Scroll Top

Defining Cybersecurity in Economic Terms with CEO Joe Saunders

In this episode of “Disciplined Trouble Makers,” host Scott Shagory engages in a captivating conversation with Joe Saunders, the CEO and founder of RunSafe Security. Together, they delve into the dynamic world of cybersecurity and tech entrepreneurship. From addressing the pressing need for memory safety in the government sector to navigating the intricacies of building a resilient tech company, Scott and Joe share insights and valuable lessons learned from their experiences in the industry. Join them as they explore the significance of memory safety, discuss the nuances of tech company growth, and highlight the power of improv in fostering effective communication and teamwork. This thought-provoking episode provides a unique perspective for tech leaders and entrepreneurs, offering a deep dive into the ever-evolving landscape of technology and innovation.

Quotes

“You want to make other people look good. Whether it’s your customer, a colleague in a meeting, or anyone else, the goal is to be selfless and create opportunities for others to shine.” -Joe Saunders

“One of the most important things that I’ve learned is having a really good framework about who you are and who your company is.” -Joe Saunders

Featured in this Episode

Joe Saunders
CEO, RunSafe Security
LinkedIn: https://www.linkedin.com/in/joesaunders/
Website: www.runsafesecurity.com
Podcast: https://pod.co/lessons-from-the-school-of-cyber-hard-knocks

Chapters

00:00 – Introduction
00:15 – Building Resilient Software: RunSafe’s Mission to Eliminate Vulnerabilities
05:27 – Adapting Economically in an Uncertain Landscape
09:35 – Shaping Intent and Navigating Economic Perspectives
14:12 – Aligning Efforts and Educating on Vulnerabilities
15:05 – Selling the Future: The Complex Process and Buyer Education
18:41 – Discussing Gremlin’s Solutions for Tech Companies
24:32 – Cash Flow Positive and Yearning for Growth Opportunities
27:08 – The Importance of Effort: Going Above or Below the Line
31:27 – Shifting Towards Open Source: Software Trends in Embedded Devices
34:13 – The Open versus Closed Source Debate: Perspectives and Insights
37:50 – The Art of Improv: Making Others Shine in Collaboration
41:09 – Embracing Mistakes and Fostering Resilience in a Learning Culture
47:14 – Learning through Experience: Structure and Risk-taking in
53:01 – Conclusion

Produced by Heartcast Media
http://www.heartcastmedia.com

Transcript

Scott Shagory:

 

Hello, and, welcome to the Disciplined Troublemakers podcast. I’m your host, Scott Chigauri. Our core goal here at DT is to provide insight and tangible value to CEOs and leaders of tech companies large and small. We cover critical ground around scale operational fitness, acquisition, and creating great companies. Today, we’ll be talking with, Joe Saunders, CEO and founder of RunSafe Security. RunSafe was founded in 2015 by Joe and CTO Doug Britton, to help protect embedded devices and systems from exploitation. Joe’s also an adviser on several start ups, A partner with NextGen Venture Partners and a graduate of U Michigan and also, George Mason University here in Northern Virginia. Joe, welcome to the podcast, and thank you for carving out some time to, chat with us today.

 

Scott Shagory:

 

I really appreciate you.

 

Joe Saunders:

 

Be here, Scott. I I really appreciate being on your episode. So I look forward to the discussion and and love the the podcast theme.

 

Scott Shagory:

 

Yeah. Thanks. Thank you, thank you very much. So let’s let’s go ahead and dig right in because You and I met through Michael Wellman back in 2018 or 2019. And one of the things that really struck me about you guys in the early days And then, you know, writing about you when I, you know, had a blog and that and that sort of thing was that, you know, a core thesis of unsafe is really You guys define threats in economic terms. You don’t tell a story of good versus evil or etcetera like that. Others, certainly, plenty do that did them and continue to do now. So, you know, for your ideal Prospect and customer.

 

Scott Shagory:

 

How does the shift in, you know, how you guys Talk about economics as opposed to the, you know, we’ll call it good and bad. You know, what is the impact on their decision to either work with yourselves versus other solutions in the marketplace and how that’s kind of I’ll I’ll I’ll comment afterwards, but how that setup kind of unfolds for for you guys and and what you do.

 

Joe Saunders:

 

Well, you’re right, Scott. I think kind of the founding story of RunSafe was Looking at all the problems with cyber security stem from you know constantly having to chase and chase and chase vulnerabilities and come up with new ways to fix things and patch things as you go and Identify known signatures and just kind of keep chasing you’re constantly on the treadmill. And a common thread between me and Doug then was that that sounds exhausting, chasing and chasing and chasing. We wanted to fundamentally change the concept and The idea was to come up with a solution that would not only protect against known vulnerabilities, but also against unknown vulnerabilities And almost future proof your technology from cyber attacks. And so we wanted to eliminate entire classes of exploitation, not individual exploits themselves. And so with that, when we talk to our customers to answer your question kind of directly, Is they think about it in operational terms, how much savings do I have by smoothing out my passing process, By getting rid of the madness of, identifying a vulnerability, immediately developing a fix, immediately pushing that out, Knowing that at every step, there’s a delay and there’s probably some drop off and people don’t apply all the patches, they fall behind on their versions. And so that model is broken economically. And so we wanted to demonstrate a way to bring an economic model that was more sound, Which was to take entire classes of vulnerabilities off the table from exploitation and do it in a way that doesn’t slow down developers, It doesn’t cause you to chase every single vulnerability, every single exploit as it comes out.

