Most small businesses hire a cybersecurity advisor for the first time after something goes wrong. A phishing attack lands. A vendor gets compromised. Cyber insurance renewal asks questions nobody can answer. The relationship starts under pressure, which is the worst time to be figuring out what you actually need.
This post is for business owners who are thinking about working with a cybersecurity advisor before the pressure hits — and who want to know what a good engagement actually looks like.
You Are Not Buying a Tool
A cybersecurity advisor is not a software vendor. You are not buying a dashboard, a scanner, or a monitoring platform. You are buying judgment.
That means the first thing a good advisor should do is ask questions, not pitch solutions. What systems do you rely on? Who has admin access? What vendors touch your environment? What would hurt most if it failed tomorrow? The answers to those questions shape everything that follows.
Expect Honesty About What Matters Most
Small businesses are not banks. They do not need enterprise-grade security theater. A good advisor will tell you what your most avoidable risks are, prioritize them by business impact, and help you fix the things that actually matter — not the things that generate the most billable hours.
If an advisor’s first move is to recommend a long list of expensive tools, that is a signal. Practical cybersecurity starts with access, ownership, and configuration — not purchasing.
What Good Deliverables Look Like
At the end of an engagement, you should have something usable. Not a 200-page compliance report with no clear next step. Expect a risk summary written in plain language, a prioritized list of actions, and clarity on who owns what going forward.
If your advisor cannot explain the findings to someone who is not technical, the engagement did not fully succeed.
What to Expect on Microsoft 365
For most small businesses, Microsoft 365 is the center of the environment. Email, identity, file storage, admin access — it all runs through there. A competent advisor will review MFA configuration, admin role assignments, sharing settings, email security, and account recovery paths as a baseline. These are not advanced controls. They are the fundamentals, and they are frequently misconfigured.
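As an added illustration (not code from the post or from the author's practice), the script below shows what that baseline review looks like once the configuration facts are in hand: it takes a constructed snapshot of a tenant's users, sharing settings, email authentication and admin recovery contacts, and turns them into a findings list ordered by business impact. The snapshot values, the `break_glass` flag, and the thresholds (at most four Global Administrators, 90 days before an admin account counts as dormant) are assumptions for the example; in a real engagement the same fields would be collected from the tenant's admin tooling rather than typed in.

```python
"""Baseline review of a Microsoft 365 tenant configuration snapshot.

Everything in TENANT is constructed sample data, not output from a real
tenant. The point is the prioritization: the same handful of fundamentals
(MFA, admin roles, sharing, email authentication, recovery paths) checked
and ranked so the owner knows what to fix first.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    area: str       # which fundamental the finding belongs to
    message: str    # plain-language description for a non-technical reader


SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed snapshot (hypothetical tenant; "break_glass" marks an emergency
# admin account that is expected to sit unused and is an assumption here).
TENANT = {
    "users": [
        {"upn": "owner@example.com", "roles": ["Global Administrator"], "mfa_enforced": True, "last_signin_days": 3},
        {"upn": "it-contractor@example.com", "roles": ["Global Administrator"], "mfa_enforced": False, "last_signin_days": 210},
        {"upn": "bookkeeper@example.com", "roles": ["Exchange Administrator"], "mfa_enforced": True, "last_signin_days": 1},
        {"upn": "staff1@example.com", "roles": [], "mfa_enforced": False, "last_signin_days": 2},
        {"upn": "breakglass@example.com", "roles": ["Global Administrator"], "mfa_enforced": True, "last_signin_days": 400, "break_glass": True},
    ],
    "sharing": {"external_sharing": "anyone", "anonymous_links_expire_days": None},
    "email": {"spf_present": True, "dkim_enabled": False, "dmarc_policy": "none"},
    "recovery": {"admin_recovery_contact": {"owner@example.com": True, "it-contractor@example.com": False, "breakglass@example.com": True}},
}


def is_admin(user):
    """Any role ending in 'Administrator' counts as privileged for this review."""
    return any("Administrator" in role for role in user["roles"])


def review(tenant, max_global_admins=4, stale_days=90):
    """Return findings sorted by severity (high first), stable within a level."""
    findings = []
    users = tenant["users"]
    admins = [u for u in users if is_admin(u)]

    # 1. MFA: a privileged account without MFA is the gap most often abused.
    for u in admins:
        if not u["mfa_enforced"]:
            findings.append(Finding("high", "identity", f"admin {u['upn']} has no MFA enforced"))
    no_mfa = [u["upn"] for u in users if not is_admin(u) and not u["mfa_enforced"]]
    if no_mfa:
        findings.append(Finding("medium", "identity", f"{len(no_mfa)} non-admin user(s) without MFA: {', '.join(no_mfa)}"))

    # 2. Admin role assignments: sprawl and dormant privileged accounts.
    global_admins = [u for u in users if "Global Administrator" in u["roles"]]
    if len(global_admins) > max_global_admins:
        findings.append(Finding("medium", "admin-roles", f"{len(global_admins)} Global Administrators; keep this at {max_global_admins} or fewer"))
    for u in admins:
        if u["last_signin_days"] > stale_days and not u.get("break_glass", False):
            findings.append(Finding("medium", "admin-roles", f"admin {u['upn']} dormant for {u['last_signin_days']} days; remove the role or the account"))

    # 3. Sharing settings: anonymous links that never expire leak data silently.
    sharing = tenant["sharing"]
    if sharing["external_sharing"] == "anyone":
        if sharing["anonymous_links_expire_days"] is None:
            findings.append(Finding("high", "sharing", "anonymous 'Anyone' links allowed with no expiration"))
        else:
            findings.append(Finding("low", "sharing", f"anonymous links allowed, expiring after {sharing['anonymous_links_expire_days']} days; confirm this is intended"))

    # 4. Email security: SPF, DKIM and DMARC decide whether the domain can be spoofed.
    email = tenant["email"]
    if not email["spf_present"]:
        findings.append(Finding("high", "email", "no SPF record published for the primary domain"))
    if not email["dkim_enabled"]:
        findings.append(Finding("medium", "email", "DKIM signing is not enabled for outbound mail"))
    if email["dmarc_policy"] in (None, "none"):
        findings.append(Finding("medium", "email", "DMARC policy is 'none' (monitor only); spoofed mail is not rejected"))

    # 5. Account recovery paths: an admin with no verified contact cannot be recovered safely.
    for upn, has_contact in tenant["recovery"]["admin_recovery_contact"].items():
        if not has_contact:
            findings.append(Finding("medium", "recovery", f"admin {upn} has no verified recovery contact"))

    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def summarize(findings):
    """Count findings per severity so the summary fits in one sentence."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = review(TENANT)
    print("Summary:", summarize(results))
    for f in results:
        print(f"[{f.severity.upper():6}] {f.area:12} {f.message}")
```

Run as-is, the constructed tenant produces two high findings (an admin without MFA, and anonymous links with no expiry) ahead of five medium ones, which is the shape of a useful deliverable: a short ranked list rather than a tool catalogue.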
Ongoing vs. One-Time
A single assessment gives you a snapshot. Ongoing advisory gives you a direction. Some businesses need a one-time review to understand where they stand. Others benefit from a fractional vCISO relationship — regular check-ins, guidance on new initiatives, and someone to call when something feels off. Know what you need before you start.
Where to Start
If you are evaluating cybersecurity advisory for your organization, start with a conversation — not a contract. A good advisor will tell you quickly whether there is a fit and what the right scope of work looks like for your situation.
You can also read more about my advisory focus areas at NigelRobertsAdvisory.com/advisory and review my credentials on Credly.