By Steve “The Doctor” Meek | Talk To Th3 Doc Podcast | The Fulcrum Group, Inc.
🎙️ Doctor’s Diagnosis: A Podcast Doc-umentary
Cyber Risk Is Business Risk – Episode 126
I sat down with my associate David Johnson to talk about something most executives don’t enjoy thinking about, cyber risk. Not because it’s technical, but because it forces an uncomfortable truth. Cyber risk has never been an IT issue, it’s always been a leadership issue.
And like most leadership issues, ignoring or passing down the responsibility to handle doesn’t make it go away. It just makes the consequences louder when they arrive.
Why This Matters Now
At Fulcrum, our purpose has always been simple. Help leaders make confident decisions about technology before those decisions get made for them. Not usually the technical details but the implications, variables and impacts of going left versus going right. Cybersecurity is one of the clearest examples of why simplifying matters.
During the episode, David shared a quip that perfectly captures what we see every day.
Cyber risk is business risk.
That’s not marketing copy, that’s math. Downtime costs money, breaches cost trust, poor preparation costs companies their future, so on and so on. I’ve watched, coached and played basketball for years, and one thing never changes. Teams that don’t practice defense don’t lose by a little, they lose by a lot. Cybersecurity in your corporate networks works the same way.
The Real Problem Leaders Face
Most SMB and municipal executives don’t underestimate cyber risk because they’re careless, but rather because they’re so busy. They worry about cash flow risks, legal risks, workforce risks, economic risks and vendor risks all day. They only think about cybersecurity if someone forces them to, because they assume someone else has it covered. Maybe an IT person, their vendor, a piece of software they bought three years ago and haven’t looked at since. These assumptions are what attackers count on, the lack of an executive champion setting the tone and holding everyone accountable.
On the podcast, David talked about how ransomware has changed. It’s no longer a smash-and-grab. It’s patient, quiet, and strategic. Hackers don’t kick down the door anymore, they politely knock, wait for someone to open it, and then walk around taking notes.
That’s why “we’re too small to be a target” is one of the most expensive sentences a leader can say (or think, but not say out loud). I think of it similar to how some people use the phrase “I’m to busy” instead of “I am a poor manager”, “I don’t prioritize well” or “I am completely disorganized”.
The Fulcrum Way
Here’s where Fulcrum sees things differently. We don’t believe cybersecurity starts with tools, it starts with leadership behavior. That’s baked into our STARPower™ Framework, which is built around alignment, technology roadmaps, clarity, and continuous improvement, not random acts of IT spending.
Our SPOT Managed IT Services and SPOT Managed Security Services are designed around a few core ideas.
- First, leaders must understand their current state. You can’t protect what you haven’t identified. We can spend time mapping systems, risks, and dependencies so nothing critical hides in plain sight. But, an executive can prioritize which data is more important and which apps needs more protection, so you spend first where needed the most.
- Second, improvement has to be intentional. We prioritize based on risk and business value, not vendor hype or popular IT security topic of the month. Just like ITIL v4 teaches, improvement only matters if it ties back to business outcomes.
- Third, security has to be layered and practiced. Tools matter, but preparation and process matter more. Incident response planning, tabletop exercises, and security specific monitoring are how you move from panic to posture.
Or as David put it near the end of the episode, be the cybersecurity leader yourself so culture follows behavior.
A Real-World Metric That Should Get Your Attention
One of the most sobering moments in our conversation was discussing recovery time. Organizations without a documented incident response plan take more than three times longer to recover from a cyber incident.
That’s not an IT metric but rather an operational metric. Hope is not a strategy, it’s a delay. My old senior administrator used to say, “There is no try, only do”. Delays are expensive, as some experts estimate the recovery cost of most breaches to be 50 times (or more) expensive than the mitigating control that should have been done in the first place.
Mark Twain once joked that a man who carries a cat by the tail learns something he can learn no other way. Cyber incidents work the same way, the lesson arrives whether you scheduled it or not. And anyone who has been part of an incident, never forgets the costly lesson.
Key Takeaways Leaders Ask Us About
Is cyber insurance enough?
No. Insurance helps you survive the incident, not prevent it. Car insurance doesn’t make you a better driver. But cyber insurance is an important part of a proper cybersecurity program. It can help with the high forensics and recovery, but adds a “breach coach” to advise along the way, ransomware negotiators, possible business impact coverage, cyber legal help and other skills you don’t have in-house.
Do I need to understand the technical details?
No. You need to understand the risks, priorities, and decisions. Leadership owns direction, not configuration. Leadership co-creates the plan with a technology strategist to guide hands-on technology experts, similar to how a breach coach works on your behalf.
What should I do first?
NIST and other security frameworks advise a path to identify, protect, detect, respond and recover. In the identify stage you assess your current state, identify all your hardware, software and cloud apps, prioritize your crown jewels, and build a response plan. Then improve in small, measurable steps.
How does Fulcrum help differently?
We ascribe to security frameworks with the same rigor of a structured approach. We also scale down enterprise approaches to more practical ways blending cybersecurity, compliance awareness, and business context for budget efficiency. No fear selling or overwhelming you with buzz words, just a more reasonable approach.
What to Do Next
If this conversation resonated, I’d encourage you to do two things.
First, listen to Episode 126 of Talk To Th3 Doc with David Johnson. It’s an honest conversation about cyber risk without the scare tactics.
Second, if you want help turning cyber risk into a managed business discipline, not a source of anxiety, connect with us at Fulcrum. We specialize in helping DFW leaders move from reactive to ready. Technology doesn’t run your business, you do. In life, you either let things happen or make things happen. Our job is to be your advocate to make sure you stay in charge.
Watch the Episode
📺 https://youtu.be/s_wob023cXU
Listen on Your Favorite Platform
About the Author — Steve “The Doctor” Meek, CISSP
Steve “The Doctor” Meek is a DFW-based IT strategist, cybersecurity leader, podcast host, and co-founder of a 24-year technology legacy in North Texas. A recipient of the 2024 MSP Titan of Industry Award for Community Impact, Steve brings decades of experience helping CEOs, city managers, and healthcare and manufacturing leaders navigate cybersecurity, AI readiness, and operational resilience. As host of Talk To Th3 Doc, he explores leadership and ownership topics to find practical insights for SMB decision-makers.
Founded in Keller, TX, The Fulcrum Group, Inc. delivers relationship-centered DFW Managed IT Services through its flagship SPOT Managed IT Services and SPOT Managed Security Services platforms. Using its proprietary STARPower™ Framework, Fulcrum helps businesses strengthen security, modernize operations, and plan technology with clarity and confidence. With a 100% Texas-based team and a No IT Jerks philosophy, Fulcrum has earned repeated national recognition on the MSP 501 and CRN Top 500, serving SMBs, local governments, and mission-driven organizations across North Texas.
