
No IT Department? No Problem. Here's Your Roadmap.

The impossible middle ground we all live in

The Transcrypt Team
Compliance Engineering


How we went from "Sandra's son fixes the laptops" to a proper IT operation


Two years ago, our IT department was a nineteen-year-old called Danny who came in when things "went funny."

Today, we have a Head of Technical Sales, a dedicated IT manager, a technician starting Monday, and systems that actually work. We've spoken at NCSC seminars. We've been featured in Network Week. Government contracts, private sector clients, the lot.

This isn't a brag. It's proof that where you start doesn't determine where you end up.

Here's the roadmap we followed. No jargon. No fluff. Just the steps.

Stage One: Admit Where You Are

This is the hardest part.

When I started, I couldn't have told you what a firewall actually did. Our WiFi password was "Welcome1." We had no backup system, no update policy, no clue.

Most small business owners are in the same boat. The difference between the ones who stay stuck and the ones who move forward? Honesty.

Write down what you've actually got. How many devices? Who has access to what? When did you last update anything? Who fixes things when they break?

No judgement. Just facts. You can't map a journey if you don't know where you're starting from.

Stage Two: Find Your Danny

You probably already have one. You just haven't recognised them yet.

Danny was Sandra's son. He'd learned everything from YouTube. No formal qualifications, no certifications, just genuine curiosity and a knack for making technology behave.

Look around. Is there someone in your orbit who's good with computers? A family member, a friend of a colleague, someone's kid who's always fixing phones at family gatherings?

That person is your starting point. Not a £500-a-day consultant. Not an outsourced IT firm. Just someone who knows more than you do and is willing to help.

Pay them fairly. Treat them well. They're more valuable than they know.

Stage Three: Get Your Baseline

Cyber Essentials certification isn't just a badge. It's a diagnostic tool.

Going through the process forces you to look at everything: passwords, updates, access controls, firewalls. It shows you exactly where the gaps are.

We found horrors. Software that hadn't been updated in years. A browser toolbar that was basically malware. Passwords that would make a security professional weep.

But we also found that fixing those things wasn't as hard as we'd feared. Most of it was free. All of it was achievable.

Get certified. Use the process to understand your own systems. It costs hundreds, not thousands, and it gives you a foundation to build on.

Stage Four: Build the Habits

Technology isn't the hard part. People are.

We implemented a rule: updates within one week, no exceptions. We started quarterly security refreshers, fifteen minutes, everyone in the room. We created a culture where asking "is this email dodgy?" was encouraged, not mocked.

Kev - our operations manager, sixty-one years old, handlebar moustache, thought cybersecurity was nonsense - is now the most paranoid person in the building. He questions everything. He's become our human firewall.

That didn't happen because we bought expensive software. It happened because we made security everyone's job.

Stage Five: Invest in Your People

Here's where the magic happens.

Danny started as informal help. We put him on the books part-time. Then full-time. Then we paid for his training. Then we watched him become something extraordinary.

He's our Head of Technical Sales now. He speaks at national seminars. Clients specifically ask to work with him. He's twenty-one years old and he's worth more than any enterprise security platform we could have bought.

When you find someone good, invest in them. Training. Certifications. Opportunities. The return is immeasurable.

We took on an intern six months ago. Priya. Computer science graduate who couldn't find work in her field. Danny trained her up. She runs our internal IT now.

That's how you build a department. One person at a time. Growing your own talent instead of trying to buy it fully formed.

Stage Six: Let Growth Fund Growth

We didn't have money for an IT department. Until we did.

Cyber Essentials certification let us bid for government contracts. Government contracts meant steady income. Steady income meant we could invest in people. Better people meant better service. Better service meant more clients.

Each step funded the next step. We didn't need a war chest to start. We needed to start, and let the results build on themselves.

The naval contract that changed everything? It paid for Danny's first certifications. Those certifications helped us win more work. That work paid for Priya. Priya freed up Danny to focus on sales. Danny's sales are funding our new technician.

It compounds. But only if you take the first step.

Stage Seven: Formalise What Works

At some point, you look around and realise you're not winging it anymore.

We have documented processes now. Onboarding checklists. Security policies that actually mean something. Regular reviews. Proper job descriptions.

None of that existed two years ago. It grew organically as we needed it. We didn't hire consultants to write policies before we knew what we needed. We figured out what worked, then wrote it down.

Don't over-engineer the early stages. Let your processes emerge from reality, not theory.

The Roadmap Summary

  1. Admit where you are. Honest assessment, no judgement.
  2. Find your Danny. Someone curious and capable, already in your orbit.
  3. Get your baseline. Cyber Essentials as diagnostic and foundation.
  4. Build the habits. Updates, training, culture. Make security everyone's job.
  5. Invest in your people. Training, growth, opportunities.
  6. Let growth fund growth. Each step enables the next.
  7. Formalise what works. Document processes as they emerge.

Where We Are Now

Two years in. Proper IT department. Government and private sector clients. Speaking engagements. Industry recognition.

And it started with three laptops, no budget, and a teenager who learned from YouTube.

You don't need money to start. You don't need expertise to start. You just need to start.

The roadmap is right here. We walked it. You can too.


Jim Simpson is an SME Cyber Resilience Consultant with TransCrypt. Danny asked to be referred to as "twenty-one and a half" in this article. Request denied.


About the Author

"We are building the operating system for compliance. Transcrypt removes the ambiguity from regulatory frameworks, turning them into deterministic, executable code."