 

Joe Saunders:

 

And the good news is we pick the vulnerabilities that we take off the table that MITRE and others have said are the greatest software weaknesses in software today that lead to the most devastating attacks and are the most common vulnerabilities that exist, you know, today.

 

Scott Shagory:

 

Yeah. No. And and that makes that makes a lot of sense. I mean, from my standpoint, thinking about it also from kind of a a marketing, Sales and even strategy point of view is just that, you know, when each of us just as human beings are in a some sort of fear based state, Either we’ve placed ourselves in that or others have placed us in that. You know, what’s the most logical decision to make? It’s to make no decision at all, which means to make no buying decision. And I just in talking with even not so much technology teams and so forth, but even just others where they know security is a big deal. It has become even, you know, obviously, more important whether you’re following the administration’s initiatives and things and executive orders because you have to or because you just plain care. Often, firms will just scare the bejesus out of someone or a team, and then they just won’t decide at all because they don’t know quite what to decide.

 

Scott Shagory:

 

And the safest thing you do is just to kind of pull back. So, I guess, for me, the the principle behind it beyond what you have described in just strict economic terms, which I used to, and, you you know, we’ve talked about this in the past in a former life. I was, you know, head of a NOC, and we had a variety of, Obviously, security vulnerabilities on top of, you know, 20 other things that were everything was a crisis. You know, the economics, the practical economics that you’ve described is Yeah. I mean, make makes makes huge sense. I just find sometimes I think from the other side of it where you’re, Again, trying to sell a service or a product or whatnot, you know, frightening people into a decision is usually a very, very tough thing to do to do consistently and then to scale around that. It’s just I I just think it’s a really tough and rather Short sighted way of of of doing things, at least to build a company anyway. Yeah.

 

Scott Shagory:

 

Yep. In terms of, You know, who runs safe’s ideal client is? Because I’m sure that has changed and morphed and grown since 2015. And when when I wrote about you guys for the first time, I think Again, in 2019, I’ll have to check. Is are you guys focused on large enterprises and governments or large national governments, or is it smaller firms? And I guess, You know, where do you guys start? Either from a revenue perspective for that company or where the government agency is if it’s a budget like DOD or however they’re Slicing and dicing. Now what is for my audience and other CEOs, what does that look like for you guys?

 

Joe Saunders:

 

So we focus in on, Protecting software across critical infrastructure. And the owners of that infrastructure are buying all sorts of software products that they deploy Into that infrastructure. So our ideal customer and our target market is all those OEMs, all those product manufacturers Who build and ship devices and that really is across all the sectors of critical infrastructure. So today, we’re protecting software embedded on engine controllers for, engine control company. We’re also protecting firmware that goes on major computer server platforms. And so we are also protecting, you know, as you say, things for the government. So we’re protecting, You know, vessels that go on water for the Navy and, you know, the F22 is something we’re protecting for the Air Force. And then other products or other platforms for the US army.

 

Joe Saunders:

 

And they all have embedded software On various weapons programs, where when that device is in theater, it needs to operate and so resilience is a key thing. But if you go back to all the product manufacturers, part of their decision making process. And that would include folks like Schneider Electric, To are shipping things into energy grid or an industrial automation manufacturing plants. So folks like that to produce technology that get installed inside a broader aspect of infrastructure across critical infrastructure, in In fact, is our customer. And to the previous point, one of the things that is of interest to them is how they make their security decisions when they’re looking at hundreds, if not thousands of products That they ship out into that infrastructure. And so they need to make governance decisions, best practices, compliance decisions, Customer demand decisions, and just, you know, ongoing persistent threats that would undermine their products. So unfortunately, that last 1 is where the scare tactics come in. But the customers we sell to are tracking a lot of those players and they’re very fearful, without us scaring them.

 

Joe Saunders:

 

We like to talk about economic terms, But we actually help them create resilience from those bad actors.

 

Scott Shagory:

 

Yeah. And and that makes makes a lot of sense. And and and you guys have talked about that, you know, either, In other venues on the podcast, stuff like that in terms of just how I just think language, as we all know, language shapes Intent, it shapes our focus and what we what we prioritize. And I just think, you know, the economic conversation just Roots things very, very differently, and I just think it’s really powerful. And it’s it’s nice to have, you know, folks like yourself at RunSafe just Consistently share it’s not even sharing a message. It’s like a full philosophical approach to problem solving, that just ends up again, just having, I think, anyway, all sorts of productive benefits. To dig into the the tech a little bit here for a generalized, you know, audience and so forth, you know, memory vulnerabilities remain, and I’ll put this in quotes, a Great option, for bad actors to exploit. You know, do you think that the biggest opportunities here in terms of changing the game around this is really kind of on the hard side.

 

Scott Shagory:

 

So, you know, it’s tools, it’s automation, it’s making things as frictionless for someone or a team as possible. Or do you think it’s really on the softer side, meaning kind of a a cultural or awareness and understanding of the software’s end users and the pressures that they feel within the context of the work environment that they that they have. Because there’s kind of, I won’t call it a debate, but, You know, there’s a lot to, you know, potentially talk there, and I’m curious about how you guys or how you and the team at RunSafe think about that.

