Don't just talk green, act: electricity from hydropower.

Actually, everyone thinks it is important to act ecologically. After all, we only have this one nature, and humans are putting serious strain on it. While there is usually a lot of talk and a lot of thought about bans of every kind, I have found a project here where people roll up their sleeves: it is about electricity generated from hydropower.

Hydropower has many advantages. It produces no exhaust gases. Water is available almost without limit. And rivers flow steadily (unlike sun and wind). The drawbacks so far have been that hydropower plants required a major intervention in the environment: think of a reservoir, or a power plant built across a river with locks, etc.

The approach of Metropolstrom NW is to rely on non-invasive technologies that can be placed into rivers in an environmentally compatible way. And then to do this across the whole country. So-called river turbines or River Riders (from the company Enertainer Energy) are used, which can be positioned easily or submerged completely. Quote: "Hydropower is base-load capable. It could supply about 2 million households in Germany with electricity. On top of that there are around 9,900 sewage treatment plants with additional potential."

I think this is a great project, because it will help bring about an energy transition with technologies that are effective. And not tomorrow, but right at this moment. For this reason I have committed to the project as a silent partner. The nice thing is that you can also earn a decent return (>6%), as is clearly illustrated on the company's website.

Working on (not in) your Company

I wrote about a focus on the growth of companies. My thoughts are around small and medium-sized businesses, because that's my personal background. Some of the ideas might work in larger companies, too, but I don't know. Also, I don't like the additional, political dimension in larger companies. I wrote about shaping your Vision and Mission and about developing a growth model. Building on that, I now write about operationalizing this: working on your company. Yes, it's "on" and not "in". If you still work in your company, your company is either not ready for this phase or you are a poor leader who cannot delegate, cannot focus on strategy, and thinks he is better than the rest of the team.

If you have established your growth model, you should communicate it at all levels in order to align all forces of the company (see the podcast with Gary McGraw about the importance of communication and transparency). There is also a certain communication rhythm: annual kick-off, quarterly review, and review in day-to-day operations. Determine meaningful goals for each aspect of the different dimensions and track them. The Objectives and Key Results (OKR) framework can be a good tool for this since it connects your goals ("what do you want?") to success ("when have I reached the goal?"). It's also good to have more abstract OKRs for the company and drill them down to each individual's work.

See this example for more context. On our growth path we decided to enter new territories to extend our global reach. We identified the different regions and walked through the dimensions of our growth model, clarifying what is needed to be successful. This is an iterative process along these lines:

  • People: who do we need on the ground to manage the operation? Is it with our own people or with a partner? What are costs for these options?
  • Go-to-market: are there cultural differences that need to be considered in Marketing and Sales? How do we get visible in the new region? What are the first target customers?
  • Delivery: how do we deliver? Onsite? Remotely? Through partners? And how do we establish trust in the delivery approach?
  • Cost: what’s the investment needed to get it done?
  • Revenue: what’s the expected revenue (minimum and maximum)?
  • etc.

Drilling down each dimension leads to goals and results. For example, you can define marketing campaigns (say, 3 per quarter), state that the results should be a certain number of marketing collaterals and scheduled webinars, and attach the expected number of new leads to this. Additional OKRs should be added when the work is assigned to the team doing the job.

This is for sure over-simplified. The overall process needs focus, focus, focus, and your full attention. Don't give up when things take time and when you see some sort of resistance. Understand the obstacles, remove them, and communicate again. I have used the model for many years and it became a powerful tool for understanding the impact of key decisions. Work with the model, communicate, and adjust it whenever needed. And you will see that success is no longer luck but the result of working systematically on the company.

Towards a comprehensive Growth Model

After starting a business, things change. You realize that the garage days are over and that you need to make a decision: do we want to grow this into a market leader? Or do we leave it as it is? As an entrepreneur my DNA is set to growth, and I would like to share what happened to my company after we had shaped vision and mission more clearly.

In early 2017 we had 80 people working for the company. I was one of the leaders always thinking about strategy (vs. reactive things driven by the day-to-day business). I was often asked: where do you and your company (which has been the same for many years) want to be in 5 years? With the help of a mentor (I will write about the idea of mentoring later) I developed a multi-dimensional growth model that helped me to further grow the company, look for growth capital, and finally sell it. I will outline the key ideas in the following:

A natural starting point is the financials. You know your year-on-year growth from the past, you know your costs, and based on that data you can project what the future might look like. You can use conservative data (organic growth; we had an average YoY growth of 25% over several years) and more aggressive curves assuming that you can invest in certain areas.

