Las Vegas Information Security (Now TCM Security)

How This Cybersecurity Expert Makes $14K/Month Helping Small Businesses

$14K
revenue/mo
1
Founders
1
Employees
Las Vegas Inform...
from Henderson, NV, USA
started January 2021
$14,000
revenue/mo
1
Founders
1
Employees
Discover what tools recommends to grow your business!
Discover what books Alexander recommends to grow your business!
Want more updates on Las Vegas Information Security (Now TCM Security)? Check out these stories:

Hello! Who are you and what business did you start?

Hello! My name is Alex Tushinsky, and I'm the founder of Las Vegas Information Security, a consultancy focused on startups and small businesses specializing in practical, common-sense solutions to complex cybersecurity problems.

Despite having "Las Vegas" in the name, I work with people across the entire United States and operate from Henderson, Nevada.

The company itself has been around in one form or another for almost thirty years now. I've always had a sole proprietorship or an LLC to help keep my various side-hustles and projects segregated from my corporate career. The latest incarnation is "Left to My Own Devices Computer Solutions LLC" and was officially started in 2016 when I was offered a contract as a Chief Information Security Officer or CISO for a fintech startup.

I launched Las Vegas Information Security as an alternate name for my LLC, or a DBA, on January 1st, 2021, when I realized that I could make a real difference to many smaller organizations and startups that have been largely overlooked by IT and Cybersecurity firms.

Today, Las Vegas Information Security, or LVIS for short, is a consultancy designed to help consumers, small businesses, and small enterprises.

las-vegas-information-security
My interview on local TV

As a software developer, I was always able to find customers. Cybersecurity is different. Everyone has different needs, and no one thinks a cybersecurity incident will happen to them. As a result, education is critical to promoting this business.

What's your backstory and how did you come up with the idea?

I spent the past thirty or so years in IT, and most of that time was spent either writing or architecting software solutions. Yes, I was a software developer. Over the years, though, I've been pulled more and more into cybersecurity. While I watched some struggle with implementing security features and dealing with security requirements, I've always found information security to be "common-sense" and good practice, and so in 2016 made a career shift to focus on cybersecurity full-time.

I began work as a CISO while at the same time working towards a master's degree in Cybersecurity and Information Assurance from Western Governor's University. Cybersecurity has always been part of what I do, but this was the first time that it became a primary role.

Despite having doubts about my abilities, I was able to build out a solid information security program for the startup and learned a lot in the process. College was fantastic as well, and I closed on my degree within 18 months. I learned ethical hacking, various information security frameworks, secure network design, and various aspects of threat analysis and preventative measures.

I figured that getting customers would be easy! After all, everyone needs help with cybersecurity, right? Well, yes, but they don't know it. It was hard to convince anyone that an ounce of prevention is worth a pound of cure.

Sometime towards the end of 2020, I had to get my photo professionally taken and went to a local photographer. Once the photographer found out what I was doing, he told me a story of how his business was a victim of ransomware and how he lost many of his customer photos in the process. I also heard a similar story from a local pool company owner. Finally, I heard from an attorney who had his email hijacked and was in trouble because the attacker sent out fake invoices to clients, some of whom paid the invoices, not realizing they were paying the attacker.

Listening to all these stories, I realized a common theme. Many small businesses are simply unprepared to deal with an attack. Many think that something like a firewall will prevent every kind of attack or that they are "too small" to be noticed by an attacker. All of this is false. And so, I started LVIS. The company concentrates on offering solutions to help prevent cybersecurity events BEFORE they happen and does it in a way that won't impede business and will not break the bank.

I decided to concentrate on prevention and education rather than be the "ambulance chaser" and show up after the event. For example, ransomware recovery may cost a small company $30,000 - $100,000 in ransom, lost revenue, employee downtime, legal costs, lost billable and lost customer confidence. Some businesses never recover, and many disappear within six months after the event. Proactively, however, preventing ransomware may cost as little as $1,500. It makes more sense to prevent rather than clean up!

