentiation and protection of technical expertise. You must invest in property rights and leverage the possibilities it offers to best maximize the opportunities and conversions that can come from, in this case, your online presence.

When you create a domain name, you want to tie it in with social networking sites and off-site content that sticks to your brand’s tone. This makes it easier for your target audience to find their way to you regardless of what site they may have come from.

Domain Disputes and Squatters Remain a Large Problem

The last thing you want to deal with is a domain dispute or domain squatters. Disputes arise from names that have been filed for complaint due to being used illegitimately. You must take care not to be on the receiving end of this, but it’s also important to go for domains that aren’t already being eyed by squatters that you may have to file a complaint against. In the first quarter of 2023 alone, there have already been 1,443 dispute cases filed in the WIPO.int database.

‘Cyber Ants Can Ruin Your Picnic’, so don’t underestimate the competitive playing field of your enterprise in the digital space. Even when you’re mindful of picking a domain name, you also need to ensure that you are registering it and incorporating the right security measures to prevent cyber attacks. Your files, servers, and systems are all at risk of data loss, theft, and disruption form the moment you go online.

New end-to-end enterprise application platforms let you produce high-fidelity application prototypes that reduce risks of failure or overruns.

IT Projects Face New Requirements and Old Challenges

The evolution of Cloud Computing and Rich Internet Applications (RIA) has brought about some fundamental changes in IT that is drawing attention to how IT projects are being managed and paid for.

The real goal of software development is the fulfillment and delivery of requirements. Yet, the puzzling reality is that (according to NIST) (1) 70% of the defects in a delivered enterprise application are injected during a project’s requirements and design phase, and 60% of those are discovered only during user acceptance testing! At that point, the cost of fixing defects is 20 times higher compared to if the problem were fixed during the design phase.

A recent study(2) by IAG Consulting found that more than two thirds of companies are likely to have a marginally successful technology project or outright project failure. Half of this number experience project ‘runaways’ which take too long to deliver, consume too much budget, or under-deliver on functionality.

It seems that while computing power and development tools have improved tremendously over the years, the proportion of project failures nevertheless remain unreasonably high – making IT projects particularly unappealing for organizations attempting to improve competitiveness in today’s recession climate.

The Need for Testing and QA

According to Gartner Research, “The lack of testing and QA standards, as well as a lack of consistency, often lead to business disruption, which can be costly.”(3) Gartner also reports that “testing consumes 25% to 50% of the average enterprise application life cycle and often is viewed as adding no business value.”(4)

Clearly, then something is being lost in translation. It seems that making an enterprise application fit to the corporate requirements and standards of the organization is an increasingly bigger challenge that is still frequently overlooked or taken for granted as an unavoidable evil.

Growing Complexity and Communication Issues

The problem may lie in the fact that business technology infrastructure has largely failed to address the growing complexity of the projects they are designed to support. Software projects today involve multiple entities – requiring the active input of professionals from various IT and business departments. And there is a big difference in the way most IT professionals and business managers reason and solve problems.

Largely speaking, IT professionals are often “process” centric, preferring structured information and algorithmic definitions (do this, make a decision and then do that). Business managers meanwhile, are more “interaction” centric, prefer loosely structured and rather interactive information (messages, meetings) and declarative definitions (table/choice driven).

This ‘communication gap’ can lead to situations where teams find themselves continually revising projects where specs are not properly defined, or where discrepancies arise between business requirements and the finished enterprise application.

Metadata Application Platforms Offer a Way Out

To solve the problem organizations need to carefully select technology that will support and encourage sound business analysis procedures and facilitate collaboration. A new breed of end-to-end application platforms is already available and may offer a way out. Products such as UNIPaaS feature a single metadata-driven development and declarative paradigm to facilitate and shorten the application development cycle.

Metadata platforms work by substituting hard-coded business logic with lighter-weight code, or ‘metadata’. By abstracting the technological complexities from the development process, business managers and IT experts finally find themselves on the same page.