And this leads directly to follow-up questions driven by bottleneck thinking: what hinders me from growing the company further, and what do I need to do to remove the bottleneck? If I do that, what would be the next bottleneck? And so on. A second layer is: what would unleash new revenue streams that you don't have today (new products, new sales territories, etc.), and how do you get there?

I found that besides financial planning (revenue, cost, margin) the following dimensions should be considered: people, go-to-market approach, portfolio, innovation, and delivery. I will write on those topics later.

Such a comprehensive growth model helps you to better understand your company. You will find out that the different dimensions are interdependent and that changes at one end have an impact on other ends. Understand that and you get in control of your planning and execution. Such a model is also not static but helps you to move forward strategically and adjust it whenever needed. I will talk about working with the model, too.

Murder over coffee withdrawal

Coffee has been part of my life since my university days, i.e. the late 1990s. It was the only way I could survive all those lectures where the professor made little effort and which were therefore simply boring. Later on in my career, coffee was a companion during many exciting hours, when we researched something new at the university, invented something at the company, or worked on a tricky deal. In the morning coffee is part of the wake-up routine, and in meetings (by now via web session) it is still an integral component. On weekends a good coffee is part of a leisurely breakfast. So why on earth would anyone give up coffee? I did it and want to report on it here (yes, I survived!).

Coffee belongs to the so-called stimulants, the things we consume for pleasure. We don't need them to survive; we consume them because they simply do one thing: they taste good and they create (short-term) happiness. That is also where the risk of addiction lies, varying in degree from one stimulant to another. But that is not why I gave up coffee, because I love drinking coffee. Rather, it was a recommendation during a one-week therapeutic fast to abstain from every kind of stimulant. And so I can confirm that coffee a) is addictive and b) giving it up can lead to real withdrawal symptoms. For me these were above all persistent and sometimes severe headaches, but also restlessness, followed by sluggishness and a certain irritability. It only got better after 2-3 days, but with a lot of discipline I made it. A whole week, at least.

What did it do for me? I see (at least) the following benefits:

  • Conscious awareness of body and mind: you learn again to pay more attention to the signals and to act accordingly.
  • Concentration: focused work is entirely possible without coffee. Better to use a break to enjoy the coffee instead of pouring it into yourself by the litre on the side.
  • Natural flow: without coffee you learn to follow the flow of your biorhythm. Work in the high, rest in the low.
  • Better sleep: coffee works 100% on me, and I cannot fall asleep if I have a cup after a certain time of day. Without coffee I simply sleep better and recharge the batteries.

So what happens now?

Give up coffee and other stimulants forever? I am too much of a hedonist for that (another topic for another article). But the planned and controlled withdrawal taught me mindfulness (yet another topic!) in enjoyment: to consciously savour the pleasure. Since then I have reduced the amount of coffee considerably and enjoy every cup twice or three times as much. By now this applies to many other stimulants and foods for me as well. If you ever get such an idea, let me know whether you managed it without committing murder.

The power of discipline

In all my years as an entrepreneur, athlete and private person I have observed that discipline is a virtue that can help you move mountains. For me, discipline is therefore a positive term. It means "mastering one's own will, feelings and inclinations in order to achieve something."

Discipline is important for reaching goals. If you want to be successful, discipline is in my opinion indispensable. Because success is very rarely luck but the result of persistence (not straying from the path), consistent action (decide and do) and personal responsibility (vs. it's always someone else's fault). It is quite true that with discipline you can provoke success and thus also luck. A positive cycle towards freedom and self-determination, created by discipline.

Applied to oneself, one moves from often externally imposed discipline to self-discipline. Wikipedia says: "Several longitudinal studies of recent decades found that the degree of capacity for self-discipline measured in tests and examinations in childhood was a reliable indicator of diverse success in later adult life." I have always considered myself very (self-)disciplined and, from my own perspective and career, can only confirm this.

In the following articles I write about my experiences with discipline and where it can lead. Privately and professionally. Examples of this are manifold:

  • Coffee withdrawal (I have just gone through this in the context of the next topic; I can already say that for a techie this requires a whooole lot of discipline).
  • Therapeutic fasting
  • Digital fasting
  • Writing a diploma thesis (called Bachelor and Master nowadays, isn't it)
  • Doctoral thesis
  • Building a house
  • Various athletic goals, e.g. finishing a triathlon
  • 30-day kettlebell challenge
  • Founding a company and making it big

I am already looking forward to the follow-up articles on this topic, but now I am heading outside first. Because the sun is shining and I have to enjoy that. What is your attitude towards discipline?

Selling Security Insights: “… and your baby is ugly.”

