In this 1st episode of my podcast "Number 9", I have interviewed my friend and idol Gary McGraw about software security and what it means to grow a business. For the convenience of those who prefer to read, you will find below a transcript of the recording, generated by a piece of software and reviewed by myself. I was surprised by the high quality. We used a platform called Irius for the recording since we could not meet in person for obvious reasons. It depends on the line capacity, and since Gary was sitting in a small cabin somewhere in the middle of nowhere, there are some outages in the recording - sorry for that. I learned it's smart to have no landline phone or any other ringing device in the room. The numbers you see in brackets are time-stamps for your convenience. I have also marked my questions in bold and key insights in italics. Hey ho, let's go!
And here's the transcript.
Markus: [00:00:07] Gary, I'm pleased to have you on my very first podcast. I never did that before. I don't know whether I will do it again. [Gary making a funny comment on this]. So - I first learned about you and your work in the last century, when I read about your code scanner ITS4, which stands for "It's the software, stupid. Security Scanner" [00:00:37] - as far as I remember.
Gary: That's right.
Markus: And I consider you a true pioneer in the field. And from the day I read about that, I knew what my profession would be for the next 20 years or so, until this day.
Gary: Cool. Either cool or I'm feeling sorry.
Markus: Yeah, we'll argue about that [00:01:07] when we meet in person again. We have talked about this a few times before, but what do you think, given that the modern term these days is "resilient" software, not secure software? What should everybody do?
Gary: Well, look the main thing to understand is that in order for software to be secure, you have to set out to design [00:01:37] and implement it that way.
So the first thing to understand is you can't just take a piece of software and make it secure later in an economical way. The best way to do it is to build security in throughout the entire software development life cycle. And so, as I explained in my book Software Security, there are a number of activities that you can put into your software development life-cycle. No matter whether it's [00:02:07] DevOps or waterfall or any ... doesn't matter, goat sacrifice ... the idea of the touch points is, if you have certain software artifacts, then you can check them for security. So I'll give you three examples. One touch point is code review. Every single software project is going to have code, and you need to take a look at it for security bugs [00:02:38]; a code scanner like ITS4 can be used for that, or Fortify or Coverity. There are a number of commercial tools available now that were not around 20 years ago. So check your code with a code review tool.
Another touch point is to do architecture risk analysis or threat modeling. This is often overlooked, especially today when people are doing DevOps, and there are few tools for architecture analysis, although they're coming [00:03:08] around now, so that's something we see a lot of activity in in software security today.
And then the third touch point I want to focus on out of 7 is penetration testing. It's kind of funny, but everybody seems to start with pen-testing. That's not the one to do first. It's better to do code review. It's better to do architecture analysis, and then you can do some pen-testing later. So that's an example of what you have to do in order to build what you term resilient software [00:03:38] or secure software.
Markus: And it turns out that penetration tests are the thing that most people have in their checklist. "Oh, when we want to be secure, let's have a pen-test" and we both know that the journey starts then, it doesn't end there.
Gary: That's right. And you know, I think that penetration testing is good, you should do it, but it should not be the only thing you do [00:04:08]. And if you're going to start out with a software security initiative, you really shouldn't start with pen-testing. That's not how to get started.
Markus: Well, I speak with people these days after having sold my own company, and I know that you did the same a while ago. So you grew your company Cigital - let me know whether the number is true - to up to 400 people [00:04:38] by the end of the day, over many, many years. It starts with, I don't know, some guys in a garage over a beer, and then overnight you are 50, then 100 and finally 400. [00:05:08] What do you remember as a remarkable tipping point in that growth journey? Is there anything you remember where you had to reinvent the company, bring some people in, get others off?
Gary: Yes, that's a really good question. So I can think of three important things that helped us to grow to 400 people. The first is that the founder that founded Cigital, the two founders actually, really did a great job getting the company started and grew it to a certain size, [00:05:38] but they basically hit the wall around 50 people. So at that time we had a major crisis inside of Cigital and we had to hire a new CEO and I got put on the board. It's a long story, best told over beers and not in the podcast. But in the end we got past that, and it took a realization that though the founders were great, they were not the sorts of people that were going to make Cigital what we all wanted to make it, including [00:06:08] them. Their capabilities ended around 50 people or so. So that's one thing that was an important lesson. I don't know if that happens to all founders, but it does seem to be common enough that it's worth mentioning.