 

Joe Saunders:

 

Well, this problem that we solve has been around for 40 plus years. And so, on the one hand, training and awareness, and some of those softer Skills around cultural aspects of value and security and things like that. Those are always extremely important. The flip side is, you know, the hard tools give you a means to dramatically change, dramatically reduce the attack surface and change the game to free up resources to do other things. And so I think it’s I hate to say it’s both. And if you wanted me to choose, I would still Take a step back and say, what has really changed the game since this has been a problem, memory based vulnerabilities have been around since the eighties. And they comprise in compiled code, they comprise 60, 70% of the vulnerabilities. Many people aren’t even aware that they exist.

 

Joe Saunders:

 

So there is an educational aspect. But what I would say is, in the past year, The US government has gotten so serious about this problem. The NSA has issued guidance that people need to solve this problem. The National Cyber director has included memory safety as one of its core tenants in the National Cybersecurity Strategy. CISA has included it In secure by design, secure by default programs. The DOD is taking steps To protect against software vulnerabilities that are memory based that we talked about, in Congress has asked for oversight Regarding memory safety, all this has happened in the past 12 months. The previous 40 years, The government was not calling this out. And why is that? It’s because, people fear that critical infrastructure, I’ll go to the fear of common, They fear that critical infrastructure is vulnerable.

 

Joe Saunders:

 

Now, national security fears for a single company is not the driving force. That’s the government’s driving force. So finding ways that are economically sound that achieve A dramatic reduction in the threats or I’m sorry, in the risks, really is a significant change. So, I think The education, the awareness in the drive from the US government is actually going to change, how people view this problem In a very profound way. And so, I think there are soft angles, I think there are hard tools angles, and I think the government Focusing in on the problem for critical infrastructure certainly helps as well.

 

Scott Shagory:

 

Yeah. I I think, you know and I would agree. It’s an important clarification where In this, maybe one of few instances where fear has been a genuine driver of not just regulation, but Alignment, enforcement, etcetera. Everything’s kind of lined up in a way that you would that would be ideal in a very compressed period of time where there was genuine urgency And a desire to actually solve the problem being driven as opposed to just screaming at each other, which were which can happen quite a bit on Capitol Hill. So, yeah. Agreed. Agreed there. In terms of you’ve mentioned you’ve mentioned in your answer education a couple of times, which is leads right into to the next one that I’ve got here where, you know, a lot of cyber teams spend a lot of time educating, you know, bringing someone up to speed on the issue or issues, how their Technology works, feature set.

 

Scott Shagory:

 

They eventually get to, you know, obviously selling someone’s future to them. But it’s, you know, it’s really often at significant cost, not just the money, but the Time, just the the whole process is just very often complex. For for you guys in the embedded space And I I you know, obviously, DevSecOps and with, you know, what you guys do with, you know, with with what is a very typically technically educated buyer, but also has other challenges to it. You know, what does that look like? How much education do you end up having to do Either generally speaking, and I’m sure you do a lot of education, whether it’s on your podcast or in other areas broadly, but then, You know, with, you know, your sales team, you know, how you align your marketing, things like that. What does what does that either look like for you guys or Yeah. What does that really look like for you guys?

 

Joe Saunders:

 

So we’ve done a couple different things. We, We did something from a product perspective that I think dramatically changes the discussion. And so with that, what we’ve done And I know you know this, we released a product called Gremlin that begins with generating a software bill of materials. And the reason that that is relevant is because I first need to know all the different individual components that are in my product. We have One customer makes a really small piece of firmware code. It has a 1,000 components in it. 800 of those components come from the open source world and 200 components of the 1,000 are components that they build themselves. The value added that manufacturer make.

 

Scott Shagory:

 

That’s a lot even at 200. Okay.

 

Joe Saunders:

 

Yeah. And and so that’s not uncommon. We have other customers that have many more packages that go into their Platforms and products, but that’s a good representative sample. So with that, if I could show you those 1,000 components, And which ones have all the vulnerabilities and which ones can be immediately taken off the table from exploitation, which of those vulnerabilities. Then all of a sudden, we’re talking about data, about your products, and not even about the technology. We’re just saying, here’s the output from your product, Here are the vulnerabilities associated with it. And look out of 1,000 components, there’s 1200 vulnerabilities and, You know, 900 of them we take off the table. So would you like to go further with that? And that is very powerful.

 

Joe Saunders:

 

You’re talking about data then. It’s a much different equation than saying, the risk of your exploitation is this, and in the field, we’ve seen this zero day And look, it got it got explained it over here, you know, kinda chasing yesterday’s news. Well, here’s what’s in my product. And the best thing is All these companies wanna use software build materials now because it improves code quality. It improves understanding the vulnerabilities. It shares information with their customers, And it standardizes a way for everyone in the software world to communicate, including those that are concerned about security. So that has dramatically changed our ability To have discussions because we’re talking about your products and not having to explain, The types of vulnerabilities that we protect against. So that was, that’s been a very, very significant change.

 

Joe Saunders:

 

And we invested in the software bill materials to help illustrate why, you know, prevention’s needed with our security protection products as well.