I have been in software security for more than two decades. And I have spent a lot of time not only thinking about products in that space but also selling them. And selling security is one of the toughest tasks because we don't talk about something that people want badly. Like an iPhone. Or a PlayStation. Or a new car. It's selling something people think they don't need. Because nothing bad has happened so far, right? Over the years I have observed some tactics to turn this point of view around and enter into a dialogue. Here are my thoughts, ordered from "not a good idea" to "usually works out".

  • Selling the ugly baby
    Not being secure is nothing you can see. It does not necessarily hurt. Thus, security companies tend to scan the customer's IT environment and show them the results. If nothing or only little has been done to protect the assets, there is typically only one answer: you are doomed. There are hundreds and thousands of issues, and the management report shows a red flag. From a technical point of view this seems brilliant because the scan has revealed the status so effectively. From the customer's ego point of view it is like visiting young parents and telling them that their baby is ugly (I can't remember when I first heard this metaphor, but it works well). And that is something parents don't like. They love their baby. They have cared for their baby. And it is ultimately the most beautiful human being on earth. Confronting a customer with such a story leads to nothing but rejection. It is no surprise that the conversion from such an initial analysis to offering a solution is a very stony road.
  • You are all idiots
    It gets even worse if the consultant executing an initial analysis starts to abuse the customer. They dissect each and every issue and tell the customer how smart they are and how stupid the customer and his team are. They mock them, asking how it could be that this and that has not been addressed, even young kids would do this (sure, young kids usually own IT landscapes with dozens or hundreds of apps). It can even happen that such consultants ridicule customers by publishing some findings from an assessment in open forums ("believe it or not, these idiots have implemented Identity & Access Management and think they are secure"). Nobody likes a know-it-all, nobody likes a smart-ass. Besides that, it doesn't help the customer at all to know that everything is shiny red; most of them sort of knew that already.
  • The path to happiness
    If you have data from an initial assessment, use it wisely. In my past life as owner of a security company we collected 400+ customer assessments and derived a benchmark from them. What we did wrong was to compare bad outcomes (from the 400+ scans) with bad outcomes: "Hey, we have done this many times in the past and your baby is as ugly as any other baby." It is much better to take samples from customers that have used the solution for several years and have made some progress in adding more and more protection for their assets. Make this your reference and benchmark any new assessment against it. If you do so, you are in a position to show the path to happiness: "You are here and others using our solution are there. We are here to help you improve over time. And by the way, here are 10 quick wins that you can implement in no time. And then we take it from there, working on a road map." In short: you start to sell confidence that bad things will become good, there is evidence that it works, and there is a plan for how to get there. Better?

Let me know whether you have fallen into the traps mentioned above or whether you have learned how to move on and started to sell happiness. It is another story how to position a first-touch meeting so that it is most successful for both the customer and the solution provider. Another article for another day.

Understanding internal risks during growth

The growth of a company is threatened by external and internal risks. We have already talked about external risks; today it is about some typical risks that come from inside, i.e. from your own organization. Internal risks can often be more dangerous than external ones, since they can be a) more likely and b) immediately harmful. The good news: it is definitely easier to take countermeasures. Here are risks that I have encountered again and again in my career as company founder and managing director. Each is certainly worth an article of its own, but here are first thoughts:

  • We have always done it this way
    When your company grows, this leads to changes. And many people don't like changes, because they have to leave their comfort zone. Changes can lead to uncertainty and ultimately to strong resistance. The only way to counter this is to communicate, on various levels and regularly, why the changes are necessary, how they will be approached, and what needs to be done (by everyone).
  • That won't work
    Sounds like the previous point, but has a different quality. Especially in technical companies, the engineers often have the upper hand and quickly judge that new ideas cannot work. Dozens of reasons are found why something won't work. For creative people who want to make the company better, this can be frustrating. I recommend introducing a rule that everyone must make at least 2 solution proposals. Because there is usually a way to turn things for the better. It also makes sense to enter such a brainstorming with one dream idea and one rather modest idea, so that there is already a basis.
  • Toxic employees
    I have experienced again and again that a few individual employees actively stir up sentiment against changes, colleagues or even customers. This happens subtly at the coffee corner, over lunch or even outside in their free time. There is nothing wrong with seeing things critically. But criticism should always take place "in the locker room". And in the forums that the company provides. Otherwise the climate in the company gets more and more "poisoned", and more and more people do everything except care about the company's goals. There are people who seem to see their purpose in life in causing trouble (instead of looking for a company that suits them better; I have never understood that). If you have created the framework for (constructive!) criticism and this still happens again and again, only one thing helps: part with toxic employees quickly and by all appropriate means.
  • Applying company values with double standards
    Everyone who starts small first lives their own values in the company. The more people join the team, the more important it becomes to derive the company's values from them, so that everyone can identify with them and orient themselves by them. This can easily be forgotten, but for most employees it is an important instrument for their own self-image within the company. It is a big mistake, however, if a two-class society emerges and the values are applied differently, because then you lose, rightly, the support within your own house over time. Respectful treatment of customers and employees is a value one would expect everywhere, but it can quickly be lost, especially when new "managers" come on board who are only out for their own advantage. Another example is demanding that everyone be the "owner" of their tasks, but then effectively leaving them alone with it, so that they can only lose.

