What I learned in Year Three of MY "Security Journey"

Startups are challenging. They push you to the edge and back. I’m proud to say that Security Journey is continuing to grow as we complete our third year, and look into our fourth. We hired our first employee a few months back, to focus on sales. We are looking for a primary Senior Security Learning Consultant to help us deliver on our content roadmap for 2019.

Our customer reach continues to grow. With each new customer we engage with, we are finding that everyone has the problem that we solve. Everyone wants their developers to focus more on security. And we have their answer. We have done some custom security awareness content generation for a client, and are looking to grow that product line in year four.

Here is my list of year three lessons learned.

  1. A Salesperson does not equal offloading of all sales activities. When we hired Justin to lead sales for Security Journey, my thought was “Now we have someone in Sales; ahh, time for me to rest from Sales activities.” I was quite surprised to discover that having a dedicated salesperson has me more focused on Sales than ever before. Justin handles executing the Sales process, but as the startup CEO, I’m heavily involved in Sales, sharing my story and the product vision. I am the most qualified person to share my story.
  2. An Executive Coach is a worthwhile investment. My friend Andrew told me about his experiences working with an Executive Coach. As he was describing the process of working with a coach, I thought I would give it a try. My Exec Coach has been an excellent sounding board as I wrestle with various issues impacting Security Journey. A good Exec Coach is part therapist, part startup specialist, and part consigliere. I joke with him that 75% of the time the act of verbalizing what I’m dealing with causes me to figure out the answer on my own. All joking aside, my Coach has advised me well in year three. Thanks, Bob!
  3. Swimlane analysis is downright shocking. An advisor to Security Journey recommended that I go through a swim lane analysis. He challenged me to analyze all that I do, and separate each task into swim lanes or roles that I fulfill. This was downright shocking when I realized where my time was going and how little of my time was being dedicated to some things that I thought were very important. The swim lane analysis opened my eyes to the fact that we needed a salesperson, and it has also shown me the benefit we’ll receive from bringing on a Senior Security Learning Consultant and a full-time developer early in year four.
  4. Pitch decks are great even if you aren’t looking for money. We went through the exercise of creating a pitch deck, and the process was worth its weight in gold. We had to consider markets, pricing, staffing, competitors, and expense profiles. The method of building a pitch deck forced us to wrestle with some issues and ideas about our company. If we decide to fundraise, we are prepared with the right documentation, and if not, the work gained us a great appreciation for where we are and where we need to go strategically.
  5. Focus on what you can control. Help customers, chase opportunities, build an excellent product, and let the competitors do their thing. I’m a very competitive person. I don’t like to lose at anything. I learned this past year that there are things I can control and things I cannot. I need to focus on what I can control and let the rest take care of itself. Stressing over a new competitor does nothing to help Security Journey. We must focus on what we can control (building an excellent product that changes security culture) and let everyone else worry about them.
  6. Public speaking takes up a disproportionate amount of time. I love public speaking and sharing my security knowledge with the world, so this one hurts a bit. In years one through three I traveled the globe, speaking in Norway, England, and across the United States (RSA, ISC2 Security Congress, OWASP AppSec USA), just to name a few. I’m going to pull back on my public speaking in year four and focus on product development. I love to attend conferences to connect with friends and fans but need to limit this time investment in year four.
  7. Where company time is invested, the company must benefit. I created the Application Security Podcast with Robert Hurlbut a few years ago, and from the time we started, we focused on having it non-commercial. This past year I realized that Security Journey was sponsoring the podcast by paying for hosting, production, and some travel that benefited the podcast. I made the decision (after consulting Robert and a cross-section of our audience) to add an advertisement for Security Journey into the podcast and use it as a way to promote what Security Journey does.

This is what I learned last year. Please share this far and wide, and reach out if you think Security Journey could help your organization, or just to catch up. Here’s to a full and rewarding year four!

If you want a bit of history you can read where this story began with The Day I met John Chambers...and Quit, What I Learned in Year One of MY "Security Journey", and What I Learned in Year Two of MY "Security Journey".
