Federal Acquisition Conference - Thought Leadership Compendium


Thought Leadership Compendium FEATURING ARTICLES BY:


Table of Contents

Growing a Small GovCon Services Business into a Mid-Size Firm – a Thousand-Day Strategy

Leverage Your Cybersecurity Posture


ACT1 Thought Leadership for PSC’s Federal Acquisition Conference

Growing a Small GovCon Services Business into a Mid-Size Firm – a Thousand-Day Strategy

Thanks to the Small Business Administration’s rules requiring the federal government to award a portion of its contracts to businesses meeting certain socio-economic characteristics, the GovCon service market provides unique opportunities for entrepreneurs to launch small-business ventures. Many GovCon services firms have experienced tremendous success in their first few years, or early in the lifecycle, of our companies. Unfortunately, for some emerging firms, success can be short-lived when they outgrow size standards and must compete in the unrestricted market against far more sophisticated, established firms. The journey to success in the unrestricted market is hard, with many hurdles to jump and potholes to avoid, but not impossible. For example, many established 8(a), SDB, WOSB, SDVOSB, and HUBZone firms have been snatched up in recent M&A transactions by larger primes. When studying the acquired firms’ success stories, most have followed similar approaches that include a few simple building rules.

You may think of building your firm like building a house. What type of house do you want to build? Colonial? Mid-century? Tudor? This is your Vision. Then ask yourself: for what purpose do you want to build the house? Generate equity quickly? Create a multigenerational legacy house? Make a vacation home? This is your Purpose. Then ask yourself how you intend to use your home. To raise a family? Make it your retirement place? Develop a rental property? This would be your Mission. We’ll carry this analogy through our story as we suggest how business owners can prepare their businesses to operate in the unrestricted GovCon environment as they transition into successful, stable mid-size firms.

Part 1: Building a Successful Firm
Start with a Sound Foundation.

To focus your efforts on the most impactful actions to achieve your objectives, you must define a compelling Vision, Purpose and Mission as your foundation. These will help you crystallize how to best leverage your most precious resources, time and money, while attracting and retaining talent. For example, your company Vision could be: “We would like to be the leader in Army Engineering and Logistics”. The type of foundation required by an Engineering and Logistics business that services the US Army is very different than an IT/Data Analytics business that services the Intel Community. The same applies to your firm’s Purpose and Mission.

A key component in building your firm’s foundation is developing an effective Culture. To borrow an overused, but accurate, quote from Peter Drucker: "Culture eats Strategy for Breakfast." Culture always determines success regardless of strategy. Success in GovCon is more likely to come from a kind and compassionate firm with a humble, smart, and hungry corporate culture that focuses on what matters most: Growth, Customers and People.

Part 2: The Firm Takes Shape
Add Framework/Structure and Focus on Growth, Customers and People.

Growing beyond the first few contracts takes discipline, flexibility, focus, and attention to detail coupled with a unique blend of skillsets and talent. In turn, discipline takes emotional restraint and solid approaches. Success is more likely to come from the right blend of discipline and flexibility. For example, develop your own firm’s version or interpretation of The Shipley Process. Allow yourself and your team to appropriately tailor this process when warranted to save time and effort. Trust yourself and your team to apply judgment, as the best-designed processes will never replace intellect and sound judgment. Fix your team’s focus on the prize. Start and end with your Win Strategy, incorporating time for technical solutioning and ideation throughout the proposal process. Have a sense of your Price-to-Win as early as possible and push your team to produce the highest-quality, 100% compliant and technically compelling proposal possible.

The ability to bid and win new business contracts is the most critical component of your firm’s success. However, depending on your Vision, Purpose and Mission, internal capabilities such as back-office support functions, processes, procedures and controls (i.e., accounting, contracts, IT, finance, HR, procurement, quality, talent acquisition) are critical to transform your small business venture into a GovCon services powerhouse. Tightly integrated processes can be both a major discriminator and a robust value-add in the GovCon arena.

After a contract win, in conjunction with your transition-in approach, develop a Customer Engagement Plan. Nothing sells or builds your business better than great customer referrals and “Exceptional” CPARs. At the start of every engagement, focus on regular, meaningful multi-level interactions between your customer and your firm’s senior leadership, program managers and technical staff. The best winning recipe is to continually deliver high-quality products and services while working alongside your customers. In practice, use monthly program reviews to ascertain your customers’ pain points and introduce new ideas, opportunities, and value. And don’t forget to follow up with detailed notes and minutes to build upon and continue your commitment to customer dialogue. Document your CPAR self-assessment and do not hesitate to advocate for your well-earned “Exceptional” ratings.

Finally, always concentrate on your people, starting with human capital functions (talent acquisition, human resources management, and talent management) and your middle managers, especially your PMs. Charge your human capital leadership to identify, attract, retain, grow, and optimize your workforce. Develop your firm so people can’t wait to join you. Offer competitive pay and benefits—you will be rewarded handsomely. Recognize exceptional performance, provide career mobility, and allow a flexible work environment. And for your PMs and middle managers, hone their leadership skills because they are critical to scaling your business. PMs and middle managers are the key framework of your organization.

