When your startup needs to scale – the execs

It’s been over a decade since I joined my first startup. During that decade I’ve certainly learnt a lot, and one of the biggest takeaways is that at different stages of startup life you need to bring different people on board.

In my experience the biggest blocker for a startup’s growth is a stagnant mindset of its founders, who resist making changes in their leadership team. Often, it’s exactly an ability to make tough calls of this nature that differentiates startups that thrive from the struggling ones.

It is super tough to part ways with the people who helped you get to the place you’re at now. Even working with them on transition to different roles and responsibilities is tough. After many wins and losses, after years of grind people get accustomed to their position and you get accustomed to working arm in arm with them.

Yet as a startup founder, an executive or a board member, you need to do the necessary and make peace with the truth being that what brought you here won’t take you to the next level. And it’s always about the right people in the right roles.

I myself stay away from early stage startups for exactly this reason. I’ve realized that having spent most of my career working on startups that had already found their market fit and needed people to coordinate their accelerated growth, I should stick to my guns and work with startups which are already there.

It’s easy to fall for an idea that if you grew organizations to hundreds of employees, then managing the early-stage startup from the ground up is going to be nothing but a peanut. I’ve met many wildly successful executives who made this exact mistake. They overestimated their ability to adapt and underestimated the nature of challenges bothering early-stage startups.
You could say that if I’ve seen other people fail I’d grow wiser, right? Yet there you go, I’ve made this very mistake myself.

See, it’s hard to operate on a very tight budget, even more so if you’re used to being more relaxed with money. Just because you grew one organization from 14 to 70+ employees, another from 80 to 120+ employees doesn’t mean you’ll be as capable when you join a startup having 6 employees and able to hire maybe one or two employees per quarter.

While the middle-management can adjust quite easily, the people in senior leadership positions often have built a certain mindset and skillset which allows them to repetitively achieve success while joining organizations of the same level; at the same time being the reason for their crash and burn situation at startups on a different level of maturity.

Your first software architect could’ve been the greatest technology leader even when you were starting out, but it doesn’t mean she/he will be able to manage the technology organization which grows fivefold – which is when you need to bring in a seasoned CTO.
Your CMO who helped you find your market fit, may not be a leader you need if your ambition is to expand globally and build a product for tens of thousands of users vs current hundreds.

Next time you find your organization stuck with seemingly no ways to grow, look at your leadership team, including yourself. It’s easy to miss the right moment in which you should re-evaluate your team, because you may trick yourself into thinking that any growth is good and, even though slow, you’re moving forward so you’ll somehow make it all work out in the end. You may or may not, and hope has never been a good strategy.

That’s why I recommend that startup operators evaluate the leadership team on at least a quarterly basis. It’s unusual that your needs in terms of staff would change drastically over 3 months, and that’s why it’s valuable to have this process in place, because it allows you to take action and react to a situation which could become a problem a few more quarters down the road. When you know that your startup will be in need of leaders capable of exploiting new market opportunities, you can start coaching them or have them work with someone who’s been there and learn how to prepare for what’s coming. Being prepared has never been a bad strategy.

Still, it’s easier said than done. It’s hard to change people’s habits. It’s even harder to change people’s mindset. And nine out of ten times it’s completely unnecessary, because people who’ll be struggling in a forced transition could be working on a success of a different early-stage startup. Letting people go sometimes is just the only right thing to do, for the benefit of all of you.

So, bring in the experts. Bring in the seasoned professionals who’ve been there and done that.
It’s never too early to start thinking about challenges of this nature, because changes in the top leadership team will affect the culture, the stability of your company and the overall atmosphere.
You need or will need to make the necessary changes, so don’t leave it to chance. Embrace the startup nature and know the necessary.

Social Skills For Information Security Professionals: The Preface To My Book

On my motives for this book

How and why – I believe – can my story make your life easier

It’s been roughly 11 years since I started working commercially in IT, out of which 7 were profoundly dedicated to InfoSec, a field in which I truly believe there is a lot yet to be done and that each individual can make a difference by their contributions. Similarly to the careers of so many of us, I’ve made plenty of mistakes that put my career at risk, significantly slowed down my growth, significantly lowered my income, and negatively impacted my health and personal life. Although making mistakes should be an expected part of any worthwhile career, I had certainly not expected that along the way I’d taste so many different flavors of life.
I’ve had my ups and downs, but I always tried to ensure that whoever was involved came out with something beneficial to them. Despite having good intentions in my heart, I was not always successful in demonstrating that well. To me, everything I’ve been doing was always about bringing value to others and being the most productive person in the room, long before I realized that I had been doing it all wrong and my hunger for success was my biggest obstacle. But as the saying goes, “obstacle is the way”, which is why I’m grateful for all of it, and I really want to share my experiences with others, so they can save themselves some trouble and get smarter faster than I did. I wish I’d had a resource that would guide me through at least the basics of human interactions and effectiveness in the business world. So here it comes. A book that I wish someone else had given me 11 years ago.