The order reflects my view from "not good" to "really bad". If you know more, feel free to share your insights in the comment field.

Welcome, Mr Murphy!

The featured image of this article shows a core drilling from the construction phase of my house. I want to use this example to show that things go wrong, i.e. Murphy's law applies. I then transfer this to a few simple thoughts that have helped me run my company.

Why is there a hole in the drill core? Because pipes for a ventilation system were laid in the ceiling. Then the concrete was poured. And it turned out that the hole for the bathroom downpipes didn't quite fit, so it had to be re-drilled. And then it was somehow clear that one of the pipes would be hit nicely in the middle. I kept the drill core because it nicely shows why things go wrong in real life:

  • Everything looked good on the plan.
  • But the bricklayers apparently deviated from it by a few centimetres.
  • The pipes were not marked, so the drilling was a bit of a "gamble".
  • Nobody talked to anybody before drilling.

This could have been avoided by checking the execution, by communication between the actors, and by adapting the plan. In the life of an entrepreneur the interdependencies and the complexity are far higher than in this construction example. It will therefore not be possible to take everything into account in advance during planning. Rather, it is important that a) all relevant risks are identified, b) manageable measures are discussed, and c) both are regularly put to the test and adjusted as needed. The process can look as follows:

  1. Relevant risks: as an entrepreneur you should know the risks that can threaten the continued existence of the company. Both external and internal risks are to be considered. I will shed light on the internal risks in a further article. Typical external risks are: global crises such as the financial crisis (it does not always have to be a pandemic that leads to spending being postponed), market entry of a competitor with a better product or predatory pricing, failed integration after a company acquisition and the associated departure of key employees.
    There are certainly more, and in a suitable group these can usually be named sufficiently. It can make sense to establish a person or a team as "devil's advocate" whose job is to be "paranoid". Limiting this to one person or one team is important so that doomsday thinking does not spread throughout the whole company (that is a typical internal risk).
  2. Focus and communication: the list of risks must be prioritized, because it will hardly be possible to address all of them. After all, the main task of a company is to bring great products to market, not to deal more and more with risks. It should be stated which risks are likely, which would hurt particularly, and what can be done about them with reasonable means. The market entry of a competitor (which will inevitably happen if you are successful) can be countered, for example, with good customer relationships, a clear roadmap, and continuous innovation. The risks and the associated measures should be communicated regularly and in a suitable manner (again a topic of its own).
  3. Review and adjust: the risks themselves should be reconsidered 1-2 times a year. More often is not necessary in my opinion, because otherwise you lose focus. The measures themselves should be reviewed more often: are we doing enough to, for example, stay ahead, how do we determine that (define metrics!), and where do we need to readjust.

If this is taken into account, Mr Murphy can even become a welcome guest, making sure that you do not rest on your laurels and can always keep moving forward.

Understanding Your Idea: Vision and Mission Statement

When you start and grow a company you are often asked for a Vision / Mission statement. I went through this exercise several times with my team, analysts (like Gartner), my coach, etc., and I believe that understanding your vision is more important than you think, for at least the following reasons: understanding why you do things helps you to 1) align your business, 2) explain your offering to prospects, and 3) re-invent your company whenever needed. Ultimately, it helps you stay in the driver's seat (vs. being driven by others).

I have read a lot about how to sharpen your vision / mission statement and can recommend reviewing two ideas from Simon Sinek. This is the best I have seen because it leads to clear and easy-to-understand messages. That does not mean that getting there is easy, though.

  • Read the idea of framing a vision by a "Just Cause" that meets the following criteria: 1) for something, 2) inclusive, 3) service oriented, 4) resilient, and 5) idealistic.
  • The "Just Cause" is linked to your mission statement, which can be derived following another of Simon's ideas: the "Golden Circle". According to Sinek, many companies start messaging with "what" they do, followed by the "how" and the "why". Since your customers expect an answer to "why are you here?", it is good to turn this around in your mission statement and start with the WHY.

This is not a one-time exercise. Put some brains together around this approach and get started. And then refine it over time based on feedback and insights that you gain on your way. I will continue to share my experience about a corporate model based on your Vision / Mission statement that helped me to grow my former company over the years.

