March 15, 2024

#309 The Entrepreneurial Spirit in Cybersecurity: A Conversation with Brittany Greenfield

Join us on "The CTO Show with Mehmet" as we welcome Brittany Greenfield, CEO of Wabbi, to discuss the evolving challenges of cybersecurity in software development. Brittany shares her journey into the cybersecurity domain, revealing how Wabbi is pioneering the integration of security within the development lifecycle for companies ranging from startups to Fortune 500s.

 

In This Episode, You'll Learn:

 

The Inspiration Behind Wabbi: Discover the inception story of Wabbi and its mission to seamlessly blend security with software development.

The State of Cybersecurity: Brittany breaks down the complexities of the cybersecurity industry and highlights the unique approach Wabbi takes to address these challenges.

Entrepreneurial Wisdom: Gain insights into Brittany's entrepreneurial path, including the importance of grit, agility, and self-investment.

The Role of AI and Future Trends: A look into how AI impacts cybersecurity, the importance of foundational security processes, and predictions for the future of application security.

Advice for Aspiring Founders: Brittany shares valuable advice for entrepreneurs, emphasizing the need for focus, resilience, and balance.

Don't miss this insightful episode with Brittany Greenfield as we delve into the critical role of cybersecurity in today's tech landscape and explore the traits essential for entrepreneurial success.

 

More about Brittany:

Brittany Greenfield is the Founder & CEO of Wabbi, a Boston-based Continuous Security Platform revolutionizing the integration of security into the software development lifecycle. A Duke University and MIT Sloan MBA alumna, Brittany has honed her expertise in market opportunity identification and strategy execution at leading companies including OpenAir, NetSuite, Kronos, Cisco, and Cybereason.

 

Under her leadership, Wabbi has achieved notable industry acclaim, including being a finalist in the RSA Innovation Sandbox Contest and recognition by Gartner, eSecurity Planet, and BostInno for its pioneering application security solutions. Wabbi's growth is supported by leading investors like Cisco Investments, Mendoza Ventures, and Work-Bench.

 

https://wabbisoft.com/

https://www.linkedin.com/in/brittanygreenfield

 

01:08 The Genesis of Wabbi: Bridging Security and Development

03:11 Why Cybersecurity? Brittany's Personal Drive and Vision

05:30 The Evolution and Challenges of DevSecOps

13:03 Addressing the Myths: Developers, Security, and Collaboration

17:27 Who Owns Application Security? A Leadership Perspective

18:43 Measuring ROI in Cybersecurity: A New Approach

22:38 Every Company is a Software Company: The Growing Need for Security Solutions

25:09 Gartner Recognition and the Importance of Market Awareness

27:36 Leveraging AI in Cybersecurity: Opportunities and Cautions

29:46 Navigating AI in Development: Opportunities and Risks

31:42 The Philosophy of DevOps: Efficiency Over Speed

32:26 Automation vs. AI: Prioritizing for Productivity

33:31 Guided Decisions: Enhancing Developer and Security Expertise

36:03 The Entrepreneurial Journey: Spotting Opportunities and Capitalizing

39:31 The Importance of Grit and Agility in Entrepreneurship

49:22 Advice for Aspiring Founders: Prioritizing Time and Self-Care

52:49 Closing Thoughts and Where to Find More

Transcript

Mehmet: Hello and welcome back to a new episode of the CTO show with Mehmet. Today I'm very pleased welcoming the CEO of Wabbi, Brittany. Brittany, thank you very much for being with me on the show today. The way I love to do it is I keep it to my [00:01:00] guests a little bit, give us this introduction and the journey and why you started Wabbi.

Brittany: Well, the journey is still ongoing, but I appreciate you having me here today. Um, I started Wabbi, which is in the application security space. Um, because I realized the need to bridge the gap between security and development, um, not to say that it's, I think both sides have always gotten the short end of the stick when it comes to integrating security into the software development life cycle.

Um, you know, development wants the, the autonomy to make educated decisions like they do about every other step of the, the development process, and security needs the accountability that their policies were followed. So what Wabbi does is we manage the application security posture by orchestrating and automating the application security life cycle as part of the software development life cycle.

Um, so that could be everything from [00:02:00] queuing up testing when the developer checks in their code for PR to prioritizing vulnerabilities to, um, to, you know, even gating code if it wouldn't match, if it wouldn't pass the security review. Um, and so we, we've been at it, as I said, the journey is always ongoing as you certainly know, uh, founder journey is never ending.