I want to be really upfront and transparent with you. Although the companies I’ve worked for were very satisfied with the outcome of my work, to me it came at the cost of my professional and personal relationships. Without any doubt, I can say that because of my stubbornness and improperly directed hunger, I’ve wasted a ton of my potential as well as burnt some potential in others. And that feeling sucks. Realizing that while chasing greatness I’ve had a negative impact on the quality of life of a few people around me, as well as looking at my own life and noticing how much health and energy I wasted – it just sucks. But it sucks in a different way than most things in life suck. It’s not about discomfort this time, but about actual pain, because while I got compensated quite fine for my around-the-clock grind, I forgot about the most important currency we have access to in our lives – time and health. If you’ve got good health and you’ve got time, you have all the resources necessary to make something great happen. Assuming, obviously, that you’re resourceful and can actually understand the value of these powerful two. That’s what I want to be the leading point of this book, i.e. how to achieve your goals quickly, yet without compromising the quality of your life and others’. I respect your time, which is why I wanted to keep this book as concise as possible, cutting out the fluff each time I noticed any. If this book takes you 2 hours to read, and it saves you as little as 1 day of your life – I’m all set. My mission is accomplished and I’ll feel good about it, because there is no bigger mission than saving lives. This is one of the reasons I’m publishing this book for free. I’m making a fair amount of money selling my time to corporations, and I want these lessons to reach as many people as possible and help them preserve their time and health.
I can make money by other means, but the opportunity to help people improve their health and relationships is so rare, and so huge, that I couldn’t let myself agree to commercial publishing. I’ve been sharing my knowledge for the past 5 years all over the Internet, at conferences and meetups; and those few voices generous enough to share with me that I’ve helped them improve their lives are the biggest reward one can get for their work. That’s what I hope this book will do for you – help you achieve your goals at a lower cost to all involved stakeholders in all facets of life. I don’t want to monetize this book. I want you to learn from it, and then for you to monetize the newly acquired knowledge by improving as a professional and getting compensated well for your effort.
You don’t owe me anything and I don’t expect anything from you. You’ve already given me more than I’m audacious enough to ask for – your time and attention. Thank you for that, and if you still want to do something for me, then please share your experience and knowledge with others. Help your peers, show them your perspective and help them grow by exposing them to various points of view. Pass your knowledge to others, so they have it easier than you had. To help them avoid the mistakes you’ve made and so that they can save their time and use it to build something bigger or experience the other things life has to offer. Standing on the shoulders of giants. That’s what it all is.
I guess at this point you can already smell how much I dislike wasting time and reinventing the wheel 🙂

How and why – I believe – my story can make you avoid personal and professional suffering

Infosec is a stressful job and if not managed properly leads to unhealthy situations which surely can end up with a long-lasting burnout. Burnout is one of the most painful experiences in the life of a professional, especially a good one who is self-aware enough to realize how much potential they had and how it just got destroyed. There are many critics saying that the job-related stress in industries such as IT isn’t worth discussing, but I call that a dangerous misconception. You couldn’t get more wrong in thinking that we’re not under high pressure. InfoSec is one of those industries where many things are totally out of our control, and you can’t really sleep well – ever. Many of us got so engaged in the work we do that we started compromising other parts of our lives, introducing unhealthy imbalance. Precisely such imbalance led . So I can relate to all of us who have experienced tough times. That’s one of the reasons I believe in this book so much. It’s not that it contains any secret knowledge, or that I’m such an egocentric writer. Heck, I’m not even a native English speaker, so I realize my shortcomings, yet I am still ready to take the heat, because I believe in its value. I believe that this book can help – at least to some extent – my InfoSec friends who have struggled, struggle or will struggle with the challenges I’ve been struggling with for many years. I hope this book answers some of the questions we ask ourselves and will turn out helpful especially to those of us who have nobody to turn to for practical and non-judgmental advice. Writing the book has certainly helped me in understanding some concepts better and instilling them deeper into my mind, so I have the answers handy whenever I need them. And I need them pretty much on a daily basis, so having this handbook on my computer allows me to stay in sync with reality and remain calm and humble.