I also don't sell hardware. Many cybersecurity firms concentrate on network equipment sales and don't offer the same type of consulting that I do. Sure, I can recommend hardware such as a firewall or an intrusion prevention device if that's what is needed. Overall, I tend to look for simple, common-sense solutions that can easily be implemented and help the business avoid problems in the first place.

Take us through the process of designing, prototyping, and manufacturing your first product.

While working for the fintech startup, I followed the guidelines of a popular information security program known as ISO 27001. It is one of several great frameworks designed to keep larger organizations from cyber-attack by requiring the organization to implement and adhere to roughly 140 controls.

Control is how we detect, prevent, or deal with various identified risks and threats. And while ISO 27001 and other frameworks are excellent, they are geared toward organizations that have a budget for information security and have dedicated people to help bring that framework to life. Unfortunately, working with smaller companies, I found that none of the frameworks worked well.

So, one of the biggest hurdles in getting started was identifying the specific things to concentrate on that would be most meaningful to a small organization. Having fifty policies and procedures for a 2-person office is not practical. The policies also had to fit the business; they must be something that the organization's people can understand, follow, and do.

I spent time building out a small set of controls that can be customized for each client as needed. These controls include the essential features of information security that everyone should adhere to and provide easy-to-follow guidance and support for the business owners and employees. Having an information security program at a business, regardless of the size, reduces your chances of being a victim by 60% to 80%. That is significant!

The program provides a basic risk assessment to identify the key technology and people within an organization and then, based on the findings, implements any of 15 or so controls to mitigate and deal with the identified risks. These controls may include regular vulnerability assessments, penetration testing, security awareness training, and some guidance provided by policies.

For example, most companies should have a good antivirus and a good data backup – two critical factors for keeping ransomware at bay! Those requirements become policy, and any computer implemented at the organization must include those two features, which in turn reduces the risk of getting ransomware to a shallow level.

Describe the process of launching the business.

As I mentioned before, I've always worked through a company that helped keep my side-hustles and personal projects segregated from my corporate life. As a software developer and consultant, I used a sole proprietorship while I lived in New York City, and once I moved to Nevada, I opened the company as an LLC. Getting that DBA in place was the first step.

For pretty much all of 2021, I worked on figuring out what would work best for smaller organizations and small enterprises. Building out the company website was a real struggle. I build websites for others from time to time and enjoy them, but I struggled to find the right messaging or even develop a good design for the initial website.

The current site in place now is version 2, and I continue to improve and revise content incrementally. While I could have outsourced some of this, I felt that I was the best person to explain the business, and if I can't do that, I can't expect someone else to.

I also figured that getting customers would be easy! After all, everyone needs help with cybersecurity, right? Well, yes, but they don't know it. It was hard to convince anyone that an ounce of prevention is worth a pound of cure, and I struggle to get business, even today. While I have some wins, enough to hone my offering, validate my idea, and get me out of "beta" mode, I still haven't found the right recipe for attracting customers.

Initially, I reached out to a local marketing company and was able to get a couple of spots on TV (January 3rd spot, and April 4th spot) and worked with them on email and Facebook ad campaigns. All these things helped establish the brand but, surprisingly, didn't generate as much business as I hoped.

Thankfully, not every project comes through my marketing efforts. I have had a couple of referrals and have picked up various projects from others in the industry, people I've met through my profession but consider friends today. I also enjoy teaching and took on some cybersecurity courses for Pluralsight, a popular online learning platform for the technology workforce. Lastly, I’ve had people find me on LinkedIn and reach out!

In terms of funding, I tend to put back into the company as much of the revenue as I can. This is a bootstrapped effort, with my work as a CISO, and my various projects paying for everything. My credit cards and a small business line of credit through American Express help fill the gaps and provide a safety net. I have a lot to learn about marketing and getting leads, but it's interesting stuff, and I plan on continuing my efforts until I find that right balance between cost and the number of leads generated that I'm happy with.

las-vegas-information-security

One of the ads that ran on Facebook

Since launch, what has worked to attract and retain customers?

