Why Owners Must Own Cybersecurity Decisions

Show Notes

Chaos loves a vacuum, and small businesses feel it first. We sit down with Mike Meyer of M31 to explore how leaders can cut through noise, make smarter decisions, and take ownership of cybersecurity without turning into the IT department. The conversation starts with the shift from old, linear playbooks to a world where assumptions change overnight. Mike explains why divergent thinkers thrive under complexity and how leaders can turn that creative energy into practical structure that protects revenue and trust.

We get honest about cyber risk. The most damaging incidents often aren’t cinematic hacks; they’re everyday failures like an unencrypted laptop left in a cab or a lost USB stick full of client data. Mike reframes information as the secret sauce of a business—systems, workflows, pricing logic, and client history that create leverage—and shows how to safeguard those assets with simple, repeatable practices. We dig into the growing reality of director liability and why “the tech team has it” no longer satisfies duty of care. Instead, owners need fluency: the ability to ask clear questions, set risk appetite, and demand evidence that controls actually work.

If you run a small team, the trap isn’t ignorance—it’s over-delegation. Feeling out of depth, many owners outsource judgment instead of tasks, creating a grey zone where no one owns trade-offs. Mike offers a fix: curiosity, courage, and a light systems mindset. Learn enough to read the signals, require plain-English reporting, assign decision rights, and test basics like backups and recovery times. We also talk about fractional talent, integrating multiple specialists, and using simple templates and checklists to keep security aligned with fast-changing products and markets.

We wrap with details on a leaders-only workshop delivered with ISO Matters: cybersecurity for leaders, not technicians. Attendees map their critical assets, clarify roles, and leave with practical templates to raise maturity without bloat. Subscribe, share this with a fellow owner who’s juggling risk and growth, and leave a review telling us the one cyber safeguard you’ll implement this quarter.

Chapters

• 0:10: Host And Guest Introductions
• 0:29: M31 Origins And Purpose
• 1:35: Divergent Thinking And Leadership
• 2:41: Resilience And Clarity Amid Chaos
• 4:18: Neurodiversity And Business Complexity
• 5:36: Fractional Talent And Scaling Smart
• 6:50: The E-Myth And Owner Overload
• 6:51: Why Cybersecurity Now Matters Most
• 8:41: The Real Risks: Data Loss And IP
• 9:59: Personal Liability For Directors
• 11:20: The Trap Of Over-Delegation
• 13:10: Learning Enough Without Becoming IT
• 15:00: Trust, Visibility, And Tech Decisions
• 17:41: Event Overview: Cybersecurity For Leaders
• 18:39: Who Should Attend And Why
• 19:27: Funding Story And Regional Access
• 20:56: How To Learn More And Closing

Transcript

SPEAKER_01: 0:10

Hello and welcome to the Canberra Business Podcast. I'm Greg Harford, your host from the Canberra Business Chamber. And today I'm joined by Mike Meyer from M31, one of our members, and we're going to be talking about cybersecurity. Mike, welcome to the podcast. Thanks for having me here. What a wonderful uh opportunity to be able to share with our community. Absolutely. Um, so look, let's kick off with a little bit of background. Um, uh, what's what's your background and and what's M31 and when did you kick the business off?

SPEAKER_00: 0:38

Yeah, M31 started a few years ago, and it rose out of a desperate need, particularly around small and medium business, to be able to access leadership advice in a way that was more accessible. And from that, we've really been continuing to grow that element and recognize that there are beautiful, brilliant, divergent minds, technical people, all walks of life where they need someone to be able to lean on to, someone to be able to ask, and be able to go, how how can I start moving the needle forward in a range of different ways?

SPEAKER_01: 1:23

So, how how important is divergence to that? So you've you've um you've you've mentioned that specifically. Is that is that a real focus of the work you're doing in the leadership development space?

SPEAKER_00: 1:35

It is because a lot of our people, especially small businesses, are quite divergent thinkers themselves. And so, in a world that's been created for converged minds, it's not so straightforward always to be able to turn around and go, Do I do it the old way? Or is my imagination actually telling me something here? And so that's where I talk about people where I help them make sense of a world where those old rules no longer apply. You've got to do something different now. And it's a beautiful tension because sometimes you still use the old rules, sometimes you don't. And bring those together and being able to understand and recognize how that works in this crazy chaotic world. And why I say chaotic is because one of the old rules is always been about taking time, cadence, and pace to do something, test something in business, develop market, etc. etc., develop product with a really clear goal at the end. Yet today, that could vanish tomorrow. So that is really unsettling for people.