 

Scott Shagory:

 

Yeah. No. I mean, you know, I knew of Gremlin that that fills in a it fills in a number of gaps because it you know, and you know this as well as does many people who will listen to this where So many times, any tech company will go ahead and sell their features in their side of the on their side of the pie As opposed to, you know, really solving for being on the other side of that, you know, Venn diagram or pie if we were to kind of visually think about that for a minute, Where that customer is and then what those pressures happen to be, and then you’re selling essentially their future. So, technically, you’re educating them, but really what you’re doing is pointing out solutions that you offer with an environment and a world order that they already live in. They don’t need to change fundamentally. All of their processes or many of them can remain the same, and you just guys, you know, run safe if you will, Slots in and given the percentage of what you can do relative to the vulnerabilities that you share with them that they have, You know, it it it’s you make it so easy for them that it’s basically almost like a no brainer. How could we not, move forward something like this or at least have you guys be in the top 3 for some evaluation process that they might have because I’m sure there’s gotta be that with whatever platform they’re running or platforms. We certainly had ours, and it was just very stressful to try and figure out, okay, which vendor do we bring or vendors do we bring in? What type of platforms do we need to create to go ahead and vet the it just you know, it got the complexity of just doing that, just thinking about it was almost like a fitness regime where you’re like, oh, boy.

 

Scott Shagory:

 

I I got, you know, I gotta I gotta track my macros. I gotta do this. I get before I’ve even actually modified and stopped eating as much sugar, You know, it just ends up being just a huge stress test. It’s like, oh, boy. That’s just that’s just too much. I’d I’d rather do something else. That just seems too painful. So, Yeah.

 

Scott Shagory:

 

I I I I hear you both from, again, having run a knock in the past of just the stresses around that practically. It just is, That that’s a stress reliever right right there. Yeah. Cool. Cool. How do you guys I guess pivoting just a little bit here because you’ve talked about, You know, just a minute ago about how you guys, again, just do things. How do you guys think about success? I guess, Either individually, kind of as a team, and as a company. I know you have some, firm views about that, so to speak, I’m curious as to what those are for the audience because a lot of teams, you know, they’ll grow real quickly, but they’re not quite sure what then success is or how they should shape their individual team members, etcetera.

 

Scott Shagory:

 

And I know you guys have gone through that and, you know, come up with some, you know, ways of thinking about So if you’d be open to sharing it, that’d be that’d be great.

 

Joe Saunders:

 

Yeah. I mean, success from our perspective has many dimensions as you can imagine. Certainly success for customers, you know, the ability for them to reduce their operating costs and supporting their patching process and still increase resilience. So, with that, a good metric for us is Our customer churn rate, which is extremely low. So when we sign up new customers, they stay with us for the long haul, and, you know, ongoing basis. And so I think in all our years, we’ve lost, maybe 1 customer, you know, and it wasn’t even really for reasons related to our stuff. So I think that’s a good testament that we do what we say we do, that we deliver on their expectations and we set the right expectations. And for me, that’s probably most important.

 

Joe Saunders:

 

But even this year, then we had some goals As a company, and we wanted to we had 3 main objectives as a company this year. And that is first of all, we wanted to be cash flow positive. So we are generating and surviving. We’re not losing money, we’re making money. We don’t need to take outside investment unless we wanna grow faster, which we very likely will take in additional investment. But the whole idea, I think in today’s world is that you need to maintain growth And show profitability. And so I have, some of my board members and investors, have shared different investment bankers I’ve talked to in the past have taught me about the rule of 40. And the rule of 40 is the combination of your growth rate and your EBITDA.

 

Joe Saunders:

 

And if it’s at least 40 or more, you’re gonna get a really high valuation multiple on your company. And so we’re striving to always maintain that rule of 40, kind of goal. But so first goal this year was to be cash flow positive. Second goal was to dramatically reduce our sales cycle. And we did that by introducing our new product that begins with the software bill materials. So instead of waiting for people to deploy our technology, can we reduce that sales cycle? And we’ve done that. And then the third one is really to Leverage, and support what the government is investing in to achieve memory safety overall across critical infrastructure. And, you know, as I listed all the organizations that have, done so much, you know, CISA and NSA and Office National Cyber Director and DOD, they’ve done so much to try to reduce this great national security threat that Or risk that, you know, we wanted to find ways to contribute to that.

 

Joe Saunders:

 

So contributing into a broader mission That makes our society more, that makes society safer and our world safer is important for our company. And also, you know, keeps us aligned with what the government is doing today. So that’s also very important for us in terms of measuring success.

 

Scott Shagory:

 

Yeah. Nice. And, congratulations on the cash flow positive stuff. That’s nice, I’m sure it must must feel pretty, pretty pretty good to say the Say the least where, obviously, that has become a a deep focus, among many technology companies of of late, But, you know, beyond that, I just think it’s, yeah, it’s always a a great a great sign. So congrats to to you and the team for, probably stressing yourselves out to get there, but Nevertheless, a a big deal, so kudos to you for that. In terms of, I guess, continuing with the this theme a little bit here, you know, for growth opportunities that, You know, you’re excited about over the next 12 to 18 months. You know? I guess, what are they with what you’re comfortable sharing? And then, You know, is it true for yourselves, you think, exclusively, or is it a much bigger, bigger industry opportunity is As well in terms of what you’re looking at with embedded, DevSecOps and some other things that you guys are obviously doing with, with Alchemist and Gremlin so forth like that.

 

Joe Saunders:

 

Well, we just wanna keep growing. We’ve we’ve the last 2 years we’ve tripled our revenue 2 years in a row. I think this year in 2024, we hope to double, and that’s a big effort to do that. Now, with that said, You know, that that’s hard to do, but we’ve been doing things from a company perspective That I think, gets to sort of the heart of our company culture. And it sort of begins with this knowledge that we, you know, we have this mantra, this badge of honor, and we say internally at run which is to plow the dirt with your face. And it’s kind of a it doesn’t sound like a big scale story, but what it but it actually is.