Being a consultant for many years, I know what works well for customer retention. First, I think listening and understanding your customer's needs is paramount. Secondly, it takes time, effort, and trust on both sides to cultivate a long-term relationship. Lastly, prices have to be fair, and you must provide value to your customers for them to stay. I have many customers that I've been working with since the mid-1990s on web and software development projects, and I'm very proud of that accomplishment.

As a software developer, I relied primarily on word of mouth for business and always seemed to stay busy. At least, whenever I wanted a project, I was always able to find one. Cybersecurity is different. Everyone has different needs, and no one thinks a cybersecurity incident will happen to them. As a result, education is critical to promoting this business.

While the TV spots and Facebook marketing helped establish the brand and drive traffic to the website, their marketing efforts didn't translate into sales as one would think, so a more in-depth approach is needed. Over the next several months, I plan on implementing a larger campaign consisting of different types of marketing and educational approaches.

las-vegas-information-security

The marketing company brought over 77,000 people to my door. Not everyone became a customer.

First, I plan on being a guest on business, startup, and entrepreneurship-related podcasts. My goal is to be on at least 15 podcasts over the next seven months, build awareness about cybersecurity issues, provide free advice, and further establish the brand. Additionally, I am working towards sending out a physical mailer to various professionals in my local area. Doctors, lawyers, accountants, and realtors could all use my help.

I plan to utilize LinkedIn more and continuously update my website until the messaging and the information available there keep people engaged and give them the details they need to make the necessary decisions.

Additionally, and this is where things get a bit ambitious, I would like to start work on mobile and web applications that my potential customers could use as self-service tools to evaluate their needs. The mobile app will provide tips, offer advice to consumers and small business owners, and provide alerts for zero-day attacks people should be on the lookout for. Web-based tools will include risk management software and evaluation wizards that could help identify security-related gaps within a business based on how they answer specific questions.

How are you doing today and what does the future look like?

There are definite challenges and surprises that I've encountered along the way, but I'm confident that I'll have a breakthrough moment. When most people think about cybersecurity, the consensus is that it's a very hot industry. Salaries are high, and there are endless opportunities because of the shortage of qualified workers. While that’s true if you’re looking for a corporate job, as a consultant, that's not necessarily the case. As a result, I struggle to get customers or even leads.

I am not discouraged and continue to work towards the company's goals. I know that there are many companies and individuals that I can help, and it's just a matter of reaching them and letting them know that I'm here for them when they are ready.

Since 2016, when the company was first established, it has grown in revenue year over year, although not significantly, with 2022 showing the largest revenue, highest expenses, and most growth. I believe that the various marketing initiatives that I have planned for the summer and fall will further help grow the business.

I'm always looking for ways to make it easy for someone to purchase my services. I introduced consumer-level cybersecurity products in early April and have recently launched a small business "Essential Cybersecurity" offering, which bundles and discounts many of my popular services. I'm also working on starting to perform gap analysis for popular security audits such as SOC 2 and CMMC v2.

Lastly, I plan on running a live cohort in September to help people interested in a cybersecurity career get better acquainted with cybersecurity, the type of work they're going to do, and what they should study. Cybersecurity is a very dynamic, fast-paced, and broad field, and the cohort will let you "dip your toe" into the field before you invest time and effort into making it your career. More information will be available here. The cohort is limited to 15 people for September, and I kept the cost to a bare minimum, so I'm hoping for a good turnout!

Through starting the business, have you learned anything particularly helpful or advantageous?

Many of us get caught up in the business itself and fail to identify the various avenues in which we will connect with our customers. Sometimes getting customers comes naturally and easy, but sometimes, it's a struggle. I seem to be in the struggle camp and find it hard to get business.

