OK, so how do the odds stack up in this challenge?

In my favour:

• As a Management Consultant, I have a plenty of experience of advising clients on how to set up and structure businesses
• I am familiar with many of the SME ERP (business software) packages on the market
• I have set up and run companies before
• I advise clients on the web, marketing and sales strategies
• I have experience working with databases and advising clients on handling personal data.

Factors against:

• I have little direct experience of ISO accreditations.
• I am very anti-regulation and resent red tape and other controls
• I have only a limited idea of what an ISO means in internal practical terms to a company that has one.

I do know that it is meant to provide a benchmark or kitemark so that companies that possess ISO can be assured that other holders meet similar standards. IN other words they provide a framework for assurance between secure destruction companies.

Based on account recorded in diary of September 2007.

Looking at the web sites of future competitors two things are apparent. The first is that its only the serious hard disk destruction guys who really bother with any standards at all. The second is that there is a wide range not only of information destruction standards but also of other accreditations as well. It appears at this stage that following standards may be relevant:

• BS 8470:2006 Secure Destruction of Confidential Material
• BS 7858:2006 Security Screening of Individuals Employed in a Security Environment
• BS7799 Information Security Management System

I keep reminding myself in the face of the scale of the task ahead, that accreditations are the main barrier to entry in this market and are vital to the whole project. Its comparatively easy to set-up a WEEE recycling business. Securely wiping or destroying data is more difficult but accreditations represent the biggest challenge.

Based on account recorded in diary of September 2007.

This project is about setting up a secure data destruction business from scratch which has quality assurance and security controls as an integral part of the structure.  Hence, the foundation stones of the business are laid in anticipation of  what the needs of the business are doing to be when it is considerably larger and is a major player in the information assurance sector.

This approach differs, I believe, from that which most people would take.  Most would set the business up and start shredding.  Then, when the business has acquired a particular size, implement Standards and controls which will be required to compete with leaders in the industry.

My feeling is that my preferred route is going to either be spectacularly right or spectacularly wrong.  The route I am choosing means there is a huge amount of donkey work up front before I am sure of the exact market response to the concept.  On the other side of the coin, it means that I can complete most of the structural work before I take more staff and save on costs.   I know from experience that there is little more stressful as an employer than having employees sitting around because they are waiting for systems to be configured.  My whole plan is based on the idea that its better to set the systems up first.

I obviously have surveyed the market but I now take it as read that the information security market is an expanding one and ripe for exploitation.  Moreover, most successful companies do not succeed with their first offering – they succeed with the second, third or even fourth incarnation thereof.   The best strategy is to establish yourself in the market with the right credentials and retain the flexibility to respond to the needs of the market which will become increasingly apparent the more one gets involved.

I know that my commitment to this Construct First – Sell Later strategy will be challenged every day as the company parts with or invests cash in its structure and framework rather than going for quick, route one sales from the outset.

Based on on account recorded in diary from September 2007.