What I Learned in Year Two of MY "Security Journey"


I’m two years into Security Journey as Co-Founder and CEO. We’ve already beaten the odds by surviving our first and second birthdays, for which I am very thankful. This has been a year of new product releases, customers, connections, and lessons learned. We are still bootstrapping our product development efforts and learning on the fly. As with my first-year summary, this is a raw and wide-open view into Security Journey’s second year of existence.

If you want a bit of history, you can read where this story began with “The Day I met John Chambers… and Quit” and “What I Learned in Year One of MY ‘Security Journey’.”

Here is my list of lessons learned in Year 2 as CEO of Security Journey:

  1. 112 hours of work per week is not required for success. Don’t get me wrong, I spend a lot of time focused on my startup. BUT, I also run a martial arts school (that I do for fun) and coach my daughter’s high school basketball team. My work-life balance is about flexibility. This does sometimes translate into working strange hours and getting things done at 10 PM, but I’m okay with that.
  2. Bad health habits are easy to develop and blame on the startup. Yes, there is more stress than a normal job. This is not a valid excuse for skipping exercise and making poor food choices. I’ve put away my habits of healthy eating and exercise, and I realize that I must change in year 3 to truly be successful.
  3. Serving both the individual and Enterprise markets is difficult. When we started, our vision was to provide both an individual application security training option as well as a solution for Enterprise. I’ve learned (through mentors and self-examination) that it is difficult to serve both markets well, and that our sweet spot is in the small, medium, and large Enterprise space.
  4. Product development and consulting are different hats and must be prioritized separately. In past years I’ve blended these two activities together and focused more on consulting. For year 3, I’ll dedicate more time to product development while still working with the consulting customers that have contributed to our success.
  5. Partnerships with other startups provide limited returns. In our first two years, we’ve had different partnership opportunities arise with other startups, and none of these have come to any form of fruition. I’m learning that at this stage, it’s better to focus on the things we can control, versus spending time developing a company-to-company partnership. For year 3, if there is money lying on the table, then we can talk.
  6. Sales require dedicated blocks of time. I’m still not as hyper-focused on the sales process as I must be. I’ll continue to develop this and focus specific amounts of time each week on sharing our solution with new potential customers. I’m good at speaking at conferences and meeting potential customers through that avenue. I struggle to develop leads outside of that channel.
  7. Finding the right freelancers is crucial. We are a small startup (2 people) and do not have a dedicated development team. For us, freelancers are how we get new features developed and test automation built. We’ve worked with some freelancers that did not make the cut and others that are awesome. (Our current group is awesome!) The right freelancers allow us to move our product forward while still managing the bottom line.
  8. Marketing does not require a huge budget. While still at Cisco and traveling the globe to promote product security, my friend Tony Vargas jokingly pointed out that he and I were marketing people. This was so true then, and even more true now. Marketing for us does not mean spending tens of thousands of dollars per month. We approach marketing by hosting the Application Security PodCast and speaking at various security conferences around the world. We use a tool called MeetEdgar to manage our social media accounts and re-post evergreen content, all automatically.