 

Scott Shagory:

 

And that’s punishing to me, but, yeah, I hear it. Yeah.

 

Joe Saunders:

 

Basically, you need to you need to go engage. You can’t like think about things, you need to go talk to people, You need to go talk to customers and really understand what’s driving them. And you might learn a thing or 2 if you go talk to a customer, that’s the bottom line. And so with that, we also have a couple principles that kind of drive our company culture to support our scale and our growth. And that is, Something I call above the line versus below the line. And above the line are all those principles that help you achieve A high growth company the right way. And that is, having a standard product that is meets the product market fit. Being able to build that and deploy that easily, so our customers can deploy in like 15 minutes.

 

Joe Saunders:

 

They don’t have to do a lot to get going. So a bunch of things like that add up to being above the line for us. Below the line is a bunch of custom work that a lot of hands On different code that you know, and maybe, you know, what happens in those cases is quality assurance suffers, Delivery schedules slip, customers are disappointed, expectations aren’t always clearly set. And so there are things that sort of drag down our business That are below the line. And so I say that because as a company, everybody in our organization knows the difference above the line and below the line. And so the entire organization knows what kind of business we do wanna do and what kind of business we don’t wanna be. And so with that, that sort of empowers everyone in the organization to keep us on path for the growth that we want, and it’s the growth in the right way. And I think that’s part of what contributes to us being profitable and being around for the long haul for our customers Is that we really know what our identity is and everyone kind of lives and breathes that.

 

Joe Saunders:

 

So those are a couple of things we’re doing internally to help fuel that growth, but within the market, I think we’re only scratching the surface. I think the government tailwinds In terms of solving for memory safety, we have customers that have thousands of products and their only alternative today is to rewrite all those products Into memory safe languages and that’s just not feasible. Nobody wants to invest in rewriting a product, it will take time and money. So if you can achieve memory protection without rewriting a single line of code, that’s a huge value add for our customers. And then it also matches where The government wants to go into, successfully protecting critical infrastructure in general.

 

Scott Shagory:

 

Yeah. No. I mean, I think that makes a lot of sense. I mean, there’s just As everybody knows, just a a ton of software out there that, you know, again, just maybe gets periodic updates, but that’s pretty much it. And yet, there’s just a huge vulnerability around there. So, so definitely, yeah. You know, you hear everyone talk about, You know, grinding away, but, I’ll have to start using your, plow with your face. That’s that’s awesome.

 

Scott Shagory:

 

You know, it just is such a a visual, of you know, there’s such a strong visual with that too. It’s just, it’s tough to miss. But I think, again, you know, more seriously, You know, it’s it’s very understandable how with a team you could absolutely build alignment around that. No one’s gonna not understand what that is and have an immediate image in their head that they will Never never forget even as they talk with each other virtually and so forth as opposed to let alone being in the office. So, yeah, kudos to you for for that one there. So, well, cool. Cool. Let’s go ahead and take a short commercial break, and we’ll be right back.

 

Scott Shagory:

 

Purple Finch Group helps technology CEOs innovating at the edge of chaos create operational fitness across their technology stack and team of talent. Achieving significant and measurable scale, selling your story, and finding time to think and plan can feel like a bridge too far. So if you’re a CEO whose company has found product market fit but is struggling or you’re a CEO whose company is looking to accelerate existing momentum, We can help with proven blueprints for optimal scale. Shifting from incremental addition to exponential multiplication can be absolutely achieved with less effort and stress. To get in touch, I can be reached at Scott with 2 t’s at Purplefinch Group.com. Now back to the interview. Alright. We’re back on Discipline Troublemakers podcast with, Joe for Brunsafe.

 

Scott Shagory:

 

Let me go ahead, Joe, and pivot a little bit more, and ask you about what contrarian views you have about the embedded security space and about DevSecOps, because obviously there are lots of opinions, particularly around DevSec. But I’m curious, you know, given You’ve been in this space a long time. You know, what either you have is a contrarian view or see, again, differently than maybe some other firms or other CEOs in the space.

 

Joe Saunders:

 

So I would say the biggest one is that the plate tectonics in the embedded software space are changing And they’re changing towards open source software and they’re changing towards open source software, understanding the software supply chain security risks. And for such a long time, there has been proprietary, operating system Software on which all these embedded devices are built. And there were good reasons for that. There were performance reasons and Security reasons and things like that, that, you needed to ensure that this little gadget did its thing extremely well and it was kind of locked down to only do a limited set of functions. The problem is, That has become expensive and it has shown that or it’s been shown that proprietariness, does have come with a number of security vulnerabilities. Some of the biggest vulnerabilities out there have been in real time operating systems, For example, and so with that, with the improvement in processing power and chips, And the ability to tailor Linux based operating systems for embedded use cases, And, really scale things down easily, then what that means is what might have been 20% of open source on your device You know, yesterday is going to be 80% like that example I gave earlier today. And with that, it sort of decomposes Your understanding of your entire security landscape, you need to understand who’s writing those components. Are those components updated consistently? What vulnerabilities are in those components? And so I think it’s becoming Instead of a Closed world is coming in the open world, but with that, the DevOps and DevSecOps discipline and really the supply chain security practices Are becoming as much about code quality as they are about security and you can have both.