SPEAKER_01: 2:47

Yeah. So so the art of leadership these days, presumably, is managing through the fog in some cases and not knowing where your destination is. Is that is that a fair summary?

SPEAKER_00: 2:56

Exactly. That's the resilience that comes into the equation when we're working with people because realistically, clarity is our goal. That's what we do. And so the clarity is possibly one of the most valuable things that we can have these days because we are just flooded with information. And in previous eras where we might have paid$70 for a newsletter that would help us access a great swag of information because it wasn't accessible, we now live in a world where there is an abundance of information, yet we can't get good access all the time to make sense of it all.

SPEAKER_01: 3:37

And that's one of the real challenges facing businesses. Do you think that neurodivergent people have a I mean, obviously a different different way of thinking about things? But but what does that do in terms of outcomes?

SPEAKER_00: 3:54

Being either a divergent or a neurodivergent person, there is a fairly uh blurred line between the two. It's a great opportunity for people, though, to recognize that they're seeing a lot of things at play at once. And so a divergent thinker is going to take 20 things and try and make sense of 20 things. Whereas a convergent approach might be taking account of one or two things and going, I'll deal with that. Both have pros and cons. And so let's take a classical manufacturing business, for example, where you might have done an MBA from 30 years ago, would have taught you a fairly narrow, converged approach to running a business. And you might only have one product in those days. One approach to accounting, one approach to logistics and delivery. These days, a business could, in essence, have dozens of products changing every second day, different markets, different delivery modalities across the board. And that that's a big shift in our landscape. You know, and one of the biggest uh observations that we feel right now is that staff recruitment's different because we don't really, as a small business, always employ one person to grow. We go, I need these problems in my business solved. I'm going to probably need 10 different skill sets for that. Yet I need those 10 right now, and I can't scale from one to ten that quickly. So we see things fractional, resourcing appearing on the market, and people want it. So you might be a social media manager working for five people, and they fractionalize that time up and give you that skill for a portion of their time. And in small business, that's a very popular way of starting to change from, oh, we have to recruit everybody in our business to I'm going to start scaling by using resources a bit differently.

SPEAKER_01: 6:11

Yeah. And certainly in a small business, you don't you just don't have the resources to bring everyone on. But it can be challenging, right? To uh for a small business owner in particular to be across every facet of everything that they need to do and often Exactly.

SPEAKER_00: 6:28

Exactly. And and that's more challenging than ever because if we consider famous books like EMyth, where so many of us as business owners have come in as the technicians of the organization, which are beautiful divergent minds, being able to access that other resources to not feel like you have to do it all yourself is really a big deal.

SPEAKER_01: 6:50

Yeah. Now, of course, um, one of the things which uh business owners and business managers need to be worrying about constantly is is cybersecurity. Um, and I know you're running an event on that and we'll we'll talk about that event. But um, you know, what's what's your involvement in that cyberspace and and and how are you helping businesses um come to come to grips with what they need to know?

SPEAKER_00: 7:15

It's a curious one because lots of people go, Mike, but you've been in the tech sector your whole life. I have and I haven't. I love technology because it has shown to us an opportunity that is bigger than anything we can imagine. That can be monetized, amplified, it creates great outcomes for society and wealth. It's just fantastic. And I saw that early in my career. Yet, am I that good at the tech? No. What am I good at? Problem solving. The divergent minds are great at problem solving. When everything that we do these days is digital, everything, there is a need to problem solve between the both the material and the digital at the same time. And so I've brought those two worlds together in my career to do both at once.

SPEAKER_01: 8:17

Now, cybersecurity is something that keeps many people awake at night. Um if they're thinking about it. Um, do you you know, because uh there's some there's some big um risks to a business, right? From from if if you get hacked or if your systems aren't up to scratch. Um, you know, what what are the what are the biggest risks that you see?