Number#9, Episode 001: Interview with Gary McGraw, PhD, about the state of security and successfully growing a business

In this first episode of my podcast "Number 9", I interviewed my friend and idol Gary McGraw about software security and what it means to grow a business. For the convenience of those who prefer to read, you find below a transcript of the recording, generated by a piece of software and reviewed by myself. I was surprised by the high quality. We used a platform called Irius for the recording since we could not meet in person for obvious reasons. It depends on the line capacity, and since Gary was sitting in a small cabin somewhere in the middle of nowhere, there are some outages in the recording; sorry for that. I learned it's smart to have no landline phone or any other ringing device in the room. The numbers you see in brackets are time-stamps for your convenience. I have also marked my questions in bold and key insights in italics. Hey ho, let's go!

And here’s the transcript.

Markus: [00:00:07] Gary, I'm pleased to have you on my very first podcast. I never did that before. I don't know whether I will do it again. [Gary making a funny comment on this]. So, I first learned about you and your work in the last century, when I read about your code scanner ITS4, which stands for "It's the software [00:00:37], stupid, Security Scanner", as far as I remember.

Gary: That’s right.

Markus: And I consider you a true pioneer in the field. And by the day I read about that, I knew what my profession will be in the next 20 years or so until this day.

Gary: Cool. Either cool or I’m feeling sorry.

Markus: Yeah, we'll argue about that [00:01:07] when we meet in person again. We have talked about that a few times before, but what do you think, now that the modern term is "resilient" software rather than secure software these days? What should everybody do?

Gary: Well, look the main thing to understand is that in order for software to be secure, you have to set out to design [00:01:37] and implement it that way.

So the first thing to understand is you can't just take a piece of software and make it secure later in an economical way. The best way to do it is to build security in throughout the entire software development life cycle. And so, as I explained in my book Software Security, there are a number of activities that you can put into your software development life cycle. No matter whether it's [00:02:07] DevOps or waterfall or any ... doesn't matter, goat sacrifice ... the idea of the touchpoints is that if you have certain software artifacts, then you can check them for security. So I'll give you three examples. One touchpoint is code review. Every single software project is going to have code, and you need to take a look at it for security bugs [00:02:38]; a code scanner like ITS4 can be used for that, or Fortify or Coverity. There are a number of commercial tools available now that were not around 20 years ago. So check your code with a code review tool.

Another touch point is to do architecture risk analysis or threat modeling. This is often overlooked especially today when people are doing DevOps and there are few tools for architecture analysis, although they’re coming [00:03:08] around now, so that’s something we see a lot of activity in in software security today.

And then the third touch point I want to focus on out of 7 is penetration testing. It’s kind of funny, but everybody seems to start with pen-testing. That’s not the one to do first. It’s better to do code review. It’s better to do architecture analysis, and then you can do some pen-testing later. So that’s an example of what you have to do in order to build what you term resilient software [00:03:38] or secure software.

Markus: And it turns out that penetration tests are the thing that most people have in their checklist. “Oh, when we want to be secure, let’s have a pen-test” and we both know that the journey starts then, it doesn’t end there.

Gary: That’s right. And you know, I think that penetration testing is good, you should do it, but it should not be the only thing you should do [00:04:08]. And if you’re going to start out with the software security initiative, you really shouldn’t start with pen-testing. That’s not how to get started.

Markus: Well, when I speak with people these days, after having sold my own company, and I know that you did that too a while ago. So you grew your company Cigital, and let me know whether the number is true, up to 400 people [00:04:38] by the end of the day, over many, many years. It starts with, I don't know, some guys in a garage over a beer, and then overnight you are 50, then 100 and finally 400. [00:05:08] What do you remember as a remarkable tipping point in that growth journey? Is there anything you remember where you had to reinvent the company, bring some people in, get others off?

Gary: Yes, that's a really good question. So I can think of three important things that helped us to grow to 400 people. The first is that the founders that founded Cigital, the two founders actually, really did a great job getting the company started and grew it to a certain size, [00:05:38] but they basically hit the wall around 50 people. So at that time we had a major crisis inside of Cigital, and we had to hire a new CEO and I got put on the board. It's a long story best told over beers and not in the podcast. But in the end we got past that, and it took a realization that though the founders were great, they were not the sorts of people that were going to make Cigital what we all wanted to make it, including [00:06:08] them. Their capabilities ended around 50 people or so. So that's one thing that was an important lesson. I don't know if that happens to all founders, but it does seem to be common enough that it's worth mentioning.