 

Joe Saunders:

 

And then I think in the end, You can be secure and you can be open, and you can have high code quality. So, You know, if anything I think is you can have the best of both worlds. You can be open and you can be secure. And I think that is driving Major change in the industry, I think it’s reducing costs. And I think it’s also kind of changing the software development world a bit. As, you know, people are looking at vulnerabilities in their software and improving code quality.

 

Scott Shagory:

 

Yeah. No. I remember Years ago, I’ll go back, 15, 20 years ago, you know, big debates with my client and other stuff like that around Open versus closed source. It was always an or, never an and. And so you were always making kind of some very big tactical strategics trade offs as To what you think you could or couldn’t do and then accepted, you know, implicitly then a degree of blindness. Where where did you wanna be blind and not know What you didn’t didn’t know and didn’t have control over, and you just yeah. You just you you ultimately, at the end of the day, you you’ve made some very big trade offs, but everybody else did the same thing. You didn’t have any other choices because it was yeah.

 

Scott Shagory:

 

It was an or world instead of an and world. So, Yeah. Yeah. Powerful powerful to see, though, some of the changes now too. So as a Linux guy, I’ll I’ll disclose my, my my Linux, Enthusiasm here. I’m a Mac guy, but I I like I’ll I’ll you know, I grew up, cut my teeth on on on Linux. So, There there are scars and there are joys there too. So, but, anyhow

 

Joe Saunders:

 

See, you’ve plowed the dirt with your face too.

 

Scott Shagory:

 

I oh, yes. I did. Yes. Implemented the 1st Linux set of systems for my client back, 20 years ago this year. Old Kickstarter files. Wow. That was painful. I learned a lot, but I have to tell you, yes, I absolutely plowed my face with with that.

 

Scott Shagory:

 

Yes. 12 hours a day, 6 days a week, it was, Yeah. It was it was interesting. Glad I don’t do that anymore. Thank you very much. You know, speaking of kind of a Contrarian mood. Something, you know, that I found really interesting about, you know, something here that you guys have done is you’ve Set up an improv class, you know, internally with OneSafe. And, you know, you guys have goals around that around, you know, listening skills, Teamwork, creativity, etcetera.

 

Scott Shagory:

 

I’m really curious. What led you guys or what led you or the leadership team and folks at RunSafe to go ahead and start that, and how has that evolved for you guys as a way to, Again, grow, remain agile, be creative, etcetera. It sounds like you probably have had some fun with it too. So, you know, what’s the what’s the story behind the improv class?

 

Joe Saunders:

 

Well, it’s it’s super exciting that we do improv and I we we do it periodically. We do it at our annual meeting. We do it throughout the year. And The the really the inspiration came from my, assistant. Her name is Alex and she is a professional actor And she does improv all the time. She does sketch comedy, she does stand up, she’s, you know, comedic actor, and, you know, does very, very well at it. And when she and I were talking one day, we’re talking about sort of the benefits of improving. You start to live to it, you know, certainly creativity and stuff like that.

 

Joe Saunders:

 

But just how you approach improv has so many lessons for business. One of the principles of improv is yes and. And so the whole idea is that you’re open And you’re gonna add to the conversation. And by doing that, you’re creating a dialogue between people. But if The opposite is you say no, but it doesn’t work that way. Then you’re shutting things down and you’re hurting that creativity, you’re hurting that mode of communication. So yes, Ian is a powerful principle from improv. And we wanted to sort of share that with the company and do all that.

 

Joe Saunders:

 

Another really important principle of improv, think about a basketball team, we think about football team, we think about Any sports team or any athletic team of any type in improv, it’s no different. You want to make other people look good. So you might wanna make your customer look good, you might wanna make your colleague look good in a meeting, you might wanna make and so the idea is to be selfless and to give the opportunity To others to let them kind of shine. And so looking for those moments where other people can step in Score the score the basket or make the catch or what have you cause you’re a team. And so, In improv, you try to set other people up to be able to make the jokes. And so you want them to look good. If it’s all about you and you’re trying to be funny and you’re dominating, then you’re not creating a cohesive team, and you’re probably not all that funny in the 1st place. But it’s sort of that give and take between 2 people that creates a real authentic moment That becomes really funny.

 

Joe Saunders:

 

And so, I don’t know, there’s a lot of business lessons, but I have to say it was Alex’s idea And Alex does the training, she’s really good at it, our team likes it and there’s really, really good applied business skills. And so If the government shuts down this year or another year, we have thought about Offering for fun, improv training for folks who may wanna do some other things with their time. So those are, you know, because we think the power is so great, we would love to share it with others in different ways.

 

Scott Shagory:

 

Yeah. No. I I I think it’s really great. I I think too, you know, comedy and things like that of of which, You know, I’m personally not not not very good at, you know, it it absolutely for improv, you have to be in the present moment. You know, so much of our time is either spent in the past. We’re thinking about the future, worried about the future. And with that is a story or oftentimes It ends up weaving in our fears and doubts as opposed to being in the present moment with 1 or more people to really kind of share and exchange. And when you can do that and do that in a business context whether it’s with yourself, your customers, supply chain, etcetera like that.

