This is a multi-part blog series. If you haven’t already I encourage you to read the first two installments:
Part 1 - My First 100 Days in ProdSec at a Series E Startup
Part 2 - From gates to responsibilities
As mentioned in my previous posts, one of the key takeaways from The First 90 Days was to understand that past performance and solutions will not necessarily help you in the future. I found this to be strikingly true at Highspot. As a consultant it’s easy to swoop in, find flaws, deliver a report, and move on to the next customer. When you don’t have to live with your long-term decisions or maintain the day-to-day relationships, and when you don’t have time to fully understand the reasons and history behind current decisions, things are a lot simpler.
I fell victim to this when, wanting to create a roadmap for my team’s growth, I created an internal document I called “Highspot Product Security Culture and Staffing Goals.” The intention was to outline my vision for the team I’d build, our responsibilities, goals, and culture. I had built a large engineering team before and knew exactly the kind of culture I wanted to continue to have. I also had a number of examples of successful security programs that I had helped successfully roll out to other companies in similar situations.
After I wrote up this “manifesto” for my team I circulated it to a number of senior leaders at Highspot to get their feedback. The feedback was extremely good, and it highlighted a number of structural changes I needed to make.
I had four key takeaways from this experience: understanding the culture of feedback, how to structure your proposal, the mechanism of change, and the scope of work recommended. An amazing aspect of Highspot is our deep-seated Guiding Principles. These are principles that I’ve found myself wanting to pursue and internalize my entire career; it’s awesome to see them codified and followed by the organization. You can learn more about all of these principles in this Company Culture blog post.
Culture of Feedback (Open and Real)
We provide candid and constructive feedback. We avoid politics and say what we really think.
First consider how your peers are comfortable giving feedback. Is it better to make a best-effort proposal to be debated, no matter how far from the final result it may be? Or is it better to call a live meeting to discuss a direction, then use the notes from there to create the initial proposal? Alternatively, are your peers comfortable giving you feedback as you go, so that they would rather you start on your work and provide feedback along the way?
Feedback is a critical component of success, so figuring out how to elicit that feedback in a respectful, comfortable way is a cornerstone of leadership. Radical Candor explores these concepts deeply.
In my example I started out thinking I’d first write a proposal as a document and solicit feedback on the document. While this is a well-established process at Highspot, I should have spent more time discussing my proposal with individuals 1:1 to get closer to a final solution that would integrate with Highspot’s culture and structure. Highspot also uses Office Hours to solicit feedback and discuss proposals. The Directly Responsible Individual (DRI) shares their proposal and invites anybody who would like to attend or ask questions to a meeting. During that meeting we go over the proposal quickly, then field questions. This is a great way to quickly arrive at a better solution. Sometimes one person’s question will help others think of other questions and solicit wider feedback than you’d otherwise get.
Structure of Proposals (Collaborate Across Boundaries)
We ignore the org chart to bring together the right people regardless of team, role, or level.
Highspot uses a modified version of Amazon’s famous one pager (sometimes called a two pager or six pager). Although they’re called a “One Pager” at Highspot, I have yet to read one that is actually only one page long. The length is inconsequential; it’s the structure and format that matter here. These documents include the following sections: Problem Statement, Goals, Options, Requirements, Examples, and Rollout Plan. Following this format makes it clear to the reader what problem you are solving and why, and how you are proposing to solve it.
When I wrote my proposal I hadn’t been here long enough to understand the proposal format, so I used a more narrative format. When I shared it with a leadership team that is used to reading many One Pagers per day, the narrative format was far less efficient for them. It led them to ask a lot of questions like “What is the problem we’re solving here, exactly?” and “Are there other options we can explore?” as they tried to fit my proposal into their mental model.
Highspot’s One Pager format is highly efficient and solution focused. As a senior leader myself, it helps me quickly grok a new topic from a new team and be as effective and helpful as possible in a very short amount of time.
Mechanism of Change (Make it Happen)
We act with urgency and are willing to move mountains.
Understanding how change happens in your organization is critical to success. Everybody may agree the change needs to happen, but without somebody who understands the key players and culture to drive the change in an acceptable way, it may never gain traction and will languish or die after months of general agreement.
My proposal focused on an end state, not on the roadmap to get there. At Highspot we use the concepts of a North Star, Click Stops, and a Directly Responsible Individual or DRI. The North Star is the ideal end state. The Click Stops are milestones toward the North Star. Our founders came from Microsoft, so I assume that’s where the terminology came from, but it’s a great way to discuss shippable features along the way to your ideal state and to make sure you have a stakeholder to make it happen.
Understanding a company’s mechanism of change is critical if you want to make change.
Scope of Work (Invest Wisely)
We constantly challenge the way we invest our time and resources, striving to maximize impact.
When building a proposal, is it more important to include all possible research, options, projects and goals, or does your organization value small, bite-size chunks of information that can be decomposed or reassembled as needed?
My proposal was too big. I modeled it after the final deliverables I would write as a consultant. The final deliverable has to include everything you want to say, with the understanding that the document may be decomposed or tackled piecemeal by the customer. In this case I was both the author and the customer. Breaking it down into smaller pieces would have allowed me to tackle each challenge with the right scope and audience. It would also have allowed me to properly prioritize my efforts. After all, creating a beautiful security belt program to drive excitement around my training is not as important as creating the training itself.
Balancing the immediate need vs. the long voyage
Possibly the most difficult challenge I faced within the first 100 days of starting at Highspot was triaging and prioritizing my work when everything feels like a priority. A single torn sail is a much smaller issue when you have a spare.
A friend asked me the question: “How do you build a plan while still managing day-to-day fire drills? Sorting out priorities in an environment where everything seems important. AND how do you figure out what risks don’t need attention yet? How can you feel good about, and communicate, when you shouldn’t be doing something (yet or maybe ever) when ideally you really want to get it done?” My response to that series of questions was:
I absolutely use this approach.
I also have a handful of other tools that helped me through. I’ll group these into two sections: Generic Tools which I think any person could use and Specific Tools, which apply more to my role or to security.
Generic Tools
Copious Notes: One skill that’s paid dividends from consulting is my ability to take meaningful notes during a meeting. I include who was on the call, our topic, goals, outcomes, next steps and more. I always title the notes the same as the meeting invite, with the date included. This makes finding notes faster and easier next time. I do not use any kind of tagging or folder system; instead I rely fully on my memory for keywords and search.
Eisenhower Matrix: I love the Eisenhower Matrix (EM). By grouping tasks into quadrants by urgency and importance you can quickly understand what must be done and when it needs to be done. When coming up to speed at Highspot I frequently use this mental model to schedule my time.
Prioritized ToDo list: If we’ve had more than a 15 minute conversation about time management, we have had a conversation about my ToDo list. I keep a prioritized todo list broken into three sections: today, this week, and later. My team at Highspot uses daily stand-ups to keep each other honest and on track. My ToDo list keeps me honest with myself, and there’s nothing better than checking off that last thing for the day or week. (Note: my later list is growing far, far faster than I can complete it. However, the list is still prioritized, and as I hire I have a clear list of tasks to delegate; have I mentioned we’re hiring?)
OKRs: our team uses quarterly and annual OKRs to make sure that we’re keeping our eyes on the Objectives for the quarter and year. We follow the Measure What Matters model, so our Objectives are clear but lofty. My ToDo list aligns with our OKRs or with newly incoming tasks prioritized by the EM.
Specific Tools
Risk Triage: my whole life revolves around risk. Risk feeds into the EM using a simple calculation of Likelihood x Impact. Risk slots nicely into the EM and provides guidance for when an issue needs to interrupt any other ongoing work. A single high-risk vulnerability becomes a Priority 0 issue that must be worked until it’s remediated. We ended up developing a custom risk metric for Highspot to help with this triage.
History of the request or issue: Some security improvements are an ongoing conversation. Some issues we’ve known about, and there are good reasons for them not being remediated yet (impact to customers, integrations, compatibility, etc.). Some features could be improved for future clarity and resiliency but don’t warrant an immediate fix. Understanding the history of the issue gives context that is helpful in triage.
Tradeoffs: Balancing the risk with the history of the issue, the likelihood of discovery, and the negative impact of the issue against the negative impact of delaying important feature and growth work is a difficult calculation to make. Some lower priority features may never be built, while some lower priority security issues may still need to be fixed, although on a longer timeline.
History of failed or proposed solutions: Again, as a consultant it’s easy to swoop in and make recommendations (Turn on HSTS and CSP! How hard could it be?). I get to work with the smartest people I’ve met in the industry, so many issues or security improvements may already be known, and there are good reasons they’re not yet remediated. I need to understand the constraints so I can make targeted, well-founded recommendations (with a clear North Star and Click Stops!).
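To make the Risk Triage, History and Tradeoffs tools above concrete, here is a small Python sketch of the kind of scoring they describe. It is an added example, not Highspot’s custom risk metric or any code from this post: the 1-5 scales, the P0 cut-off of 16 and the quadrant rules are my assumptions, and the backlog items are constructed samples, not real findings.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed scales and cut-offs; the post gives the formula (Likelihood x Impact), not the numbers.
P0_THRESHOLD = 16          # risk at or above this interrupts other work until remediated
IMPORTANT_IMPACT = 4       # impact at or above this counts as "important" in the matrix
URGENT_LIKELIHOOD = 4      # likelihood at or above this counts as "urgent" in the matrix


@dataclass
class Issue:
    title: str
    likelihood: int                        # 1 = rare .. 5 = near certain
    impact: int                            # 1 = negligible .. 5 = severe
    accepted_reason: Optional[str] = None  # documented constraint that defers the fix (the "history")

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def triage(issue: Issue) -> str:
    """Return the Eisenhower quadrant for one issue.

    P0       : risk at/above the threshold; interrupts ongoing work until fixed
    DO       : important and urgent
    PLAN     : important, not urgent (schedule it, e.g. as a Click Stop)
    DELEGATE : urgent but not important
    LATER    : neither; goes on the prioritized later list
    """
    if issue.risk >= P0_THRESHOLD:
        return "P0"                        # a documented reason does not buy time for a P0
    important = issue.impact >= IMPORTANT_IMPACT
    urgent = issue.likelihood >= URGENT_LIKELIHOOD
    if issue.accepted_reason:
        urgent = False                     # known, documented constraint: still tracked, not a fire drill
    if important and urgent:
        return "DO"
    if important:
        return "PLAN"
    if urgent:
        return "DELEGATE"
    return "LATER"


ORDER = {"P0": 0, "DO": 1, "PLAN": 2, "DELEGATE": 3, "LATER": 4}


def prioritize(issues: List[Issue]) -> List[Tuple[str, str, int]]:
    """Order the backlog by quadrant first, then by raw risk; returns (quadrant, title, risk)."""
    ranked = sorted(issues, key=lambda i: (ORDER[triage(i)], -i.risk, i.title))
    return [(triage(i), i.title, i.risk) for i in ranked]


# Constructed sample backlog (illustrative only, not real findings)
SAMPLE = [
    Issue("Auth bypass on export endpoint", likelihood=4, impact=5),
    Issue("Missing HSTS on legacy vanity domain", likelihood=2, impact=4,
          accepted_reason="customers still pin the old domain; migration scheduled"),
    Issue("Verbose error page leaks framework version", likelihood=5, impact=2),
    Issue("Stale dependency with no known exploit path", likelihood=1, impact=2),
    Issue("Unsigned webhook payloads", likelihood=3, impact=4),
]

if __name__ == "__main__":
    for quadrant, title, risk in prioritize(SAMPLE):
        print(f"{quadrant:9} risk={risk:2}  {title}")
```

The point of the `accepted_reason` field is the tradeoff the post describes: an issue with a documented reason for not being fixed yet drops out of the urgent column and gets scheduled, but nothing in the history lowers a P0, which still interrupts whatever else is in flight.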
Changing the trend line: A huge win is to simply change the trend line. What can we do to slow or stop the number of incoming issues of a certain category? If I’m getting hammered by one category of issues, I’ll roll out training on that topic immediately, then follow it up with guidance, linter improvements, tooling and more to make sure I never see that category again.
Summing up
Taking this new position at Highspot has been an amazing experience so far. It’s provided new challenges and new opportunities for growth. I am certain this growth and change will continue throughout my first year, and I look forward to updating this article as I round the corner of a year. Whether you are starting as an Individual Contributor, Manager, or Senior Leader at a new organization, spend time understanding the culture and process that already exist. Take the time to understand the past challenges and solutions, then apply your perspective and knowledge to propose new solutions and paths forward. Create a set of goals for yourself for your first 30, 60, 90 and 100 days when you join the new organization, but be flexible and understand there will be a steady stream of unforeseen demands on your time and energy. Use a method of triage like the Eisenhower Matrix to understand what you need to do now, what can wait, and what you can delegate.
In security there are a lot of tools, methodologies, and cultural changes that can be very beneficial. Play to your organization’s strengths to improve the culture of security. Introduce the changes in tooling, automation, assessment, training and more that offer the best value with the least disruption. Don’t be afraid to change direction if things aren’t working.
Taking a new job is a bit like training for a new sport. At first you’re working new muscles and are learning a lot. You’ll be sore and feel like you’re behind, but you’ll quickly come up to speed by spending the time and sticking to your plan.