Understanding Your Idea: Vision and Mission Statement

When you start and grow a company, you are often asked for a vision / mission statement. I went through this exercise several times with my team, analysts (like Gartner), my coach, etc., and I believe that understanding your vision is more important than you think, for at least the following reasons: understanding why you do things helps you to 1) align your business, 2) explain your offering to prospects, and 3) re-invent your company whenever needed. Ultimately, it helps you to stay in the driver's seat (vs. being driven by others).

I have read a lot about how to sharpen your vision / mission statement and can recommend reviewing two ideas from Simon Sinek - this is the best I have seen, because it leads to clear and easy-to-understand messages. That does not mean that getting there is easy, though.

  • Read the idea of framing a vision by a "Just Cause" that meets the following criteria: 1) for something, 2) inclusive, 3) service-oriented, 4) resilient, and 5) idealistic.
  • The "Just Cause" is linked to your mission statement, which can be derived following another of Simon's ideas: the "Golden Circle". According to Sinek, many companies start their messaging with the "what" they do, followed by the "how" and the "why". Since your customers expect an answer to "why are you here?", it's good to turn this around in your mission statement and start with the WHY.

This is not a one-time exercise. Put some heads together around this approach and get started. Then refine it over time based on the feedback and insights that you gain along the way. I will continue to share my experience with a corporate model based on the vision/mission statement that helped my former company grow over the years.

Number#9, Episode 001: Interview with Gary McGraw, PhD, about the state of security and successfully growing a business

In this 1st episode of my podcast "Number 9", I interviewed my friend and idol Gary McGraw about software security and what it means to grow a business. For the convenience of those who prefer to read, you will find below a transcript of the recording, generated by a piece of software and reviewed by myself. I was surprised by the high quality. We used a platform called Irius for the recording since we could not meet in person for obvious reasons. It depends on the line capacity, and since Gary was sitting in a small cabin somewhere in the middle of nowhere, there are some outages in the recording - sorry for that. I learned it's smart to have no landline phone or any other ringing device in the room. The numbers you see in brackets are time-stamps for your convenience. I have also marked my questions in bold and key insights in italics. Hey ho, let's go!

Markus interviews Gary McGraw.

And here's the transcript.

Markus: [00:00:07] Gary, I'm pleased to have you on my very first podcast. I have never done that before. I don't know whether I will do it again. [Gary making a funny comment on this.] So - I first learned about you and your work in the last century, when I read about your code scanner ITS4, which stands for "It's the Software [00:00:37], Stupid - Security Scanner" - as far as I remember.

Gary: That's right.

Markus: And I consider you a true pioneer in the field. And from the day I read about that, I knew what my profession would be for the next 20 years or so, until this day.

Gary: Cool. Either cool or I'm feeling sorry.

Markus: Yeah, we'll argue about that [00:01:07] when we meet in person again. We have talked about that a few times before, but what do you think about the modern term these days being "resilient" software, not secure software? What should everybody do?

Gary: Well, look, the main thing to understand is that in order for software to be secure, you have to set out to design [00:01:37] and implement it that way.

So the first thing to understand is that you can't just take a piece of software and make it secure later in an economical way. The best way to do it is to build security in throughout the entire software development life cycle. And so, as I explained in my book Software Security, there are a number of activities that you can put into your software development life cycle. No matter whether it's [00:02:07] DevOps or waterfall or any ... doesn't matter, goat sacrifice ... the idea of the touchpoints is that if you have certain software artifacts, then you can check them for security. So I'll give you three examples. One touchpoint is code review. Every single software project is going to have code, and you need to take a look at it for security bugs [00:02:38]; a code scanner like ITS4 can be used for that, or Fortify or Coverity. There are a number of commercial tools available now that were not around 20 years ago. So check your code with a code review tool.

Another touchpoint is to do architecture risk analysis or threat modeling. This is often overlooked, especially today when people are doing DevOps, and there are few tools for architecture analysis, although they're coming [00:03:08] around now, so that's something we see a lot of activity in, in software security today.

And then the third touchpoint I want to focus on, out of 7, is penetration testing. It's kind of funny, but everybody seems to start with pen-testing. That's not the one to do first. It's better to do code review. It's better to do architecture analysis, and then you can do some pen-testing later. So that's an example of what you have to do in order to build what you term resilient software [00:03:38] or secure software.

Markus: And it turns out that penetration tests are the thing that most people have on their checklist. "Oh, when we want to be secure, let's have a pen-test" - and we both know that the journey starts then, it doesn't end there.