Um, and we really love it. We work with large mid-market to Fortune 500 companies. And, you know, I think for me, um, my founder's journey personally, I've always been somebody that has looked at market opportunities and said, how do we go fix this pain and led the teams to it? And I just got so frustrated when I heard companies talking about building taller walls and deeper moats and getting better laser beams for their sharks.

And nobody was focused on the foundation where nine out of 10 breaches come from. And that's the code. 

Mehmet: Absolutely fantastic. And you know, uh, I love to hear these stories. I will ask you more [00:03:00] about the founder's journey, but the first question, you know, I'm always curious to, to, to know, and in this case, it's a specific domain, which is cybersecurity.

You know, Brittany, cybersecurity is a very broad market. Some people, they say it's a crowded market also as well, but you took this I would say courage decision and you decide to go into cyber security. Was there anything specific that attracted you actually to go and find the gaps that you just mentioned and choose cyber security rather than and other like maybe hot trend or other technology, um, field, but why?

Brittany: It's a great question.

So I love cybersecurity. You're right. I call cybersecurity an alphabet soup, right? And you, and there's always a new one [00:04:00] coming. Because as technological innovation moves forward, cybersecurity always has to be one step ahead of it, right? AI right now is a great example. There's a ton of AI cybersecurity companies coming out because we have to figure out how to defend against whatever the next innovation is.

Um, but what actually attracted me to it is I, I've always been in enterprise software, and I think unfortunately the denominators changed more than I care to admit. But when I founded Wabbi, I've been outside of cyber security longer than I've been inside of it, and I found cyber security just to be a place where it wasn't just about how do we make sure we get the full value of the innovations that we're creating in the broader realm of technology.

But also, how do we, how. It's a place of intellectual curiosity, right? There's no one of the reasons you point out. It can be a very crowded space because there's no one right way to solve some of these problems and some of these pains. And so you have a [00:05:00] lot of just really interesting problem solvers across all components of cyber security.

That's what's really driven me to be in the industry and has kept me in it for sure. And made it the place where, you know, I know. Never occurred to me that I might found a company and I went, of course, it's going to be here because it's the place where I can go find a real problem and bring together a lot of great minds that are passionate about tackling it.

Mehmet: That's good to hear, Brittany. Now, let's go a little bit dive in into what you do in the domain specific about because as I was saying, cybersecurity is very broad. Now, what you tackle is mainly the application lifecycle, right? So software development lifecycle, SDLC, and, you know, have, have you seen like now people realize that actually security is, you know, a key component to put it there, [00:06:00] or do you see still, you know, people are, are, you know, not.

They need to have the application security in that life cycle that, you know, you solve that problem with. So how did you see the reaction of the market of accepting? Because, you know, usually when we talk about solutions like yours, Brittany, so we talk about DevSecOps, right? Like development security operations.

So have you seen like this space matured or do you think we're still in early stages? 

Brittany: So I think we are, I'm going to give, I'm going to talk out of both sides of my mouth on this. We've both hit maturity and we're still early days. Um, you know, that first generation of DevSecOps created what I lovingly term as the DevSecOps hairball, where as organizations were adopting DevOps, security did what it tends to do.

And as you already pointed out, there's a lot of tools in the security market and went, Oh, you've got a DevOps [00:07:00] tool. That's really cool. I've got a tool to secure it. And what it did was it created too much data and not enough actionable information. So in the pursuit of DevSecOps, we ended up overwhelming both development and security organizations with, with just too much stuff.

Right. Nobody, it was a human capacity issue, but also what we really needed was context to be able to apply stuff. Right. Today in Boston, it's 48 degrees. That is a very warm day. Right. But if I told you it was 48 degrees in Dubai during the day, you'd probably say, Oh, my God, I need to pull out my jacket, right?

Apocalypse, maybe. And, you know, that's the context that we were missing in that first generation of DevSecOps. So I'd say DevSecOps has hit maturity in terms of people understanding that it is the norm of how you actually pursue software development today. The same way that we say DevOps is the norm of it and why 80 percent of [00:08:00] organizations have adopted DevOps now.