• Better Collaboration between Business and IT: The incorporation of metadata into the development effort shifts the emphasis of IT projects away from ‘how’ they will be achieved; instead allowing teams to broaden and focus on ‘what’ business functionality is required. This results in better collaboration and understanding and allows enterprises to more rapidly and efficiently meet their business and IT goals.
• Faster and Easier Prototyping: Metadata-driven approaches are also more productive than traditional techniques. This allows IT to produce high-fidelity application prototypes quickly and simply, without consuming large amounts of resources. With an accurate prototype, business logic can be checked and double-checked in accurate scenarios to ensure the application fits the requirements of the project and adheres to corporate quality standards.
• Shorter Development Cycles: Gartner points out that the “use of a metadata-based interpreter for the execution of applications enables excellent productivity.” (5) Because metadata is relatively simple to implement in the design phase, developers can create short and highly interactive development-cycles where the application can be easily modeled, reviewed for feedback, and modifications implemented and iterated quickly and cost-effectively. This also means that testing takes up a much shorter proportion of the total application life-cycle.

Enterprise Application: A Solution for Today’s Business Climate

With the current recession being felt in all areas of business, companies will have to shift their focus to more efficient IT project management in order to stay ahead. With the new breed of enterprise application platforms such and UNIPaaS, businesses can now achieve a significant competitive advantage at a time when other companies are retrenching and retreating.

(1) NIST Study, Planning Report 02-3: “The Economic Impacts of Inadequate Infrastructure for Software Testing”

(2) Keith Ellis, “The Impact of Business Requirements on the Success of Technology Projects”, IAG Consulting.

(3) Partha Iyengar, Frances Karamouzis. “Offshore Application Testing Drives Greater Business Value.” Gartner Research, August 17, 2007, ID Number: G00150394.

(4) Iyengar and Karamouzis. “Offshore Application Testing Drives Greater Business Value.” Gartner Research, August 17, 2007, ID Number: G00150394.

(5) Yefim Natis, “Reference Architecture for Multitenancy: Enterprise Computing “in the Cloud””, 3 December 2008 ID Number: G00163395.

About the author: A Swiss based Board-level professional, Avigdor Luttinger helps technology providers achieve their business objectives by leveraging their core competencies and the market opportunities; he is one of the founders of Magic Software Enterprises, and continues to dedicate a significant amount of his time to the company, where he functions as Vice President of Corporate Strategy. With over 25 years of experience and recognized expertise in the software industry, Luttinger is a frequent speaker and contributor at industry conferences and publications, and is also Executive Consultant at APL Technologies & Management Ltd. Luttinger currently covers Cloud Computing, Mashup technology, High Performance Workplace, Application Platforms, BPM and Integration. He holds an MBA from INSEAD in France and M.S. in computer sciences from the University of Lyon.

Companies cannot afford to waste time to achieve its strategic goals, such as correcting an existing problem, proceeding with a M&A or a project that impacts the whole company. When they delay their decision to hire a competent manager, many companies get into trouble, loose their competitive advantage or fall behind on their market.

The following case studies show how some companies, for different reasons, hired a transition manager to get out of difficult situations.

A) Case N# 1

Field of activities: Consulting

Problematic

his company suffered from permanent underinvestment in their IT system, resulting in an instable IT environment which did not meet the company’s needs. Finally aware of this problem, the company first invested heavily, recruited an IT Manager and hired consultants, though without the anticipated result. After 18 months, the company totally changed tactics and decided to work with subcontractors. In the end, this decision created new problems, such as increasing IT related staff threefold, because the subcontractor had to increase staff dedicated to the company in order to compensate system inefficiency while trying to ensure a high reactivity. One year later, the company hired a restructuring manager to solve the problem. The first five appointed managers, who have been recruited without the appropriate diligence, failed to find an efficient solution … until the arrival of the sixth.

Solution

Within 18 months, the transition manager, aware that IT difficulties can prove very complex, adopted a methodical approach. He first corrected the network hardware (cabling, router, hubs, etc.) before dealing with the network management and security. He then operated a revision of the servers and the applications (optimization of the installation on the individual systems, analysis of the interfaces, optimization of the data bases, etc.). The goal was to create an efficient and customer service oriented organisation, based on a clear hierarchical structure of the interventions and a reduction of the number of problems through prevention (instead of intervention). By quickly solving critical demands and pushing back non critical demands, customers could be satisfied with less resource. Today, the required IT staff has been reduced from 55 to 23, while improving the system efficiency.

Key points to remember

The company underestimated the problem and tried to solve it by making investments and hiring consultants. Then it hired subcontractors, but without satisfactory results. A strategic correction cannot be carried out just theoretically or operationally, but by using a rare blend of expertise, operation and people leadership.

