Startups are challenging. They push you to the edge and back. I’m proud to say that Security Journey is continuing to grow as we complete our third year, and look into our fourth. We hired our first employee a few months back, to focus on sales. We are looking for a primary Senior Security Learning Consultant to help us deliver on our content roadmap for 2019.

Our customer reach continues to grow. With each new customer we engage with, we are finding that everyone has the problem that we solve. Everyone wants their developers to focus more on security. And we have their answer. We have done some custom security awareness content generation for a client, and are looking to grow that product line in year four.

Here is my list of year three lessons learned.

  1. A Salesperson does not equal offloading of all sales activities. When we hired Justin to lead sales for Security Journey, my thought was “Now we have someone in Sales; ahh, time for me to rest from Sales activities.” I was quite surprised to discover that having a dedicated salesperson has me more focused on Sales than ever before. Justin handles executing the Sales process, but as the startup CEO, I’m heavily involved in Sales, sharing my story and the product vision. I am the most qualified person to share my story.
  2. An Executive Coach is a worthwhile investment. My friend Andrew told me about his experiences working with an Executive Coach. As he was describing the process of working with a coach, I thought I would give it a try. My Exec Coach has been an excellent sounding board as I wrestle with various issues impacting Security Journey. A good Exec Coach is part therapist, part startup specialist, and part consigliere. I joke with him that 75% of the time the act of verbalizing what I’m dealing with causes me to figure out the answer on my own. All joking aside, my Coach has advised me well in year three. Thanks, Bob!
  3. Swimlane analysis is downright shocking. An advisor to Security Journey recommended that I go through a swim lane analysis. He challenged me to analyze all that I do, and separate each task into swim lanes or roles that I fulfill. This was downright shocking when I realized where my time was going and how little of my time was being dedicated to some things that I thought were very important. The swim lane analysis opened my eyes to the fact that we needed a salesperson, and it has also shown me the benefit we’ll receive from bringing on a Senior Security Learning Consultant and a full-time developer early in year four.
  4. Pitch decks are great even if you aren’t looking for money. We went through the exercise of creating a pitch deck, and the process was worth its weight in gold. We had to consider markets, pricing, staffing, competitors, and expense profiles. The method of building a pitch deck forced us to wrestle with some issues and ideas about our company. If we decide to fundraise, we are prepared with the right documentation, and if not, the work gained us a great appreciation for where we are and where we need to go strategically.
  5. Focus on what you can control. Help customers, chase opportunities, build an excellent product, and let the competitors do their thing. I’m a very competitive person. I don’t like to lose at anything. I learned this past year that there are things I can control and things I cannot. I need to focus on what I can control and let the rest take care of itself. Stressing over a new competitor does nothing to help Security Journey. We must focus on what we can control (building an excellent product that changes security culture) and let everyone else worry about them.
  6. Public speaking takes up a disproportionate amount of time. I love public speaking and sharing my security knowledge with the world, so this one hurts a bit. In years one – three I traveled the globe, speaking in Norway, England, and across the United States (RSA, ISC2 Security Congress, OWASP AppSec USA), just to name a few. I’m going to pull back on my public speaking in year four and focus on product development. I love to attend conferences to connect with friends and fans but need to limit this time investment in year four.
  7. Where company time is invested, the company must benefit. I created the Application Security Podcast with Robert Hurlbut a few years ago, and from the time we started, we focused on having it non-commercial. This past year I realized that Security Journey was sponsoring the podcast by paying for hosting, production, and some travel that benefited the podcast. I made the decision (after consulting Robert and a cross-section of our audience) to add an advertisement for Security Journey into the podcast and use it as a way to promote what Security Journey does.

This is what I learned last year. Please share this far and wide, and reach out if you think Security Journey could help your organization, or just to catch up. Here’s to a full and rewarding year four!

If you want a bit of history you can read where this story began with The Day I met John Chambers… and QuitWhat I Learned in Year One of MY “Security Journey”, and What I Learned in Year Two of MY “Security Journey”.