Gary: That's right. And you know, I think that penetration testing is good, you should do it, but it should not be the only thing you do [00:04:08]. And if you're going to start out with a software security initiative, you really shouldn't start with pen-testing. That's not how to get started.

Markus: Well, when I speak with people these days, it is after having sold my own company - and I know that you did the same a while ago. So you grew your company Cigital - let me know whether the number is true - to up to 400 people [00:04:38] in the end, over many, many years. It starts with, I don't know, some guys in a garage over a beer, and then overnight you are 50, then 100 and finally 400. [00:05:08] What do you remember as a remarkable tipping point in that growth journey? Is there anything you remember where you had to reinvent the company, bring some people in, get others off?

Gary: Yes, that's a really good question. So I can think of three important things that helped us to grow to 400 people. The first is that the founders who founded Cigital - the two founders, actually - really did a great job getting the company started and grew it to a certain size, [00:05:38] but they basically hit the wall around 50 people. So at that time we had a major crisis inside of Cigital, and we had to hire a new CEO and I got put on the board. It's a long story, best told over beers and not in the podcast. But in the end we got past that, and it took a realization that though the founders were great, they were not the sorts of people that were going to make Cigital what we all wanted to make it, including [00:06:08] them. Their capabilities ended around 50 people or so. So that's one thing that was an important lesson. I don't know if that happens to all founders, but it does seem to be common enough that it's worth mentioning.

The other decision that we made, from say 50 to 250 people and then beyond, was to run an open book company where we showed everybody what the revenue [00:06:38] was, what the expenses were, ... we didn't talk about people's salaries, but we put all of the numbers for all the divisions in a very big spreadsheet up on the wall every month and we let people ask questions about what was going on. Because we did that, we taught people how the company actually ran and made money. We showed them what kind of impact their own activities had; they could see how much budget they were burning [00:07:08], what the results were, whether that was good enough, and that open book philosophy was really fantastic. The one funny thing about that is that almost every time we would put the numbers up, somebody would ask again: "What's EBITDA?" and we would have to explain that's earnings before interest and depreciation and whatever - every single time we'd say it's a proxy for cash. But so that goes [00:07:38] to show that even if you see the numbers every month, it doesn't really mean you know what they're saying. That's two things.

And then the third thing that I think was really important for us at Cigital: we really cared about customers. We were a consulting firm, and so the success of our customers was super important, and as a result our customers really liked us and they told other people about us, and so we spread [00:08:08] by word of mouth. This was particularly important in the financial services industry, which is very tight-knit. And so, you know, that kind of word of mouth and customer success was very important for us. Those are three kinds of things that I think were critical to our success that I would watch out for.

Markus: Yeah, that's very insightful. So bringing people in [00:08:38] or getting them out is something that I have experienced, too. We tried that open book thing and we got the same questions every time, so I think I did that once a month or so. So as you know, I have never learned that, I'm an engineer. But in the meanwhile, I can sing this song. So we are sitting on different sides of [00:09:08] the big pond. I assume you are at home in West Virginia. [Gary: I'm in Virginia, not West Virginia, but very close to West Virginia.] Okay, so I'm in the Frankfurt-Heidelberg area, and I think we have both experienced cultural differences within North America, which is different if you see west [00:09:38], middle, and eastern America. But there are also some differences between America and Europe. What's your take on this? What do you need to consider? I remember that Cigital wanted to do some work over here, starting in the Netherlands. What was your impression of that?

Gary: Well, so we actually ended up with a very big staff in Europe of about 40 or 50 people by the time we were done [00:10:08], and several offices. What is funny is that I think that North America and Europe have more in common than they have differences when it comes to business, because my view is that it's about relationships with your customers. So you really have to have a trust relationship with your customer, and you have to be there. So one of the important things to know about doing business in Germany [00:10:38] is that you had better be there. You can't just zoom up and go, "Hey, how's it going? I'm sitting here in New York City. How's everything in ... where are you again? Germany? Oh, yeah..." That doesn't work. You have to go to Oktoberfest with somebody and have a beer stein and eat some bratwurst and build a real relationship. So I think that understanding the culture comes with that close [00:11:08] contact, and that close contact and that relationship building is important on both sides of the pond. Just to give you an example: at Cigital, we did a lot of work with JP Morgan Chase in New York City, and we had people living in New York City delivering there. We knew the executive extremely well. At the time Jim Routh was there, and Jim and I have been doing business together for, you know, almost 20 years now [00:11:38], and we've had our ups and downs in our relationship, but mostly ups. But we really knew each other, and we could talk very openly about what needed to happen, and plan, and work the politics and work the budgets and all that together. And then in Germany, we had the same thing happen. It wasn't me this time, but we developed a very important relationship with Daimler. And the way to do that was to be there in person.
So I came over and gave a big talk for their [00:12:08] CTO Summit, and then we had people that were delivering services, and we really spent a lot of time with the CISO over there understanding what was worrying the CISO and how to help him get his vision established at Daimler. And so both of those accounts, which were very big accounts for Cigital in the end, were built through relationships. And they were on different sides of the pond and they involved eating [00:12:38] different things and drinking different things. It was still people on both sides.

