The power of discipline

In all my years as an entrepreneur, sportsman and private individual, I have observed that discipline is a virtue that can help you move mountains. For me, discipline is therefore a positive term. It means "the mastery of one's own will, feelings and inclinations in order to achieve something."

Discipline is important to achieve goals. If you want to be successful, I think discipline is essential. Because success is rarely luck, but the result of perseverance (do not stray from the path), consistent action (decide and do) and personal responsibility (vs. blame always the others). It is quite possible to provoke success, and therefore happiness, with discipline. A positive cycle to the freedom and self-determination created by discipline.

Applied to oneself, one moves from discipline that is often externally determined to self-discipline. Wikipedia says: "Several long-term studies in recent decades found that the level of ability to self-discipline in childhood, as determined by tests and examinations, was a sure indicator of diverse success in later adult life." I have always considered myself to be very (self)disciplined and can only confirm this from my perspective and career.

In the following articles I write about my experiences with discipline and where it can lead. Privately and at work. Examples of this are manifold:

  • Coffee withdrawal (just went through this in the context of the next topic - I can already tell this takes a lot of discipline for a techie).
  • Fasting
  • Digital fasting
  • Writing a diploma thesis (is called Bachelor and Master today, isn't it)
  • PhD thesis
  • Build a house
  • Various sporting goals, e.g. finishing a triathlon
  • 30 Days Kettlebell Challenge
  • Start a company and make it big

I'm already looking forward to the follow-up articles on this topic, but now it's time to get out into the air. Because the sun is shining and I have to enjoy it. What is your attitude towards discipline?

Selling Security Insights: "...and your baby is ugly."

I'm into software security for more than 2 decades. And I spent a lot of time not only thinking about products in that space but also selling them. And selling security is one of the toughest tasks because we don't talk about something that people want badly. Like an iPhone. Or a PlayStation. Or a new car. It's selling something people think they don't need it. Because nothing bad has happened so far, right? Over the years I have observed some tactics to turn this point of view around and entering a dialogue. Here are my thoughts ordered from "not a good idea" to "usually works out".

  • Selling the ugly baby
    Being not secure is nothing you can see. It does not necessarily hurt. Thus, security companies tend to scan the customers IT environment and show them the results. If nothing or only little has been done to protect the assets, there's typically only one answer: you are doomed. There are hundreds and thousands of issues, the management reporting shows a red flag. From a technical point of view this seems to be brilliant because the scan has revealed the status so effectively. From the customer's ego point of view it like visiting young parents and telling them that their baby is ugly (I can't remember when I have heard this metaphor the1st time, but it works well). And that is something parents don't like. They love their baby. They have cared for their baby. And it's ultimately the most beautiful human being on earth. Facing a customer with such a story leads to nothing but rejection. It's no surprise that the turnover rate from such an initial analysis to offering a solution is a very stony road.
  • You are all idiots
    It's getting even worse if the consultant executing an initial analysis starts to abuse the customer. They dissect each and every issue and tell the customer how smart they are and how stupid the customer and his team is. They mock them asking how could it be that this and that has not been addressed, even young kids would do this (sure, young kids usually own IT landscapes with dozens / hundreds of apps). It can even happen that such consultants turn customers into ridicule by publishing some findings from an assessment in open forums ("believe it or not, these idiots have implemented Identify & Access Management and think they are secure."). Nobody likes a know-it-all, nobody likes a smart-ass. Besides that - it doesn't help the customer at all knowing that everything is shiny red - most of them sort of knew that already.
  • The path to happiness
    If you have data of an initial assessment, use it wisely. In my past life as owner of a security company we have collected 400+ customer assessments and derived a benchmark from that. What we did wrong was to compare bad outcome (from the 400+ scans) with bad outcome: "Hey, we did that in the past many times and your baby is as ugly as any other baby." It's much better to take samples from customers that have used the solution for several years and that have made some progress in adding more and more protection for their assets. Make this your reference and benchmark any new assessment against this. If doing so, you are in a position to show the path to happiness: "You are here and others using our solution are there. We are here to help you to improve over time. And by the way - here are 10 quick wins that you can implement in no time. And then we take it from there working on a road map." In short: you start to sell confidence that bad things will be good, there's evidence that it works, and there's a plan how to get there. Better?

Let me know whether you have fallen into traps as mentioned above or whether you have learned how to move on and started to sell happiness. It's another story to position a first touch meeting making it most successful for both the customer and the solution provider. Another article for another day.

Understanding internal growth risks

The growth of a company is threatened by external and internal risks. We have already talked about external risks, today we are talking about some typical risks that come from within - i.e. from within the own organization. Internal risks can often be more dangerous than external ones because they are a) more likely to happen and b) can be immediately damaging. The good news: it's definitely easier to take action. Here are risks I've encountered time and again in my career as a company founder and CEO - each is definitely worth a separate article, but here are some initial thoughts:

  • We've always done it that way
    When their company grows, it leads to change. And many people don't like change because it requires them to leave their comfort zone. Changes can lead to insecurity and ultimately to high resistance. This can only be countered by communicating on different levels and on a regular basis why the changes are necessary, how it will be done and what needs to be done (by everyone).
  • That doesn't work
    Sounds like the previous point, but it has a different quality. Especially in technical companies, the technicians often have the upper hand and quickly judge that new ideas can't work. They come up with umpteen reasons why something won't work. For creative people who want to make the company better, this can be frustrating. I recommend introducing rules here that everyone must propose at least 2 solutions. Because there is usually a way to turn things around. It also makes sense to go into such a brainstorming with a wishful idea and a more modest idea, so that there is already a basis.
  • Toxic employees
    I have seen time and time again that a few employees actively stir up trouble against changes, colleagues or even customers. This happens subtly in the coffee corner, at lunch or even outside in their free time. There's nothing wrong with being critical of things. But criticism should always take place "in the cubicle". And in the forums provided by the company. Otherwise, the climate in the company becomes more and more "poisoned" and more and more people do everything, but no longer care about the company's goals. There are people who seem to see their purpose in life in causing trouble (instead of looking for a company that suits them better - I've never understood that). If you have created the framework for (constructive!) criticism and this still happens again and again, only one thing will help: you should part ways with toxic employees quickly and by any means necessary.
  • Applying a double standard to company values
    Everyone who starts out small first lives by their own values in the company. The more people join the team, the more important it becomes to derive the company's values from them so that everyone can identify with them and align themselves with them. This can easily be forgotten, but for most employees it is an important tool for their own self-image within the company. However, it is a big mistake if a two-tier society develops and the values are applied differently - because then you lose support within the company over time, and rightly so. Respectful treatment of customers and employees is a value that you would expect everywhere, but which can quickly be lost, especially when new "managers" come on board who are only out to benefit themselves. Another example is that everyone is expected to be the "owner" of their tasks, but is effectively left alone with this and can therefore only lose.

The order corresponds to my view from "not good" to "really bad". If you know more - feel free to share your insights in the comments section.

Welcome, Mr. Murphy!

The post image for this article shows a core drill from the construction phase of my house. I want to use this example to show that things go wrong - in other words, Murphy's Law applies. I then transfer that to a few simple thoughts that have helped me run my business.

Why is there a hole in the core? Because pipes for a residential ventilation system were laid in the ceiling. Then the concrete was poured. And it turned out that the hole for the bathroom downspouts didn't quite fit, so they had to re-drill. And then it was kind of obvious that one of the pipes was hit nice and centered. I kept the drill core because it shows nicely why things go wrong in real life:

  • Everything looked good in the plan.
  • The masons, however, seem to have strayed a few inches from that.
  • The pipes were not marked, so drilling was a bit of a "gamble".
  • No one talked to anyone before the drill.

This could have been avoided by controlling the implementation, communication between the actors and adjusting the plan. In the life of a contractor, the interactions and complexity are incomparably higher than in this construction example. It will therefore not be possible to take everything into account in advance during planning. Rather, it is important here to a) identify all relevant risks, b) discuss manageable measures, and c) regularly review both and adjust as needed. The process can look like this:

  1. Relevant risks: as an entrepreneur, you should be aware of the risks that could affect the continued existence of the company. Both external and internal risks need to be considered. I will discuss internal risks in another article. Typical external risks are: global crises such as the financial crisis (it doesn't always have to be a pandemic that leads to a shift in expenditure), a competitor entering the market with a better product or competitive prices, unsuccessful integration following a company acquisition and the associated departure of key employees.
    There are certainly many more and these can usually be adequately named in a suitable discussion. It can make sense to establish a person or a team as the "devil's advocate" with the task of being "paranoid". Limiting it to one person or team is important to prevent doomsday thinking from spreading throughout the company (this is a typical internal risk).
  2. Focus and communication: The list of risks must be prioritized. Because it will hardly be possible to address them all. After all, the main task of a company is to bring great products to the market and not to worry more and more about risks. It should be named which risks are likely, which ones would particularly hurt and what can be done about them with reasonable means. For example, the entry of a competitor (which will inevitably happen if you are successful) can be countered by good customer relations, a clear roadmap, and continuous innovation. The risks as well as the related measures should be communicated regularly and in an appropriate manner (this is again a separate topic).
  3. Review and adjust: the risks themselves should be reviewed 1-2 times a year. More often is not necessary in my opinion, otherwise you lose focus. The measures themselves should be looked at more often - are we doing enough, for example, to be ahead of the game, how do we determine this (define key figures!) and where do we need to readjust.

When this is taken into account, Mr. Murphy can even become a welcome guest to ensure that you don't rest on your laurels and keep moving forward.

Understanding Your Idea: Vision and Mission Statement

When you start and grow a company you are often asked for a vision / mission statement. I went through this exercise several times with my team, analysts (like Gartner), my coach, etc. and I believe that understanding your vision is more important than you think for at least the following reasons: understanding why you do things helps you to 1) align you business, 2) explain your offering to prospects, and 3) re-invent your company whenever needed. Ultimately, it helps you to stay in the driver seat (vs. being driven by others).

I have read a lot about how to sharpen your vision / mission statement and can recommend to review 2 ideas from Simon Sinek - this is the best I have seen because it leads to clear and easy to understand messages. That does not mean that it is easy getting there, though.

  • Read the idea of framing a vision by a "Just Cause" that meets the following criteria: 1) for something, 2) inclusive, 3) service oriented, 4) resilient, and 5) idealistic.
  • The "Just Cause" is linked to your mission statement that can be derived following another of Simon's ideas: the "Golden Circle". According to Sinek, many companies start messaging with the "what" they do, followed by the "how" and the "why". Since your customers expect an answer to "why are you here?" It's good to turn this around in your mission statement and start with the WHY.

This is not a one-time exercise. Share some brains around this approach and get started. And then refine it over time based on feedback and insights that you gain on your way. I will continue to share my experience about a corporate model based on your vision/mission statement that helped my former company grow over the years.