It is difficult to select the right transition manager, and only the sixth was able to perform the requested assignment.

The company lost 36 months before finding the right solution to its problem, and then it took another 18 months to create a healthy environment.

CEO Worldwide’s +

Reactivity: with its pool of selected and certified profiles, CEO Worldwide is able to qualify, interview and present a first selection of candidates within only a few days.

B) Case N# 2

Field of activities: Software editor for a niche market

Problematic

This young company was encountered massive financial and technical problems and was very close to liquidation. The shareholders decided to fire the former managers and to call upon two experienced transition managers, a CFO and an IT manager to rescue their failing subsidiary.

Solution

In less than 48 hours, the two leaders succeeded in negotiating with the banks the continuity of the company. After 5 days, the disastrous internal organization was completely revised. At the end of the first month, they decided to transform the company’s BtoC approach into an indirect distribution model (thus B2B). The two transition managers needed 16 months to perform this transformation with, at the end, the opening of 500 points of sale and the sale through 40 Internet sites. This company now has good chances to survive, but the heavy loss before acting weakened it financially, impacting its development for the next 5 to 7 years. Indeed, the losses were “converted” into capital cost over 10 years, representing 30% of the operational expenditure. However, with a 45% market share and healthy margins, the company now benefits from a good repositioning.

Key points to remember

The decision to call upon experienced leaders was belatedly made. The subsidiary was put in a very difficult financial situation.

The two transition managers confirmed their adaptability by learning in less than two weeks how this market niche operated.

The managers successfully repositioned the company on its market.

CEO Worldwide’s +

Experience: By certifying only profiles with a minimum of 15 years experience, CEO Worldwide offers transition managers that already have been successfully dealt with the problems met by its customers.

C) Case N# 3

Field of activities: Training platform

Problematic

After years of growth, this company realised that the European market was too limited for its market and decided to expand its operations to Asia and the USA. The existing management wanted to manage this critical project internally. But they did not have the necessary experience to lead that kind of project and they underestimated the budget and the completion time. Thus the estimated budget was quickly exceeded and the start of the project was delayed. To solve the problems, the company decided to hire a transition manager for a 18 months assignment. Moreover, this project would change the internal organization and no director wanted to be responsible for such significant changes.

Solution

In less than 14 months, the transition manager successfully transformed the European structure in a worldwide acting company, providing services in the USA, Singapore, Japan, Australia, Brasil and Saudi Arabia. To achieve this, he created a new offer, which corresponded to a global market and created a convincing Internet infrastructure offering the complete product range via a simple Internet connection. Today, the company grows very fast and is able to deliver its services offered on any site worldwide in less than 3 days.

Key points to remember

The company very quickly made the decision to recruit a transition manager and gave him the necessary means to succeed.

The transition manager worked with each director to transform the company in a global mode and made every one of them feeling personally committed.

After the end of the project, the transition manager accompanied the directors for 2 months to ensure the smooth transition of the new operational mode.

CEO Worldwide’s +

International: with more than 16,880 iCEO certified managers available in 180 countries, CEO Worldwide offers profiles with a strong international knowledge.

D) Case N# 4

Field of activities: Internet SSII

Problematic

One year after the merger of two subsidiaries of two different groups, the new company did not reach the expected results. Internal conflicts increased and the development of new products and services almost stopped. After nine months of internal conflicts, both groups still had not come to a compromise how to run this subsidiary and it was decided to engage an external expert taking up the position of transition CEO.

Recommendation

The transition CEO very quickly took control of the company and got the sales and the development of new products started again. He set the solution of the conflicts as a priority in order to create a healthy environment with motivated and active employees. Sales staff once again attacked the markets, the IT department worked with the marketing department to launch new products. In-house, the transition CEO took
complete control of the commercial/marketing department, the R&D, and then of the financial department. His strong involvement enabled the company to obtain a 50 % growth and a 20 % net profit. At the same time, the number of employees increased by 42 %. After the departure of the transition CEO, the company still enjoys great success in its market.

Key points to remember

Over nine months of conflict before the transition CEO arrived, made the company lose important customers and created a feeling of failure regarding the merger.

The recruitment of an experienced CEO made it possible to solve internal conflicts and to industrialize whole departments. At the same time, the launch of new products and services boosted sales again.

The transition CEO also recruited successfully (and within the deadlines) his successor.