Markus: Yeah, and I miss that a lot. It's okay to see each other, to hear each other, but meeting in person in the same room or at a table sharing some beers ... we need that sooner rather than later.

Gary: We do, and you know, you and I developed our own relationship that way, in person. We've [00:13:08] had some very great times together, and we've done some good things because we trust each other and we have that relationship. So that sort of goes to show you.

Markus: Yeah. Yes sir. So one of the ideas of the podcast is to share some advice for the young guns who are out there with great ideas and who are bold enough to start their own company [00:13:40] and who plan to grow - sometimes growth is something that surprises you: you are successful, you are 5 people, 10 people, 20 people. And I think one of the differences that I have seen between Europe and North America is that most people over here are very critical of, or find it difficult, growing with external help ... with [00:14:10] some funding. I believe that funding is very important to overcome certain barriers or to overcome certain hurdles in growth. What would be your advice to young founders who want to grow their business and plan to raise some money?

Gary: Well, I've actually written about this and given talks about this very subject, and I came up with things that are [00:14:41] ... I wrote an article called "Seven things I've learned about running companies", which I wrote really before Cigital even got bought by Synopsys. So I would encourage people to look that up; if you just type in "seven things start up Gary McGraw", it'll be the first hit, on InformIT. But I think the one I want to emphasize with you is this. It's very easy, when you're a little company and you've got to meet [00:15:11] payroll and you have expenses, to forget what you're doing and chase only money. You say, "I gotta have money. Oh no, we'll do whatever we need to do, we'll take your dog for a walk. We'll cook you dinner and clean your bathroom for money." Don't do that. Only do what you're supposed to do for money. Don't do any other stuff. If somebody says, "Wow, you guys are really good at programming. [00:15:41] Can you just program this one thing for us?", say no. Keep your eyes on the ball of what you want to do, and do that for your customers, not anything else. That's a very, very important lesson. It's just called keeping your eye on the ball, and it often involves adult supervision. So that's one kind of long example.

Let me tell you the 7 things very quickly. Okay, here they are. I'm just going to run past them quickly [00:16:11]. (1) Learn to think and write and communicate. (2) Build a big network, and travel and meet people. (3) Follow the categorical imperative from Immanuel Kant, which says if you do that to other people, they're going to do it to you. So do the right thing. (4) Know what it means to look into the hole and say "ah, we may not survive" and not panic. (5) Be patient [00:16:41] and be consistent and develop a rhythm, and know that this is not a sprint. It is a marathon and you've got to pace yourself and breathe right and go for the long term. (6) Have fun and do what you're passionate about. Really, fun is important. If you're not having fun, what's the point? (7) Utilize your network of people, including people that have gray hair like you and me, and build great stuff, and the world will find your [00:17:11] great stuff if you build it. So those are my big pieces of advice in that article.

Markus: Yeah, and I did that while you introduced this and simply typed that into my browser, and everyone who repeats that will quickly find a write-up of this. Just a note on that categorical imperative. I have seen something similar to this: sometimes you win, sometimes you lose. And sometimes it's the other way around. [00:17:41] So be gentle even to competitors.

Gary: Absolutely. And people who think that business is the "art of war" are wrong. It's not. Business is "I want to get this done" and "you want to get that done", and together we can walk for a while because we have the same direction.

Markus: When we talk about [00:18:12] raising money, sooner or later you have to face people who speak a different language, financial language, and who bring spreadsheets to the table - that's not much effort, you just need to spend 23 hours of the day filling in this form and that form and blah blah blah. What would you consider a deal breaker in such a discussion?

Gary: [00:18:44] Well, I mean, number one is that you should never bullshit. So, if there's somebody speaking a different language there (I can hear your phone) - if someone else is speaking a different language in the VC meeting or whatever and you don't understand - tell them. "I don't understand what you mean. What are you talking about? What do you mean, EBITDA? I don't know what that is." It's okay not to know [00:19:14]. Don't bullshit. Don't make stuff up, and don't just pretend that you know what they're talking about if you don't. It's much better to ask questions, understand clearly, and show that you're a smart person who may have different kinds of experiences than the people that are going to fund you. So that's the number one lesson: no bullshit!