But where we have the immaturity still is specifically in my domain, which has its own alphabet soup called Application Security Posture Management. And the, and where people are, are still grasping with the idea. Is that they kind of really actually just finished their DevOps, DevOps processes, and they band aided together DevSecOps as part of it, and they're realizing that at scale, their band aided approach to actually integrating security into DevOps is failing, and that's where they need, just like all the other development infrastructure technologies that they have, they need that application security layer.

As part of that staff, if anything, good application security posture management probably looks a little bit more like a DevOps platform than it does your more traditional cyber security platform because it's about understanding what the application security [00:09:00] process is for a very specific application and then deploying, automating and orchestrating that process.

And that's where we're seeing the market have just 5 percent of adoption when we closed out 23, but it's going to hit 40 percent by 26 because they realize that this isn't just a cyber risk. This is a project delivery risk. 

Mehmet: That's great to hear that from you, Brittany. Now, For the audience who might not be very much, um, you know, familiar with with with application security.

So if you can just tell us about what are some of the threats. So because you know, when we say threats in cyber security in general, a lot of things, right, you know, the first thing come to mind, like, People like even non technical people now they know about it like DDoS attacks, ransomware and so on.

When we talk about your domain, so what are like the major threats? And if you can tell [00:10:00] me how you help organization actually to prevent and protect from it.

Brittany: It's a great question. So traditionally and people aren't wrong about this, but traditionally people go, Vulnerabilities are application security.

Hey, and those vulnerabilities, you know, like, I think still today, we haven't had a major pure application security breach since Log4j. Those vulnerabilities are the opportunities that adversaries have to access the code and propagate another kind of attack. It could be DDoS. It could be just purely exploiting the vulnerability to access data.

But however, and I think, you know, to your question about maturity, this is what's changed. And since we founded Wabbi is that people have accepted you can't fix everything. In fact, you know, I want to say, as of last year, about 40 percent of Log4j vulnerabilities were still out there, right? [00:11:00] Because organizations have realized that you can really only fix about 5 percent of any of your vulnerabilities is within a release cycle and about 15 percent are going to get fixed later and the rest of the 80 percent have to be left out there to be monitored.

And this is where application security looks a lot more like development. Is that it's really about that process. And when we talk about the application security life cycle and why Wabbi manages that, because any security that has to be coded is application security. So if you need your firewall configured a specific way to defend against a DDoS attack, you've got to tell the developer to do that at some point in time and implement a control.

And that's where I think application security has always been a little bit of a redheaded stepchild was it wasn't just about the proactive security, but it's about the process of security. And making sure the right person does the right security activity at the right time. And if they [00:12:00] don't much similar to development, it then gets prioritized to be done later, or the risk is inherently accepted.

And so application security is the realm of how you implement all of those security requirements and then proactively identify and mitigate the risks that your code poses, which could be a vulnerability that's found, or it could be a control that was or was not implemented.

Mehmet: Absolutely. And, you know, thank you for bringing the topic of Log4j.

You know, it was the hot thing and, you know, it's one of the great examples that cyber security is a more complex than, you know, the simple things that you, we, we just discussed now, because here you have the supply chain and, you know, like this is part of the supply chain that can be inside the application.

So I love when I hear Uh thought leaders like yourself, Brittany, talk about this because I think we need the [00:13:00] awareness yet Yet there is a myth. Tell me if it's a myth or we're gonna bust this myth now Especially when I personally speak with developers So especially if they are doing still in the early stages, they are doing like an MVP or something like this You tell them about okay.

I think you should secure this this way and even Might not be directly, you know, related to the core functionality of the application. It's like, just for example, okay, have you secured that like from authentication perspective? Oh, okay. We're going to do this. If we're going to focus on the security now, this is going to like make our lives miserable because we're going to spend more time.

Is this a myth? Or is it like really something they have to focus on? 

Brittany: It is something that they have to focus on. And this is where, and, and really actually what Wabbi was born out of. It's not fair to tell developers that security is their job and make them wade through 5,000 pages of policies to figure out exactly which security thing they have to do at this time.

If we [00:14:00] could make all developers, security experts, we could fix our 3 million and counting cybersecurity professional shortage, right? That's not the problem. The problem is that we have to find a way to make sure I'll use exactly your example, because I talk about it all the time, right? Your security requirements for some beta project are going to be very different than your security requirements for your crown jewel.

Yes, you want in some beta project. You want to get that prototype out there. You want to under you. You want to make sure people are trying that. And maybe it's not working with real data versus that crown jewel.