The tough experiences have made me who I am today, and with many bad outcomes, I’m getting more and more comfortable with helping others avoid my mistakes. Losing relationships and not taking care of my health, which resulted in life-long illnesses and daily pain which decreases the quality of my life, have all contributed to the process of reinventing myself. Moments of the truest joyfulness were those where I learnt that something can be done better. That I can do better and I can be better to other people. It’s thanks to those moments, which I’ve used to reinvent myself, that I’ve been able to achieve long-lasting fulfillment.

I know I’m starting to sound meta and all that corny stuff, but I decided to still leave it here as I’ve met people who will get to feel the hope again while relating to my story. I’ve got good news for you though. Only the foreword contains so little substance.
Please feel free to use this book whatever way you like. You can read it as a regular book in its entirety or use it as a reference handbook, with an easy-to-navigate index which allows you to jump into specific questions and answers.

Almost nothing worthwhile comes without pain or some sort of suffering, so I’ve come to the point where I accept my mistakes and allow myself to live without blaming myself too much for making them. I advise you to look at things in a similar way, because holding on to the past in which we weren’t as smart and wise brings nothing good. Looking at the future as a blank page allows you to approach things differently and avoid repeating the old mistakes.
In the book, I’ll be guiding you through subjects that are very subjective and focus mostly on emotional intelligence and social skills, which can’t be as accurately measured. So you might feel like I’m yet another bozo, but you need to open your mind to fully benefit from it. I promise you that nothing in this book hasn’t been thoroughly tested, and each and every single chapter you find in this book describes lessons learnt from mistakes I’ve made personally in my career. I’m never talking about others, about things I’ve only read or heard about. Everything has been battle tested by yours truly and I believe most of it can be easily replicated in most working environments. It worked for me with minor contextual adjustments while working for companies from various countries on two continents, with organisations ranging from small services startups from Silicon Valley, through public institutions in Poland, to hundreds million dollars big corporations.

You need to sacrifice the present for the better future, but it doesn’t mean you need to sacrifice as much as I’ve had to. I’ve learnt a ton and I want to use that knowledge to help you make your professional life easier. I want you to be more effective and productive than I used to be all those years before I started taking the human aspect more seriously.

Understanding these concepts can potentially enable you to see a bigger picture and gain a richer point of view. Please bear in mind that nothing is set in stone and that my experiences may be different from the things you’ve had a chance to experience in your career. So to limit the amount of anxiety and misunderstanding, let’s create a healthy narrative for this journey of ours. I want this book to be an inspiration for you, showing you yet another perspective of someone who has gotten his hands dirty, not a predefined set of rules one must follow. Use it as food for thought, content for consumption and a spark to initiate something bigger and adjusted to the culture of your organization and your personality. Your personality matters. Just because something has worked for me and is indeed a sane way to do things doesn’t mean you’ll want to follow the same path. Things that come to me easily now may come hard to you, and that’s all fine. We are different, so embrace what’s best in you and use that to achieve what you want to.

How to squeeze maximum value out of invested time in reading this book

This book isn’t an ideal picture of the world. It was never intended to be. It was meant to show us ways in which we can be more practical and effective. To show you how we can abandon the fears, imposter syndromes, anxiety and stress – or at least reduce them significantly, by small tweaks in the way we operate on a daily basis. I want this book to be practical, so I recommend that you read this book slowly and don’t rush into the next chapters. Please read a chapter and give yourself some space to reflect on it. Try to recall a situation to which a chapter would apply and outline counterarguments to what I’ve written. Then find the right balance for you and find the best way for you to navigate through life. I’m not right, and you’re not wrong. We’re both doing our best, and sometimes the best solution is in the middle of two perspectives, of two totally different individuals. You do you.
After all, we’re expected to bring value to the business and help it make more money, so if you’re still employed, then apparently you must be doing something right! However, regardless of how much we like or dislike our job currently, we can make ourselves like it more. We can make others like us more and we can reduce the anxiety of a whole system.
But for that to happen, we must improve our social skills, especially communication skills at scale.

I believe that security professionals can’t achieve their greatness at the workplace if they’re not being actively supported by all stakeholders across the entire organization and if other employees don’t feel ownership for the organization’s safety. Security just must be one of the core values of corporate culture. Each time I have joined an organization where security professionals wanted to do everything themselves, they miserably and painfully failed shortly after. Fighting a broken security culture without any support from the top leads to burnouts for InfoSec folks and creates general anxiety, irritation and a toxic atmosphere within an organization. No one wants that to happen, yet so often we end up in exactly such a situation.