Number two is: if you think that those funding people are assholes [00:19:44], they probably are. Go to some different ones. Not all of the funding people are assholes, but some of the funding people are assholes. And you don't need the assholes in your life. Just stop the meeting and leave if somebody is an asshole.

Markus: That's generic advice for life!

Gary: Exactly. You know, it's surprising that people think "oh, it must just be because they are bankers." No, no, no. No, that's wrong. It's because they're an asshole [00:20:14]. And then the third thing is you don't need to do as much marketing as you think, so don't spend everything on marketing, because when you're little, if you're doing good stuff, you're going to have too much business and not enough people. And you don't need to spend the marketing money to grow fast until you're a much bigger size, say around - I don't know - 15 or 20 million EUR ARR a year; then you [00:20:44] can start spending on marketing. But before that you don't need to do that. So those are my three pieces of advice about the money situation.

Markus: I went through a similar exercise by trying to raise some money. I think it took us three or four attempts to be successful, in the end by selling our company. What's [00:21:14] your view on: should the exit of the former owners or founders be planned? So, is that something like "yes, you stay here for 12 months or 24 months and then you are out", or is there an alternative plan where people say it might be smart to keep you on board? So what's your take on this?

Gary: I have no opinion about this. I've seen it screwed up every [00:21:44] single way. Getting rid of the founders, keeping the founders - both can screw up. So there's no one answer to that. You have to just look at the culture of the company that is selling and whether or not it's going to remain without the central founder or whether it will blow apart. You have to make sure that the, you know - if you have an open book company and you start working for a closed book company, things are going to be very [00:22:14] stressful for people who are used to information and now have no information. So I think that the cultural fit is more important than what happens to the founders. And, you know, founders might think it would be fun to be in a new place, but I'll tell you from my own personal experience: when my company got bought, it got bought by a public company and we were in a division, I was only 2 hops away from the [00:22:44] CEO of this huge public corporation, but I felt like I couldn't get anything done because of the bureaucracy. I was used to just doing stuff; I would think of something and then I would do it, and if I needed budget, I would make it. "Poof". And I did not like the constraints of working for a large public corporation and all the bullshit and waiting around, and so I was a bad cultural fit for a public corporation, and I guarantee you I will never work for one [00:23:14] again. But I'm a really good fit for an entrepreneurial organization that needs to grow fast and to be nimble and to move quickly. So I'm not interested in turning cranks and making more money happen faster every quarter. I'm much more interested in changing the world and being out in the jungle with the machete, hoping that one day the world will build some train tracks out that way and establish a little village, and eventually [00:23:44] it'll be a city. So I'm much more of a machete guy myself.

Markus: Maybe the insight here is that it might be a good idea to think about what you want from the former owner. Do you want them to continue to push something? Then you should enable them to push things - or not, and then you should be transparent about it: you will be out in, I don't know, 12 months, 24 [00:24:14] months or whatever.

Gary: Sure. I mean, I worked like this. I just said, "Look, I'm going to give you three strikes, like in baseball." And if you have a strike with me, I'll tell you: that's a strike. "Well, I sure don't like that. That's terrible. That's one strike." And if another strike happens: "Oh, that thing that you did, that doesn't work for me. That's another strike, so you've got one left." And then I'm out. And that's the way I worked it for myself, because I had never worked [00:24:44] for a big corporation. It was fun. It was really fun to, like, press a button on the aircraft carrier and see what happened. Like, what kind of missiles got launched, what kind of plane blew up? No, but they didn't really like that. Like, who's this guy pressing buttons? I was like, I don't know, I'm pressing buttons because it's fun. No, but that's just me.

Markus: Oh yeah, I like that idea of the three strikes. Maybe [00:25:14] that's advice for everyone listening here: to formalize something like that in your Sales Purchase Agreement, saying, hey, so I had rules for what I was not allowed to do. Maybe there can be some rules for what the buying company is not allowed to do.

Gary: Yeah, and you know, the deal structure really impacts that. I mean, I had the luxury of doing that because we had an all-cash [00:25:44] deal. I did not have an earn-out, and I didn't have to, like, you know - there wasn't stuff I had to do to make it a success. I cared about my people. I wanted to make sure everybody was comfortable and they had a good career path and that Cigital didn't just fall apart. We didn't want to abandon it and take all the money and run away. But at the same time we had the luxury of being able to walk away, because it was just money in the bank over there.

