Last week, I spoke to a friend who had sold her startup a few years ago.
Her reason for selling was simple...
"We had £2 million in annual revenue and were told we needed to expand into 12 new territories.
We didn't know how."
Her startup was innovative and was snapped up by a larger company.
Within 3 years, the annual revenue from the acquisition was £48 million.
Looking at companies, it's easy to be blinded by innovation hype.
But when you ask...
Where does the value (revenue) come from - operations or innovation?
Attention to the froth seems misplaced.
For think tanks and startups, everything is about innovation.
But they fail... a lot.
Unless you're in a company expecting to fail, it's all about operations.
Doing what you say you are going to do.
Each time.
Every time.
The pockets of innovation in these companies focus on emerging standards, how to become more efficient, and occasionally creating the next cash cow.
Life in a business older than 5-10 years is about operations, systems, policies, processes, procedures...
...this is what we do.
...this is how we do it.
It's why startups get acquired...
Innovation and the next cash cow are bought at a known and quantifiable cost.
Then, it is operationalised.
Whether crafted by scenario planning sessions.
Or documented in standard operating procedures.
Or informal "tribal knowledge".
The way a business works is embedded in its culture and business-as-usual operations.
Cybersecurity must do the same.
Cybersecurity is not an innovation.
Cybersecurity is a cost of doing business.
Cybersecurity is about operations.
Cybersecurity enforces your processes and policies - right-sizing constraints and friction.
When your sales teams travel internationally - there's more risk, so you need more security control.
There's a moderate risk when field technicians are on customer sites, so you need some controls.
When your support team is in the office, in a known and secure location - they shouldn't be interrupted.
Whether you have worked through a security scenario planning session.
Or your standard security practices have emerged.
Enforcing your security policies and practices is as fundamental as maintaining your electricity, water and coffee supply.
Should sales staff be able to access your entire customer database from an unmanaged personal computer?
Should your customers' personal data be available to any mobile device - even insecure and unencrypted ones? ...with all the privacy concerns that entails.
If not, what is your standard operating procedure to prevent this?
The most straightforward answer could be using Conditional Access.
And - if your Conditional Access implementation aligns with your policies - little more thought is needed.
It's just an enforced standard operating procedure.