13 February 2019
I started Jemurai 7 years ago. It seems fitting to write a reflective post about what has worked well, what has not worked so well and how it felt along the way. I hope it is interesting.
Honestly, when I started Jemurai there were three main reasons.
Let’s take those briefly in order.
My wife and I are both ambitious, but anyone who has met both us knows that she is the brains in the family. She’s literally finding new ways to detect and treat disease every day. I love her for all of her dedication to her work and, as I did when I took her name, I have always been committed to break out of typical roles and be the man behind the successful woman.
So, I spent time getting the kids to and from school, activities, and friends houses. I did grocery shopping, laundry and meals. I had what I thought were funny ideas about being a trophy husband, but that’s kind of a joke considering … well … me not being anything like a trophy. Luckily, my wife appreciates the rest of me all right.
In the early days, there wasn’t so much inherent pressure to work more so this really worked out well for our family. I could work 20 hours at a client and they believed I was splitting time with other clients. I did always feel a little bit dirty that clients tended to assume that I was with another client rather than working part-time. Somehow that seemed to really change the way people responded to the idea. Like if you were part-time, you couldn’t be serious. I imagine many women in the same position wouldn’t get the same “benefit of the doubt” if you could call it that. (Note - this is one of many areas where I feel like I had an inherently easier path than others might have … just calling it out because its there)
Anyway, I was part-time and I was serious. And I had the best time with my kids and built an amazing relationship with them. I also made it easier for my wife to do the same. We got better quality time as a family. It was like an investment that put money in the bank so that since then I have been able to draw when needed without even worrying about where my judgment will fall.
As the business has grown, this foundation of family has helped tremendously.
One of the challenges at the day job was that I wasn’t learning anything new on an organizational front. I didn’t have budget responsibility. I didn’t get to fight for dollars and resources, win, lose and learn. Now maybe that should have felt like a blessing or a gift, but I knew that if I wanted to grow I needed those at bats to learn.
I would go so far as to say that I wasn’t growing as a leader.
In 2012, software security was well established but many developers still didn’t know very much about security and the ideas around DevOps and bridging communities were just coming out. As a strong developer that was willing to talk about development and work from that point of view, I believed I could bring the security message to developers in ways that I didn’t see out in the world.
I like to invent things and change the way people think.
All of these provided ample reason to consider starting my own thing. I would recommend it for anyone that is self directed - provided you have a way to get work when you want it. Also, I was lucky in several ways. My wife was able to provide a financial security net. I was in a field where I had lots of connections and the billing rates were already quite high. With this recipe, the risk was digestible. Obviously, that risk equation is very personal. This is a second spot to call out the advantages and privileges I had in doing this.
I started trying to build a product called Honeyfield. The idea was to build libraries that would make it easy to “booby trap” an application with fields that would detect attacks and report on them. I wrote a wordpress plugin and thought that naturally everyone would start buying it. I still suffer from variations of the “If we build it they will come” mentality, but this was the earliest most naive instance. Needless to say, with only an engineering focus, that product went no-where.
I also had a former colleague (who I respect and look up to to this day) running a consulting company that said “Yeah, Matt, if you start a security business we will totally look into using your services.” I thought I had a customer. I didn’t know anything about selling, closing the deal, understanding client budgets, or any of that.
I managed to survive these early days partly because of the support I had but also because of engagements that I won doing consulting work. Turns out there is a fair amount of overlap between being good at software consulting and being good at very complicated security consulting.
So for years, I did consulting projects where we invented technologies or processes to help companies do a better job with security.
After a few years, it became obvious to me that the security field was booming. I thought to myself that it would be silly to stay in this field and not take a swing for the fence. Ironically, I would also tell people that my business was succeeding in spite of me because of the positive business climate. As an engineer, I could always tell you the 50 ways something would go wrong.
When we grew, it wasn’t just raw demand. We had sales help. I learned a tremendous amount from a dedicated salesperson who I met with every morning. He basically taught me how to do sales on the fly. I’m sure he was frustrated because I couldn’t give him better structures to build into but we made a spreadsheet to use as our first CRM. We targeted 100 companies then went to go get meetings. It was clumsy but it worked, generally.