Markus: [00:26:17] So we sort of touched the next two questions somehow, so I'll skip them and come to the last one, going back to our core passion, security. What do you think - what's the next big thing around the corner?

Gary: Well, what I've been working on for the last two years is artificial intelligence and machine learning security, and I actually formed an institute [00:26:47] called the Berryville Institute of Machine Learning. You should know that Berryville is a town of about 2,000 people, which has more cows than people. And the institute has been studying machine learning from a security engineering perspective and making quite a big splash. In fact recently, I'm proud to say that we got a grant from the Open Philanthropy people for $150,000 for this year to do whatever [00:27:17] we want to do in our machine learning security space. Because they feel like what we're doing is that important: that we are in some sense keeping an eye on big companies using machine learning, like Microsoft and Google and Amazon and everybody else, who are using machine learning like crazy and who have very good machine learning security people, but who are also huge corporations that are a little bit greedy and [00:27:47] care less about things like ethics and bias and other aspects of AI that are super important to understand. So we've been working on that hard, and I guess my brain is just steeped in that. I'm just filled all the way to the brim with machine learning security stuff. And I absolutely love it. It's a very new field. It reminds me of software security in around 1998, which was a long time ago. [00:28:17]

Markus: And I learned that a good podcast should be around 30 minutes. We have 28 minutes done, and that was a very nice concluding word, Gary. Many thanks for your time.

Gary: Yep, it's my pleasure. I can't wait till I see you in person, Markus.

Markus: Same here. We have a lot of drinks to catch [00:28:47] up on.

Gary: Indeed. Talk to you later.

Interview: the pandemic as a chance - my own COVID19 mask factory, part 2

The first part of this interview with Christian Herzog was more about the topic of COVID19 itself; here in the 2nd part we shed light on the founding of the company.

Christian, you spent many years in leading positions at large IT companies. What made you decide to start your own company?

There were several reasons that came together, so that the German Mask Factory was launched from a single idea:

  • The trigger was certainly that, privately, in the middle of the 1st lockdown, we ourselves were faced with the problem of getting masks and disinfectant, which were only available at horrendous prices and with long delivery times. We then briefly considered importing some ourselves through a contact in Asia. However, we then considered whether and how we could produce masks ourselves in Germany, also in order to reduce the supply dependencies we had experienced ourselves. So the idea was born.
  • We then did the math and tried to look at it from all sides, as far as that is possible in such an unpredictable and volatile market environment. We saw a great and sustainable opportunity in it, if we position ourselves correctly.
  • It also gave us a bit of a boost that it was something "meaningful" and we definitely see a point in doing something that is important and good for society.
  • And in the end, at least for me, the time was simply ripe to do something new. I'm sure you've experienced this too ... I wasn't dissatisfied with my previous job, and it was also fun most of the time. But it lacked a bit of fulfillment. For me, what I do has to have meaning, and lasting meaning. If you already invest a lot of your life's time and your heart and soul in a job, then it should also be something you believe in and stand up for. Something you burn for and can develop passion for. And I think that was one of the main triggers. On the one hand, to see something that makes sense and that I can get excited about, and on the other hand, to have something where, if you're honest, the air had gone out a bit.

The founding team: Christian Herzog and Andreas Mühlberger

You responded to the pandemic by founding a company and acted very quickly - how much planning and how much risk was involved in your thought processes?

Yes, that happened quite quickly. We made the decision that we wanted to start in early April 2020. Then we had about 2 months to plan, to clarify issues such as financing, location, plant, material, our own time, certification, etc. Then at the beginning of June we sat with the notary and incorporated the company, and in September we already started production. So in less than 6 months we had set up a medical device manufacturer, created 120 pages of technical documentation and a QM system, found a partner who can reliably supply us with good nonwoven material, and set up a production facility.

With a roadmap like this, I think it's clear - and time was really of the essence here - that you can't deal with the risks every day. At the beginning, we thought about what could go wrong and defined the maximum financial framework that we were prepared to invest. And we set ourselves a timeline by which we wanted to have achieved certain things, or where we wanted to lay our cards on the table again.

Our plan is to manage as far as possible without outside capital in the first phase and to ensure that the company is self-supporting from the outset. This means that we invest cautiously and from the capital that we generate. This is simply because the market in which we are currently operating is very difficult to plan and is strongly driven by the pandemic and political decisions. This means that we are constantly adjusting our plan and making decisions at short notice. For example, we had planned to produce special smaller children's masks and had also pre-planned this with the manufacturer of the production plant, but postponed the whole thing for the time being because there is currently no market for us.