CEO Worldwide’s +

Professionalism: By proposing interim managers, CEO Worldwide offers its customers external managers, neutral to the internal conflicts of companies, which enables them to just attack the pressing problems.

E) Companies in Jeopardy: Conclusion

Many companies get themselves into trouble by delaying an obvious decision. These four cases confirm that a good transition manager can make all the difference, by restructuring a company, opening new markets or defining a winning strategy. CEO Worldwide commits itself in this process to facilitate the selection and to find the best suited manager with the right set of competences within a very short time span.

About the author: Erik Van Rompay

Executive (CEO/COO) specialized in the developing of high volume Internet companies by making them financially secure through the development of new innovative services.

View Erik’s short bio

When picturing the relationship between the enterprise and the Software-as-a-Service (SaaS) business model, I imagine an evolutionary process that can be divided into three main stages. The first let’s call ‘The Comfort Zone’; the second ‘The Enlightenment’; and the final stage ‘The Re-Assessment’. Once we examine these we can then decide upon the right course of action when choosing how to adapt to the IT demands of the enterprise.

The Comfort Zone

First let’s look at the enterprise company. Typically it may be a bit strapped for resources and possibly even struggling to find the staff to assign to some of their most mission-critical IT projects in one of their departments.

And then there’s the SaaS business model – now a major trend among enterprise corporations. Most major SaaS players, such as Salesforce.com provide some form of web-based application functionality. Also known as on-demand, these guys charge their customers on a per-use subscription basis. And it’s a particularly attractive and efficient alternative to on-premises applications because it reduces the significant risks and costs of CRM implementation (and we’re all aware of the success rates of most CRM projects).

The major advantage of SaaS is that it can exist within the enterprise – similar to an ICBM missile silo within a military network – where the silo remains completely self-contained. The great thing about SaaS, from the enterprise’s perspective, is that it allows the business people to operate independently from IT, typically requiring only minimal input from them. It also makes life much easier for the CFO – allowing finance to make on-going payments rather than have to allocate and then justify a full-blown investment.

So SaaS really offers a ‘comfort zone’ solution for both the business and IT departments. SaaS offers the department’s user group a fully-functioning solution in quick time, while freeing IT from the worry and cost of having to implement a large on-premises IT project, or build the application in-house. A typical example of such a success is Salesforce.com, where a rapidly implemented sales force automation solution makes for happy sales staff and company executives alike. A win-win solution for all involved – for the time being. This leads us on to our next stage, ‘The Enlightenment’.

The Enlightenment

One of the great barriers to maximizing the full value of SaaS comes from the very reason the enterprise adopted it in the first place. The ‘silo’ effect means that the on-demand application remains effectively disconnected from the other applications that run in the enterprise, with the result that its information remains compartmentalized.

In the case of on-demand CRM solutions, SaaS software running solo can be viewed as a set-back to the process-driven enterprise, working in opposition to the goals of architects and business process analysts. And as a result, the enterprise, while happy with the fact that their mission-critical tasks are being performed, now begins to grumble.

Add to this the following issues and a re-assessment become almost inevitable:

1. The lack of automation that comes from being disconnected from the enterprise’s in-house applications means more data duplication, more manual entry and more human errors. You can’t even imagine how much enterprises are spending on these problems today!
2. As the on-demand application acquires increasing quantities and quality of information, other departments will want to buy-in and enrich their own applications with this data.
3. With the on-demand application becoming further enriched, your CIO will eventually want to apply some ownership to the system for security’s sake. Whereas in ‘The Comfort Zone’ it was more convenient not to own the system, now the situation becomes reversed.
4. And: With continued growth of subscribers to your on-demand application, eventually the enterprise will want to re-evaluate the license cost structure and subscription fees.

The Re-assessment of SaaS applications

Our enterprise now knows both the benefits and drawbacks of SaaS applications. Essentially the enterprise now needs to transform their SaaS application from a department-level tactical system to an enterprise-level solution to eliminate the duplicated work and manual processes, and to find a way of milking more value from their application and creating a more favorable cost-structure for the long-term.

The enterprise is essentially faced with two choices:

• Find an alternative solution to their on-demand application. This would normally mean going back to square one, with an on-premises solution or home-grown application, and losing all the appealing benefits of SaaS. This is a definite no-go.

Or:

• Somehow, bring their on-demand application more into the enterprise and integrate it with their existing applications.

