How to find the best CIO Solution for your organisation.

IT Strategy: How to decide which CIO Solution is right for your business?


Having a CIO-level professional on your board is the first step to treating IT as a strategic asset rather than a cost. The question is: full-time, interim or virtual CIO?

IT is no different from any other business-critical area. You know a transformational IT roadmap will bring significant operational and financial benefits, but you need a professional with the right skillset to pull it all together. It needs a strategy, leadership, and ongoing management if you want to achieve measurable returns and competitive advantage. A CIO – but do you need that position filled in-house or with a virtual CIO?

A CIO (Chief Information Officer) is usually the most senior technology executive inside a business. They hold responsibility for the IT strategy and determine areas for improvement and development within the IT systems and processes. A commercial mindset, extensive experience, and a deep understanding of technology and its application are all necessary for a CIO.


Unlike an IT Manager, a CIO is more outward-facing. They will focus on IT strategy and leadership, ensuring that IT is aligned with business goals and works in unison with the overall business strategy. However, as the CIO is often the executive-level interface between the IT department and the rest of the business, they need to keep abreast of day-to-day operations and issues. Any IT projects will likely be owned by the CIO, and they will be accountable for signing off on the solution and the implementation. They will be responsible for the project’s success, its outcomes, and ultimately its ROI. A good CIO can see past emerging technology hype.

Many businesses assume that the only way to gain access to a CIO’s knowledge and experience is a permanent hire. While this is certainly one option, it can be costly and unnecessary for your current needs. If you’re flying blind, how will you know they really are as experienced in the field as you require? There are alternatives available that may be a better fit for you.

We explore four different ways businesses can fill the CIO role: Full-time Permanent CIO, Interim CIO, Virtual CIO and a CIO service. We look at pros and cons of each to help you with the decision-making process.

The 4 types of CIO you could hire


1. Full-time, permanent CIO

A full-time, permanent-hire CIO is an experienced technology leader who sits within the business at board level. Full-time generally means a 40+ hour week, and it doesn’t come cheap.

What are the benefits of hiring a full-time CIO?

  • Dedicated and experienced IT leadership at board level
  • Effective IT strategy that works in unison with the business strategy
  • Removes the load from senior leadership, allowing focus on their expert areas of the business
  • Delivery of operational improvements and a measurable return – they’ll advise on the right investments
  • Significantly reduces the likelihood of poor project outcomes, disruption and disgruntled staff.
  • Enables businesses to address and manage risk more effectively
  • Awareness of evolving threats, as well as changes in the commercial landscape
  • Gives a competitive edge, allowing the business to mitigate risk and capitalise on opportunities their competitors may be unaware of. 

What are the disadvantages of hiring a full-time CIO?

  • The CIO skillset is in high demand – these senior professionals can pick and choose their roles to some extent 
  • The specialist knowledge makes a CIO an expensive hire. (Average salaries are around £141,000 but can be upwards of £200,000)
  • If this is the first CIO a business has hired, then senior leadership may be unsure of what they need.
  • Difficulties assessing candidates’ experience and whether it aligns with business needs only serve to make the process even longer  
  • Mid-market businesses may not have the requirements for a full-time CIO
  • Although the strategic direction and commercial focus will undoubtedly be of benefit, a less complex IT environment and a lower capacity for projects could mean a limited scope for change  
  • Research shows that CIO tenures are short, with an average of just 4.3 years – making them the shortest-tenured C-suite exec
  • Two-year stints aren’t uncommon as CIOs often want new challenges and the opportunity to deliver real change.
  • A full-time CIO may turn out to be a very expensive, short-term hire. You might find yourself stuck in what feels like a constant recruitment cycle. 



2. Interim CIO

Also known as a Contract CIO, an Interim CIO is an experienced technology leader who temporarily fills the CIO role. The average tenure is between six months and two years, and an Interim CIO is usually brought in to tackle a specific challenge while the business transitions between permanent CIOs. However, they are also sometimes hired to support and mentor a newly hired or promoted CIO.

An Interim CIO’s role typically falls into one of two camps:

  1. Responsible for building corporate resilience so the business can maintain a competitive advantage. Essentially keeping the lights on.
  2. A transformational role, tasked with formulating a strategic plan and executing it. 

What are the benefits of an Interim CIO?

  • Quicker to hire – a benefit for businesses in ‘crisis mode’ who cannot afford to wait to make a permanent hire
  • Suited to time-sensitive projects (such as an M&A) where immediate access to the skillset is needed
  • Their laser focus on a specific project or business area allows Interim CIOs to add immediate value
  • A dedicated, experienced professional driving an initiative increases the likelihood of that project remaining on track and delivering expected outcomes
  • A rich and varied CV can make Interim CIOs valuable mentors
  • Experience across multiple industries, business types and environments. They will have seen a multitude of scenarios and challenges – knowledge that can aid the IT department
  • Can help senior leadership make better IT-related decisions 

What are the disadvantages of an Interim CIO?

  • Interim CIOs are an expensive hire
  • They are in high demand, and with a limited number of professionals available, they can cherry-pick their projects
  • An Interim CIO is only going to be available for a set period, so there may be limits as to what can be accomplished in that time 
  • Businesses will need to define a clear objective for the engagement and a fixed schedule for delivery
  • Existing problems in the business environment may affect the success of delivery
  • Long-term or chronic underinvestment in the IT environment, problems left behind by predecessors, or a need for overall business transformation can all affect project delivery 
  • An Interim CIO will need to quickly get up to speed with the organisation structure and technology portfolio, and quickly win round and influence key team members to ensure objectives are met. (Of course, this is not impossible, but the senior leadership team need to be confident in their hire.)



3. Virtual CIO

A Virtual CIO (vCIO), also known as a fractional CIO, provides consultation on IT and technology strategy as a third party. Compared to full-time and Interim CIOs, who take an active role in company operations, the vCIO is often an advisory role.

They will have similar responsibilities to an in-house CIO, but the core difference is that the service is delivered virtually. You may not meet your Virtual CIO and there could be multiple people working on the business at different times, depending on the structure of service. 

What are the benefits of a Virtual CIO?

  • A vCIO Service offers significant cost savings compared to hiring internally
  • Most services are offered at an hourly rate or flat fee, making it easy to budget and account for
  • With a vCIO you will have someone dedicated to strategic IT management, even if it is on a limited basis
  • A good starting point for companies new to the strategic approach
  • Will be better than people within the business spending a few hours here and there trying to make improvements. 

What are the disadvantages of a Virtual CIO?

  • Virtual CIO Services focus more on the improvement of day-to-day operations, rather than long-term strategic planning, management and innovation  
  • A vCIO typically works across multiple businesses, so may not be as readily available to deal with issues that arise
  • Businesses which are tech-heavy or very reliant on technology will probably need a more heavyweight and involved resource 
  • As a virtual service, you may have little to no ‘face time’ with your CIO
  • It may be difficult to build trust as the CIO may feel disconnected from the business, affecting results delivery
  • Depending on the provider you have chosen, you may also need to factor in time zone and cultural differences. 


4. The CIO Service – a better alternative for the mid-market… 

You may feel that a virtual CIO won’t deliver the expertise and attention needed to achieve measurable outcomes, but you also don’t have the resources or requirements to justify a full-time hire, and an interim CIO just won’t do.

Often, it’s not operationally or commercially viable for mid-sized organisations to have a full-time senior internal IT professional. However, access to professional IT management expertise and skills offers a competitive advantage.  With the right management, IT can improve the business’s bottom line, aid client engagement and service delivery, and improve staff retention.

Luckily there is a fourth alternative that bridges the gap, while still delivering tangible value on a cost-effective and flexible basis – a CIO Service.

QuoStar’s CIO Service has been specifically designed to provide mid-market businesses with the strategic IT leadership necessary to deliver the benefits of a full-time CIO but without the significant costs.  

What are the benefits of a CIO Service?

  • Harness the transformational potential of IT
  • Enables access to the skills, expertise and commercial acumen of a CIO-level consultant
  • Flexible and cost-efficient
  • Supports organisations throughout their entire IT transformation journey; from evaluating current standing and areas for improvement, through to building and implementing a roadmap and change plans.

Our QuoStar CIO Service offers

  • Proven, seasoned sector-specific CIOs with a combined 60+ years’ experience 
  • A proven methodology and framework to deliver a strategy and transformation 
  • Completely embedded within your organisation – one of the team 
  • Guaranteed results backed by our Outcome Assured™ promise 
  • Delivering measurable outcomes for businesses just like yours!

Hear how Blanchards Bailey have benefited from using the QuoStar CIO Service here.




Security Awareness Training FAQ: Why it’s absolutely vital for every employee

FAQ: Security Awareness Training - Benefits and Best Practice Tips

In 2021, experts estimate there will be a cyber-attack incident every 11 seconds.  

That’s twice what it was in 2019. 

And four times the rate five years ago. 

These shocking statistics probably aren’t even that shocking. Every Director knows that security is a pressing issue. It’s a topic of conversation in every board room and a significant budget has been allocated to invest in various security measures and solutions.  

However, there’s a weak link in the business which is often overlooked: your employees. While they might not mean to put the business at risk, their actions can do just that.

From clicking on links in phishing emails and actioning fraudulent bank transfer requests, through to connecting to insecure Wi-Fi networks and sharing personal data incorrectly, all these actions can result in a breach or successful attack, causing financial and reputational damage.

Most employees are not malicious, they simply are not aware of the risks. They don’t understand that they are a target, and they don’t know how to spot the danger signs.  Many don’t understand that security is their personal responsibility and even fewer understand sensitive data privacy best practices. Thankfully, this can be easily addressed with effective security awareness training. In this article, we will cover the benefits and types of security awareness training, as well as best practice tips to follow for an effective program.  

What is security awareness training?

Security awareness training is designed to educate employees about the important role they play in helping prevent information breaches. It provides formal education about the types of risk facing the business, how employees might interact with them or be targeted by them, and how their actions can have a positive or negative effect.

 ‘Real-life’ scenarios – for example, demonstrating how their response to a phishing email could cost the business thousands of pounds – are often included to drive the message home and show the employee what a breach would feel like.  

Quizzes, questionnaires, and games can also be used to test employees’ knowledge post-training and identify any weak spots. There are also various online systems that train and test employees in an automated manner, flagging those users who need additional focus and training. 


Why is security awareness training important?

Security awareness training ensures everyone in the business is aware of the threats and how they might present themselves. It helps build a security-aware culture and encourages everyone to follow best practice. For example, instead of the accounts department immediately actioning a bank transfer due to an email from the Financial Director, they know to double-check the request with another method (e.g., a call, a Teams message).  

A more security-aware culture will significantly reduce the chance of a successful attack against your business. Research found that security awareness training could reduce the threat of socially engineered cyber threats by up to 70%.

Training is also a requirement for compliance purposes in certain industries. The Financial Conduct Authority (FCA) states: 

“Firms of all sizes need to develop a ‘security culture’, from the board down to every employee. Firms should be able to identify and prioritise their information assets – hardware, software, and people. They should protect these assets, detect breaches, respond to and recover from incidents, and constantly evolve to meet new threats.”

Types of security awareness training

  • Phishing – Trains employees on how to recognise potential phishing messages by demonstrating what could happen if they respond to one. 
  • Passwords – Promotes password best practice, ensuring strong passwords are created and are not used across multiple accounts or shared with others. 
  • Privacy PII – Shows employees how to protect personal information in the business, including clients, prospects, colleagues, and partners.  
  • PCI Compliance – This training is required to comply with the PCI DSS (Requirement 12.6). Educates staff on the requirements, roles and processes and demonstrates the severe financial and reputational damage of a payment card data breach. Reinforces best practice to help staff actively keep card data safe and reduce the likelihood of a breach. 
  • Ransomware – Demonstrate to employees just how easy it is to be attacked and the destructive consequences. 
  • CEO/Wire Fraud – Fraudulent emails designed to trick the employee into thinking they are responding to the CEO (or another senior executive), which show them how easy it is to be conned. Helps employees to recognise the first signs of risk and encourages the practice of double-checking when unsure how genuine a request is.
  • Data in Motion – Teaches employees data security best practices to ensure vulnerable data is not put at risk. Highlights the dangers of behaviours such as sending company attachments to home email accounts, copying company data to personal cloud storage, plugging ‘found’ USB drives into company devices  
  • Office Hygiene – Educates employees on the importance of physical security, demonstrating the risk of unsecured paper, unlocked screens, open buildings and more.
  • GDPR – Ensure all employees are aware and understand data privacy rights – and the severe penalties for breach or non-compliance.  
  • Social Engineering – Train employees on the various methods and guises hackers may use to gain illegal access to their computer, including phone, email, mail or direct contact.

How often should you train employees?

Ideally, every four to six months. There are various software solutions that test and train users more frequently than this, perhaps weekly, however they do not cover all areas of cyber-security. 

Research found that after four months, employees were easily able to spot phishing emails but after six, they began to forget the learning. Although this research was specifically about identifying phishing emails, it can be applied to all types of security awareness training.  

However, it is up to you to determine the right cadence. Use this timeframe as a starting point. In the beginning, you may need to test employees more frequently.

The key is to strike the right balance. Employees need to be informed and educated, but you want them to be proactively engaged. Training that occurs too frequently risks becoming a chore and treated as a tick box exercise. Employees rush to get it done, rather than engage with the learning, as they know they will have to do it again in a few weeks.  

How expensive is security awareness training?

The cost of security awareness training will largely depend on the provider, the type of training and the number of employees. Some providers offer tiered pricing with different training methods at each tier. As an example, some of the automated training and testing systems, particularly those focused on phishing and ransomware, can be in the region of £12 a year per user.

However, with the average cost of a data breach at $3.86 million, the cost of your training program is unlikely ever to come close to the cost of a successful data breach. In fact, research shows that businesses with fewer than 1,000 employees will see an ROI of 69% from a security training program.

Best practice tips for an effective training program

Effective training needs to deliver the right information, at the right level, at the right time.  

1. Repeat, repeat, repeat

Staff will only recall approximately 90% of training after a month. So, a programme of sustained and repeated training is the best way to ensure knowledge retention. 

Plus, the cyber-security landscape is rapidly and constantly developing. New threats occur all the time and you need to equip your staff to deal with them.  

2. Gamify your training

Mandatory training can seem dull, leading employees to switch off and become disengaged. You need to ensure these important messages are hitting home. Experiential learning through game-like approaches can help some staff members remember things more effectively.

Studies show that using humour and entertainment in the training process boosts engagement. Nearly 60% of employees prefer training which mixes serious and entertaining content.

3. Break training down into manageable chunks

Hours of back-to-back training is unlikely to engage anyone. In fact, your employees will probably just see it as another ‘tick box’ chore – not ideal for building a security-aware culture. Instead, break your training into bite-size chunks, spread out across the year.  

4. Try different methods

Employees all have different methods of learning. What suits one may not suit another, so it’s important to switch up training delivery. Posters, books, quizzes, games, interactive demos and small group training are just some of the ways to educate employees. Unfortunately, you can’t just buy an online training and testing package and believe that’s your training box ticked. 

5. Cover a range of topics

While phishing is a top attack vector, it’s important that your training does not focus solely on one area. You need to educate your employees on a wide variety of topics, including those which they might not connect directly with the workplace. For example: 

  • Not to overshare information on social media 
  • Dangers of public Wi-Fi and how to use it safely 
  • Not to plug unknown USB devices into corporate devices 
  • How to manage passwords 


How to get the Board engaged in IT: An IT Manager’s guide

How to get the board engaged in IT

If you’ve ever had to request budget from the board or tried to get buy-in for an IT project, you will know how difficult it can be to get the board engaged with IT. Despite the critical role IT plays in operations, too many senior executives still see it solely as a cost to the business rather than as a competitive advantage.

Research shows that regular conversations between IT and the board decrease IT and cyber risk, while increasing innovation and IT project ROI. These gains improve the more frequently the conversations occur: conversations held every quarter hold more value than those held bi-annually or annually.




However, getting these conversations to happen in the first place is often the most difficult part. IT Managers can struggle to get their voice heard at board level and IT often does not feature on the agenda as often as it should. Part of the problem is this often requires a change in culture, but the good news is IT Managers can facilitate this by framing their conversations with the board in the right way.

3 strategies to engage the Board of Directors with IT

Most organisations spend a significant portion of their revenue on their IT, so they need to be sure that it is being invested wisely and delivers a return for the business.

This can only happen when senior executives fully embrace the potential of IT and view it as a strategic asset. While it’s important that IT has a voice at board level, the conversations themselves need to be effective too. We’ve compiled three best practice tips to help IT Managers frame the conversation in a way the board will engage with.


1. Make Technology a Routine Part of Conversation

IT Managers need to think strategically about how they can navigate technology conversations with the board. Assess the levels of technical knowledge and understanding to determine whether an educational component is required and build conversations accordingly.

Some members of the board may be more technologically-savvy or be more. Identify these allies and build relationships with them as they can help you garner support for IT investment and focus from other members of the board.

Consistent communication is key, so ensure IT features as a standing item on the agenda or designate regular meetings where you can focus solely on IT. Strike the balance between protection and growth and build a narrative which focuses on both the short term (6-12 months) and the long term (5+ years).

Any conversations about long-term strategic planning should be a collaborative effort. IT Managers should be fully briefed on the intended strategic direction of the business so they can educate the board about the relevant risks, opportunities, and industry changes, ensuring the IT strategy supports the business objectives and the budget is allocated effectively.


2. Demonstrate the business value of strategic IT investment

You will need to make the case for IT investment, so be prepared to convey the financial, operational and reputational benefits. Back your pitches with data and present the information clearly and concisely e.g., by utilising dashboards and scorecards.

You may need to ‘connect the dots’ and give context to the risks facing the business. If board members do not understand the mitigating effects or benefits a particular solution or service will deliver, they may not be willing to allocate the funds. For example, data security might be a concern for the board, but they may not understand why the business is a target, where it is vulnerable, the effects a successful attack can have and how it can be prevented. Take into account the board’s own appetite for risk and align your recommendations and scorecards to reflect this.

Budgets can vary widely so you may wish to present a shortlist of options to the board. However, if you do decide to do this you need to ensure the board is fully aware of the limitations of each one, so they do not decide based purely on flat costs.


3. Focus the conversation on the right topics

Try not to get bogged down in the technical detail during conversations with the board. It’s unlikely that their level of technical knowledge will match your own, so they will be less likely to engage if it doesn’t seem directly relevant to the business. Instead, focus the conversations on the potential impact and deliverables of IT.


Ensure that the board understand how IT can positively or negatively impact the performance of the business.

  • Financial – Link technology investments to financial performance such as profitability, margin and revenue. Demonstrating the positive impact can help the board see IT as more than an operational cost.
  • Operational – Demonstrate how IT can improve the efficiency of operations and free up budget for innovation and business transformation. This may include things like automating processes, replacing legacy systems, and embracing cloud services. IT Managers can support this process by measuring, reporting, and discussing the impact of technology-driven business transformation.


Ensure the board keeps up to date with current and emerging threats, be it cyber-attacks or disruptive technologies. IT Managers can help develop the risk appetite and measures to prevent unnecessary risks from being taken. IT and the business must be wholly aligned on risk appetite levels to ensure neither side makes inappropriate risk management decisions.

  • Cyber Risk – Businesses must be able to protect their assets from cyber-attacks if they want to achieve strategic goals. IT Managers have the responsibility to educate the board on current and emerging risks, the potential threat to the business and remedial actions.
  • Regulations – Technology can help businesses comply with regulations, but it is also the subject of regulation itself – such as data privacy. Boards need to be aware of how technology can speed the process of meeting compliance policies, as well as where regulations may require additional investment or affect company priorities. Conversations should focus on the positive and negative implications of the regulations, the opportunities for rationalisation and any other business impacts.
  • Industry Challenges – New technologies can topple a company’s competitive position and business models. Help board members understand the risks and opportunities of technology-driven industry disruption to ensure the business doesn’t fall behind.


IT Managers should help guide the overall business strategy by educating board members on the strategic potential of IT and other disruptive technologies

  • Innovation – IT Managers can help create a bolder risk appetite by demonstrating how the effective use of technology can result in business growth. Successful innovation requires a culture of continual incremental improvements. Boards need to give IT Managers the opportunity to test, experiment and analyse.
  • Data – Help the board understand how technologies such as machine learning, natural language engines and AI can help businesses better collect, process, and analyse customer data. Highlight how this data can be used for more effective decision making and monetised for business success.
  • Client Experience – Customer demands are constantly changing and increasing. Businesses need to keep pace with this if they want to both attract new customers and retain their existing ones. Service levels are a key battleground. As service levels increase across all industries, tolerance levels have declined, and customers are no longer prepared to accept reduced levels out of brand loyalty. IT Managers can help the board meet these challenges by showing how to leverage technology to proactively anticipate and address customer needs. These conversations can help ensure the pace of technology change aligns with customer readiness.

Strategic development for IT Managers

IT Managers have a huge wealth of technical experience and understanding, so it makes sense that they are often heavily focused on the technical details.

This knowledge is highly valuable to a business, but it doesn’t always translate to the board. If they do not understand, they will not engage. They need to see the business benefits of investing in IT. Requesting budget to replace an old server, for example, is not enough. However, if you explain that the new server will help increase resilience, availability, and network performance, and enable employees to deliver faster customer service, the board can begin to understand the ROI of that investment.

If you’re used to focusing on the technical details, then framing conversations in this way can feel a little uncomfortable initially. IT Managers who want to take a more strategic standpoint should seek out additional training and mentorship from experienced CIOs and IT Consultants. A dedicated Coach can give IT Managers advice and direction, provide education (where required), share knowledge and best practice, help develop a commercial mindset, and talk through challenges faced by the business and how to overcome them.

Book a free, online discovery session today to find out more about QuoStar’s IT Coaching & Mentorship Service and see how a dedicated Coach can support you.


9 essential cyber-security measures every business needs


What are the essential cyber-security measures every business needs?

In today’s digital era, advancements in technology are happening very rapidly. Therefore, our defence systems against very real cyber-security threats must keep pace. If the correct measures aren’t taken, your business might be more at risk than you think. Here are 9 essential cyber-security measures your business can take.

Are you relying on the same security basics you were a few years ago?

It’s easy for time to pass unnoticed while all these advancements happen around us. Before you know it, you’re relying on the same old security basics to protect your business as you were a few years ago – firewalls, antivirus and intrusion detection software. Most people update their mobile phone software more frequently than that. So here are our 9 recommendations on how to keep your company more secure.

Why is it so important?

The truth is, we all feel impervious to cyber-crime and security breaches. It’s just something that happens to other people – until one day it’s not. Even if a direct financial attack is not a concern for a business because that’s locked down, many people are unaware of the intrinsic value of the data their business holds in today’s world.

Hackers aren’t just after your bank accounts.

Cyber-crime is now an industry that produces over £1 trillion in revenue for cyber-criminals. Ransomware can be used to encrypt a company’s files and hold them for ransom. Network penetration can enable mass data theft and crypto-jacking to harvest crypto-currencies by stealing your machine’s processing power. Money can even be gained by using social engineering to persuade employees to transfer cash to a fake bank account.

9 steps to combatting cyber-threats

1. A Unified Threat Management (UTM) system

A UTM system is a combination of security appliances and acts as your gateway to the internet.

2. A SPAM filter

A spam filter stops potentially malicious files from entering your network via email.

3. Antivirus/anti-malware software

Antivirus and Anti-malware are applications that protect your servers, laptops and other devices from malware.

4. A patch management system

A Patch Management System manages the installation of software updates to close security holes.

5. 2-Factor authentication

2-Factor Authentication gives you a second level of security, preventing unauthorised sign-ins.

6. Device encryption

Device Encryption makes any data stored on the machine useless to criminals and keeps your data secret.

7. A regular data backup

Regular data backups keep a copy of your business data at a secure off-site location in case the original is lost.

8. Content filtering

Content filtering prevents access to dangerous or illegal websites which reduces the risk of infection.

9. A disaster recovery plan

A Disaster Recovery Plan sets out how you will recover from an unplanned event such as a fire or cyber-attack.


Regulatory fines and costly lawsuits sting victims of cyber-crime too.

Keeping businesses cyber-secure is even more important since the implementation of the General Data Protection Regulation (GDPR – tailored by the Data Protection Act 2018). Businesses are responsible for their data leaks or breaches if the correct security protections/protocols have not been put in place. Hefty regulatory fines can be levied, and costly lawsuits can follow for the victims of a cyber-attack or security breach.

All businesses should ideally be taking more than the bare minimum steps to keep the company cyber-secure, but these 9 steps at least start the journey in the right direction. The next step beyond the basics is to become Cyber Essentials certified.

Cyber Essentials is a Government-backed Accreditation

Cyber Essentials is a government-backed accreditation that acts as a way to understand where your security succeeds and where it needs improvement. It’s similar to a cyber-security audit and allows you to see what your next steps in improving security will be.

Cyber Essentials still covers fairly basic security concepts, such as having the ability to remotely wipe devices, application whitelisting, daily virus scans and the disabling of OS utilities. All of which are simple things that you should already have in place. But it’s well worth going through the accreditation process if you haven’t already – it can improve your company’s image as well as open you up to working with more cyber-conscious clients.

If you want some help implementing the basics, or would just like some friendly advice, contact our team today.


How to make remote working secure: 13 best practice tips to increase security

IT Security: How to make remote working more secure - 13 best practice tips

As businesses scrambled to suddenly support much larger, permanently remote teams, certain cyber-security policies and procedures fell by the wayside. Simultaneously, cyber-criminals capitalised on the uncertainty, confusion and panic caused by the pandemic and found new opportunities to attack, via remote workers and unsecured technologies.

Remote Desktop Protocol (RDP) attacks were up by 400% in March and April alone, while COVID-19 related email scams skyrocketed by more than 650%. A survey by Verizon found users were 3 times more likely to click on pandemic-related scams, putting businesses at greater risk of credential theft, data breaches, malware and more.

Remote working is not going away. In the UK, businesses will be subject to at least several months of restrictions. Yet, even when things do return to ‘normal’, it’s unlikely that operations will be the same as they once were. It is imperative that businesses prioritise making remote working secure to prevent themselves from falling victim to a breach or serious attack.

13 ways to make remote working secure

1. Educate your employees

New scams, particularly revolving around business email compromise, arrive daily in relation to events, such as the pandemic or a legislation change. It’s important that your staff can identify a one-off or unique phishing scam or at least raise it with IT if unsure. Software can help keep staff sharp with phishing, but ongoing training is critical to protect the business from other methods of social engineering, such as via the phone.

2. Establish 24x7x365 security monitoring

The threat landscape has changed forever, and so have the risks, as the workforce works remotely as standard. It’s essential to continually monitor the security of all infrastructure, cloud environments, cloud applications and end-user devices. The more devices outside the perimeter, the greater the potential holes and entry points for an attacker.

3. Establish advanced threat detection and response

It’s vital that you are aware as soon as possible when major threats appear. Security systems also need to be aware and rapidly notify you of any breach or attempted breach of your security. The system action and human response must be rapid to isolate and contain the threat, even if it’s not on your local network. It’s important to note here that the human element is critical; too many organisations are simply relying on slick-looking AI solutions, which on their own just don’t cut it.

4. Deploy aggressive vulnerability management

Keeping systems up to date with the right security patches is more important than ever with a disparate workforce. Unpatched systems and system misconfigurations are a key focus for attackers. It’s important to scan networks, but also to use host-based scanning that allows remote workstations to scan themselves outside of the corporate perimeter.

5. Monitor cloud infrastructure and applications

You must monitor systems that hold your data, even if you don’t actively manage them. Most cloud infrastructure and cloud applications, especially the likes of Microsoft, AWS and Google, provide large volumes of data that can be monitored for suspicious events and activity.

6. Monitor the dark web for breaches

Corporate data, particularly passwords, appears on the dark web daily. This may come from large breaches, such as those at LinkedIn or Adobe, but also from smaller malware attacks that have skimmed off information during an infection. More than half a million Zoom accounts are currently for sale on the dark web and, at only 1p per login, are extremely cheap to buy. It’s important to know when passwords and sensitive information are leaked, so that action can be taken to mitigate the associated risks.

7. Ensure multi-factor authentication (MFA) is in place

Multi-factor authentication is a basic and essential security control, but too many organisations are still not deploying it to improve the security of their remote access.

8. Don’t forget backups

Most of the attacks focused on remote workers aim to deploy ransomware on a corporate network. To take that further, attackers are also looking to encrypt backups to ensure that a company can’t recover its data. Therefore, businesses should be looking at creating an air-gapped backup to protect against this threat.

9. Run attack simulation training

Spear phishing is still one of the most common attack vectors. By running this type of training, you can see how employees would respond to real-life attacks and socially engineered campaigns. Results can be used to identify weaknesses and deliver personalised training to those more likely to fall victim to a breach attempt.

10. Implement device risk and compliance checking

You need to ensure devices are secure before allowing them to connect to the corporate network and access resources. Personal devices often do not have the same security protocols and can open several weak points. Businesses need to have clear oversight of all devices connected to the network, be able to distinguish between personal and corporate devices, and be aware whenever a new device joins or tries to join. As it may not be possible to install additional security software on a personal device, businesses should flag it for unusual activity and put it on to a separate network.

11. Implement access governance policies

The rising threat of a breach, internally and externally, means it’s important for businesses to monitor and control who has access to key resources. Policies should assume the principle of least privilege (POLP) – giving users the bare minimum permissions they need to perform their role – and clearly define who has access to which resources and under what conditions they have access. With the right policies in place, it becomes easier to identify areas of ‘privilege creep’ and prevent stale accounts (e.g., ex-employee accounts which are still active).

12. Manage privileged access

Employees are often given full admin rights as standard. However, increased access means an increased risk level. Instead, you should ensure employees are only able to access what they need to fulfil their job role and responsibilities effectively. There should be systems in place allowing administrators to respond to access requests and be notified of any unauthorised access attempts.  
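As an added example (not QuoStar’s code, and not tied to any particular directory product), the script below audits a constructed account export for the two problems items 11 and 12 describe: leaver or stale accounts that are still enabled, and users holding groups beyond what their role is entitled to (privilege creep). The role-to-group baseline and the 90-day stale window are assumed policy values, not figures from the article.

```python
"""Audit an account export for stale accounts and privilege creep.

Added example, not the article's or QuoStar's own code. The account records
and the role-to-group baseline below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Assumed least-privilege baseline: the groups each role is entitled to.
# Anything beyond this is treated as privilege creep.
ROLE_ENTITLEMENTS = {
    "finance": {"staff", "finance-share"},
    "engineer": {"staff", "vpn", "build-servers"},
    "it-admin": {"staff", "vpn", "domain-admins"},
}

# Assumed policy: an enabled account with no sign-in for this long is stale.
STALE_AFTER_DAYS = 90

# Constructed sample export, as a directory/IdP might provide it.
NOW = datetime(2021, 3, 1)
SAMPLE_ACCOUNTS = [
    {"username": "alice", "role": "finance", "enabled": True, "left_company": False,
     "last_login": NOW - timedelta(days=2), "groups": ["staff", "finance-share"]},
    # engineer who has accumulated domain admin rights over time
    {"username": "bob", "role": "engineer", "enabled": True, "left_company": False,
     "last_login": NOW - timedelta(days=5),
     "groups": ["staff", "vpn", "build-servers", "domain-admins"]},
    # ex-employee whose account was never disabled
    {"username": "carol", "role": "finance", "enabled": True, "left_company": True,
     "last_login": NOW - timedelta(days=40), "groups": ["staff", "finance-share"]},
    # current employee who has not signed in for four months
    {"username": "dave", "role": "engineer", "enabled": True, "left_company": False,
     "last_login": NOW - timedelta(days=120), "groups": ["staff", "vpn"]},
    # leaver handled correctly: disabled, so ignored by both checks
    {"username": "erin", "role": "it-admin", "enabled": False, "left_company": True,
     "last_login": None, "groups": ["domain-admins"]},
    # role with no defined entitlement: every group it holds is unapproved
    {"username": "frank", "role": "contractor", "enabled": True, "left_company": False,
     "last_login": NOW - timedelta(days=1), "groups": ["vpn"]},
]


def find_stale_accounts(accounts, now, stale_after_days=STALE_AFTER_DAYS):
    """Return sorted usernames of enabled accounts that belong to a leaver,
    have never signed in, or have not signed in within the stale window."""
    cutoff = now - timedelta(days=stale_after_days)
    stale = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing to clean up
        never_used = acct["last_login"] is None
        if acct["left_company"] or never_used or acct["last_login"] < cutoff:
            stale.append(acct["username"])
    return sorted(stale)


def find_privilege_creep(accounts, entitlements=ROLE_ENTITLEMENTS):
    """Return {username: [excess groups]} for enabled accounts that hold
    groups their role is not entitled to. Unknown roles have no entitlement,
    so all of their groups are reported for review."""
    creep = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        allowed = entitlements.get(acct["role"], set())
        excess = set(acct["groups"]) - allowed
        if excess:
            creep[acct["username"]] = sorted(excess)
    return creep


def audit(accounts, now):
    """Run both checks and return the findings in one report dict."""
    return {
        "stale": find_stale_accounts(accounts, now),
        "privilege_creep": find_privilege_creep(accounts),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_ACCOUNTS, NOW)
    print("Stale or leaver accounts still enabled:", ", ".join(report["stale"]))
    for user, groups in report["privilege_creep"].items():
        print(f"Privilege creep: {user} holds unapproved groups {groups}")
```

Run regularly (for example from a scheduled job fed by a real export), the report gives administrators a concrete list of accounts to disable and group memberships to justify or remove.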

13. Adopt a zero-trust principle

The increase in cyber-attack frequency and sophistication, coupled with the hybrid nature of today’s IT environment, means traditional security frameworks are no longer enough. While businesses typically focus on defending their perimeters, assuming everything ‘inside’ is already cleared and safe, this is too open of an approach. Zero-trust is essentially about removing all automatic trust. Anything and everything which tries to connect to the system must be verified before access is granted – ensuring it is the right user, from the right secure endpoint, with the right access permissions, who is making the request.  

Remote working security is a critical issue

More than ever, businesses cannot afford anything which would harm their productivity, their reputation, or their bottom line. It’s understandable why measures may not have been fully in place at the beginning, but it’s imperative that businesses now make security a priority.

To make remote working secure, businesses must take stock of their current security landscape, assess the risks, and take steps to improve and protect themselves. If you would like advice or assistance in doing this, to ensure all the bases are covered, please contact the QuoStar team for a no-obligation chat or initial risk review.  


Are you using WhatsApp for business communications? 2021 is the year to stop

Should you be using WhatsApp for business communication?

While WhatsApp is a consumer-grade application, many people are using it for business purposes. It’s free and it’s easy to use – most people are probably already using it – so it seems like the ideal communication tool, particularly now many employees are working remotely. 

But is WhatsApp really suitable for business communication? 

Privacy Policy Updates

WhatsApp was acquired by Facebook in 2014. At the time, CEO Jan Koum stressed how deeply he valued the ‘principle of private communication’. However, just two years later, in 2016, both apps announced they would be ‘coordinating more’ – but did give users the option to opt out of sharing their personal data with Facebook.

This time around, there is no opt-out. 

Users who want to continue using WhatsApp after May 15th 2021 have to agree to the updates made to its terms and privacy policy. This means being prepared to share their personal information, such as names, profile pictures, status updates, phone numbers, contact lists and IP addresses, as well as data about their mobile device, with Facebook and its wider companies. Users who don’t accept the new terms will be blocked from using the app. The new policy, which applies to all users outside of Facebook’s European Region (including the UK), also means that simply deleting the app from the device will not prevent WhatsApp from retaining a user’s private data.

Since the privacy policy changes were announced, WhatsApp has said that it will not be sharing personal data from people who previously opted out of sharing their information with Facebook. According to The Register, this setting will apparently be honoured going forward from next month, even if you agree to the new policy. For all other users, though, there is no opt-out.

A WhatsApp spokesperson also said this update ‘primarily centres around sending messages to businesses to get answers and support’, claiming there will be no change in data-sharing for non-business chats and account information. However, there has been much criticism and concern about the update online.  

Update: 12th May 2021

Originally, WhatsApp planned to roll out its privacy policy update on February 8th 2021. However, due to huge public backlash and confusion, it opted to delay until mid-May. Through a series of updates, WhatsApp attempted to clarify its position, reiterating that the update is mainly meant for businesses using its messaging platform, and stating that the change would not impact “how people communicate with friends or family” on the platform. The company also specified in a blog post that it would continue to provide end-to-end encryption for private messages, and that it didn’t keep logs of its users’ messaging and calling.

However, despite the clarification around data sharing, there are still plenty of reasons why businesses should stop using WhatsApp for business-related communication.

GDPR Compliance and Liability

WhatsApp makes it abundantly clear that the app is designed for personal use in their Terms of Service. 

“Legal And Acceptable Use. You must access and use our Services only for legal, authorized, and acceptable purposes. You will not use (or assist others in using) our Services in ways that: … or (f) involve any non-personal use of our Services unless otherwise authorized by us.” 

After installing WhatsApp on your device, you’ll receive a pop-up asking for your permission for the app to access your contacts. It requests that you ‘Upload your contacts to WhatsApp’s servers to help you quickly get in touch with your friends and help us provide a better experience’. Agreeing to this means that all your phone contacts are accessible in the app. The problem is, it doesn’t distinguish between personal contacts and business ones. Your contacts haven’t given permission for a third party to access their personal data, which could be a potential breach of GDPR.

WhatsApp has been clear that it is for personal use. Users must agree to these terms and conditions before they can access the service and before WhatsApp can access the users’ contacts. Therefore, the responsibility for GDPR lies with the user, not the app.

Individuals who use WhatsApp for any business communications are in breach of the terms of service. This limits WhatsApp’s liability under GDPR because it has given the user all the responsibility for seeking the permission of their contacts.

Security Risks of WhatsApp

Using WhatsApp for business communications is fraught with security risks too. While the app famously boasts security due to its end-to-end encryption, there have been plenty of reported hacks and flaws.

Just last October, security researchers revealed that links to thousands of WhatsApp group chats were accessible online. Although there was a quiet change to stop the links from being indexed by Google, the information was still readily available on other search engines. The group’s title, image, description and owner’s phone number were all readily accessible; you didn’t even need to actively join the group.

WhatsApp communications are also notoriously difficult for companies to monitor. It may be possible if they are taking place on a corporate-owned device, but even then, there are multiple hoops to jump through. Companies could require the employee to surrender the device, but to access the content itself, there would need to be an IT policy that names WhatsApp as an acceptable communication channel for business purposes. This policy would, however, be in breach of WhatsApp’s acceptable usage policy. The IT policy should be crystal clear about the firm’s right to access and for what purposes (ensuring these are proportionate), so the employee has no expectation of privacy.

Things get even more complex if the employee owns the device and WhatsApp has been installed outside of a mobile device management (MDM) container installed as part of a BYOD policy. The same policy that applies to the corporate-owned device could be extended to employee-owned ones as well. However, given the device is owned by the employee and used predominantly for personal use, it is doubtful whether a forced surrender and access could be seen as legally proportionate.

If there’s no BYOD policy in place, access is near impossible. As a personal device, the employee would have much higher expectations of privacy, and there would need to be an extremely compelling reason, akin to a criminal offence, for an employer to try to obtain access.

What should you use instead of WhatsApp?

While you could write WhatsApp into your IT policies as an acceptable communication channel for business communications, you would knowingly be in breach of the app’s acceptable usage policy.  

Plus, even with that in place, there is still a myriad of security, privacy, monitoring and accessibility concerns linked to the app’s business usage. That’s before you even begin to factor in cultural problems potentially caused by the informal nature of the app. Employees could post personal messages to work chats by mistake, accidentally share their live location, or information could get lost between multiple group chats.

Instead, it’s much better to opt for a business-grade secure communication solution. Many of these solutions function in the same way as consumer-grade apps, giving users a familiar interface so they can get started immediately, but with much stronger security. Solutions are available across multiple devices and will protect your voice, video and text data in transit and at rest, preventing accidental leakage or malicious attack.  

Join the Business & IT Leaders Forum

Do you want to receive more content like this? Then join our Business & IT Leaders Community. Not only will you receive our monthly briefing with more business improvement tips and advice, but you’ll also get exclusive access to virtual events designed for leaders who want to make strategic improvements and get ahead of the competition. 

What is IT outsourcing?

IT outsourcing - What is IT outsourcing?

IT outsourcing is the practice of using an external service provider to deliver some or all of the IT functions required by a business, including managing infrastructure, directing strategy and running the service desk.

IT outsourcing providers can take full responsibility for all IT maintenance and support, which is called a fully managed service. Alternatively, they can provide additional support for an internal IT team; this is sometimes referred to as co-sourced IT support and is usually an approach taken by larger organisations.

A company may use one provider for all their IT requirements, or multiple service providers to deliver different elements.

Types of IT outsourcing

Offshore outsourcing

This involves sending IT-related work to a company in a foreign country, such as India, China or the Philippines, which offers political stability, lower costs and tax savings.

Nearshore outsourcing

The process of sending IT-related work to a company in a country that shares a border with your own. Theoretically, this should make travel and communication between the two companies easier.

Onshore or domestic outsourcing

This involves contracting an external service provider, located in the same country as you, to provide IT-related work, remotely or on-site.

Cloud computing

Contracting an external service provider to provide IT-related services over the internet, such as Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS).

Managed services

This involves contracting an external company to provide network management functions such as IP telephony, messaging and call centres, virtual private networks (VPNs), firewalls, and network monitoring and reporting.

Which IT Services are typically outsourced?

  • Application/software development
  • Web development/hosting
  • Application support or management
  • Technical support or help desk
  • Database development or management
  • Telecommunications
  • Infrastructure – hardware, software and network installation and support
  • Networking and communications
  • Disaster recovery (DRaaS)
  • Data centre management
  • Data storage
  • Email
  • Security – virus, spam and other online threat protection

There are a number of reasons why businesses choose IT outsourcing. It can enable companies to reduce costs, increase productivity and take advantage of external expertise, experience and assets.

QuoStar offers a variety of IT outsourcing services, such as Fully Managed IT Support, Co-sourced IT Support, Managed Cloud and Hosting, DRaaS and Hosted Telephony & VoIP.

If you want to find out how we can help you further, speak to our team today.



13 tips for picking the right IT support provider




There are a great many IT support providers out there, as you may have noticed.

So, your company has decided it wants to outsource some, or all, of its IT function to an IT support provider. Finding the right one for your business can be complicated. Putting a business-critical function, such as IT, in the hands of a third party can be quite daunting.

How do you know if your provider is reliable? Is your service good value? What will happen if something goes wrong?

Interviewing potential suppliers is a vital part of choosing the right IT support provider. Here are a few questions to get you started and the types of answers you should look for.


1. Where are you based?

This isn’t about the location of their head office, but about where your servers are located. This is important if the IT outsourcing company will be providing services such as cloud hosting or VoIP, as it can affect the quality of your services.

GDPR and other laws can also have implications for data storage, especially for companies working in a highly regulated sector, such as financial services or legal.


2. What geographical areas do you cover?

You no longer need your IT support provider based in the same location as you. However, if you plan to move premises or expand into different countries you need to be sure your provider can support you.


3. As an IT support provider, do you offer different levels of support?

Many IT support companies offer a choice of service levels to suit different budgets and requirements. This may include:


4. What exact IT Support is provided in your contract?

Be wary of a company that claims to “support everything” without actually going into any detail about what is included. Too often companies think they have complete cover, but discover they can only log a set amount of support tickets a month or there’s an extra charge for certain services. It is better to be clear from the outset on exactly what level of support you would be getting. Otherwise, you risk getting tied into an unsuitable contract. If it turns out what you were considering isn’t quite right you can always ask whether there are different levels of support.


5. What isn’t covered in the IT support contract?

Although you may think this would be covered by asking what is included, asking this additional question will provide you with extra detail. There may be a number of services that are not included in the contract and it is important that you have examples of what may be billed separately.

If there are any services that are not included in the support contract, ask about their ad-hoc or hourly pricing.


6. Do you have any guaranteed response times?

You should expect your IT support company to offer guaranteed response times in the case of a problem. The exact response time may depend on what level of support you are willing to pay for, and there may be different response times for different priority levels. For example, for a high-priority issue (a P1), the company might guarantee that you will receive a first response within 15 minutes.

It is also important to differentiate between response and resolution times. If a provider just says ‘two hours’, ask them to clarify whether this means they will respond to you within two hours or resolve your issue within two hours.

If a company guarantees they will resolve an issue in a certain time period, be cautious. Of course, you should expect a target timeframe, but how can they guarantee when a specific issue will be fixed? It can sometimes take longer than expected to get to the root cause of the problem.


7. Do you provide remote management and monitoring?

Prevention is better than cure. You want a company that offers 24×7 monitoring and is proactive in its approach, taking action to prevent problems which would cause major disruption to your business.


8. Will we get a dedicated account manager if you become our IT Support Provider?

It’s helpful to have a single point of contact at your IT support company, with whom you can build a long-term relationship. They will get to know your business and plans for the future, to ensure IT aligns with your goals. It is reasonable to expect one or two dedicated contacts you can deal with.


9. Will I get a dedicated engineer?

It would be unreasonable to expect to only work with one engineer. All technical staff will have different areas of expertise, therefore it makes sense for an IT support provider to assign the best-suited engineer.


10. Do you work with specific hardware and software companies?

It’s not necessarily a problem if a company works with specific manufacturers, but watch out for those who put their vendor relationship above your business needs. If your provider is vendor-agnostic they will focus on finding the best solution for your requirements, rather than where it comes from.


11. How and when will I be charged?

Terms vary depending on the IT support company. Ad-hoc or pay-as-you-go work typically comes with 15 to 30-day payment terms. Contracted work depends on your company’s terms. This can be billed monthly, quarterly or annually, and is usually payable in advance.


12. How can we raise IT problems with you?

IT problems are frustrating, so you want to make sure it’s easy to contact the company. Ask if the company has a dedicated number, an online support request system or a direct email address. If your contract includes 24x7x365 support, ask how you would contact the service desk out of hours.


13. If I phone you, will I be able to speak directly to a technician who can help?

Does your IT support company operate a call centre where someone simply takes your details and passes them on? Or can you reach the service desk directly? There may be occasions where it’s necessary for your problem to be escalated to a second or third tier of support, but it can be frustrating if you can’t at least speak to someone technical directly in the first place.

This list is by no means exhaustive, but it will provide you with a good foundation when you start interviewing the company that may become your IT support provider.


You can find out more about our IT Support and Managed Services here.


Why successful companies have IT leadership on their board

IT strategy - Why successful companies have IT on their board

Businesses whose boards have strong digital skills enjoy benefits including 17% greater profits, 34% higher return on assets and 38% faster revenue growth, according to a report by MIT SMR.

Any of those advantages would put a company in a powerful place against their competitors, so how does this one difference deliver all three? And if it’s so impactful, why do so few businesses have IT on their board?

6 reasons why having IT on the board makes such a difference

1. IT and business alignment

Businesses without IT leadership on the board often have a siloed or even antagonistic view of IT. In these environments, IT is often labelled as a non-contributor to the business since they aren’t directly creating revenue. Even worse, an uninformed board rarely considers how the essential work of IT allows revenue-generating departments to succeed.

Resentment easily grows between departments in this scenario and causes in-fighting, loss of talent and a stressful work environment. This leads to long-lasting reputational damage, a reduction in business productivity and ultimately, lower revenue.

Once senior IT executives are present on the board, though, they can clearly communicate IT’s value, potential and contributions, improving alignment and collaboration whilst reducing friction across the business.

2. A lower technical debt

Digitally strong leadership is aware of the concept of technical debt and invests intelligently to eliminate it. Businesses without IT executives or their IT support provider on their board are rarely even aware of technical debt and make flawed business decisions as a result.

Problems accelerate for non-savvy businesses if misconceptions such as IT being a ‘necessary evil’ or a business ‘cost’ get out of control and begin influencing the board’s decisions. This causes technical debt to accumulate even faster – narrowing cash flow, increasing job disengagement and lowering the business’ productivity ceiling.

If IT has a voice on the board, they can address these misconceptions and release the stranglehold on investment and advancement they cause. This reduces technical debt, improves day to day operations (and thus profits) and re-opens the gates to innovation by strategically investing when appropriate opportunities arise.

Book a free online review and discover how QuoStar’s CIO on Demand service can benefit your business

3. IT is held accountable at a high level

It might sound crude, but if someone’s job or ego isn’t at risk, genuine change and progress don’t happen. Having board members who are accountable for IT multiplies the impetus for delivering on IT’s full value and encourages greater performance. This ultimately accelerates project delivery and the achievement of companywide and departmental KPIs.

Having a CIO, or a CIO-level representative from your support provider present on your board means the knowledge and accountability to deliver real change is in place. But realistically, the entire board, not just one person, should be accountable for IT’s performance since IT underpins the whole business and is where competitive advantage lies.

4. IT and business strategies support one another

In businesses without IT representation on the board, the strategic direction of IT rarely fits with the overall business strategy and maybe even works in a competing direction.

A simple example of misalignment would be if the business wanted to increase customer engagement and service, but IT had an ongoing implementation of a business management solution like ERP or Practice Management with a poor CRM system built-in.

If IT had representation on the board, they could have seen the misalignment and raised it prior to purchase. Even if the software was already bought, they could have reviewed an additional CRM product that integrates with the other line of business applications and makes up for the existing solution’s shortfalls. While there would be additional costs, the CIO would clearly define ROI in advance, with support from marketing.

IT leadership on the board can also lead to other projects which deliver on the business strategy. This would create overarching benefits, from back-office automation in any sector through to shop floor management systems in manufacturing, and perhaps AI or general process improvements in legal firms.

However, more commonly than misaligned strategies, businesses without IT on their board rarely have a real IT strategy at all. Usually they have just a budget and a refresh cycle documented, which puts them far behind the pack.

5. A more pressing attitude to risk management

A board without IT leadership can place a disproportionate amount of focus on extraneous risks whilst critical IT risks go unaddressed. Even if IT has a solution to hand, the board may still deny funding since they don’t understand its importance.

Consequently, increased downtime, business disruption and lost money should be expected as the underlying infrastructure becomes neglected. Downtime alone costs the average business about £4,300 per minute – a painful sum for a non-savvy board’s inaction.

But downtime is not the only risk a board without an IT presence will fail to address. Cyber-security, reputational damage, data loss and other critical issues will go neglected without the correct emphasis from IT.

When IT has its place on the board, the correct emphasis is placed on IT risks since there’s an inherent understanding of their importance. Pressing issues can be correctly raised, evaluated and solved by top-down management, reducing downtime, disruption and the associated costs.

6. Broadened horizons

If you look at a CIO’s job description, you’ll see requirements like:

  • Create business value through technology.
  • Strategic planning of business growth objectives.
  • Ensure tech systems and procedures lead to outcomes in line with business goals.
  • Oversee the development of customer service platforms.
  • Manage IT and development team personnel.
  • Approve vendor negotiations and IT architecture.
  • Information risk management.
  • Establish IT policies, strategies, and standards.
  • Develop and approve technology futures and budgets.

Beneath the IT-specific language, these are all essential skills for a board member to have. Without IT leadership present at board level, these are skills you’re missing out on.

But specific skills aren’t the only thing boards with no IT representation miss out on. Thanks to their unique mindset, a proven business executive with a vast knowledge of Information Technology and its application can challenge assumptions and find opportunities in overlooked areas.

Why do so few businesses have IT leadership on their board?

Based on all these factors, you may assume every business has IT leadership at board level. However, you’d be wrong.

For a start, most IT support providers lack a mature enough offering to include true board-level assistance. This makes it nearly impossible for businesses who outsource their IT to have IT present on their board. (IT support providers with this level of ability do exist, but they’re rare.)

Many businesses also still ‘tolerate’ IT, rather than seeing its value-enhancing potential.

However, the most common reason IT doesn’t have board-level representation is that many businesses simply don’t have the budget to hire an IT specialist with board-worthy skills and experience.

You may realise the illogic in this excuse. While the salary may be large, it would likely be a fraction of the potential increase in revenue a savvy board can drive, let alone the potential at the bottom line. However, short-term costs are often a driver for many businesses, so they cannot see the value they’re missing out on.

But there’s a reason that excuse makes even less sense and it’s that, if you’re smart, getting the skills doesn’t cost a lot either.

Taking advantage of an outsourced service like a CIO on-demand service gives you access to exactly the same calibre of seasoned IT executive, without the costs, risks and hassle of hiring and leading an internal big hitter.

8 steps to get started with automation

IT strategy - 8 steps to digital transformation through automation

Digital transformation and automation are hot topics – they’ve been hot topics in one guise or another since IT was born. But despite their proven effectiveness and capability to enhance the way a business operates, many businesses only pay lip service to improving their internal processes rather than tackling them in earnest.

Why is this? The two most common reasons are that either they’ve been burned by a project or initiative that was sold to them using automation and digital transformation tags as buzzwords which then failed to deliver substantial results, or they’re distracted by the more visible (but less impactful) new campaigns being generated by marketing or sales.

This obsession with searching for new horizons whilst leaving the internal business to fall into disrepair is seen all too commonly. Even in manufacturing, companies who have been improving their production processes relentlessly for decades seem to have forgotten to apply the same fervour for efficiency gains in the back-office. There are huge gains to be made from automation, but it must be business-led and with a focus on ROI.

So, how do we begin?

1. Understand where you are

This early on, you shouldn’t be looking at the tools to conduct your automation. Nor should you even be looking for external consultants. You need to instead get a general feel for what could be improved and what should be improved in the business.

This is a straightforward exercise of breaking down the business into its component parts – typically into departments. Then list all the business operations/processes within each department, such as client onboarding, lead processing, invoice processing and debt collection.

You should then break down these processes into steps and actions. If you can use a flow-chart then great; otherwise just map it out in a way that the team understands.

Regardless of what method you use, it is imperative that you are as precise and detailed as possible at this point in your journey. Every subsequent step follows on from this one, so ensure you start on steady footing. The more detail you add, the simpler it is to see areas that can be automated, which saves you time and other resources later.

2. Determine priority areas

As you go through your analysis you’ll start to see areas that can be improved quickly. You’ll also typically see that many internal processes can be broken down into two core types of task – actions and approvals.

Taking a typical and traditional expenses procedure as an example: an employee would open an expenses sheet and enter the details of their claims, scan in all their receipts, print the form and receipts, sign the form and hand it to their line manager; the manager signs it, it’s scanned back in and finally sent to accounts for payment.

You can see from this that even with simple tasks, there are a good many steps and many opportunities for automation. However, there are also some stages that are impossible to automate – the signatures are a notable example. These can still be digitised, however.

The real purpose of this step is to gauge how and where automation/digitisation can make an impact. By identifying processes that have wide stretches of actions which could be automated or lots of approvals that could be digitised you can create a priority list of tasks that you should address to have the biggest impact. The more steps and touches by people the greater the potential impact.

3. Look at technology

Thanks to the rampant rise of technology and globalisation, you are likely to be able to find tools and applications that fit your requirements relatively easily.

Of course, many systems will be able to take over many parts of your operations and the processes within them. If you can find one system that can deliver greater efficiency and ultimately customer service then it’s potentially going to save you costs, integration headaches and upgrade hassles.

On the flip-side, it’s important that during this stage you find a system that maps directly to your requirements, rather than trying to change your operations to fit a system – which can happen with complete business systems that blend various applications and operations, e.g. Practice Management Systems in law firms, ERP in manufacturing, etc.

You may have to create a blend of systems to deliver a highly configurable solution. In essence you then get a much more powerful solution that will deliver greater results and potentially a greater edge over your competition. Lots of tiny improvements soon mount up into a measurable advantage.

A clear requirements analysis is really going to help you see the gaps when looking at software solutions and systems. Do understand that it’s common to buy a total business system and then not use large pieces of it because those parts don’t truly map to your operations, e.g. you use the accounting and service elements but don’t use the CRM functionality – potentially using a 3rd party solution that integrates better.

4. Plan the project

Once you’ve mapped out your processes, bundled them into relevant categories, evaluated where the big wins will come from and have a solid system/application more or less identified then you have a clear starting point. Now it’s time to look at the project delivery.

A clear time-bound plan along with sensible milestones is essential to deliver returns from a digitisation project. You should be working in conjunction with vendors and (if relevant) developers, along with the affected internal teams, to create a project plan that you all buy into and approve. It’s of course important to consider costs: not just the hard costs but also the soft costs, which will often make or break a project in terms of delivering a business-enhancing result.

If you are looking at numerous digital transformation projects, it’s important not to fall into the trap of rolling out too many projects at once or back-to-back. Too many companies go for fork-lift upgrades where they change numerous systems at once, and that can cause fatigue and frustration in the user base at best. Create a considered road-map that will give staff time to become accustomed to new ways of working or new systems before undertaking more change.

5. Go hard on testing

Testing can never be overrated. You can only ever deliver an effective digital transformation project through a rigorous and considered testing plan.

Ideally, you’ll be able to pilot the new process or system in a real-time test environment. That way you can see the difference whilst ironing out issues as you go, prior to a wide-scale rollout.

This is increasingly possible now since many applications and systems are now cloud-based, allowing you to trial a system in a fully-fledged test environment without signing up for long-term contracts.

If there isn’t a way to preview the effectiveness of the new process or system, it’s important to agree what success looks like with the vendor far in advance of signing an order or contract. Too many businesses sign up on a salesperson’s promise. A project can fail because clear deliverables aren’t agreed at the start.

If you have stakeholders, e.g. users of the system, ensure that they are happy with the testing. Without stakeholder and user group sign-off you can find yourself surrounded by disgruntlement and finger-pointing. Make sure you tie everyone into success.

6. Go Live

Once you’ve signed off your testing and pilot as a success, it’s time to finish your rollout and go live with your new system. If you’ve got to this stage successfully, everyone should be raring to go (communication is everything) and fully trained.

You should now be following your project plan as you bring the solution live. It’s also important to document and analyse any issues that arose along the way. Discuss them in a ‘lessons learnt’ session with the project team during or after the rollout. We all grow through difficulties, and our experiences can help those who follow after us on other projects.

7. Evaluate success

After you’ve delivered your automation project it’s important to formally look back at what your objectives were at the beginning. Did you meet them? It’s also important to hold a formal follow-up meeting, ideally once everything has been running for a few months and then perhaps again after the first year.

If you can clearly demonstrate the value and business enhancement over a period, that’s exciting. It will also transform a board’s perception of IT. It will drive IT to the centre of the board agenda – which is where it should be right now.

8. Start again

Digital transformation doesn’t have a clear end. It’s all about continual improvement and so should in effect be a never-ending cycle. It’s very unlikely that the change you have instilled is perfect and can’t be improved.

If you want to grow your competitive advantage and/or profit margin you should be managing change as you go, whilst also revisiting the whole process at specific intervals. This could be every 3 months, 6 months, annually or longer if appropriate (unlikely).

Ideally, now you’ve gone through the motions, innovation, automation and transformation should have become part of your standard operations. Your board will hopefully be demanding it.

Digital transformation is without a doubt a buzz term. In reality, it’s LEAN and continual improvement rebadged. It’s something every business should be doing in a structured manner to survive and thrive in a global business environment. The challenges are there, but there is more to gain than there is to fear.