 

Scott Shagory:

 

I I just think, you know, I think we could all agree, You know, it could be it can be very, very powerful. So, yeah, really, really interesting. I’ll have to think about that some more too. So, maybe take an improv class at some point, but that’s, That could be a little stressful, but but fun. But but could be could be fun. One other piece along the creativity side is you I wanna make sure we should adhere, and I’ll include in the show notes in the bottom is you you guys started a podcast, if I recall correctly, in 2020 sometime called School of of Heart Knox. What do you enjoy most about having a a company podcast? And, you know, what have you what have you either learned or shared and so forth like that with with that podcast? I’m curious.

 

Joe Saunders:

 

So, You know, the genesis, first of all, I have to give credit to Alex again, because

 

Scott Shagory:

 

she’s the secret sauce,

 

Joe Saunders:

 

She is. We I do this thing internally about what I call school hard knocks for all employees. And the whole idea is to share The 25 biggest mistakes I’ve made in my career and what I learned about it. And the whole idea is to make it Safe for people to push the envelope and not be afraid to make mistakes in the whole ideas. If you make a mistake, it’s okay. We’re going to learn from it, Then we’re all going to be more resilient organization because of it and people are going to push the envelope, they’re going to feel comfortable standing up for what they think is right and doing The right things for the company, etcetera. And so, Alex had the idea that we should turn that to the external world And future security leaders and talk about their biggest lesson or their toughest lesson or they’re one of the things they really had to learn, You know, a hard lesson from and what’s great is you get all this perspective from leading security leaders, You know, who had really interesting careers and everyone has the same thing. They’ve made mistakes in their career.

 

Joe Saunders:

 

They things they had to learn a tough lesson from, and the idea is it sort of humanizes everybody. Like we think someone who’s achieved all these great things in their career must be perfect, but they’re not there. They make mistakes Just like I do. Just like Alex does. Just like

 

Scott Shagory:

 

Oh, yeah.

 

Joe Saunders:

 

All my colleagues. Maybe not you, Scott.

 

Scott Shagory:

 

Maybe you are. My list is longer than your list, dude. We we we couldn’t even start. Yeah. Yeah. As long

 

Joe Saunders:

 

as you’re What what I get most out of it is the reflection people have on some of the mistakes they’ve made and what they’ve learned about it. And it’s just really powerful. It’s really interesting because we all share that in common and that makes the world a better place as well. It’s more resilient if we’re looking out for people who have made mistakes or people are vulnerable and sharing mistakes that they’ve made and They’re willing to talk about it. So I think it makes for a better world talking about it and plus we can all learn from other people’s mistakes. So that’s ultimately the benefit.

 

Scott Shagory:

 

Yeah. No. And I think particularly with and it doesn’t matter, I think, which I’ll call it which venue we happen to be in. Just as human beings, there’s a a lot of Shouting at each other, right now pretty much everywhere with what seems like every single topic, even picking out milk at the food store or something simple as what Feels like it’s simple as that. So the more of that, I think around just being able to have a place to share some of those things, particularly, again, as you Rightly pointed out, you know, you see somebody and when you think of, you know, respect or elevating somebody, I don’t wanna say maybe pulling them on a pedestal, but, you know, acknowledging the Competence, the hard work, all of the achievement and everything, we we do tend to it’s it’s easy to gloss over some of the bumps in the road and to have people, You know, share that in authentic way, I think, is just really it’s very powerful. And people, as you say, can connect to it. We all can. Absolutely.

 

Scott Shagory:

 

Myself myself included. So So yeah. So I guess, you know, kind of wrapping up here a a a little bit here, do you have, You know, before we get to, you know, contact details and things like that, any, I guess, any even final words of advice or wisdom wisdom for my listeners who are gonna be primarily CEOs, who will also be leaders in the tech space, who may eventually be, you know, be a CEO at some point in terms of Starting and running their own cyber company. I I know that’s a very loaded question, which could go in lots of different directions. But I think, again, you know, you’ve you’ve Experience lots of struggles with RunSafe. You’ve obviously experienced a hyper growth over the last couple years. Kudos to that Being cash flow positive, just some big ticket items there too. So you’ve experienced all of it so far.

 

Scott Shagory:

 

You know, what does You know, in any words of kind of either wisdom or advice on that front as it relates to a a cyber company?

 

Joe Saunders:

 

I think one of the most important things that I’ve learned is having a really good framework about who you are and who your company is. And sort of that, you know, what are the principles? What’s the underlying philosophy of the company? What are those things you fall back on to help make decisions. And I think rather than having things that appear to be arbitrary, I think having a sense for why we’re going in a certain direction, why decisions are made and what is that collective Kind of goal and what is that framework in which you operate? For us, we have a product strategy we call three ten n. We have above the line below the line principles. We have plowing the dirt with your face. We have company goals that we set at the start of the year. We have principles that people adhere to. We’re very forgiving when mistakes are made because we know we’re gonna learn from them.

 

Joe Saunders:

 

And all of those things collectively add up to make Decisions in tough times easier because it’s within a framework. And for me, that’s been, I don’t know, super exciting to kind of Realize that when you do have a framework, decisions are not arbitrary that you have collective buy in. The organization will see, You know, how you think about them as the CEO. But more importantly, as a CEO, you see that everyone has this common framework for how they’re operating And that can just be powerful because I think it just puts all this discussions on such a positive, Emphasis point of emphasis. And I think knowing what those principles are and how you the framework in which you operate It’s just so important. So that’s my biggest recommendation. Probably one of my lessons to learn how to do that. You know, for me personally, It’s been very gratifying to see it play out and be helpful to everyone in the company.