The Value of Integration

I do believe that integration is really where the greatest value lies. Integration ties your on-demand solutions into your existing business infrastructure and enables both your on-premises and on-demand applications to work together in a way that gives them significantly more power and scope.

With integration, companies can multiply the power and reach of their Salesforce.com, SAP, Oracle JD Edwards, Movex, and other applications, allowing the enterprise to efficiently and automatically share and update information company wide.

Comprehensive information sharing gives both employees and management a fuller and more accurate picture of their overall business. Such a view allows management to make better business decisions, be more responsive to the customer’s needs, and get more efficiency and return out of their business transactions.

Integration Infrastructure vs. Custom Code

A word about custom code. The advantages of integration infrastructure over custom code integration solutions are clear. Custom coding is inherently more risky since it’s a one-off that hasn’t been tested in multiple scenarios. It’s also man-dependent: If you loose your coder after a year on the job, your project may be lost. While custom coding can seem an attractive alternative for some integration projects, the process is also time-consuming and inflexible when changes to the original architecture are needed. Few enterprises have the luxury to wait for their custom-code project while the market continues to evolve and move on. And when changes are required to your business process, or new applications must be added, many of the existing coding threads become redundant and need to be re-written.

Conclusion

So while I recognize that “integration” is a word that may scare many SaaS users and IT staff, the benefits far outweigh the potential fears.

Like in any industry, there will always be vendors out there willing to promise you integration at the push of a button, and who make it appear far simpler than it may be in reality.

The important thing is to choose a vendor that has the project experience to bring to the table a productive tool-set and powerful technology stack that can handle any integration scenario – whether straight-forward or more complex. Remember – the last thing you want or need is to start introducing custom coders and extensive consultancy that will push off your ROI and make you wonder why you didn’t stick with the more expensive and time-consuming on-premises solution. Integration remains by far the more cost-effective and practical solution for the enterprise. And when undertaken correctly, will bring your enterprise – SaaS relationship to the next level. Just make sure to integrate with a partner or vendor who really knows how to deliver on their promises!

About the author: A Swiss based Board-level professional, Avigdor Luttinger helps technology providers achieve their business objectives by leveraging their core competencies and the market opportunities; he is one of the founders of Magic Software Enterprises, and continues to dedicate a significant amount of his time to the company, where he functions as Vice President of Corporate Strategy. With over 25 years of experience and recognized expertise in the software industry, Luttinger is a frequent speaker and contributor at industry conferences and publications, and is also Executive Consultant at APL Technologies & Management Ltd. Luttinger currently covers Cloud Computing, Mashup technology, High Performance Workplace, Application Platforms, BPM and Integration. He holds an MBA from INSEAD in France and M.S. in computer sciences from the University of Lyon.

View Avigdor’s short bio

Imagine. In the middle of the Super Bowl; in the middle of Wimbledon finals; as the top of leaderboard approaches the 16 th tee; or during the overtime of the FIFA finals… imagine if suddenly, a score of kindergarten children made their way on to the pitch and began playing. Just one running free on the field would certainly disrupt the game would it not?

Your enterprise is a daily competitive playing field

Every day – all day – there is a possibility that someone is trying to find a way to disrupt your business. The threats come in all sorts and sizes. Oversimplified, there are three basic sorts of cyber attackers.

The first we will call “taggers.” Like vandals and those who graffiti walls and buses, this sort of hacker merely wants to show off that they got into your systems. They want to be sure you know they were there. Shutting down email servers; encrypting your files and calling for a ransom; and flooding your servers to keep anyone else from reaching you.

The second sort we will call “wedding crashers.” A great deal more subtle, these hackers enter your system and hope to go unnoticed. They stay and get to know everyone there… their passwords and access, for example. They hope to blend in and while some folks might wonder who they are and what they are doing in your systems, most will dismiss them as “somebody must know them,” and think little more about them. Just like wreckers of a reception, they will eat, drink and enjoy the dance music while mingling as though they belong. They take data like a crasher may take a few of the prized wedding gifts. Some even stand to make speeches by authoring emails sent out in an official capacity. Eventually, enough people will begin to notice and curiosity will cause them to be outed.