SPEAKER_00: 8:41

The biggest risks that we see often is the accidental release of information. And that can happen in a range of different kinds of different ways, whether deliberate, where someone's deliberately trying to get access to you, which is the things that we see in the news. It's also the little things. I lost my USB stick and it had 20 years of business and client information on it. My laptop got stolen from the airport, which also had the same on it. And so these are all different kinds of scenarios. The other thing that's so important about information security is that it's our secret source of doing business. It's what makes us powerful, it's what creates the amplification effect, it's our systems, our processes, those special things that only we bring to our organizations, which means they're hyper-valuable assets. And we don't want to lose those either.

unknown: 9:43

Yeah.

SPEAKER_00: 9:43

And the loss would take to rebuild losing all of our intellectual property.

SPEAKER_01: 9:48

And the loss of that data also, or certainly the publication of that data often has some big reputational risks associated with it as well, and some legal ones. Is that right?

SPEAKER_00: 9:58

Absolutely. The biggest change that we've seen in this landscape, in particular, is that the roles around right cybersecurity as business owners has changed. And this is one of the key areas that we're going to be covering in our workshop. And that key change is that a business owner and director can be held personally liable for breach if they haven't done the appropriate duty of care. And that's a really significant shift. So instead of saying you had the tech guys do something, it's all okay, that's not sufficient under law. Under law, it says you as a leader, what did you do to manage this risk? How well is that documented? How well do you understand it yourself? So that when you've done your delegation, you're getting the results you're expecting to align accordingly.

SPEAKER_01: 11:02

Do you think um business owners and leaders are taking cybersecurity seriously enough?

SPEAKER_00: 11:11

In general terms, people try. I don't think you could turn around and say there's no effort. However, what becomes the issue is how much effort is reasonable. And this is where we see very possibly one of the biggest symptoms of the past 20 years entering the equation, probably more, because it's something that's so difficult for us to understand what happens. And what that mistake is, that we accidentally over-delegate, and that creates a boundary issue as owners. Because what happens is that we go, I don't really understand enough about it. I'm feeling uncertain and unconfident. And I've hired some great tech people to come and help me. Oh, thanks so much, guys. Yeah, what happens though is that when you've delegated and brought them in, they do their best effort. They'll try and read between the lines with you, overstep you a little bit as an owner, because perhaps you weren't strong enough to help them understand what they needed to know to do that. And that's a really grey area of responsibility and ownership. And that's the area that people do, they overdelegate their hat accidentally. It's not intentional. No one's doing this with malice. No one's turning around, they're they're doing it, they think they're doing the right thing, they're bringing all these resources on board to help out. And in enterprise and in government, that's a really good action. They're so big. Individual leadership, if I'm the CEO of a very large enterprise, I don't have to know. Because I'm I'm hiring leaders. As a small business owner, I am the leader. I have to do it all. And I'm going to then bring the right people on board to then technically execute in my business.

SPEAKER_01: 13:10

Yeah. So so what's the what's the answer to that though? Because um, you know, small business owners typically are are doing a million things at any one time. Um, they don't necessarily have the depth of expertise and they might be really great at uh running a kitchen or doing the roofing work or whatever it is, um, but not necessarily good at understanding the technical stuff. So if you're saying, well, you can over-delegate and and and get people in, but that doesn't resolve your problems, what what what would you be suggesting business leaders need to be doing?

SPEAKER_00: 13:47

It's about becoming curious about who we are as leaders and what we're responsible for. And driving that curiosity into learning moments for ourselves. And when we start to learn, I often say to people, you need to learn enough about something, say tech, without becoming a techie. Classically speaking, when we learn about accounting and cash flow, we learn enough about it to interpret it, understand it, and have an intimacy with it, yet we don't do the job of the accountant. So when it comes to managing risk, it's our risk management hat coming on. Do I know enough about the various domains and different things that my organization is doing it? So that I'm the person in control and I'm the one taking responsibility.

SPEAKER_01: 14:44

So um how do you how do you do that though? Like, I mean it's easy to say on one level, but how do you how do you know that you know enough? How do you how do you kind of work that out? What's what's the go there?