The other decision that we made from say 50 to 250 people and then beyond was to run an open book company where we showed everybody, what the revenue [00:06:38] was, what the expenses were, … we didn’t talk about people’s salaries, but we put all of the numbers for all the divisions in a very big spreadsheet up on the wall every month and we let people ask questions about what was going on. Because we did that we taught people how the company actually ran and made money. We showed them what kind of impact their own activities had, they could see how much budget they were burning [00:07:08], what the results were, whether that was good enough, and that open book philosophy was really fantastic. The one funny thing about that is almost every time we would put the number up somebody would ask again: “What’s EBITDA?” and we would have to explain that’s earnings before interest and depreciation and whatever – every single time we say it’s a proxy for cash. But so that goes [00:07:38] to show even if you see the numbers every month, it doesn’t really mean you know what they’re saying. That’s two things.

And then the third thing that I think was really important for us at Cigital. We really cared about customers. We were a consulting firm. And so the success of our customers was super important and as a result, our customers really liked us and they told other people about us and so we spread [00:08:08] by word of mouth. This was particularly important in the financial services industry which is very tight-knit. And so, you know, that kind of word of mouth and customer success was very important for us. Those are three kind of things that I think were critical to our success that I would watch out for.

Markus: Yeah, that’s very insightful. So bringing people in [00:08:38] or getting them out is something that I have experienced, too. We tried that open book thing and we got the same questions every time so I think I did that once a month or so. So as you know, I have never learned that, I’m an engineer. But in the meanwhile, I can sing this song. So we are sitting on different sides of [00:09:08] the big pond. I assume you are at home in West Virginia. [Gary: I’m in Virginia not West Virginia, but very close to West Virginia.] Okay, so I’m in the Frankfurt-Heidelberg area and I think we have both experienced cultural differences between North America, which is different if you see west [00:09:38], middle, and eastern America. But there are some different differences between America and Europe. What’s your take on this? What do you need to consider? I remember that Cigital wanted to do some work over here, starting in the Netherlands. What was your impression on that?

Gary: Well, so we actually ended up with a very big staff in Europe of about 40 or 50 people by the time we were done [00:10:08] and several offices. What is funny is that I think that North America and Europe have more in common than they have differences when it comes to business because my view is that it’s about relationships with your customers. So you really have to have a trust relationship with your customer and you have to be there. So one of the important things to know about say doing business in Germany [00:10:38] is that you had better be there. You can’t just zoom up and go: “Hey, how’s it going? I’m sitting here in New York City. How’s everything in, where are you again? Germany? Oh, yeah …” that doesn’t work. You have to go to Oktoberfest with somebody and have a beer stein and eat some bratwurst and build a real relationship. So I think that understanding the culture comes with that close [00:11:08] contact and that close contact and that relationship building is important on both sides of the pond. Just to give you an example at Cigital, we did a lot of work with JP Morgan Chase in New York City, and we had people living in New York City delivering there. We knew the executive extremely well. At the time Jim Routh was there and Jim and I have been doing business together for, you know, almost 20 years now [00:11:38] and we’ve had our ups and downs in relationships but mostly ups. But we really knew each other and we could talk very openly about what needed to happen and plan and work the politics and work the budgets and all that together. And then in Germany, we had the same thing happen. It wasn’t me this time but we developed a very important relationship with Daimler. And the way to do that was to be there in person.
So I came over and gave a big talk for their [00:12:08] CTO Summit and then we had people that were delivering services and we really spent a lot of time with the CISO over there understanding what was worrying the CISO and how to help him get his vision established at Daimler. And so both of those accounts, which were very big accounts for Cigital in the end, were built through relationships. And they were on different sides of the pond and they involved eating [00:12:38] different things and drinking different things. It was still people on both sides.

Markus: Yeah and I miss that a lot. It’s okay to see each other, to hear each other, but meeting in person in the same room or on a table sharing some beers … we need that sooner than later.

Gary: We do and you know you and I developed our own relationship that way, in person. We’ve [00:13:08] had some very great times together and we’ve done some of the good things because we trust each other and we have that relationship. So that sort of goes to show you.

Markus: Yeah. Yessir. So one of the ideas of the podcast is to share some advice for the young guns which are out there with great ideas and who are bold enough to start their own company [00:13:40] and that plan to grow – sometimes growth is something that’s surprising you if you are successful. You are 5 people, 10 people, 20 people and I think that’s one of the differences that I have seen between Europe and North America is that most people over here see it very critically or find it difficult to grow with external help … with [00:14:10] some funding. I believe that funding is very important to overcome certain barriers or to overcome certain hurdles in growth. What would be your advice to young founders that want to grow their business and that plan to raise some money?