You're willing to slow down on. This is why we actually talk about. Terms of application security in terms of, um, delivery risk, not just breach risk. And so what's your priority? What is an organization's priority on getting that beta thing out? That's speed. That's pure raw speed. Make sure the developer knows that.

And that maybe you're telling them the correct security thing to [00:15:00] do as part of the feature requirement. That's what our platform does. This. But, but you're not actually going to block the PR if the scan hasn't been completed or something. You're just accumulating the record of it. Versus you get to your crown jewel and you want to make sure every step of that application security program and requirements has been completed because that creates bigger problems for you down the, down the road, right?

Right now we work with the telco. They say nine out of 10 times they give the pass because they haven't been able to engage. Engage developers and even find out if they did the right thing. Now, this is the myth that I want to debunk here and to bust is, I think people think developers don't care about security.

We are, this is when we talk about the DevSecOps maturity thing, that Developers actually do care about security. The problem is that they haven't been given a practical way to know what [00:16:00] the security thing is to do. And then the other myth to debunk here is that security teams don't care about the feedback from development.

They just want the security thing done. And we actually in our annual continuous, our last year's annual continuous security report found that 79 percent of development teams report that their security teams do actually acknowledge and respond to their feedback. But the problem has been without automation, and this is where our realm of application security posture management is coming into its sweet spot.

There hasn't been that automation when you have 100 developers for every one security person. A lot of times it feels to development like exactly what you said, you've got to do it this way. Well, that's just because security hasn't been able to get back to them or even understand maybe what they're developing so that they can say, Oh, I get it.

Right. You're dealing with a batch import. I know that it has PII. [00:17:00] Um, but you can't have a 15 minute time out. Let's work together. That's really how we're actually going to solve this problem by creating those feedback loops between the two teams. So I think we've hit the, as we know, as technologists, we've hit the, um, you go people process, then tools.

We've come over that people hurdle, and now we're in the world of process. Um, and the tools will get absorbed into it.

Mehmet: Who owns that, Brittany, just out of curiosity, like who, who should be the, the persona that driving application security?

Brittany: That is a great question. I would say it is both the VP of engineering and the CTO.

Um, you see it differently in different organizations. Some has to do with where somebody came from. Came from, um, if a CTO was an ex developer that became a security wonk and moved into the security side, they very much own it with a passion. [00:18:00] Um, but, you know, VPs of engineering have known that this was a problem for a long time.

And they just. I hate to say this, they got away with the pass because they're so much closer to delivering on the customer promise, even if it is back end software. Um, so I think it really, we have 1 customer that actually jointly secured budget between software, pardon me, between development and security because they understood that this had to be jointly owned between the 2 to meet both of their strategic goals, as disparate as they may seem at sometimes, where security's job is to say stop, block, I don't want anything from coming in, and development's job is how fast can we get something out?

Mehmet: That's really cool. Now again out of curiosity because You know, anything related to cybersecurity, as I was telling you before, I want to understand, you know, uh, from this perspective, how fast can [00:19:00] these people you just mentioned, this person you just mentioned, can realize Is that investment?

Because in cyber security, you know, Brittany, like the main thing when they go to justify, you know, the budget, you get what I mean, 

Brittany: right? 100%, right? You can't. This has always been the challenge in cyber security. Let me give you the ROI. Of the tools that I've invested in and by proving the thing that didn't happen because I invested in tools and a strong strategy didn't happen and how bad it would have been if it happened, right?

You know, they, they've always been asked to sort of prove ROI on this mystical, mystical thing that they did a good job of making sure never happened. And, you know, it's one of the really cool things about application security is that because it's tied to development. You have a hard R. O. Y. On it, as well as on the cyber security side, right?

If you optimize so you talked about speed, good implementation of application security and A. S. P. M. You can [00:20:00] realize it within a week, right? Because you're getting because you're tied into the development pipeline. So when you're asking somebody to do something, it's part of their existing feature for specs or part of their backlog.

And you know how long those stories are. take, right? So you get the productivity gains on the development side, and then on the security side, a, you know, one of our customers says that their team of three allowed can do the work of 8 to 10. And that's because they have the immediate reduction in manual work and, quite frankly, reduction in firefighting.

Some of them call it dumpster firefighting. And so that's the really cool thing about application security is that because we're not tied. Just to reduction in breach, right? We actually rarely talk about reduction in breach. It's sort of implicit in the fact that if you're doing good hygiene by running a good application security program, um, and fixing the right vulnerabilities at the right time, you're less likely to get breach.

