business customer – Cooper Mann Consulting

In a previous article entitled The Psychology of Small Business IT Adoption, I discussed Icek Ajzen’s Theory of Planned Behavior and how a number of researchers applied it to the process of small business IT adoption. The concept, which ended up proving to be true, was that IT adoption by small businesses is a function of a number of fairly well-defined elements, and is not so much defined by specific types of businesses or the business leaders. The elements which lead to the act of business IT adoption (as well as adoption of other services, I’ll bet) can be identified and addressed by the potential provider of the product or solution ahead of time, making the possibility of actual adoption much greater.

Knowing how your prospective customer will approach the decision-making process is important, and getting a little insight ahead of time never hurts. Particularly when a lot of customers don’t actually reveal their thinking, it can be tough to know where to begin. You’ve been there before – you’re making your pitch and asking questions, but are getting nothing in return. Sometimes it’s “deer in headlights”, and they are simply overwhelmed. Other times they’re thinking about things you’re not telling them… but they’re not letting you know you’re not telling them. Dead air, and then a lost opportunity.

Boiling it all down to a fairly simple explanation, businesses adopt IT because there is a conscious plan to do so, and that plan is supported by a belief that the solution will do good things for the business, the solution is a recognized (if not expected) approach, and the business believes it has adequate resources and capability to effectively handle it. It’s all about:

Intent,
the attitude towards adoption,
belief of expected outcomes and their value,
expectations and the motivation to comply with them, and
evaluating barriers and the adequacy of resources to overcome them.

Intent

The first and most important element is intent, a conscious plan to get or do whatever it is. If the customer has no plan to get the item and sees no need for it, then the barrier is pretty high. However, if the need can be created, and the customer can be driven to believe they need to get the item, then there is intent. Now they’re looking for you and not vice versa. Consider that the Snuggie wasn’t “something” until folks were told that blankets simply weren’t good enough any more for lounging around (they don’t have sleeves!). Once people believed there was a problem, they pursued finding the solution.

The attitude towards adoption

Next, what’s their attitude towards getting the item? Sometimes people go looking for things they don’t think they can actually get, and often they know they need something but don’t think the solution is even out there, so they have a jaded viewpoint from the start. A prospect with a positive attitude and who wants to actually find a solution is far better to work with than one who has already determined that you can’t help them. Sometimes all it takes is a good listener to help create a positive attitude and make someone willing to tell you how you can help them.

Belief of expected outcomes and their value

Now, what does the customer think they will get from the deal? Will the solution actually solve problems or create new ones, and are the perceived problems to be solved big enough to really worry about in the first place? Small businesses tend to be very cash conscious, wanting as much value as possible for any expenditure. Further, most small businesses don’t let go of their cash easily and certainly not for frivolous purposes, so a successful sale is often supported by the customer’s belief that they will get a real solution and benefit – something of value which will be realized, and that is important enough to deal with sooner rather than later.

Expectations and the motivation to comply with them

It is interesting how many small businesses go shopping for products or solutions that they don’t actually intend to purchase or adopt. Sometimes they just want to be able to say “we’re looking in to it”, even if they aren’t and don’t plan to, and sometimes they have a business requirement that they don’t want to have to meet due to cost or complexity or whatever. Let’s say a business has customers complaining about unresponsive or bad support, and how they should have a ticketing system to help track issues better. Maybe the customers have the right idea: maybe the business should have a ticketing system (the business provides support and ticketing systems are considered a support service industry norm). This is the expectation. Let’s also say the business uses a CRM solution to handle support, and they believe it handles things just as well as a separate “ticketing” solution. Just because there is an expectation (customers want ticketing system), it doesn’t mean the business is motivated to comply (CRM does just fine). Expectations come in many forms and from many sources – customers, vendors, employees, contractors, the government and regulatory… on and on. Expectation and motivation to comply are both high when it comes to legal and regulatory issues, as these things can be tied directly to money and cash and risk. In other areas, it may not be as easy to identify or address. The best way to look at this issue is to try to understand what the business is doing now, whether the approach works or may be materially improved in servicing their business and model, and whether or not the business recognizes an immediate need to make the change.