Part 3: Focus on Fueling Growth
Shape the Firm’s Infrastructure.

After establishing the firm’s foundation and structure, develop your detailed processes to ensure repeatable and predictable growth, stellar customer satisfaction, and a dedicated workforce collaborating as a Team. Repeatable, predictable growth is synonymous with focus and “disciplined-flexibility” in execution, quality control, and diversity in skillsets and thought. Creating a deep, robust pipeline of opportunities that is reviewed and curated weekly is certainly one part, but another is to avoid falling in love with any one opportunity. You can easily get yourself and your team distracted chasing low-probability-win opportunities that your firm is not well-suited to win. In addition, the best pipeline in the world can only get you as far as your proposal development team’s throughput. You must balance the volume of your funnel and your proposal team’s capabilities without sacrificing compelling technical discriminators, or the quality and compliance of your proposals. And consider the data collection and analysis that goes into predicting price-to-win, and the pricing drills that ensure you can meet your price-to-win goal without jeopardizing the credibility of your execution model. To sum it up, sometimes focus means less is more!

At this stage of your firm’s development, the holy grail is to have a functioning management dashboard. This includes real-time data feeds from your processes and procedures to operate and improve your firm’s results and teamwork. Key data and metrics must include your BD funnel and pipeline, your proposal development team’s throughput, your CPARs, your team’s kudos, staff utilization, contract margins, indirect rates, cash collection, recruiting stats, staff headcount, and similar data/KPIs.

To improve customer satisfaction and achieve customer delight, your processes and procedures (like ISO-9001, CMMI L3, and Financial Audit results) and regular, useful engagements with customers at all levels (PMs, middle managers, executives) must focus on problem solving and innovation to improve results for your customers. Demonstrate how your processes, procedures and controls drive consistent, repeatable, high-quality performance results and customer success.

Finally, ensure your processes, procedures and controls support your workforce. Just like your growth and customer satisfaction strategies, you need a human capital/people strategy. Ensure you align your corporate strategy with your human capital/people strategy to include individual goal setting, staff recognition and training programs, especially for those high-profile, high-performing PMs and technical SMEs. Balance internal support programs as well as social, community and philanthropic events within your local communities and governments that mesh with your company values and your staff’s outside interests.

Part 4: Create Value Around Growth, Customers, and your People – Add Finishing Touches for Stakeholders.

Like value-added finishing touches on your property and inside your home (e.g., nice landscaping, updated kitchens/bathrooms, paint, and lighting), you need to develop Value-Added Capabilities within your firm. For example, you want the right type of growth: that which adds more profitable contracts and key IDIQ opportunities, and increases proposal throughput, quality, and pricing capabilities. Similarly, with your customers you want to expand existing contracts, add more complex and valuable technical work, and add more complex customers with higher-level technical work. This is like updating your home to keep pace with improved technologies and the changing environment. Finally, you might consider an acquisition or two to grow your existing market base, or to expand your firm’s technical domains and/or your functional capabilities. And we can’t forget adding value through your people. Add advanced degrees, more technical certifications, and higher clearance levels, all of which increase stakeholder value. And finally, build a Board of Advisors/Directors and an integrated C-Suite to add more value - just like developing your PMs and middle management teams.

Part 5: You Are Ready to Scale

Now you and your firm are ready to scale. So, grow the firm vertically (like adding a new level to your home) or horizontally (like adding a new wing to your home), or grow through acquisitions (like adding more land). Remember, building a successful mid-size firm is a project - whether it’s a Thousand Days or longer. Success starts with Building a Solid Foundation, followed by Adding Framework and Structure, then Shaping the Infrastructure, and adding the Finishing Touches. To build any successful business one must focus on driving growth, delighting customers, taking care of your people, and creating value for all stakeholders.

ACT I in ACTION Video - ACT I (acti.com)

www.act-i.com



Leverage Your Cybersecurity Posture

Sharing your credit score and KPIs is old-school trust-building. Partners, vendors, and investors today want to know your compliance score first.


In business, trust is hard-won and easily lost. If you’re about to jump into an agreement with another company you want to see the glossy brochure but also the ugly truth. Pulling a credit report might start the process, but it’s no longer enough. We’re seeing cybersecurity stance and compliance scores joining the conversation early—laying the foundation for trust.

What can a company’s cybersecurity posture reveal? First, it shows how the company takes steps to protect the information in its possession, which is often its most valuable asset. Second, it shows that the company has committed to a set of standards.

Are you ready to tell the world about your cyber program? Or share your NIST score? The largest companies in the world already routinely do—and are using their stance competitively—but small and mid-sized businesses lag behind. With costly breaches making the news almost daily, there’s never been a better time to show off what you’ve got. Here are four ways you can use your cybersecurity stance to build trust.

1. Know your numbers

People want to do business with people they know, like, and trust. Establishing trust is huge. It’s also far easier to develop trust than to repair broken trust. One sure conversation starter—and a solid proof point—is to simply share your compliance numbers. Compliance numbers are your “scores” based on a set of cybersecurity standards, often depending on your industry.