The other decision that we made from say 50 to 250 people and then beyond was to run an open book company where we showed everybody, what the revenue [00:06:38] was, what the expenses were, ... we didn't talk about people's salaries, but we put all of the numbers for all the divisions in a very big spreadsheet up on the wall every month and we let people ask questions about what was going on. Because we did that we taught people how the company actually ran and made money. We showed them what kind of impact their own activities had, they could see how much budget they were burning [00:07:08], what the results were, whether that was good enough, and that open book philosophy was really fantastic. The one funny thing about that is almost every time we would put the number up somebody would ask again: "What's EBITDA?" and we would have to explain that's earnings before interest and depreciation and whatever - every single time we say it's a proxy for cash. But so that goes [00:07:38] to show even if you see the numbers every month, it doesn't really mean you know what they're saying. That's two things.
And then the third thing that I think was really important for us at Cigital: we really cared about customers. We were a consulting firm. And so the success of our customers was super important, and as a result our customers really liked us and they told other people about us, and so we spread [00:08:08] by word of mouth. This was particularly important in the financial services industry, which is very tight-knit. And so, you know, that kind of word of mouth and customer success was very important for us. Those are three kinds of things that I think were critical to our success that I would watch out for.
Markus: Yeah, that's very insightful. So bringing people in [00:08:38] or getting them out is something that I have experienced, too. We tried that open book thing and we got the same questions every time, so I think I did that once a month or so. As you know, I have never learned that, I'm an engineer. But in the meantime, I can sing this song. So we are sitting on different sides of [00:09:08] the big pond. I assume you are at home in West Virginia. [Gary: I'm in Virginia, not West Virginia, but very close to West Virginia] Okay, so I'm in the Frankfurt-Heidelberg area, and I think we have both experienced the cultural difference between North America, which is different if you see western [00:09:38], middle, and eastern America, and Europe. But there are some differences between America and Europe. What's your take on this? What do you need to consider? I remember that Cigital wanted to do some work over here, starting in the Netherlands. What was your impression on that?
Gary: Well, so we actually ended up with a very big staff in Europe of about 40 or 50 people by the time we were done [00:10:08] and several offices. What is funny is that I think that North America and Europe have more in common than they have differences when it comes to business because my view is that it's about relationships with your customers. So you really have to have a trust relationship with your customer and you have to be there. So one of the important things to know about doing business in Germany [00:10:38] is that you had better be there. You can't just zoom up and go. "Hey, how's it going? I'm sitting here in New York City. How's everything in where are you again? Germany? Oh, yeah..." that doesn't work. You have to go to Oktoberfest with somebody and have a beer stein and eat some bratwurst and build a real relationship. So I think that understanding the culture comes with that close [00:11:08] contact and that close contact and that relationship building is important on both sides of the pond. Just to give you an example at Cigital, we did a lot of work with JP Morgan Chase in New York City, and we had people living in New York City delivering there. We knew the executive extremely well. At the time Jim Routh was there and Jim and I have been doing business together for you know, almost 20 years now [00:11:38] and we've had our ups and downs and relationships but mostly ups. But we really knew each other and we could talk very openly about what needed to happen in plan and work the politics and work the budgets and all that together. And then in Germany, we had the same thing happen. It wasn't me this time but we developed a very important relationship with Daimler. And the way to do that was to be there in person. 
So I came over and gave a big talk for their [00:12:08] CTO Summit, and then we had people that were delivering services, and we really spent a lot of time with the CISO over there understanding what was worrying the CISO and helping him get his vision established at Daimler. And so both of those accounts, which were very big accounts for Cigital in the end, were built through relationships. And they were on different sides of the pond and they involved eating [00:12:38] different things and drinking different things. It was still people on both sides.
Markus: Yeah, and I miss that a lot. It's okay to see each other, to hear each other, but meeting in person in the same room or at a table sharing some beers ... we need that sooner rather than later.
Gary: We do, and you know, you and I developed our own relationship that way, in person. We've [00:13:08] had some very great times together and we've done some good things because we trust each other and we have that relationship. So that sort of goes to show you.
Markus: Yeah. Yessir. So one of the ideas of the podcast is to share some advice for the young guns who are out there with great ideas and who are bold enough to start their own company [00:13:40] and that plan to grow - sometimes growth is something that surprises you: you are successful, you are 5 people, 10 people, 20 people. And I think that's one of the differences that I have seen between Europe and North America: most people over here see it very critically or find it difficult to grow with external help ... with [00:14:10] some funding. I believe that funding is very important to overcome certain barriers or certain hurdles in growth. What would be your advice to young founders who want to grow their business and who plan to raise some money?