Right, but what about Secure SDLC, you may ask? To me Secure SDLC is more technology centric, while DevSecOps is more human and culture centric. I may even write a book on secure SDLC one day, but we have a lot of great content on that matter already, so it’s not a priority by any means. To me, helping people understand the DevSecOps culture is a much more important task, although they are a very powerful couple, and I believe in the long run, one cannot exist without the other. I would even say that many companies have magnificent SSDLC, but it could be so much better if the operators understood that each business is a human business first and you can boost whatever you’re doing by involving more people and making them care about it.
I’ve met many people who understand how to implement SSDLC principles in their organisations, however not many know how to build the DevSecOps culture which can bring their SSDLC or whatever they’re doing to a totally new level.
I’ve spent over 5 years working on implementing DevSecOps culture at the organisations I’ve worked at, because I believed that with such limited resources doing things together is the only way to go. We all hit a point at which we can’t scale anymore, which is why we must seek the help of others. And to get such help, it’s good to provide it first. Be the leader people will happily look up to and many doors will open. And by working all together we can do much more and do it much better.
SSDLC is a fabulous piece of art, and I wish more companies had adopted it since 2002 when Microsoft officially announced it. I really wish, because we’d be in a completely different shape as a whole industry. But we haven’t, so we must add something to it that will fill the gaps with work that doesn’t cost every single one of us much. Collaboration and empathy are not that complicated or expensive if we only decide to take one step forward each and every single day.
With the right attitude the culture is something that can be created in the background, while we can use our technical competence to enhance our SSDLC workflows and incrementally improve the resilience of the organisations we work for.

I hope the lessons shared in this book will save you – and everyone around you – a lot of anxiety and trouble. I wish I had had access to such a resource when I was starting out, which I believe could’ve helped me prevent the damage that has happened otherwise. It’s never too late to learn and improve, so I’m still extremely grateful for the opportunity to have experienced so many things and that now I can share it for the benefit of others. I hope this book helps you navigate through social interactions with lower stress and more fruitful results, and although this book summarizes the most important lessons learnt over the past decade, I’ll still be happy if it saves you a single day of your life.

Let’s get started already! 🙂

Working in the office 8h per day should be dead by now

Most companies who claim they’re hiring the TOP TALENT yet don’t offer remote work are truly delusional.

What’s the meaning of the term TOP TALENT precisely? People in a radius of 5 miles from your office?

Office work is a relic of the past where most duties required people to be present on-site and do the physical work for 8 hours.

Nowadays, especially with tech companies, there are close to 0 reasons to demand that employees show up in the office 8×5.
Those who have put any effort into learning what the cognitive capabilities of a human being are would clearly know that an employee tasked with creative work such as software engineering is not capable of doing it 8 hours straight and their productivity drops significantly after about two thirds of that.
So what’s the sense of demanding that people commute 2 hours to the office and then spend 8 hours there even though they’re empty after 5-6?
There is none, but most companies and managers don’t give a shit about that. You’re a worker, they own you and they’ll squeeze everything you’ve got out of you, so that when you leave the office you have no energy to live and make a ruckus in the world or even seek another place to work because you’re too drained. You must take what they give you, appreciate it beyond its value and comply with all the norms.
Is there a downside to this for those companies? Absolutely yes. Their behavior limits their growth potential and they’re making less money than they could. They end up with class C employees to soon enough replace them to class employees, because all of their best people used the rest of their sanity to escape the toxic environment. Companies that act this way are already on a downhill path and competition in the tech world is so huge that they’ll be quickly kicked out of business.

Bad corporate culture => Only C-Z employees are left => Weak product and services => No way to fight with a huge competition who actually figured out the employment game => Corporation is gone from the business, and for a good reason

Remote working is clearly the future, because it is not only cheaper for a company but also more humanitarian for employees when they dedicate their time to the company by working, without the hidden costs of commute and whatnot.

Surely plenty of people won’t qualify for remote positions. It requires a set of abilities such as self-discipline and isolating from the home environment, so the transition would take a long time not only for employers but also for some employees. However, not offering it or being so strict in terms of employment is taking away an opportunity for you to attract a great employee and for them to join a great organisation and fulfill their dreams.

And it’s all in the name of what? Rigid corporate policies created by reckless and incompetent HRs and managers led by outdated rules and those who have never put their nose into a book on humans to learn how they can adapt to an ever-changing world and societies? You really believe it’s worth losing a 1000Xer employee who’ll feel fulfilled and hence motivated to deliver work in amounts no one else would?

It’s not for uneducated executives to decide whether a given employee can work remotely or not. It should be a decision coming from the team and signed by the direct manager, because those are the only people who really know if the physical contact is needed on a daily basis and if that person delivers the work. If they ship the work, if they’re in good relations with the team, why would anyone care if an employee is working from Thailand or a crowded and ugly office space?