Gary: Well, I’ve actually written about this and given talks about this very subject and I came up with things that are what [00:14:41] … I wrote an article called “Seven things I’ve learned about running companies” that I wrote really before Cigital even got bought by Synopsys. So I would encourage people to look that up if you just type in “seven things start up Gary McGraw” it’ll be the first hit on InformIT. But I think the one I want to emphasize with you is this. It’s very easy when you’re a little company and you’ve got to meet [00:15:11] payroll and you have expenses to forget what you’re doing and chase only money. You say: “I gotta have money. Oh, no, we’ll do whatever we need to do, we’ll take your dog for a walk. We’ll cook you dinner and clean your bathroom for money.” Don’t do that. Only do what you’re supposed to do for money. Don’t do any other stuff. If somebody says, “wow, you guys are really good at programming. [00:15:41] Can you just program this one thing for us?” Say no, keep your eyes on the ball of what you want to do and do that for your customers, not anything else. That’s a very, very important lesson. It’s just called keeping your eye on the ball and it often involves adult supervision. So that’s one kind of long example.

Let me tell you the 7 things very quickly. Okay, here they are. I’m just going to run past them quickly [00:16:11]. (1) Learn to think and write and communicate. (2) Build a big network and travel and meet people. (3) Follow the categorical imperative from Immanuel Kant which says if you do that to other people they’re going to do it to you. So do the right thing. (4) Know what it means to look into the hole and say “ah, we may not survive” and not panic. (5) Be patient [00:16:41] and be consistent and develop a rhythm and know that this is not a sprint. It is a marathon and you got to pace yourself and breathe right and go for the long-term. (6) Have fun and do what you’re passionate about. Really, fun is important. If you’re not having fun, what’s the point? (7) Utilize your network of people including people that have gray hair like you and me and build great stuff and the world will find your [00:17:11] great stuff if you build it. So those are my big pieces of advice in that article.

Markus: Yeah, and I did that while you introduced this and simply typed that into my browser and everyone who repeats that will quickly find a write-up of this. Just a note on that categorical imperative. I have seen something similar like this. Sometimes you win, sometimes you lose. And sometimes it’s the other way around. [00:17:41] So be gentle to even competitors.

Gary: Absolutely. And people who think that business is the “art of war” are wrong. It’s not. Business is “I want to get this done” and “you want to get that done” and together we can walk for a while because we have the same direction.

Markus: When we talk about [00:18:12] raising money sooner or later you have to face people who speak a different language, financial language, and bring spreadsheets on the table, that’s not much effort, you just need to spend 23 hours of the day filling in this form and that form and blah blah blah. What would you consider a deal breaker in such a discussion?

Gary: [00:18:44] Well, I mean number one is that you should never bullshit. So, if somebody is speaking a different language there (I can hear your phone). If someone else is speaking a different language in the VC meeting or whatever and you don’t understand – tell them. “I don’t understand what you mean. What are you talking about? What do you mean EBITDA? I don’t know what that is.” It’s okay not to know [00:19:14]. Don’t bullshit. Don’t make stuff up, and don’t just pretend that you know what they’re talking about. If you don’t, it’s much better to ask questions, understand clearly, and show that you’re a smart person that may have different kinds of experiences than the people that are going to fund you. So that’s the number one lesson: no bullshit!

Number two is if you think that those funding people are assholes [00:19:44] they probably are. Go to some different ones. All of the funding people are not assholes, but some of the funding people are assholes. And you don’t need the assholes in your life. Just stop the meeting and leave if somebody is an asshole.

Markus: That’s a generic advice for life!

Gary: Exactly. You know, it’s surprising that people think “oh, it must just be because they are bankers.” No, no, no. No that’s wrong. It’s because they’re an asshole [00:20:14]. And then the third thing is you don’t need to do as much marketing as you think, so don’t spend everything on marketing because when you’re little, if you’re doing good stuff, you’re going to have too much business and not enough people. And you don’t need to spend the marketing money to grow fast until you’re a much bigger size say around – I don’t know – 15 or 20 million a year EUR ARR, then you [00:20:44] can start spending on marketing. But before that you don’t need to do that. So those are my three pieces of advice about the money situation.

Markus: I went through a similar exercise by trying to raise some money. I think it took us three or four attempts to be successful in the end selling our company. What’s [00:21:14] your view on: should the exit of the former owners or founders be planned? So, is that something “yes, you stay here for 12 months or 24 months and then you are out” or is there an alternative plan where people say it might be smart to keep you onboard. So what’s your take on this?