 

Scott Shagory:

 

Yeah. And I think it’s one of those things to, you know, highlight your Kinda school of hard knocks is that’s tough to learn in business school. It’s tough to learn, I think, just, if you will, intellectually or academically, you’ve gotta, Grind your face in the earth a little bit. You know, Jeff Bezos has talked about that with Amazon and the I forget if it’s 16 or 17 principles, from memory and that what they have. And, again, it’s just designed to create structure boundaries, safety, an honor system, You know, in any variety of things that that one feels the team leadership team feels is relevant. And it is. It’s it’s it’s kind of like guardrails, But also safety and where we want you to take risk, where those opportunities are, and what you can do individually and then as a team and then, you know, so forth as to what that what that is. I I always think those are really very helpful and and and powerful here.

 

Scott Shagory:

 

Yeah. I guess my my last question for you is always, Both for you and for for the audience is, you know, do you you know, for maybe a challenge or two that you’ve got over the next 12 months, that you might like help with or might like guidance or assistance with. If there is anything, know, when you’re comfortable sharing it, you know, depending on who listens to this and might reach out and say, hey. I might be able to help Joe with that. So Let me let me reach out to him. Is there anything that that you or and or RunSafe would would like some assistance with?

 

Joe Saunders:

 

Yeah. I mean, there’s a couple major Major areas where we could use some help. We certainly are managing Products internally, and I think doing an okay job of that. But thinking about our product strategy for the long term is something that, You know, we’ve done as as a committee and, you know, kinda collectively, we use it as a way to align, you know, all of our different different areas, but a real product leader that can kind of think the same way we think, but but bring some additional perspective on Product led growth in certain areas like that can help us reach our broader adjustable market An efficient way is one area that we’re looking for. And I think challenging assumptions on the best way To drive sales is always a good thing. We can come up with new tools, we can come up with new analyses, We can come up with new solutions that get that sale going faster. But that’s something I’m always open to because I think the market has dramatically changed even just since COVID. But if you go back 5 or 10 years or 20 years, Go to market strategies are completely different.

 

Joe Saunders:

 

How you reach people is completely different. What message you need to deliver is completely different. What medium to reach them in completely different. And so I think we try to be innovative and we try to Stay current with the best tactics, but I think we could always use more help to do that. And so for me, some of those customer facing long term Product roadmap ideas to really drive our strategy and, you know, how best to engage our customers more completely something I’m always open to.

 

Scott Shagory:

 

Yeah. I know that and that both are perfectly understandable. And if you’ve tripled yourself twice, I I can only imagine from a product standpoint that, yeah, there’s been been been some been some stretching there, and so forth. And the other pieces makes Makes perfect sense too where it’s you know, so much has accelerated and changed just even with, you know, COVID, etcetera, and, Reaching out to those ideal prospects is just again, there’s on the one hand, a 1000000 ways you could do it, but on the other, again, what is The most effective and most meaningful for that prospect or that cost potential customer, you know, for for them as well and their team. So, Yeah. In in terms of, I guess, in in case someone can help you or wants to reach out, what would be the best way to reach out to? You want something like LinkedIn or etcetera or what would be best for for yourself in terms of reaching out?

 

Joe Saunders:

 

Yeah. I mean, I’m always accessible on LinkedIn, You know, Joe Saunders of RunSafe Security. But also if people wanna send me an email, they can reach me at joerunsafecurity.com. Always happy to hear from people and certainly always happy to engage with you, Scott. And if you have any referrals, we’d always take them. But with that said, I am very transparent and, I enjoy chatting with people. So if people, you know, wanna ask questions about what we’re doing or how we’re doing it or how they could help, I’m always happy to engage.

 

Scott Shagory:

 

Yeah. No. That that sounds great. Yeah. I I will give some thought to the the product side of things. I do know I can actually think of 1 or 2 people. So, Yeah, I actually might be able to possibly possibly help there. So, Yeah.

 

Scott Shagory:

 

So with that, let’s go ahead and I think we’ll go ahead and close out here. I really appreciate you carving out time Today to chat with, me to catch up with you about what’s been happening with with RunSafe over the last couple of years. Congrats on all the on the growth. That’s a A huge accomplishment, and, I’m sure if a little bit more than a little bit stressful. But at some point in the future, I’d really love to have you back on, on the podcast, and we could cover some other topics that we didn’t get a chance to cover today. And then, yeah, just see where you guys have have gone if you’re, if you are open to that.

 

Joe Saunders:

 

Yeah. Absolutely. Thanks for having me today, Scott, and thanks for all that you do. And certainly, look forward to chatting again on the podcast and otherwise.

 

Scott Shagory:

 

Yeah. Sounds great. Well, thanks very much, and we’ll be in touch. Thank you for tuning in to the Disciplined Trouble podcast, and we hope you found the episode valuable. If you did, please subscribe to the Discipline Troublemakers podcast on your favorite platform and leave a review. Putting this podcast together is a group effort, so I’d like to provide a shout out to Heartcast Media and their team for all of the assistance they provide with each episode. If you wanna get in touch with me directly, I can be reached at scottwithtwo t’s@purplefinchgroup.com. Purple Finish Group is the sponsor of this podcast.

 

Scott Shagory:

 

We have another podcast episode out very shortly. Stay tuned.