Gary: Well, I've actually written about this and given talks about this very subject, and I came up with things that are [00:14:41] ... I wrote an article called "Seven things I've learned about running companies" that I wrote really before Cigital even got bought by Synopsys. So I would encourage people to look that up; if you just type in "seven things start up Gary McGraw" it'll be the first hit, on InformIT. But I think the one I want to emphasize with you is this. It's very easy when you're a little company and you've got to meet [00:15:11] payroll and you have expenses to forget what you're doing and chase only money. You say, "I gotta have money. Oh, no, we'll do whatever we need to do, we'll take your dog for a walk. We'll cook you dinner and clean your bathroom for money." Don't do that. Only do what you're supposed to do for money. Don't do any other stuff. If somebody says, "wow, you guys are really good at programming. [00:15:41] Can you just program this one thing for us?" Say no, keep your eyes on the ball of what you want to do and do that for your customers, not anything else. That's a very, very important lesson. It's just called keeping your eye on the ball, and it often involves adult supervision. So that's one kind of long example.
Let me tell you the 7 things very quickly. Okay, here they are. I'm just going to run past them quickly [00:16:11]. (1) Learn to think and write and communicate, (2) build a big network and travel and meet people. (3) Follow the categorical imperative from Immanuel Kant which says if you do that to other people they're going to do it to you. So do the right thing. (4) Know what it means to look into the hole and say "ah, we may not survive" and not panic, (5) be patient [00:16:41] and be consistent and develop a rhythm and know that this is not a sprint. It is a marathon and you got to pace yourself and breathe right and go for the long-term. (6) Have fun and do what you're passionate about. Really, fun is important. If you're not having fun, what's the point? (7) Utilize your network of people including people that have gray hair like you and me and build great stuff and the world will find your [00:17:11] great stuff if you build it. So those are my big pieces of advice in that article.
Markus: Yeah, and I did that while you introduced this and simply typed that into my browser and everyone who repeats that will quickly find a write-up of this. Just a note on that categorical imperative. I have seen something similar like this. Sometimes you win, sometimes you lose. And sometimes it's the other way around. [00:17:41] So be gentle to even competitors.
Gary: Absolutely. And people who think that business is the "art of war" are wrong. It's not. Business is "I want to get this done" and "you want to get that done" and together we can walk for a while because we have the same direction.
Markus: When we talk about [00:18:12] raising money, sooner or later you have to face people who speak a different language, financial language, and bring spreadsheets to the table: that's not much effort, you just need to spend 23 hours of the day filling in this form and that form and blah blah blah. What would you consider a deal breaker in such a discussion?
Gary: [00:18:44] Well, I mean, number one is that you should never bullshit. So, if somebody is speaking a different language there (I can hear your phone), if someone else is speaking a different language in the VC meeting or whatever and you don't understand - tell them. "I don't understand what you mean. What are you talking about? What do you mean, EBITDA? I don't know what that is." It's okay not to know [00:19:14]. Don't bullshit. Don't make stuff up and don't just pretend that you know what they're talking about. If you don't, it's much better to ask questions, understand clearly, and show that you're a smart person who may have different kinds of experiences than the people who are going to fund you. So that's the number one lesson: no bullshit!
Number two is if you think that those funding people are assholes [00:19:44] they probably are. Go to some different ones. All of the funding people are not assholes, but some of the funding people are assholes. And you don't need the assholes in your life. Just stop the meeting and leave if somebody is an asshole.
Markus: That's a generic advice for life!
Gary: Exactly. You know, it's surprising that people think "oh, it must just be because they are bankers." No, no, no. No, that's wrong. It's because they're an asshole [00:20:14]. And then the third thing is you don't need to do as much marketing as you think, so don't spend everything on marketing, because when you're little, if you're doing good stuff, you're going to have too much business and not enough people. And you don't need to spend the marketing money to grow fast until you're a much bigger size, say around - I don't know - 15 or 20 million EUR ARR a year; then you [00:20:44] can start spending on marketing. But before that you don't need to do that. So those are my three pieces of advice about the money situation.
Markus: I went through a similar exercise by trying to raise some money. I think it took us three or four attempts to be successful in the end, selling our company. What's [00:21:14] your view on this: should the exit of the former owners or founders be planned? So, is that something like "yes, you stay here for 12 months or 24 months and then you are out", or is there an alternative plan where people say it might be smart to keep you onboard? So what's your take on this?