Gary: I have no opinion about this. I’ve seen it screwed up every [00:21:44] single way. Getting rid of the founders, keeping the founders – both can screw up. So there’s no one answer to that. You have to just look at the culture of the company that is selling and whether or not it’s going to remain without the central founder or whether it will blow apart. You have to make sure that the, you know, if you have an open book company and you start working for a closed book company things are going to be very [00:22:14] stressful for people who are used to information and they have no information. So I think that the cultural fit is more important than what happens to the founders and, you know, founders might think it would be fun to be in a new place, but I’ll tell you from my own personal experience when my company got bought, it got bought by a public company and we were in a division, I was only 2 hops away from the [00:22:44] CEO of this huge public corporation, but I felt like I couldn’t get anything done because of the bureaucracy. I was used to just doing stuff and I would think of something and then I would do it and if I needed budget, I would make it. “Poof”. And I did not like the constraints of working for a large public corporation and all the bullshit and waiting around and so I was a bad cultural fit for a public corporation and I guarantee you I will never work for one [00:23:14] again. But I’m a really good fit for an entrepreneurial organization that needs to grow fast and to be nimble and to move quickly. So I’m not interested in turning cranks and making more money happen faster every quarter. I’m much more interested in changing the world and being out in the jungle with the machete hoping that one day the world will build some train tracks out that way and establish a little village and eventually [00:23:44] it’ll be a city. So I’m much more of a machete guy myself.

Markus: Maybe the insight here is that it might be a good idea to think about what do you want from the former owner? Do you want them to continue to push something? Then you should enable him to push things – or not. Then you should be transparent on: you will be out in I don’t know 12 months, 24 [00:24:14] months or whatever.

Gary: Sure. I mean, I worked like this. I just said “look, I’m going to give you three strikes, like in baseball.” And if you have a strike with me, I’ll tell you. That’s a strike. Well, I sure don’t like that. That’s terrible. That’s one strike. And if another strike happens: oh, that thing that you did, that doesn’t work for me. That’s another strike, so you got one left and then I’m out, and that’s the way I worked it for myself. Because I never worked [00:24:44] for a big corporation. It was fun. It was really fun to like press a button on the aircraft carrier and see what happened. Like what kind of missiles got launched, what kind of plane blew up? No, but they didn’t really like that. Like who’s this guy pressing buttons? I was like, I don’t know. I’m pressing buttons because it’s fun. No, but that’s just me.

Markus: Oh, yeah, I like that idea of the three strikes. Maybe [00:25:14] that’s an advice for everyone listening here to formalize something like that in your Sales Purchase Agreement saying, hey, so I had rules what I was not allowed to do. Maybe there can be some rules for what the buying company is not allowed to do.

Gary: Yeah, and you know the deal structure really impacts that. I mean, I had the luxury of doing that because we had an all-cash [00:25:44] deal. I did not have an earn-out and I didn’t have to like, you know, there wasn’t stuff I had to do to make it a success. I cared about my people. I wanted to make sure everybody was comfortable and they had a good career path and that Cigital didn’t just fall apart. We didn’t want to abandon it and take all the money and run away. But at the same time we had the luxury of being able to walk away because it was just money in the bank over there.

Markus: [00:26:17] So we sort of touched the next two questions somehow so I skip them coming to the last one going back to our core passion security. What do you think? What’s the next big thing around the corner?

Gary: Well, what I’ve been working on for the last two years is artificial intelligence and machine learning security and I actually formed an institute [00:26:47] called the Berryville Institute of Machine Learning. You should know that Berryville is a town of about 2,000 people which has more cows than people. And the institute has been studying machine learning from a security engineering perspective and making quite a big splash. In fact recently, I’m proud to say that we got a grant from the Open Philanthropy people for $150,000 for this year to do whatever [00:27:17] we want to do in our machine learning security space. Because they feel like what we’re doing is that important that we are in some sense keeping an eye on big companies using machine learning like Microsoft and Google and Amazon and everybody else who are using machine learning like crazy and who have very good machine learning security people, but there are also huge corporations that are a little bit greedy and [00:27:47] care less about things like ethics and bias and other aspects of AI that are super important to understand. So we’ve been working on that hard and I guess my brain is just steeped in that. I’m just filled all the way to the brim with machine learning security stuff. And I absolutely love it. It’s a very new field. It reminds me of software security in around 1998, which was a long time ago. [00:28:17]

Markus: And I learned that a good podcast should be around 30 minutes. We have 28 minutes done and that was a very nice concluding word, Gary, many thanks for your time.

Gary: Yep, it’s my pleasure. I can’t wait till I see you in person, Markus.

Markus: Same here. We have a lot of drinks to catch [00:28:47] up.

Gary: Indeed. Talk to you later.