What have you been doing all of this time?

When it comes to small business manufacturers in the defense industrial base, I see a lot of tsk-tsk'ing from people who have swooped into the CMMC world to posture: “Well, it’s about time companies got with the program,” “They should have been fully compliant long ago,” and my favorite: “It’s the cost of doing business with the Government. Do you want the work, or not?”

There appears to be an assumption that small business has been sitting here, playing on our phones, scrolling through Insta reels, simply avoiding the inevitable. A small business who isn't setting CMMC as a priority? gasp - clutch the pearls, Myrtle.

Is this to say cybersecurity efforts should be low priority in a small business? No, but the reality of it is that we are resource constrained - and that there are only so many hours in a day.

Right or wrong (in your eyes) - there have been other things happening that business owners have had on our radar.

Some of us are representing companies small enough to have to wear multiple hats – and many of us do not yet have the luxury of working “on” the business instead of “in” the business, as the kids say these days.

The person responsible for IT or cybersecurity strategy in the [small] business is often the same person making other important decisions - decisions that immediately impact cash flow.

There have been a few other things on our radar – either doing, or managing our lean staffs to make it happen:

  • Finding employees
  • Hiring employees
  • Keeping employees
  • Renewing AS9100 certification
  • Managing cash flow
  • Pay local, state, and federal tax
  • Monitoring the budget
  • Planning for machine replacements
  • Approving large purchases
  • Replying to capacity surveys per government census request (and giggling when you read that it is “required” for you to respond)
  • Paying vendors
  • Quoting parts
  • Setting up customer orders
  • Reading customer purchase orders
  • Pretending we’re a lawyer to understand DFARS and FAR flow down
  • Negotiating purchase order flow down
  • Determining new ways to stay competitive in a variety of marketplaces
  • Setting up job jackets for manufacturing
  • Scheduling jobs
  • Communicating job updates to customers
  • Shipping product to customers
  • Ensuring customer receives follow-up when parts ship
  • Ensuring customer receives follow-up when parts don’t ship
  • Managing time effectively
  • Invoicing customers
  • Receiving customer payment
  • Reconciling accounting books
  • Working with accountant to close out books monthly
  • Chasing after customers who are slow pays
  • Strategizing about cybersecurity game plan
  • Changing our minds about cybersecurity game plan
  • Cry
  • Keeping up with 92 different logins for customer websites and portals; three different hardware tokens and an MFA app that lists enough codes to make a hacker throw up his hand and ask “How the hell are you supposed to know which one is which?”
  • Answering 47,834 customer surveys
  • Answering 12,826 government agencies surveys
  • Making heads/tails of the moving pieces to required employee deductions
  • Consider “digital transformation” and laugh at your lie when you tell someone it’s ‘on your list.’
  • Ordering piece parts
  • Ordering material
  • Actually make the product
  • Plan to pay taxes
  • Tracking KPIs
  • Navigate through a pandemic
  • Worrying about the next supply chain shake-up
  • Maintaining customer relationships
  • Generating weekly payroll
  • Generating quarterly payroll reports
  • Generating reports for annual insurance audit, workers compensation audit, health insurance renewals…
  • Buy lunch for staff now and then, to say thanks
  • Wonder if today is the day that China invades Taiwan
  • Coming up with a game plan for rising costs in the supply chain
  • Mitigating rising logistics costs
  • Archiving closed customer orders to ensure traceability and compliance to AS9100 and compliance to cybersecurity requirements: Even if they are competing requirements.
  • Figure out what to do now that Congress screwed small business pulling R&D tax credits, the expected tax relief you've had for nearly 30 years.
  • Auditing process flow
  • Determining what data should be protected, since, let's face it, there's no consistency to marking or identification
  • Monitoring rule-making for a number of small-business related topics: Environmental, employee-related, tariffs and taxes…
  • Handling HR "incidents"
  • Managing people
  • Planning for community engagement to raise profile of the business
  • Wearing the document control hat to manage AS9100 compliance
  • Renewing employee health insurance
  • Running open enrollment for employee health insurance
  • Fixing the copy machine
  • Worrying about cyber incidents that affect me, but that I have no control over
  • Renewing commercial insurance
  • Renewing workers compensation
  • Completing required OSHA forms
  • Teaching the salesperson who just stopped by how to read the "no soliciting" sign
  • Answering the phone
  • Convincing a customer that I have to increase prices because my costs are going up, and no, prices don’t come down just because I like you
  • Taking meetings with a customer
  • Taking meetings with a vendor (just not the ones who cold-call)
  • Taking meetings with people considering a career in manufacturing
  • Taking a meeting with Comcast technician who may have to replace the modem. He's not sure yet. He’ll need to come back. Twice.
  • Monitoring U.S. defense budget shifts and reallocations
  • Planning some version of a student internship
  • Coordinating said student internship
  • Managing said student internship
  • Managing the employee emergency contact list
  • Creating social media content
  • Posting social media content
  • Trying to keep up with supply chain-related Executive Orders
  • Reviewing and documenting risks involved with any number of related worker strikes in industry
  • Traveling for work conferences
  • Ordering and picking-up the monthly birthday cake
  • Serving the birthday cake
  • Updating business hours per employee request: 10 hour, 4 day work weeks (Monday-Thursday) – hurray for 4-day work weeks!
  • Working on Fridays.
  • Working on Saturdays.
  • Working on Sundays.
  • Analyzing productivity reports to ensure we're not spending too much money on non-production employees. That wrap rate is a killer.
  • Reviewing scrap rate and nonconformance trends, assign trend investigations to applicable manager
  • Wondering if the weaponization of space will bring mo’ money, mo’ problems to your company
  • Laugh when someone outside of your company asks if anyone in your company works remotely
  • Cleaning the lobby bathroom because the cleaning person you've used for 20 years is now retired and you haven't gotten around to finding a replacement
  • Vacuuming the front office for the same reasons
  • Submitting customer reports on sub-tier usage
  • Determining supply chain risk in the DIB as it pertains to many ever-evolving facets, and
  • Other duties as assigned.

