Sunday, November 29, 2015

That One Meeting Every Founder Has

Every founder I’ve spoken to has had that one meeting; the one that shakes the foundation of what you’re doing and makes you take a few steps back to re-check the ground you’re standing on.

I’ve had several such meetings, each one at a different phase of growth and each one opening up a new direction of thought and improvement.

Having started Security Brigade way back in the day before “start-ups” were the fad, we were very fortunate and got to meet a lot of very interesting and knowledgeable people with great amounts of industry experience.

The earliest such meeting I can recall was on 21st June 2008. It had been a little over a year since we started the company and I had the opportunity to meet with Sumit Chowdhury, who was at that time the CIO at Reliance Communications.

I walked into that meeting an over-confident hacker who thought he understood security, business and everything in the middle. I walked out of that meeting a broken founder who realized he had a lot to learn and a lot to do.

At this point in the business – I was 20 and we really hadn’t given much thought to the business plan. It was all about vulnerabilities, audits and hacking.

Getting back to the meeting – we walked into the room and did our basic pitch. The pitch was followed by a whole series of questions from Sumit.

What’s your USP? Why should we go with Security Brigade as opposed to the range of other vendors out there?

You’re a small company today and you’ll be personally involved in each audit. What happens when you grow? How will you continue to deliver great audits when you have 20-30 auditors working for you?

It was naïve, but honestly we had never thought of these things at that stage.

I walked out of that meeting promising to come back better prepared with these details. I walked out of the office complex, hopped into a black-and-yellow and found my way straight into the business section at Crossword (Yes, we bought books in physical stores back then :P).

I picked up a copy of Differentiate or Die by Jack Trout and read it cover-to-cover several times in the next week. Over the next several weeks we began to reevaluate our business, understand our competition, understand our customers and started formulating the direction we should go in as a company.

We came up with a USP – In a market filled with automated scan vendors, let’s be a vendor that focuses on business logic and manual testing. We elaborated on this with specific features –

  • Beautiful in-depth reports with descriptions that actually mean something
  • Step-by-step POCs so developers learn as they fix
  • Recommendations that are specific to a customer’s development language and platform as opposed to a generic “apply patch and do input validation”.
  • And most importantly, we formalized our audit process to focus on business logic flaws. These are flaws that are impossible to detect with a scanner and can have the most incredible and high-value business impact when exploited.

We revamped all our documentation; we changed our audit processes and really ingrained these points into the DNA of the company.

The second point Sumit raised was a more challenging question and definitely more difficult to address:

How do you build a quality focused, expert driven, service oriented company that can scale?

Strong business processes, enforced workflows, accountability and metrics. That was our answer and that’s how we started building Lemon – our in-house audit workflow management system. Today, 7 years later, Lemon is an “Everything management integrated system” for us.

Slowly, over the years, we dedicated more and more resources to Lemon, adding more and more capabilities. It started with Project Management, Task Management, Reporting and grew into Vulnerability Management, Test Case Management, Workflow Enforcement, Approval Tracking, Quality Checks, Automation Management, Intelligence and Business Reporting, Sales, Marketing, Billing, Accounts, and so much more.

The idea was – literally – for Lemon to be an ‘exoskeleton’ that would allow our auditors to focus on the real intelligent portion of audits, while everything else would be automated. By building a lot of checks-and-balances, metrics and a lot of self-learning into Lemon, we were able to ensure that with each audit, we improved as a company. Every mistake or missed vulnerability was addressed with a code-push as opposed to a discussion. All in all, Lemon has successfully allowed us to grow over the last 7 years without impacting our quality in any way.

I’ve said this time and again: As a company, we would have died if we hadn’t built Lemon. There is no way an audit company with more than 5-10 consultants can sustain quality or deliver consistent audits without such a platform in place.

I’ve always found it interesting how such seemingly random meetings have had such a huge impact on the direction and success of this company. I’ve never had a chance to speak to Sumit about this, and it’s strange that after all this, he probably has no idea how much his questions influenced the direction of this company.

I’ve had a few other such meetings since – the most recent one focusing on business growth metrics, company health tracking and 5 year planning. But that’s a post for another day.

Cheers - Yash