Compass: Stewards of Client Data—and Their Own

ABOUT COMPASS COMMERCIAL CONSTRUCTION

Founded in 2010, Compass is a $245 million general contractor and construction manager. With 43 employees, Compass is considered a small business. But its projects are often massive. Think corporate headquarters, manufacturing facilities and industrial parks, and precast mega-warehouses scaled for e-commerce giants.

Compass builds throughout the Midwest, but Central Indiana is home, and strong regional growth and government construction incentives there have led to a booming business, with 181% revenue growth FY 2018 to FY 2020. In 2021, the Indianapolis Business Journal ranked Compass eighth on a list of the Fast25 fastest-growing businesses in the area.

Ask anyone at Compass, and they will tell you their greatest asset is relationships. Compass prides itself on finding the right cultural fit—and that includes both staff hires and partner relationships with clients, subs, and vendors.

Whether the project is as large as the 358,000-sf Toyota Tsusho or as small as a locally owned 5,500-sf Crew Car Wash, “being good stewards of our clients and building relationships are of foremost importance to us,” says Jade Dugger, Operations Development Manager. In fact, stewardship is among the company’s core principles, expressed as CARES: Collaboration, Accountability, Results, Enthusiasm, Stewardship.

THE BUSINESS CHALLENGE

For several years, Compass has relied on an IT company to handle responsibilities like overseeing licensing, antivirus tools, and infrastructure. But it had yet to establish a cyber risk management program to protect its data—and that of its customers and vendors. That’s not unusual outside the tech space, where small businesses may be aware of cyber security but unsure whether they are truly at risk (they are) or how to protect themselves.

In 2019, however, Compass’s leadership decided it was time to act. “We realized we had a great relationship with our IT company,” Dugger says, “but we wondered what we could do above and beyond to make sure we were prepared. The same vulnerabilities exist no matter what size the company. Moving into the future, why not be ahead of the cyber security curve as a small business?”

As always, relationships were a chief concern. “We wanted to keep our IT company while finding a partner we trusted and could rely on as an additional security measure,” Dugger explains. Beyond that, the goals were simple: Understanding Compass’s risk as a general contractor and mitigating those risks—for themselves and the clients the company serves. (Another goal would emerge once Trava came on board: Establish an ongoing procedure for continuing to monitor and mitigate cyber risk.)

Its IT company would continue to handle day-to-day IT concerns, but Compass hoped to create a team approach uniting the three companies as a cyber crime-fighting team.

THE TRAVA SOLUTION

Collaboration. Accountability. Results. Enthusiasm. Stewardship. Trava’s cyber risk management approach delivered on all five:

Collaboration. Conducting an initial risk assessment is always the place to start. But an integrated approach to addressing it brings the ongoing assessment and mitigation process to life. Buy-in matters, especially when addressing the result of a risk assessment, which always discovers some vulnerabilities.

Trava built a structure of collaboration with quarterly Security Council meetings and regular risk assessment meetings that involved staff members, the IT provider, and a Trava virtual Chief Internet Security Officer (vCISO) who happened to be one of the world’s foremost experts on cyber security. “It was really helpful as a small company who's never done this process before to have somebody with his level of expertise to break things down to a level of better understanding for us,” Dugger says.

Having IT members on that team made a difference. “Since they manage the lion’s share of our infrastructure, it's important for them to not have secondhand exposure to what we talk about with Trava,” Dugger explains. “It just makes a lot more sense for them to sit alongside of us as a partner.”

Accountability. A blended cyber security team not only promoted collaboration. It also created a level of accountability, with members from across the organization agreeing on and monitoring the success of its prioritized efforts. Trava established a cadence of assessments and resulting discussion kept everyone on track.

Results. Knowing which vulnerabilities to prioritize gave Compass a cyber risk management roadmap it could measure itself against and cite when enterprise clients inquired as part of their due diligence. Smaller companies might not know to ask about Compass’s cyber risk profile, but the company had evidence that it was doing all it could to mitigate risks for all.

Enthusiasm. Receiving a one-off assessment without guidance toward a lower-risk future would do nothing to galvanize a cyber security team. But Trava’s can-do spirit—and its demonstrated success with small- to medium-size clients—kept Compass from dwelling on the “red” areas indicating the most significant vulnerabilities. “Trava helped us break off the pieces that are most important for our particular company and address those first,” Dugger says.

Stewardship. Protecting its own data was a chief motivator for Compass. But the stewardship piece is an indelible part of company culture, so its clients and vendors were always top of mind. “Being good stewards not only of our own resources but also of our clients’ resources, whether they’re an enterprise type client or a small client, is critical,” Dugger explains. (This level of personal commitment is not surprising, coming from a firm that makes a point of doing 11-month walk-throughs for clients so trouble spots are addressed before their one-year warranties expire.)

WORDS OF ADVICE FROM COMPASS

1. When it comes to cyber security, it’s better to be proactive than reactive. Cyber threats are only getting more complex.
2. Small and medium-size businesses should realize they face the same vulnerabilities that enterprise companies do—and they may be less able to withstand an attack.
3. “Out of sight, out of mind” is too easy when it comes to cyber security. But when a risk assessment is put in front of you, your outlook changes.
4. The difference between a risk assessment tool administered in-house or by an IT generalist and a true cyber risk management program can be life or death for small companies.
5. Build buy-in and achieve results more quickly by involving staff and vendors such as your MSP (managed service provider) in the ongoing teamwork your program requires.
6. When you talk with a prospective cyber security provider, ask them what they will do for your company beyond just gathering a list of vulnerabilities. Will they prioritize fixes? Attend meetings with your staff and related vendors?