We tried other CRM’s. I’ve posted about that. None of any of that had anything to do with the growth though. We grew when we talked to more people and offered compelling solutions.
Unfortunately, we also experienced the negative side of growth. Having very quickly grown to 15 FTE with additional support staff and contractors, we then failed on three fronts at the same time:
With a clear definition of an offering, you can:
Now, to be clear, I’m not talking about Pen Tests here. We have processes there. I’m talking about custom encryption projects, custom security signal projects, custom graph directory modeling, etc. We resisted standardizing those so hard that our standard AppSec program offering continues to look like a choose your own adventure game. See my post over at Jemurai about that.
Since our consulting teams were busy doing the projects, I was myself basically our account manager. Not getting help on this hurt us tremendously because we lost touch with what some of the stakeholders needed. When it came time to do the next project or reinvest or discuss the next year’s plans, our client stakeholders did not feel enough love and attention from me. Now in my defense, I was busy doing a lot of things. I wasn’t just sitting on my hands. But this was an absolutely crucial activity that I should have spent more energy on - or really - hired people to help with.
When we grew fast, we grew with several 4-6 person projects. That felt great on one hand, but we didn’t realize that it also meant that we had to turn around and sell a backlog of 4-6 person projects. Again, we put time into sales but we had a lot of trouble really thinking about the offering in a more standardized way. Finding companies that want to spend a million dollars on an AppSec project isn’t necessarily easy.
At the same time, I was thrashing. I started to delegate more parts of sales to my sales team. While I still trust them personally, I was not sufficiently skeptical or scared of what could happen. I wasn’t thinking about risk enough. Also, I think we had almost too good a rapport. I was not critical enough soon enough. On the flip side, they were not screaming at me about needing better support or standardized offerings.
Ultimately, we lost some deals and didn’t have the pipeline to replace them and it really hurt us. We constricted back down to 5 FTE.
During the growth period, I hired a lot of people that were from my personal network. (Not my professional network) I would recommend avoiding that. Even though I think each and every one of them understands what we went through, I still bear the burden of having hired them and having to let them go. I have tried to be as transparent as I can be with the team about the business, and I think that helped. But I can’t go back in time and not grow. I took those risks and bear the responsibility for what happened.
Luckily, we stabilized continue to have a great core team. But hiring new people continues to be a loaded activity for me because I don’t want to make those mistakes again.
As the consulting business constricted, one thing I wanted to do was to build a SaaS based business with recurring revenue. I figured that if I could get out there and produce monthly subscription revenue, I would then be able to justify growing and hiring based on money we had a very strong handle on.
I also love building products. That’s where many of my roots are.
So we built JASP. It took tons of effort from across the team. We bootstrapped it while we did consulting projects. I can’t call it a great success because we still haven’t mastered sales and marketing at any scale. So that’s part of my current challenge is to really step back from the tech side and help us to find ways to better navigate the business side of our business. It’s good to have good connections and instincts. It’s better to add good partners and good processes to recognize the gap and address it.
One of the things that is hard about being an entrepreneur is that you have to write your own path every day.
Do I want us to be a hyper growth company? Do I want us to be a stable “do it my way” company? Uh … yes!?!
So we keep navigating these things the best we can. I think we’ll continue to offer services and pair that with improving product ideas. As the product ideas resonate, we’ll build teams around them.
I pointed to standardizing, account management and sales when I talked about mistakes we made when we grew. Those are deeply woven into who we are becoming. We are learning there.
I started Jemurai 7 years ago. That’s the longest I’ve ever spent in any one company. It’s not a coincidence.
I mentioned several times that I have been attacking this problem from a position of privilege and with many advantages. I want to stop and say that even with those advantages, this journey has been hard. It takes time, it takes guts, it takes sleepless nights, it takes decision making when there are no obvious (or even good) options. That being said, I expect to continue to embrace the challenge. I hope that we can also, through things like the Accountability Groups and others, help folks that don’t necessarily have the advantages that I do to go after the things they dream of.
I’ve made tons of mistakes and experienced some success along the way. I’m glad to say I wouldn’t want it any other way. I have a ton more to learn. In fact, as with programming, the more I learn, the more I know how much more I have to learn.