The factory - brought to the front door.

What were the biggest hurdles in the founding process?

There are always hurdles ... which ones are the biggest is hard to say. One hurdle that many start-ups have to deal with is awareness. At the beginning, we focused a lot on local marketing in the region and, for example, organized a fundraising campaign for schools right at the start of the school year. And we get great feedback from almost all of our customers. Those who know us and have bought our masks once will stay with us and buy again. In other words, our strategy of having a high-quality product that you can trust is working. But in terms of Germany as a whole, we are simply not known enough. We still lack the reach and presence.

I think in general, things happen every day at every startup that weren't planned that way. Good and bad. And it's important to just keep going, to solve the problems when they come, to take the opportunities when they are there, not to give up, but to just keep going and not lose sight of the big goal, the long-term plan.

The business has taken off and you have proven that the plan is basically working. But I don't think this story is over yet. At what point would growth capital make sense and what would you use it for?

I think that growth capital could make sense for us very soon. At the latest when the pandemic situation returns to normal somewhat towards the summer, the market will also change again and then we will have to invest in two areas.

First and foremost, in our brand, marketing and sales activities. We absolutely need more reach and awareness. Ultimately, our product and its better features distinguish us from the many competitors, especially Asian ones, who sell purely on price. To achieve this, it is important to be able to explain the difference and to create an awareness of good quality in the market. I like to compare this with the organic market ... not everyone cares about organic products in the food sector. But there is a growing percentage of the population that cares about sustainable agriculture and species-appropriate, organic animal husbandry and values chemical-free food. Today, for many, a mask is simply still a mask. And our challenge is to create awareness and understanding among our potential customers that there are significant differences here and what the benefits are.

And beyond that, we need more production capacity, which ties up capital but also enables us to implement our innovative ideas that are currently still in the drawer. Both in the direction of further automation of production and with regard to special product innovations.

Interview: the pandemic as an opportunity - my own COVID19 mask factory, part 1

About a year ago, Corona began to become an all-encompassing and omnipresent part of our lives. During the easing of restrictions in summer 2020, I was amazed when my college friend Christian Herzog placed a pack of mouth-nose masks on my desk. "Made in Germany," he said, "I now have my own factory." As the evening went on, it turned out that this was no joke. Here is the first part, about the start-up idea, because I think it is very exciting to act in such a dynamic environment and to create something good with it. The second part is about the founding itself: what drives you to take such a step, how did the planning go, what problems did you encounter and what happens next?

Christian, you have been co-founder, co-owner and managing director of "Deutsche Maskenfabrik" since 1 September 2020. You produce medical mouth-nose protection masks (MNS) in Germany. What goals are you pursuing with this?

Our goal is to make ourselves less dependent on Asian imported masks and to offer people in Germany a safe, high-quality product that they can trust and that protects them. That's why, for example, we only use fleece materials made in Germany for our masks. And our customers notice the difference immediately - the masks are much more comfortable to wear, don't smell and the earbands hold. Furthermore, it is also important to us that we produce as sustainably as possible. For example, we do not pack in plastic bags but in classic folding cardboard boxes and we are working on take-back and recycling concepts for bulk buyers of our masks to reduce the waste generated by the used masks.

Input: the materials for the masks.

We see enough experts on TV. However, you are working on the implementation and have intensively familiarized yourself with the topic of COVID 19. How do you assess the pandemic and what is still to come?

You can see quite clearly from the infection figures that the current, very tough measures are helping and the numbers are going down. So I hope that the lockdown can be eased a little bit soon. Also, I think the spring and summer will bring us some relief. We already saw in 2020 that infection numbers go down when it gets warmer. On the other hand, the virus is not just going to go away. We can see how difficult it is and how long it takes to vaccinate the entire population. I am therefore afraid that COVID 19 will keep us busy for the whole year and beyond. Moreover, mutations of this virus have already occurred and there will probably be new pandemics in the future.

On the other hand, this pandemic will also change us as a society. I am convinced that, for example, air travel and travel, especially in business, will not come back as strongly as it did before the pandemic. Businesses and employees have seen how digitization can help them work efficiently, even without having to physically meet in the same room all the time. And that will bring change. For some it will be positive, for others rather less so, when I think of hotels that live off business travel, for example. But last year, we achieved our climate targets for the first time - ultimately due to the two lockdowns and the reduced travel. An exceptional situation such as this global pandemic always offers opportunities to bring about change.