So, forgive us if you think we haven't used the time wisely.


---

This list is not an invitation to spam me with sales messages claiming you can help me with these items. That said, you’re free to send ‘em, and I’m free to ignore.

Yes, I recognize that a single individual isn’t likely the one to do ALL these things, but if you’re a small business owner, I’m betting that at some point, you HAVE done all of these things.

This isn't an article that proposes solutions. If you came here for that, my apologies. It's just a list to explain to those who have never had to make payroll that their posturing and bloviating makes people like me roll our eyes.

You have shared your struggles and heartaches with me over the last years managing a small business and it is hard for me to understand how you are able to maintain. Until we have personally had to manage a small business we will never know. It's unfortunate that more have not really tried to understand. Overemphasizing one problem creates problems in other areas.

Yaro Taeger

InfoSec | Governance, Risk & Compliance | Information Systems Architect

3 weeks

I remember the run up to 2007. Then it was “you should be doing this anyway”. The implied was we should have been doing this all along. It’s basic hygiene. It’s not “extra”. Here we are nearly 20 years on…NIST 800-171 is still aspirational. Maybe any one of the requirements is achievable. All of them, in combination, continuously. That’s hard. I don’t care if you have been “doing it all along”.

Thomas Symons

IT Director, CISSP, Certified CMMC Professional

3 weeks

Not to mention the “other” elephant in the room: a company that did nothing (with DFARS cyber requirements) has historically had a competitive advantage over companies that spent lots of money on cyber trying to do the right thing.

Vincent Scott

CEO, Defense Cybersecurity Group (DCG), FBI Infragard SME on Cyberwarfare and Deputy Sector Lead, Defense Industrial Base

3 weeks

If only there were a "pearl-clutch" icon. Well said, Allison, as always.

Krista Nichols

Quality Manager | Component Products Corporation (CPC) | CNC Machining | Aerospace & Defense

3 weeks

I feel tired now. Great post, thank you for sharing this - it is the reality for so many small businesses!
