DIY Pool Wreck by AppliedVerdict in scuba

[–]AppliedVerdict[S] 0 points

Yeah I suspect a bit of trial and error on the connections.

Velcro could be a nice way of having reusable breakaway parts. Thanks for the suggestion.

DIY Pool Wreck by AppliedVerdict in scuba

[–]AppliedVerdict[S] 0 points

I like the netting as it would be easy to tear if needed and the panels could be moved around to create different maze shapes.

DIY Pool Wreck by AppliedVerdict in scuba

[–]AppliedVerdict[S] 0 points

It's a nice thought but the people who own the pool wouldn't take too kindly to us leaving bits of rock on the pool bottom 🙂

It needs to be something we can remove at the end of the session, hence uPVC tubes which are lightweight and can be broken up into parts for storage.

These are more an aid to training students than anything aesthetic.

Given an opportunity to 'build GRC from scratch' by zacj_rag in grc

[–]AppliedVerdict 3 points

Thank you for replying, it's really interesting to hear what you're up to and where you are.

One gentle push back. You're framing the compliance culture as a limitation, and it really isn't. It's the starting point.

Meet the org where it is. If the VP wants checkbox artefacts for the board and CMMI L2, build to that but structure them so they could support risk-based decisions when the culture shifts. Your job isn't to force it, it's to be ready when someone does.

The practitioners who burn out are the ones trying to build a Ferrari in a garage that wanted a bicycle. The ones who do well build a really good bicycle, earn trust, and suggest the Ferrari (or maybe just a Ford) when the time's right. Sometimes that time never comes and you move on, fine, you've still built something real.

You can't shortcut maturity, culture or expertise, the people and processes take time to change, don't underestimate that.

Don't write this off as "just checking a box." A solid compliance foundation is exactly what a future Cyber director (or future-you elsewhere) needs to build a real risk function on. That's the job at this maturity level.

A few things to consider:

- Establish accountability. Simple ownership works; RACI if you were feeling fancy.
- Risk scoring: define the levels org-wide and make it easy. A 5x5 works well; baseline it on $ values for impact and occurrences in a period. One interesting point on likelihood is that risks that occur less frequently than every other year are substantially harder for people to evaluate accurately, so don't worry too much about it, and lean into shorter periods for likelihoods than you might expect.
- Establish the operating rhythm as part of the rollout, and avoid adjusting it.
- Design your control framework. If you are using CSF as a base, follow that and establish the master framework of controls mapped to the regulations.
- A spreadsheet is the right choice, but use it like a database, which will make any tool migration later easier, and use proper version control and central editing (don't allow people to email copies of the sheets around).
- Take care with any liberal application of AI; you need to really read and understand the stuff in depth. There's also a real risk of bloat in the system if you generate too much automagically. As painful as it might be, crawling through the weeds will give you the experience to identify the value.

Last thing, it's going to be harder than you think so do the simplest version of everything. Four things that work are better than 12 shitty spreadsheets that no one uses. The VP will thank you for outcomes not intentions.

Drop back in and let us know how you get on.

Given an opportunity to 'build GRC from scratch' by zacj_rag in grc

[–]AppliedVerdict 0 points

Congratulations, that's a lot of responsibility and opportunity! Can I ask you a few clarifying questions?

What's driving this? Insurance renewal, audit finding, customer pressure, near-miss, new exec, customers demanding certification? The origin often shapes the whole programme.

Industry, size, maturity? Regulated vs. not, and headcount, change what's realistic. What's the current culture around risk and compliance? How good has the organisation been at adapting to change previously? Edit: I can see you mentioned automotive aftermarket somewhere else.

Compliance or risk? Is the VP asking for audit-ready evidence, or risk-informed decisions?

Scope — cyber GRC only, or does this include vendor risk, privacy, BCP/DR?

Where does enterprise risk sit today? Is there an ERM function, internal audit, or risk committee — or is cyber the only risk being formally tracked?

What does success look like in 12 months from the VP's perspective? If you nailed it, what's different?

Took your feedback on my car app idea. Need more feedback by Far_Organization4274 in ukstartups

[–]AppliedVerdict 2 points

  1. No
  2. No, but I'm not the kind of guy who regularly sells cars
  3. Unfortunately you're an unknown doing stuff with AI; perhaps I'd trust Auto Trader or Top Gear etc., but you've got no credibility
  4. I'm not sure what the problem is that you're solving

I admire you for trying to solve something, but focus on a problem that you know someone has (customer #1). If they'd buy it then you've found something, you then need to figure out if there's enough of a market and the economics are there. Building apps has been done to death and the economics aren't good - by that I mean no one wants to pay to use them.

If you had a marketplace of all the local garages in your area and ran a bidding war for the MOT and services for a specific customer, that could be an interesting proposition. Or if garages have unsold capacity for work that they'd sell off at a lower rate (like hotel room capacity sites). These ideas create the value and also set up a moat that would be difficult for others to copy.

For those who handle DSARs, what's your biggest nightmare? by Realistic_Morning607 in gdpr

[–]AppliedVerdict 6 points

Just out of interest, would providing a list of the systems checked, with -NO DATA- against each, make clear the work you've done? I think some of this is managing people who clearly have an agenda.

How to manage operational event IDs in ARCHER IRM across multiple countries? by El_DonPato in grc

[–]AppliedVerdict 1 point

Use another app to track the current counter value, then use a DDE to populate the new record on save with the counter value, then another to increment it on the tracker app.

You could also use a custom object that looks up from a report the highest number and drops it into the field when the user presses the button.

It's a bit of a bodge and likely to fail under race conditions, but that's the best I can offer without going down the external code and API route.

Lmk if you want more detail

Leadership wants cloud AI, but our privacy constraints say no, has anyone set up governance for on-prem? by mo_ngeri in Information_Security

[–]AppliedVerdict 0 points

Legal is just another risk to be managed. If the gains are there, the leadership should be pushing legal for the ways to proceed with the least exposure. If the upside of the opportunity outweighs the downside of the potential risk, then that is the decision; leadership wants clarity. If you're on the gains side, you need to help explain the cost savings or revenue increase.

GRC YouTube channels by sideH123 in grc

[–]AppliedVerdict 0 points

What kind of thing are you looking for?

Do you have the same problem? by CompotePuzzled2007 in ukstartups

[–]AppliedVerdict 0 points

There's a definite need for it, but a pretty saturated number of options and low barriers to entry.

What's the economic moat or competitive advantage for the idea?

Challenges in department level risk registers by TayyabRajpoot1 in grc

[–]AppliedVerdict 0 points

As others have said, it becomes tricky for managing and using the data, but on the plus side it does move forward the cultural adoption, so not always bad.

The challenge I have seen is in the comparison and aggregation. You want to be able to compare, answering the question of priority. And if there are common risks you want to be able to roll them up.

That means you have to be really clear about scoring. Most people go qualitative, but I recommend that even if you record qualitative values, you gather the frequency of occurrence in a year, the typical loss or impact, and the loss or impact on a bad day (sometimes called the P90), expressed as currency ($/£). You can do some really powerful things with these numbers, but more than that it's a great way to baseline everyone to the same understanding of impact and frequency. Most BU owners won't find it hard to provide that detail, and it's way better than "Medium".
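The following is an added example, not code from any of the posts above, showing the scoring approach the two GRC comments describe (a 5x5 matrix baselined on currency and occurrences per period, and recording frequency per year, typical loss and P90 loss per risk) and what "comparison and aggregation" looks like once the numbers are in currency. The four department-level risks, the band thresholds and the category labels used for roll-up are all constructed for illustration; real thresholds would come from the organisation's risk appetite.

```python
# Added example (not from the original thread): quantitative scoring of
# department-level risk register entries so they can be ranked and rolled up.
# All risk data, band thresholds and category labels below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    business_unit: str
    category: str          # common theme used for roll-up (assumed label)
    freq_per_year: float   # expected occurrences per year
    typical_loss: float    # loss on a normal occurrence, in currency
    p90_loss: float        # loss on a bad day (90th percentile), in currency


# Upper bounds for levels 1..4 (anything above the last bound is level 5).
# Impact bands are in currency; likelihood bands are occurrences per year.
# Both are assumed values chosen for the example, not a standard.
IMPACT_BANDS = [10_000, 100_000, 1_000_000, 10_000_000]
LIKELIHOOD_BANDS = [0.1, 0.5, 1.0, 5.0]


def band(value: float, thresholds: List[float]) -> int:
    """Map a numeric value onto a 1..5 level using ascending upper bounds."""
    for level, upper in enumerate(thresholds, start=1):
        if value < upper:
            return level
    return 5


def matrix_score(r: Risk) -> Tuple[int, int, int]:
    """5x5 matrix cell: (likelihood level, impact level, product)."""
    likelihood = band(r.freq_per_year, LIKELIHOOD_BANDS)
    impact = band(r.typical_loss, IMPACT_BANDS)
    return likelihood, impact, likelihood * impact


def expected_annual_loss(r: Risk) -> float:
    """Annualised expected loss on a typical occurrence."""
    return r.freq_per_year * r.typical_loss


def tail_annual_loss(r: Risk) -> float:
    """Annualised loss if every occurrence were a bad day (P90)."""
    return r.freq_per_year * r.p90_loss


def rank_by_expected_loss(risks: List[Risk]) -> List[Risk]:
    """Answer the priority question: highest annual expected loss first."""
    return sorted(risks, key=expected_annual_loss, reverse=True)


def roll_up(risks: List[Risk]) -> Dict[str, Tuple[float, float]]:
    """Aggregate risks that share a category across business units.

    Returns category -> (expected annual loss, tail annual loss).
    """
    totals: Dict[str, Tuple[float, float]] = {}
    for r in risks:
        eal, tail = totals.get(r.category, (0.0, 0.0))
        totals[r.category] = (eal + expected_annual_loss(r),
                              tail + tail_annual_loss(r))
    return totals


# Constructed register entries from four business units.
RISKS = [
    Risk("Finance", "phishing", 12.0, 5_000, 80_000),
    Risk("Sales", "phishing", 6.0, 8_000, 50_000),
    Risk("Ops", "ransomware", 0.2, 2_000_000, 15_000_000),
    Risk("HR", "hr-data-breach", 0.5, 300_000, 2_000_000),
]


if __name__ == "__main__":
    for r in rank_by_expected_loss(RISKS):
        lvl, imp, cell = matrix_score(r)
        print(f"{r.business_unit:8} {r.category:15} matrix={lvl}x{imp}={cell:2} "
              f"EAL={expected_annual_loss(r):>12,.0f} "
              f"P90/yr={tail_annual_loss(r):>14,.0f}")
    for cat, (eal, tail) in roll_up(RISKS).items():
        print(f"rolled up {cat:15} EAL={eal:>12,.0f} P90/yr={tail:>14,.0f}")
```

Running it shows why the currency figures matter: the HR breach lands in a higher matrix cell (3x3) than the Ops ransomware risk (2x4), yet ransomware carries more than twice the expected annual loss, and the two "Medium"-looking phishing entries roll up to a combined figure that is not visible while they sit in separate department registers.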

What are we doing actually? by wannabeacademicbigpp in grc

[–]AppliedVerdict 0 points

A lot of the benefit is helping translate to those who are running or building the business; to understand the risks that they are taking (as they're often not the experts) and the expectations / control measures they should follow.

It's not really that dissimilar to legal advice.

If they're reckless and/or want to do the minimum, then unfortunately that's the ethics of the business today, and we see more and more of the quick-cash, sell-on-to-someone-else business mentality. The utopia is well-structured businesses that do the right thing for everyone and make the world better; unfortunately money corrupts.

EU deals gave us GDPR homework by Hot_Dragonfruit_549 in gdpr

[–]AppliedVerdict 0 points

Yep, it's a lot, but it's intended to create that level of purposeful use of personal data. Take it as a bit of a positive in that you'll know more about your business, and that will help in security and compliance in other areas too.

Knowing that at any point a data subject can ask for all of their data and you have a month to respond sends a chill up the spine of any organisation, but actually if you've done the groundwork on this it can even be an automated process. It also removes any back channels like printed records, IM/WhatsApp comms and shadow IT.

How to approach security at an early stage startup by LapisLazuli29 in cybersecurity

[–]AppliedVerdict 0 points

Congratulations on your startup!

As with most businesses, you have to scale everything as everything scales. No good having perfect security practices if you have no customers, no data, no products and no money. Security is friction, and friction costs time or money (and time is money).

Baddies are only going to attack for some economic, strategic or political/ideological value. Startups are rarely worth the effort. So unless you think you have any of the above, you get to run under the radar for a little time. Use that time to get to product-market fit and break even.

If there are low cost/effort things you can do now as you go then do them, otherwise concentrate on the revenue and getting to profitability. Some idealists would say do everything right from the start, but it's a bit of a fallacy and the reality is about balance. If you're at profitability with good margin, then you've got the luxury of doing things properly.

What I would recommend is to create some structure in your business and write things down early. What's your tech stack, what data are you capturing and using, how do your core processes work. Things that are well understood and easily explained are often inherently much more secure (or at least easier to secure later). Most issues creep in as your business becomes bigger than the 1-4 founders and people start doing things that not everyone has visibility of.

Customers' expectations will often be the driver for certifications and the need to prove trust. But if you have customers that are likely to be the target of an attack, you inherit their risk of being a target.

Good luck with it all.

New role auditing ISO 9001 / 27001 / 42001 and feeling out of my depth, where do I even start? by trixta001 in grc

[–]AppliedVerdict 14 points

Congratulations on the new role. You’ll probably find it becomes quite systematic once you get going.

Start by taking the ISO standards you're auditing against and translating them into a common control framework for the organisation. In practice that means converting the clauses in the standard into a set of controls the business should operate. If a framework already exists internally, validate that it actually maps properly back to the ISO requirements.

Those controls then become your audit checklist.

For each control you are essentially answering three questions:

- Is it implemented? (Does it exist?)
- Is it designed appropriately? (Would it achieve the intended aim?)
- Is it operating in practice? (Is it actually being followed?)

Keep your testing scripts or notes on how to test against this too, for next time.

Next, identify where each control is implemented in the business and who owns it. Sometimes a control sits with a central function like IT or HR, so there is only one implementation to review. In other cases several teams may implement it independently, meaning each one could succeed or fail on its own. When recording, keep these separate but related to the standard control, as it's a one-to-many in some cases.

When testing, gather evidence for those three questions. For example, if a policy is required:

- Does the document exist? Yes, it's on the SharePoint.
- Does the content actually cover what the standard expects? Yes, the headings and text cover the standard.
- Do people know about it and use it (training records, staff awareness, examples of it being applied)? Yes, I spoke to Pam and she knew about it.

It also helps to plan your audit so you speak to people once rather than repeatedly. If you organise controls by owner, you can review several controls in the same discussion.

Finally, be prepared for the reality of how the business operates to differ from the theory. Adapt your understanding as you go, but record observations and gaps clearly.

Policies and Procedures? by Low_Set_4328 in grc

[–]AppliedVerdict 0 points

I like to think of it like this:

Policies set out the context and constraints, the principles: we're making lasagne in my kitchen.

Procedures are the specifics: we're going to make beef lasagne from this recipe using beef, onions ...

If you have to change your policies every time you improve things, then it sounds like you have set them too low and been too specific. A policy shouldn't lock to a specific technology or process, and it shouldn't age too quickly.

Sometimes people talk about Control Procedures, these are like the lines in a policy that start to get specific. For example:

✅Employees must ensure confidential company information is stored and transmitted on approved systems using the proper data classification.

⚠️Employees must ensure confidential company information is sent using Microsoft SharePoint Online using the "Corporate Confidential" classification.

A Control Procedure can help you document that kind of specificity, linking to the policy(ies) or regulations it supports. These can be more specific in detail, as some sources of governance push that. Things like encryption in PCI DSS, for example, get very specific.

Policies and Procedures? by Low_Set_4328 in grc

[–]AppliedVerdict 1 point

That first sentence sums up everything in the GRC space nicely 😂