Wearing masks is common practice in Asia, for example, even without a pandemic. Because it simply helps to avoid infections, especially where many people meet closely. At my former employer, we sometimes had sickness-related absences of up to 35% of the staff in some areas during a normal winter. Last winter, this was significantly less due to the Corona-related hygiene measures (spacing, hand washing, wearing masks). Therefore, I believe that masks in particular will have a place in our daily lives even after the pandemic. Certainly not for everyone, but there will be people in Germany who will attach importance to quality and local production and that is ultimately the area we are fighting for and which we would like to cover with our products.

Output: the finished masks ready for sale in the shop or for distribution.

As a professional, what is your opinion: which masks will help us, why and how?

In Germany, we actually distinguish 3 types of masks in public:

  1. OP or medical MNS masks - these are the masks that you know from the hospital, rectangular with these typical folds. Surgical masks have actually been tried and tested for decades and are made precisely for infection protection. If the masks are well made, i.e. the material doesn't stink and doesn't scratch and the ear straps are soft, then I can usually wear them comfortably for a longer period of time. And this is therefore also the mask that I would recommend in normal everyday situations.
  2. Then there are the FFP masks, which are currently on everyone's lips ... or above everyone's lips. They actually come from the field of occupational safety and not at all from medicine and are primarily used to protect against dust and other harmful substances, such as those that occur during grinding. FFP2 masks are also suitable for protection against infection and I would recommend them wherever I either have a particularly high risk of infecting myself or others or want to pay particular attention to protection. So e.g. in nursing homes, doctors' surgeries, etc. FFP2 masks protect particularly well, but they are also not as comfortable to wear and hinder breathing significantly more. Without a mask break, this can quickly become uncomfortable and also harmful for the wearer. So it is always a trade-off. In normal cases, for example in the office, I would rather advise wearing a surgical mask as often as possible and changing it more often, because they are also much cheaper than FFP2 masks.
  3. And then in Germany there is the term of the everyday mask or the makeshift mask. This is actually not a special type of mask; the term originates from the first lockdown in March last year, when there were not enough surgical masks for everyone. That is when the politicians asked that we leave the good surgical masks for the medical staff and help ourselves, e.g. with homemade masks. This is how the term everyday mask or mouth-nose covering came into being. This term actually stands for all other types of masks that have no specific proven protective effect: from simple self-sewn fabric masks, ski masks or even special fabric masks with filter inserts to a simple scarf that I pull over my mouth. These makeshift masks are currently only allowed in a few areas in Germany. In most areas, either an OP mask or an FFP2 mask is currently prescribed, both of which have a proven protective effect and of course both protect the wearer as well as others.

Interview: Thomas Köhler on due diligence, being self-employed and health

I have known Thomas Köhler for many years, from the early days of Virtual Forge. At that time he was still managing director and partner of his own company. We have stayed in touch to this day, even though our paths diverged.

The interview provides insights from the perspective of an investor and from the perspective of an entrepreneur seeking growth capital:

  • Only the correct assessment of future viability leads to a good valuation
  • Say NO when it doesn't fit
  • Do not neglect work-life balance and health in the medium term
  1. Tom, what happened next for you and how did our joint due diligence project come about?
    In 2006 it became clear that my ideas about the future of my company (development into a specialist for managed services) and those of the main shareholder (corporate IT concepts for medium-sized businesses) did not match. As a result, we parted ways and I sold my shares. After 15 years in my own company, it quickly became clear that a change to the "normal" employee life should not be my first choice. Fortunately, I have a large network, and so after a few months I joined a "boutique" management consultancy as a freelancer to devote myself to interim management.
    During this time I did not lose sight of the topic of security. Because I still considered it to be very promising (which I still do today), I often discussed founding a corresponding company with the owner and boss of the consultancy. During a conversation, you mentioned your interest in an investor, so I then established the contact.
  2. You then carried out the due diligence of Virtual Forge - what is your experience and what can you recommend to an entrepreneur going through such a process?
    The actual investor must have understood and thoroughly grasped the business of the target company, otherwise he cannot adequately assess its future viability and will arrive at an inadequate valuation. Since that time I have not been a big fan of pure financial investors for start-ups; in hindsight, the said consultancy would have been one in your case. Surely there would have been interesting contacts, but basically the relation to your topic was missing.
  3. What have you done since then in terms of start-ups, projects, etc. that particularly excited you?
    After a warning shot regarding my health, I joined a medium-sized logistics IT company with big growth plans. Due to its success, this company was then bought by a global player, so that I am now active there as an employed manager. However, I also founded companies again relatively soon: apart from supporting start-ups as a mentor, I deal very successfully with the topic of data protection together with a lawyer. This can be presented very well as a sideline and has many points of contact with security. It is just not possible to be completely self-employed.
  4. Looking back, we didn't take the step at the time: our reason was that we didn't believe in the future or the story. Likewise, the valuation was just far too low. How do you see it in retrospect?
    You were absolutely right. Apart from the financial aspect, it certainly wouldn't have fit in the medium term, for lack of reference to the topic. In addition: If the gut feeling is not right, one should not marry...

