Why, then, do small businesses continue to engage consultants, such as myself? I'll offer up some insight here - and forgive me if I demonstrate my firm mastery of the obvious, but some things are so obvious we never think of them, unless someone writes them down.
Here, then, are my rules for effectively engaging a small business:
- Understand the Client - I realize that this isn't necessarily unique to small businesses, but it makes a much bigger impact in the small company. There just isn't that much there to begin with, and in a large company if you flub something, you can typically sweep it under the rug and move on. In a small company - that tactic will get you walked out the door with a boot in your rear-end.
- Understand the Client's Market - Captain Obvious strikes again, right? How many times have we as consultants walked into a client, and tried to sell some technology, some process, some tool only to find out that that client doesn't care as much about being innovative as they care about keeping up with the competition? Oftentimes, this is critical because as a small business the competition is usually big enterprises with much deeper pockets! Learn the market-space, at least on the surface, and you'll be more successful.
- Be Prepared for the "Low Budget" Speech - The typical small business (those that are not well-funded by wealthy investors) has a very limited budget. Again, not unlike big enterprises but keep in mind that 10% of a million dollars is bigger than that same percentage of ten thousand dollars. You always have to think that you're going to be asked to do more with less. If you start off with that mindset - there will be no surprises and you'll be much better prepared to handle the client's needs. If you go in thinking you're going to put in a million-dollar security system to a company that sells widgets and barely breaks even... good luck.
- Know Why You're There - This isn't quite as obvious as we typically think. As a security consultant you're typically thinking... "I'm here to put some security in place, they must need something firewalled, virus cleaned, etc". And you'll typically be wrong. You as the consultant are typically there to meet some business-initiated need. This turns into a much deeper philosophical discussion but I'll make it short for reading purposes (write me if you want to talk philosophy!). Businesses are there to make money, period, and you're there to do "something" to help them to that end. I don't think I've ever met someone in a small business who has said to me "Gee, I think I have a virus infection, please come clean it for me." Instead, the need typically comes up as "My PC is slow and I can't get my work done effectively, come see what the problem is." After doing this a while most of us start to see this and just think of it as second-nature... but if you're not going into it knowing you're there to solve a business issue through some technology, you're going to have a hard time figuring out the task at hand.
- The Right Answer is Not Always the Right One - There are always at least two answers to every IT problem. The right(1) answer, and the right(2) answer. I'll explain here. The right(1) answer is the Cadillac, in our minds as consultants. It's the full buildout, all bells and whistles, and the armed guard. The right(2) answer is often the used '87 Cutlass. It'll do the job, and it is cheap. Ponder that for a minute. Always be prepared to give both options to your small business client. This is actually a key differentiating point between consulting at the enterprise and consulting at a small business. Small businesses love the used '87 Cutlass; enterprises can afford the shiny, new Cadillac. What's "good enough"? How much security does your client need to protect their digital assets? Consider their size and income, and then come up with the right solution carefully.