What I Learned in Year 5 of MY Security Journey – It's now OUR Journey!

Chris Romeo
CEO & Co-Founder

While the year 2020 is not one we'll soon forget, this was a year of extreme growth for Security Journey.

We doubled in size, from four people to nine. (And yes, we did this without venture capital.) We moved into our first office and built our production studio. It's incredible what a team can achieve with passion and an innovative, security culture-changing product.

Here are a few key growth lessons I've learned over the past year.

1.  A strong team creates more than its individuals.

As we've grown from four people to nine, we've seen the value in a strong team and the magnification of output. A strong squad creates so much more than a collection of individuals.

I've watched our application security engineers work together to deliver JavaScript / Node.js content and a brand-new course on R Security for Data Scientists, all in a short amount of time. Because of this, we will dramatically ramp up our content release schedule in 2021.

As we welcomed a new marketing lead, sales and marketing have connected and strategized about how we're going to rock 2021.

A strong team works well together and looks for opportunities to serve each other. We're building this culture.

2.  Choosing new team members is everyone's responsibility.

On the heels of my item about a strong team is the process of choosing new team members. I've seen firsthand the power of including the existing team when selecting new team members.

At my first professional security job at Arca Systems, we had an interviewing process unlike any I had seen before. When I interviewed for my role, I visited the offices and spent the day speaking with seven different people from various functions. Arca's idea was to have a candidate talk to enough people that, if they were not the right fit, they would let it slip at least once. I joked with the HR manager about whether my final interview would be with the custodian to discuss my cleanliness habits.

What I learned and have now applied at Security Journey is that we have a cross-sectional group of people interview a candidate (at this stage, that means everyone). During the wrap-up call, everyone can say thumbs up or thumbs down. If anyone says thumbs-down and has a valid reason, that candidate is off the table, no matter how much I as CEO think they are the best option.

Strong team members build strong teams that fit the culture.

3.  Growth requires spending money.

You might read this and think it's common sense. As a bootstrapped company, growth in headcount must track growth in revenue. Over the past year, I've realized that there are times in a bootstrapped company's life when we must step out and go for it. We cannot follow a fixed formula for growing the team based on a set amount of money. Sometimes we must take chances and project what the future will hold. Then, as a team, we go after it and hit our target.

4.  There is a time for new features and a time to focus on stability.

As our platform has grown, our need to focus on performance and user experience has increased. When your daily user count grows exponentially, you must evolve the platform to keep up.

This year, I've learned that sometimes, as an engineering team, we must put the new features off to the side and focus on platform stability. Platform stability is not always the most exciting part of what we do, but it's paramount to ensure that our platform is performant in all situations.

5.  It is easy to do marketing haphazardly, but a structured approach and investment drive lead generation.

As a startup, you can't have everything together from the very beginning. For us, marketing was something that we always did, but haphazardly. I spend time speaking at various industry events, we do the Application Security Podcast, and we have a website and webinars, etc.

Bringing in a marketing lead that is now bridging all these things together is almost priceless. I'm excited about what our marketing lead can do by taking all the content and projects we've done in the past and turning them into a coordinated marketing approach.

6.  Being an AppSec Practitioner is our superpower.

When I look across the security education industry, I see companies that exist because venture capital exists. Someone had an idea, pitched it, got an investment, and is now building a product or solution. The only thing they're missing is the experience of delivering the end result they're selling.

At Security Journey, we're a practitioner-led company of people that have been there/done that. We live and breathe Application Security and how to teach it better. We've built security culture-changing programs at scale for the largest companies on earth.

As we solve more and more complex security culture/education challenges for our customers, one of our superpowers is that we've done this before, at scale, and that experience is a powerful advantage.

7.  Add value to your customers by bringing them together.

We began a group this past year called the Security Culture Collective. This group represents the program leadership of all of our customers. We gather once a month to discuss a specific topic related to security culture. We've talked about security rewards and recognition, had various members present their programs, and even discussed running successful virtual events.

We're building community and value for our existing customers by bringing them together in a trustworthy environment focused on collaboration between professionals who share the same need for security culture. We're genuinely bringing this group together for their benefit. Changing security culture can be a monumental task – and assisting our customers to achieve their goals goes way beyond our training platform.

(Yes, only existing Security Journey customers are allowed to participate.)

8.  It's better to lead than follow, and people love something natural and not contrived.

When I think about marketing efforts, I chuckle as I see every Application Security company getting into the podcast game. We've been running the Application Security Podcast for 5+ years now. As the rest of the industry focuses on "catching up," they build podcasts concentrating on themselves and their agenda.

Our podcast focuses on interviewing exciting people doing exciting things in AppSec. We've never made it about us, always about the learning and sharing of knowledge. I started the podcast because I wanted to meet more people in AppSec and learn from them.

I'm thankful for our loyal base of fans who listen to the podcast to learn from us. Because of this, my goal for Security Journey has always been to create content designed to share knowledge and give back to our community. We do this in our platform, but also through the podcast, blogs, and speaking events. Our growing content team and I will continue this in 2021 and beyond.

These are my learnings from last year. Please share this far and wide and reach out if you think Security Journey could help your organization. Here's to a fun and rewarding year six!

If you want a bit of history, you can read where this story began with The Day I met John Chambers… and Quit, then What I Learned in Year One of MY "Security Journey", What I Learned in Year Two of MY "Security Journey", What I Learned in Year Three of MY "Security Journey", and What I Learned in Year Four of MY "Security Journey".