Interview: Prof. Sebastian Schinzel on startups, entrepreneurship and future security issues

I have known Sebastian since the early years of my former company Virtual Forge. He has been teaching and researching applied cryptography and system security for many years and is co-founder of the Institute for Society and Digital (GUD) at Münster University of Applied Sciences. He was also North German Champion, German Vice Champion and Team World Champion in Biketrial.

The interview with him revolves around:

  • Stay creative with solutions, as no one can say how attacks will evolve
  • Staying authentic as a founder and entrepreneur
  • Strengthening the security industry in Germany and Good Ol' Europe
  1. Sebastian, you have witnessed the transformation of Virtual Forge from a group of idealists to a company. What influenced you the most from this time?
    Back then, we came to Virtual Forge from the Capture The Flag (CTF) team of the TU Darmstadt and therefore approached the first customer projects more like a hacker competition than a consulting service. Those were exciting and educational times. Then, when the code scanner CodeProfiler was developed, the transformation from a consulting-heavy pentesting company to a product development company began. This was indeed an upheaval, as product development requires completely different corporate structures. Penetration tests are very creative and usually relatively short projects, while product development requires years of structured development that only bears fruit after a longer period of time. I was shaped by experiencing this and being able to apply it to my current entrepreneurial activities.
  2. You have already founded companies yourself. What goals did you pursue with them?
    The goal is to promote Germany as a business location and the IT security industry in Europe. There are many good people here, good training, many good ideas, but often too little courage to try the step to self-employment. This is probably one of the main reasons why Germany lags behind the USA in terms of innovative IT companies, for example.
  3. What makes a start-up successful for you and why can it go wrong?
    You need a good idea for a solution to a concrete problem in the market, a good team and customers with a concrete need for the solution. And a lot of stamina and a bit of luck. And preferably not a pandemic!
    Can you elaborate on that point a bit?
    For corporations, the pandemic often seems like a good excuse. It can be used as an argument for just about anything: Restructuring, downsizing, etc. For a startup, it's detrimental because funding is difficult, customers are unlikely to jump at new ideas, and it's also hard to bring people on board who are currently more concerned with job security (vs. going into a more risky startup).
  4. What is your opinion on the topic of "we stay as we are" vs. growth?
    One does not exclude the other. You can absolutely stay "as you are" and still grow. I guess it comes down to self-image: what does one see oneself as? Do I want to improve the world by making computer systems more secure? Or do I insist that I can only improve the world through this one service or product? The latter may prevent me from improving the world because the service or product will not catch on permanently.
  5. And finally, a technical question: which topics are suitable for you, as a "security professor", for a start-up?
    Cybersecurity will continue to be relevant, even if other topics such as AI are currently dominating the funding landscape. Companies are constantly learning and therefore are a "moving target". While penetration testing was very innovative 10-15 years ago with few specialized vendors, today almost every consulting firm has penetration testing in their program as well. Founders should ask themselves: what service, what product will companies be asking for in 2-5 years? If you have a good idea for this and at the same time have some innovative companies with buying interest up your sleeve, then you should consider founding a company.
  6. Derived from this - which ones will it be in the next 5 years?
    Many companies have learned that preventing cyber attacks, e.g. by looking for and closing security holes, secure software development, etc., is not enough. If employees open the wrong attachment, the attackers have a foot in the door and can spread from there. The current ransomware gangs are highly professional and have high profit margins. Pure prevention through protection is no longer sufficient. Companies need to ask themselves:
  • How do I detect successful attacks in a timely manner?
  • How do I know the extent of the attack?
  • How can I stop the attackers from spreading further?
  • How do I reliably throw the attackers out of my network?
  • And of course: how do I rebuild my IT infrastructure if an attacker has already penetrated deeply?

These are questions for which one needs specialized personnel, possibly also with on-call duty etc. Most companies cannot handle this. Some of it can be outsourced to Managed Service Providers (MSP), but some of this knowledge must also be available internally.

Image source: Münster University of Applied Sciences, Wilfried Gerharz