The third sort is the most dangerous. We will call these “cat burglars.” These are the most professional of the three and the most diligent. Much time and resources will be spent to “case the joint” – your enterprise. They want to know what are the most precious items you have and where you keep them. Most patient, many find their way in harmlessly enough and “wait in the pantry” until it is safe to come out and start their crime spree. They, most often, never want you to know they were there and will leave a door or window unlatched to enable them to return when they want to. Sometimes, they may not even take anything that you would notice – simply copy things and go. They covet things like personnel records for ID theft; customer information; vendor information; financials and more. A victim may never know the burglar was there, unless they made a mistake entering and/or leaving.

Despite all of this going on (and incidents on the rise) many executives and managers view security as an obstacle to efficient operations and a cost with zero return on investment. Further, security is most often viewed as “the IT department’s problem.”

The bold truth is that it is everyone’s responsibility. Most of the entry points for attackers are directly with the assistance of unsuspecting employees. When a corporate network is used to do discovery on all servers and storage farms, it often finds, to its dismay, gigabyte after gigabyte of music files; video files; pictures stored on corporate assets that are personal in nature to the employee and either uploaded from a flash drive they inserted in their company PC or a download from their mobile phone or directly from the internet. The seemingly innocuous email offer and/or online deal that can’t be past up, is often just what a hacker needed to get into your corporate systems.

No longer are these merely antisocial technology misfits in a dark room relentlessly tapping on a keyboard. There are well funded, professionally trained computer science teams – around the world – who have created and benefited from this new form of internet piracy. The market will dictate the worth of what has been purloined so just take everything one can from you and someone – somewhere will be willing to pay for what a hacker took. An entire economy is operating on a sub-web that is driven by supply/demand and creative ways to take virtual assets and turn them into cash.

A little off track but the fact remains that everyone has to be sensitive to the need for security. Participate in the creation of security policies and procedures with empathy toward the best balance between operational excellence and a secure environment. A representative from every function should actively contribute to the Security Incident Response Team (SIRT) that comes together to manage and mitigate risk. Explore and identify the “Who? What? Where? When? And How?” regarding the breach and the ways to ensure it cannot happen again. The challenge is to ensure sensitivity is present to how actions in one area have impact on others. The cure should never come at such an expense to a function or functions as to hamper their ability to succeed.

It is an art form to facilitate and optimize the potential for the enterprise while delivering the most effective and comprehensive security. This requires all of the players on the team to play their part. When there is a breach, Legal may need to be involved to assist in managing the potential damage; HR may be needed to address the impact to employees; procurement and finance may be affected; and even if not directly impacted by the breach, all members need to be present to ensure the cure doesn’t do more harm than good.

The return? This question comes up a great deal. Do you recall the last time the power went out in the plant or in your offices? People went home, right? Generators are cost justified by loss productivity.

Now can you recall the last time the e mail server went down or the network was unavailable? Most people went home right? The loss is quantifiable. Now, if all the files on your shared servers were abruptly encrypted by an outside force so no one could access them… how long would it take before people went home? How much time would it take to shut the servers; reformat the drives and restore backup files to the drives? Not to mention the amount of work that has to be redone from the period of the last back up. If an entire department was unable to function for a complete day – salaries and expenses could be calculated easily enough but the work that would have been performed has a value. The cost to redo the work can be figured but the intangible still has value – opportunities lost; disappointed customers; brand impact; lost sales; and more.

Expectant parents pack a “go bag” and rehearse the fastest routes to the hospital. No differently here should enterprises have a Security Platform Plan; an Incident Response Plan; a Remediation and Recovery Plan and a Review of Existing Plans to ensure that this particular sort of breach (and those related) are included and addressed going forward… a well-defined AND DOCUMENTED cycle must exist.

So, the next time you see graffiti covered walls; suspect party crashers or try to figure out where to hide the coffee can with your emergency cash in it… here is hoping these feelings you will carry with you to ensure your organization’s well-being.

About the author: Global Technology Executive with strong business and financial acumen. Strong ability to link marketing strategy and results directly to overall business strategy and company financial goals. Keen abilities to develop strategy from in-depth analysis of buyer and/or customer insights. Documented program development skills, from advertising to digital presence across all relevant marketing channels. Possesses excellent influencing skills and able to drive consensus. Able to recognize and articulate a future direction; provide strategic direction, and have the ability to direct global and localized products, brand, advertising and related specialties while managing budgets. A strong track record of new product development and demonstrated ability to forge strategic alliances with key partners. Accustomed to driving results and delivering return on investment.

View Joe’s short bio