SPEAKER_00: 14:59

Believe it or not, I've often noticed that a lot of leaders have an internal meter, if you will, of discomfort in themselves and their approach to something. And so what can happen is that they might turn around and some people be around them helping, and then they might go, um, that isn't quite what I thought I was gonna get. They might go, oh, I'm feeling uncomfortable inside. Something's not quite right. Should they have made that decision or not? And these are the elitimus tests indicators inside our consciousness that go, something's not quite right. We're pretty smart cookies in leadership when we're running things. We go, oh don't that doesn't feel right. The cut of my jib's not quite right here. And that's your first indicator of something, and what that can be, and what area or domain that might be beyond. The next area is about courage, and this is where the discomfort comes into it so readily. When we're looking at something, say for example, we're manufacturing a widget or a pen, it's really obvious in many ways because we're wired as people to be visual learners. So when we put the lid cap on our pen, the result was straightforward. Lid goes on pen. Result achieved. Yet so much of tech can't really be seen. We see a lot of things on our screen, but we're ultimately trusting a one or a zero in something. And in ourselves, that's really hard to reconcile. We're going, how and we we go, oh, that's complicated. All that is technical. The good news is it isn't from a leadership point of view. And these are things that can be learned. Because the influence's leaders is the same, it's just a slightly different domain. And so there's ways to be really successful, and then things that you can learn, ways to run digital and tech teams, ways to see things being strategic enablers rather than a tool. So when you've got so many different things going on that changed over the past 20, 30 years, something that was just a tool on a desk now requires thousands of decisions to influence. We have to ask ourselves who is making those decisions and other who's the right person to make those decisions.

SPEAKER_01: 17:40

So you're going to be running an event on the 26th of February in conjunction with ISO Matters, um uh focused on cybersecurity and leadership. What is it you're going to be covering off there?

SPEAKER_00: 17:53

So this is cybersecurity for leaders, and it's not technical. This isn't for IT people, this isn't for tech teams. It's about understanding the role as leaders so that we can make those decisions together. And we'll be taking you through that learning that you need to be aware of, so that you can make the decisions that you need to be able to make, manage the risk, be more aware of what's going on in the broader landscape, so that risk assessment can occur, so you can make those decisions. And in the partnership with ISO Matters, we're bringing our systems approach into this. So we love systems, don't we, in business? And of course, cybersecurity has those systems too. And we're going to help build and help you template for your business those plans and responses that you need to have and achieve the maturity in your risk management. And so you're going to walk away not only learning a great deal, be able to influence a great deal, and you'll also work walk away with a tremendous amount of physical resources and processes and systems to help you do your job. So who should be coming along to this? This is targeted at small business. This is not enterprise. If you're a small business of one person through to 10, 15, 20 people, this is ideal for you. This is all about taking ownership of your leadership in this domain before you grow into that place where you can start hiring the leaders for you.

unknown: 19:27

Yeah.

SPEAKER_00: 19:28

And who's going to present, Mike? Is that you? It's myself and Justine will be the presenters of it. We're very quite fortunate. A very sad situation took place several years ago where a person in Sydney who would like to remain anonymous had their identity stolen. It was heartbreaking to hear this story. And they didn't want to see this happen again. And they saw that small business is a thing, and they also saw that the regions outside of our big cities don't typically have access to these kinds of resources. Where the enterprise end can have it, where there can be thousands of IT companies, leadership consultants, and things. And when we started talking about how intrinsic leadership is in our regions, ACT Riverina Murray, he reached out to us and said, guys, I'm going to help subsidize this. I need to help other people know that they don't have to live what happened to me. And I want to make that happen for them. And so through that generosity, he's been able to bring a significant and generous subsidy to make this happen, which has been wonderful. And in turn, we are traveling, bringing that to our regions, helping our small businesses bring their leadership back.

SPEAKER_01: 20:54

Excellent. Well, it sounds like uh really interesting event. If people want to know more, Mike, where do they go?

SPEAKER_00: 21:01

Uh, great places to go and check out all this is on our socials for M31. So at M31 with Mike or ISO Matters with Justine on her side of things and our respective websites to find out more about our businesses. And we'll be sending out brochures and flies to people as well.

SPEAKER_01: 21:20

Excellent. Well, I hope it goes well, and I look forward to catching up uh afterwards to hear all about it. Thank you. Thanks so much for joining us uh here today on the Canberra Business Podcast. I'm Greg Harford from the Canberra Business Chamber, and I have been talking to Mike Meyer from M31, uh, who's going to be uh presenting about IT for leaders at an event here in Canberra on the 26th of February. This is the Canberra Business Podcast brought to you by the Canberra Business Chamber. Don't forget to follow us on your favourite podcast platform for future episodes. We'll catch you next time.