I have made mistakes in how I approached marketing and what I expected marketing to do for me versus the reality. That said, if I had to do it all over again, I would spend the time identifying the various ways in which I could or should connect with my customers, rather than just thinking to myself, "Oh, you're going to be on TV, you can't possibly fail if you're on TV!"

What I've learned and what I think can help anyone getting started is that you should understand your customer. Who is it that you're working with? Once you have that information, it's a bit easier to try different types of marketing tactics because you are hopefully using the channels best accessible by the people you want to help. This is not to say that I have all of the answers, but I think I'm in a much better position today than I was for pretty much all of 2021.

What platform/tools do you use for your business?

I use several tools and software for the Las Vegas Information Security stack. Other than the tools of the trade, such as the ones found in Kali Linux (an ethical hacking operating system), I use the following:

  • TickTick – Absolutely the best to-do list around. It keeps me on track and scheduled for all of my work.
  • ClickUp – I use this for larger projects where back-and-forth between myself and my clients is needed. Great way to organize a project and track its progress.
  • Microsoft Teams / Zoom / Slack – Used for various meetings and chats.
  • Microsoft Office 365 and Google Apps – It's funny that my company, Left to My Own Devices Computer Solutions LLC, uses Google Apps for email and documents. At the same time, Las Vegas Information Security relies on Microsoft software for email, chat, and document handling. I find Microsoft's offering in terms of security slightly better and has the necessary auditing capabilities. Since people do trust me with their sensitive data time-to-time, I make it a point to make sure I take every precaution with their data, and in this area, Microsoft wins out.
  • WordPress – I use WordPress for my site, along with Elementor Editor and Astra Themes.
  • Stripe/SquareUp – I use SquareUp to run my payroll and invoice customers, while Stripe is used on the web front-end for customers to buy packages.

I write my software, so the shopping cart integrated into my website is a custom piece that I wrote myself using Microsoft .NET.

What have been the most influential books, podcasts, or other resources?

There are too many to mention, but here are a few books that stand out for me:

  • Rich Dad Poor Dad by Robert T. Kiyosaki – This book, despite its age, is eye-opening. I found it motivational and validating.
  • Unfu\k Yourself by Gary John Bishop – I'm not a huge fan of the remainder of the series, but the first book is right on point and delivers the truth that many of us need to hear. It helps keep you from being complacent and pushes you to discover what you're capable of.
  • Finding Ultra by Rich Roll – I am a runner and a vegan and thought this book would inspire me in both of those areas. While it certainly did, its main attraction for me was the "do not give up" message.
  • Greenlights by Matthew McConaughey – While a biographical look at McConaughey, the book is about growing and doing what you want and making your dreams a reality.
  • Can't Hurt Me by David Goggins – Goggins achieved amazing things and persevered through great obstacles. While Finding Ultra was about not giving up, Can't Hurt Me is about pushing through, being uncomfortable and being OK with that, and working towards the goals you want to achieve even though they are at times painful.

Advice for other entrepreneurs who want to get started or are just starting out?

I think you must first have a vision. I stumbled a few times early on because I couldn't quite decide what it is that I wanted to do exactly and for whom. Having a clear vision of what your business will look like in 5 years is a great way to start. Because now you have a specific goal to work towards.

Secondly, spend a bit of time figuring out who you will help. Understand your customer and what they're all about. That's a broad statement, as I've just scratched the surface on my journey, but I think if you have a good handle on both of those things, you'll have a much easier time easing into entrepreneurship.

For those interested in doing cybersecurity work, I can tell you that it is a great field, filled with many mentors and very passionate people who will help you along the way. Depending on what you want to do, formal education is not always necessary, and anyone can get started in the field. There are so many resources and books, and ways to participate. It's a very diverse, exciting, and dynamic field, so you must like learning, experimenting, and working through problems in great detail. As mentioned above, I have a live cohort starting in September that will concentrate on helping people get started in cybersecurity. The cohort URL.

Where can we go to learn more?

If you have any questions or comments, drop a comment below!