Evaluating barriers and the adequacy of resources to overcome them

The final and perhaps most important factor in SMB adoption of IT is the simple belief that it can be done. Done at all, I mean, not just done “affordably”. My dad taught me that it’s not a bargain if you can’t afford it. Now, this doesn’t mean that there aren’t times when a business needs to bite the bullet and extend itself to become better. But any small business in this position is a tough sell, simply due to real resources and capability. No matter how much a business may know it needs something, if it really can’t do it, or believes it can’t – it won’t.

Make sense?

Can you outsource compliance to the cloud?

Outsourcing IT to a cloud service provider can be tremendously beneficial for a business. The model allows an organization to offload not just IT infrastructure costs, but also the costs associated with developing and maintaining all of the practices and processes involved in managing and maintaining the infrastructure and systems. There is tremendous responsibility in handling everything from platforms and infrastructure to creating best practices for maintenance, management of scalability and growth, forecasting bandwidth requirements, implementing and monitoring security compliance, creating effective and comprehensive disaster recovery plans, and more.

The question which begs to be asked is whether or not HIPAA, PCI/DSS or any other compliance requirements, and the complexities, risk and legalities that come along with them, can also be outsourced to the CSP. For that matter, can any real level of responsibility be fully outsourced, where the liability for non-performance or noncompliance is also fully shifted?

Ummm. No. It is still your problem.

What too many companies really don’t understand is that they aren’t eliminating risk by moving to the cloud, and the requirement to meet various compliance requirements really can’t be outsourced. Particularly in this area, businesses need to recognize that outsourcing certain functions doesn’t reduce or eliminate responsibility or liability. Just the converse, it could make things a bit more difficult if you don’t keep close tabs on how the provider implements and is involved with your solution. Even beyond that, what is the impact to the business operation when requirements are not met? Cost recovery from the provider may be one option, but how does that help the business remain operating in the meantime?

“Gramm-Leach-Bliley (GLB) Act Requires financial organizations to enter into contracts with third parties that they share their customer information with (including cloud vendors) to ensure that the third-party handles that information securely. Executives of those financial organizations can be held personally liable for failure to do so.

Sarbanes-Oxley Act (SOX) Defines specific security mandates and requirements for financial reporting to protect shareholders and the public from accounting errors and fraudulent practices. SOX dictates which records are to be stored and for how long and requires the data owner to know the location of the data in the cloud and to maintain control of it. Failure to comply can result in fines and/or imprisonment.”

This discussion Isn’t limited just to compliance with regulations (at least it shouldn’t be)

In this conversation we need to also address what a business should do in terms of protecting and preserving its information assets (data!) even beyond what the CSP offers. Keeping confidential and private information secure and protecting the data of the business (and clients or patients or other entities) is essential, even when the CSP fails in its obligations or abilities. This aspect of disaster recovery and continuity planning is not often considered by the CSP yet remains critical to the business customer. The sales pitch, however, never really delves into this area, because it represents an aspect of service coverage that the provider simply can’t provide.

Illustrating this particularly difficult aspect of outsourcing to the cloud is the hard lesson learned by customers of a QuickBooks hosting provider who experienced a severe outage due to a ransomware attack. The hosting service provider promised customers it backed up their data and it did, but the backup archives were also compromised. In order to restore service, customers were expected to have their own backups of the cloud-hosted data.

While there may have been items in the service agreement which address these issues, I can say – based on a great deal of experience in just this area – the service providers rarely make this point very clear to customers, and more frequently tell customers backing up their data is no longer something they need to really worry about. It’s like that really tiny type at the bottom of a contract that nobody notices until it is too late.

“..restoration proved more difficult in Texas. Lezama explained that for the Texas clients, the backups had been compromised as well, because their backup data had synchronized with corrupt files. But Cloudnine clients are obligated backup their own data as well, as a sort of third-level security measure..”

With compliance in the cloud, it’s their system, but your responsibility.

Outsourcing IT to a cloud service provider in no way eliminates or reduces the obligations of the business to manage certain aspects of information systems and data. What outsourcing can do is deliver a greater operational capacity and agility more affordably.

The responsibilities to establish information and systems management practices and processes remain firmly with the business, and actually represent a strategic component of the business that is unwise to outsource anyway. Resilience in a business and its ability to conform to regulatory and other requirements are the foundations of sustainability. Remember that cloud providers and services can be leveraged to improve certain cost and system performance metrics, but it remains solely with the business customer to find ways to reduce risk and create a greater assurance of continued operational capability.

Make Sense?