ISO/IEC 27001: This 2013 international standard for establishing, implementing, maintaining and continually improving an information security management system outlines how organizations should assess and treat information they hold.

NIST SP 800-171: NIST SP 800-171 is a National Institute of Standards and Technology Special Publication (NIST SP) that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI). Defense contractors must implement the basic cybersecurity hygiene requirements contained in NIST SP 800-171 to demonstrate they have adequate security to protect defense information.

CMMC: The Cybersecurity Maturity Model Certification (CMMC) was developed for the DOD contractor community. Once it is finalized, expect to see it as the de facto standard for all organizations that interact with the government. It uses the controls and policies from NIST and combines them with a stringent program for the initial and on-going implementation of those controls and policies.



You don’t have to be a government contractor to use these standards as a scorecard to assess where you stand and identify gaps or issues. Knowing your self-calculated numbers—and freely sharing good scores—allows other organizations and customers to feel more comfortable sharing data or providing access to systems. Build trust with real numbers.

2. Bring in the pros

Mention cyber compliance among colleagues and you’ll soon find yourself in a discussion peppered with buzzwords and technical talk. The controls and objectives of industry standards are complex and difficult to interpret without some level of experience in-house. You may find, as a growing business, that it’s helpful to engage a cybersecurity services vendor to help assess your program and to address any gaps.

What can expertise do for you? For starters, a good vendor will take the time to make sure you fully understand your baseline and the areas where you have vulnerabilities. They should also explain the requirements of your industry or best practices, and provide an estimate and scope of work for gaining compliance. Ongoing involvement from outside experts can help integrate cybersecurity into business operations, define the role of cyber leadership, embed a security mindset in your culture, and prepare for a compliance certification exam. With an expert on your side, you can use your cybersecurity position as a competitive advantage, like you would a superior credit score. Build trust by seeking out expert help.

3. Do your due diligence

Investigations into your cybersecurity stance are becoming more common for M&As, banking and finance, and insurance. Your cyber posture—from technical configurations, to procedures, to training, to policies, holds value. Good posture smooths the path, is a value add, and opens conversations. Poor posture, or glaring gaps in cybersecurity, are seen as obstacles, liabilities, and costs.

Most small business owners dream of success and growth such that someone else wants to purchase their company. The initial step, running the numbers to look deeper into the organizational health of the company, quickly involves a cybersecurity stance and quantifying remediation. We’ve seen cyber kill a deal and we’ve also seen companies take money off the table because of the costs involved in getting to compliance after the purchase is complete.

Another use case is cybersecurity insurance. Cyber insurance helps cover the costs of business disruption, revenue loss, equipment damages, legal fees, public relations expenses, forensic analysis, and legally mandated notifications. Your rates for insurance, as well as business loans and banking, are based on your current stance and the level of risk or number of cyber vulnerabilities found during due diligence. Build trust during due diligence with a strong stance.

4. Trust but verify

If you have already self-calculated your score, an independent audit can be used to verify your results, and may even be a requirement if you are pursuing CMMC certification. Audits are important even to companies that have cybersecurity-specific IT experts on staff, for the same reason you hire a CPA firm to review your books even though you have an accounting department or comptroller. An independent evaluation holds far more credibility than internal assessments alone. Investing the funds to verify indicates that cyber compliance isn’t a ‘one-and-done’ activity for your company but rather a commitment to ongoing practice and evolution. Build trust through an independent audit.



That brings me to my final point. Cybersecurity compliance costs money. Whether it’s new systems, expert advice, or training for your staff, the operational costs do add up.

Too often we hear from organizations who haven’t planned for remediation or the ongoing costs of cybersecurity monitoring and management. They want to see the ROI before committing to the spend. That’s an outdated mindset that needs to change. When companies don’t value security, they are willing to gamble that their data is safe or that they are too small to be a target. As modern business owners, we need to wrap our heads around this and prioritize budgeting for it as we would for HR, marketing, finance, or any other important business-building infrastructure activity. Damage control, when there is a breach (and statistically speaking there will be at some point), is far more expensive to fix than putting in proper controls and policies in the first place. In business, trust is hard-won and easily lost.

DTS experts certified as:

Contract vehicles:
GSA Schedule IT 70 Contract Number: GS-35F-137DA
GSA PSS Contract Number: 47QRAA19D006Q
FAA eFAST
Primary NAICS 541330, 541511, 541512, 541611, 541614, 541990, 611420, 611430
Privately Held Service-Disabled Veteran-Owned Small Business (SDVOB)

DTS is a Service-Disabled Veteran Owned Small Business, founded in 2011, delivering cyber, consulting and management services—for exceptional results. Headquartered in Arlington, Virginia, DTS employs talented individuals with a passion for excellence and surrounds them with the resources they need to excel. For more than a decade, we have helped public sector and commercial clients respond to changing environments and daunting challenges by clarifying pathways, applying expertise, and managing implementation.

571.403.1841 sales@consultDTS.com www.consultDTS.com

3033 Wilson Boulevard Suite 700 Arlington, VA 22201