Gary: I have no opinion about this. I've seen it screwed up every [00:21:44] single way. Getting rid of the founders, keeping the founders - both can screw up. So there's no one answer to that. You have to just look at the culture of the company that is selling and whether or not it's going to remain without the central founder or whether it will blow apart. You have to make sure that, you know, if you have an open book company and you start working for a closed book company, things are going to be very [00:22:14] stressful for people who are used to information and now have no information. So I think that the cultural fit is more important than what happens to the founders. And you know, founders might think it would be fun to be in a new place, but I'll tell you from my own personal experience: when my company got bought, it got bought by a public company and we were in a division. I was only 2 hops away from the [00:22:44] CEO of this huge public corporation, but I felt like I couldn't get anything done because of the bureaucracy. I was used to just doing stuff: I would think of something and then I would do it, and if I needed budget, I would make it. "Poof". And I did not like the constraints of working for a large public corporation and all the bullshit and waiting around, and so I was a bad cultural fit for a public corporation, and I guarantee you I will never work for one [00:23:14] again. But I'm a really good fit for an entrepreneurial organization that needs to grow fast and to be nimble and to move quickly. So I'm not interested in turning cranks and making more money happen faster every quarter. I'm much more interested in changing the world and being out in the jungle with the machete, hoping that one day the world will build some train tracks out that way and establish a little village and eventually [00:23:44] it'll be a city. So I'm much more of a machete guy myself.
Markus: Maybe the insight here is that it might be a good idea to think about what you want from the former owner. Do you want them to continue to push something? Then you should enable them to push things - or not. Then you should be transparent on: you will be out in, I don't know, 12 months, 24 [00:24:14] months or whatever.
Gary: Sure. I mean, I worked like this. I just said, "look, I'm going to give you three strikes, like in baseball." And if you have a strike with me, I'll tell you: that's a strike. "Well, I sure don't like that. That's terrible. That's one strike." And if another strike happens: "Oh, that thing that you did, that doesn't work for me. That's another strike, so you've got one left, and then I'm out." And that's the way I worked it for myself, because I never worked [00:24:44] for a big corporation. It was fun. It was really fun to, like, press a button on the aircraft carrier and see what happened. Like, what kind of missiles got launched, what kind of plane blew up? No, but they didn't really like that. Like, who's this guy pressing buttons? I was like, I don't know, I'm pressing buttons because it's fun. No, but that's just me.
Markus: Oh, yeah, I like that idea of the three strikes. Maybe [00:25:14] that's a piece of advice for everyone listening here: formalize something like that in your Sales Purchase Agreement, saying, hey, so I had rules about what I was not allowed to do; maybe there can be some rules for what the buying company is not allowed to do.
Gary: Yeah, and you know, the deal structure really impacts that. I mean, I had the luxury of doing that because we had an all-cash [00:25:44] deal. I did not have an earn-out, and I didn't have to, like, you know, there wasn't stuff I had to do to make it a success. I cared about my people. I wanted to make sure everybody was comfortable and they had a good career path and that Cigital didn't just fall apart. We didn't want to abandon it and take all the money and run away. But at the same time we had the luxury of being able to walk away because it was just money in the bank over there.
Markus: [00:26:17] So we sort of touched on the next two questions somehow, so I'll skip them and come to the last one, going back to our core passion, security. What do you think? What's the next big thing around the corner?
Gary: Well, what I've been working on for the last two years is artificial intelligence and machine learning security, and I actually formed an institute [00:26:47] called the Berryville Institute of Machine Learning. You should know that Berryville is a town of about 2,000 people which has more cows than people. And the institute has been studying machine learning from a security engineering perspective and making quite a big splash. In fact, recently, I'm proud to say that we got a grant from the open philanthropy people for $150,000 for this year to do whatever [00:27:17] we want to do in our machine learning security space. Because they feel like what we're doing is that important: that we are in some sense keeping an eye on big companies using machine learning, like Microsoft and Google and Amazon and everybody else who are using machine learning like crazy and who have very good machine learning security people, but there are also huge corporations that are a little bit greedy and [00:27:47] care less about things like ethics and bias and other aspects of AI that are super important to understand. So we've been working on that hard, and I guess my brain is just steeped in that. I'm just filled all the way to the brim with machine learning security stuff. And I absolutely love it. It's a very new field. It reminds me of software security in around 1998, which was a long time ago. [00:28:17]
Markus: And I learned that a good podcast should be around 30 minutes. We have 28 minutes done, and that was a very nice concluding word, Gary. Many thanks for your time.
Gary: Yep, it's my pleasure. I can't wait till I see you in person, Markus.
Markus: Same here. We have a lot of drinks to catch [00:28:47] up.
Gary: Indeed. Talk to you later.