I know that most people have no realistic empathy or haven’t studied sociology, psychology or human capital management – which is pathetic, because there is no bigger gift & responsibility than leading people – so they can’t realize that a happier and more relaxed employee leads to better results for the company and even to their willingness to work overtime if needed.

Life is simple: the more you give, the more you get. If people feel happy about the workplace and feel that the company respects them and wants good for them, they’ll be happy to give more of it back.

Summarizing, unless you’re a Facebook, Google, Microsoft where people are eager to relocate just to work for you, you’re being delusional with claims that your company is hiring TOP TALENT.

Not even close, not even local talent, because even local talent will choose more modern and flexible companies – even if they don’t plan to take advantage of it. Look at your competition: if someone is dedicated to working in your city, aren’t there any other great businesses to work for?

Trust is what makes the Team out of a group of co-workers

Everyone talks about it, but I haven’t really met many managers that would actually be committed to doing the work and building trust within an organisation.
Trust isn’t something that magically pops up when you talk about it. Trust is predicated on actions, interactions and leadership activities.
That’s one of the reasons why leaders are in such high demand – because they are capable of doing emotional work and building teams by creating honest relationships.
Based on my experience there are very few leaders capable of creating healthy corporate culture and trust, which is a pity because it has a huge ROI. Let me tell you why.

Care – the most powerful quality in a workplace

Care drives everything

I don’t know a single person who would put 100% of his abilities into work if he’s there only for a paycheck.
But I do know plenty of people who really care about the job they do, and whenever needed they’ll make themselves better educated, learn new skills, adjust their personality, and all this in their private time just to be a better performer in the workplace.

In general people don’t care about work if they don’t have to and most of us prefer to do the bare minimum which will just keep us from getting fired. This attitude changes drastically when one starts to care and sees the bigger goal in his actions.
It’s not that we human beings don’t care by default (although it’s true for some). I worked with many young people who immensely cared at the beginning of their career, but, being exposed to constant ignorance and abuse, just stopped.
To me lack of care comes from burnout and is a defense mechanism created to avoid emotional pain. If you care a lot and you’re abused, ignored and not appreciated, it hurts a lot. It’s easier to not care in the first place and avoid any emotional relation with the work we do.

The thing is that you can’t max out an employee’s performance if he doesn’t care and if he doesn’t bring feelings to the workplace. More than this – most great people can’t live in a state of careless work, so they’re leaving broken inhuman organisations.

Employment expectations’ mismatch and recruitment pitfalls in InfoSec

This article is considered to be a follow-up to “Hiring your first security professional”, so if you haven’t yet, I recommend that you read it before you continue with this one.

For the last few years there hasn’t been a month when I haven’t read about the InfoSec professionals shortage, the security skills gap and whatnot. To give you a proper context I’ll rant a bit about why I don’t believe in those dramatic claims and then we’ll jump into action items for organisations that want to improve their recruitment processes.

If you already have a great security team, and you don’t have any problems with hiring, then awesome and I’m happy for you. However, if you’re somewhat struggling with building an InfoSec Team, then it’s likely that you’re making some of the mistakes I describe below.

Hiring your first security professional

I really enjoy attending security/business conferences. But it’s not that I’m going there to learn how to do security, because if that were the case then I’d go to DEFCON or Derbycon and learn from the top hackers on the planet. I go to business conferences because I want to listen to the problems others have and observe the way they’re approaching them.
One problem I see continuously since — pretty much — ever is the struggle of starting an internal security department. Is it really that hard? Maybe, but how do you know if you’re keeping the same approach and attitude and making the same mistakes all over again? If your approach doesn’t work, maybe give this one a shot.

Root cause analysis haters, obedience lovers and myopic players

Oh, throwing money and people at a problem doesn’t solve it for good?
We’ve all been there and seen that. If you haven’t yet, then sooner or later you’ll find yourself (or someone else) in that position.
By the way, I get it that sometimes you just need more people to put in more working hours and get shit done. However, I want to talk about situations in which quantity doesn’t help and when you should think different.

During my consulting career I’ve seen, a countless number of times, managers putting more people to work on a specific problem because it was still there or coming back after a while (regression). So they usually hit on a terrific idea, that they need to hire more people to work on it. So they did, and told new hires to do the same thing all over again, but they were so close-minded that they didn’t even think that the problem may just not be there. It didn’t come as a surprise that after a few months, when checking something else, I noticed that the problem was still recurring.