It's really actually now tying to those same [00:21:00] metrics that development has always relied on, which is project delivery. And that's a huge win for both sides. And it makes the story of why security is important. Um, so much, so much more tangible for both sides of the equation. 

Mehmet: Yeah, this is exactly the answer I wanted to hear.

Brittany: I promise you didn't pay me to say that. 

Mehmet: No, because, uh, At some stage I was sitting on, on the other side where I was pitching, you know, and, and this is what the customers want to hear, right? So they want to hear, you know, something that can justify, they are convinced, but of course they need to go maybe sometime to the upper management, to the board, maybe sometime if it's a bigger project, you know what I mean, right?

Brittany: Exactly. And it's also a more stable security strategy, right? At the end of the day, not just an application security, the CISO's job is to make sure, or that the, that he has the right security strategy to [00:22:00] match the risk profile of the organization, and risk is bigger than just cybersecurity, right? And when, when it becomes easier and easier to tie it back to that, uh, then it becomes easier to justify a budget.

We know, I think we're in a current environment where cybersecurity is not getting grown budgets, pardon me, decreased budget, but they're not growing their budgets. And, um, and so how do they justify those things that they know are core and application security really is that foundation that says, how does my company risk align, align with my security risk.

allows for the justification of that. 

Mehmet: Now, uh, Brittany, also something I wonder, uh, there is a say that every company, even if they are a software company or not, they are becoming a software company somehow. So are you seeing an increase in the need for such solutions, not only with the, with the houses where usually they have their own [00:23:00] development teams.

Are you seeing like a surge in in having in house, uh, development within organizations?

Brittany: 100%. I'll give you an example. There's a retailer we work with, and you would think of them, and it's not even a retailer that you would necessarily think of as being traditionally e-commerce. They're more in the arts and crafts space.

And so you think of that as a very tangible thing. You walk in and you pick out your markers and everything. And even they have a significant in house development team because for them, software is competitive advantage. And that is very much to your point that every company is a software company. You talk to Starbucks, they say, look, we're a software company.

Our software just ends up spitting coffee out at the end of our code, and that is where, you know, I think the scalability of security becomes even more important nowadays that you may actually have some of these companies that are software companies, but not in the traditional realm of [00:24:00] software, and it's their understanding.

That a product that this is about a productivity gain. Um, and there's still, they're never going to run, you know, the size of development teams that Amazon and Google are, or, but they want to get the most out of their development team. Cause they want softwares about part of delivering on their customer promise.

Their customer promise is one, that we're securing your information, but two, we're constantly delivering innovation to you. And that software is powering that innovation. So I think security, it's not just, um, lip service, right? For a long time, you'd see certain companies in, in certain industries say, Hey, I'll put words in their mouths.

I don't want to open up Pandora's box. Don't worry. I've done checkbox compliance. I've got my PCI certification. And now that, you know, people are getting closer and closer to the root of it, which again, is the code it. Um, you know, they're understanding the strategic benefits of good application security and the fact that it can [00:25:00] allow them to maximize the value of the development teams they've invested in.

Mehmet: That's good news to hear, you know, because we need more of of this awareness. Uh, in, in the market and speaking about the market, and this is something I found out when I was preparing. So, you know, in a short time, considerably, you know, Wabbi was named in, in the Gartner, uh, hype cycle for that.

So this is a, a great milestone. And I think the, you know, when, when you see. The analysts, the garters, the IDCs, you know, the foresters talking about this. So this is also help, uh, Brittany in increasing the awareness for the need for such solutions, right? 

Brittany: Exactly. You know, it's one of these things that we can talk about it.

I talk about it actually with our development team very often because they're part of helping us prepare and making sure we're on time when we have to, when we have to go present and you know, it's so important. You highlighted this about cybersecurity. It's a crowded [00:26:00] space and across, across the whole realm of it.

And it's so important, the research that these folks do, because the pain is out there, right? They didn't need a paper. Organizations did not need a paper to be written about the pain. What they need is guidance on. Oh, there is a solution out there. And, you know, Wabbi was really a pioneer in this space because I wanted to make sure when the market was ready, right, when we're sort of at that, that crest of the market, we had the best solution on the market.

And so we were ahead of it, and I couldn't tell you how often, even 2 years ago, we'd call somebody and they go. I had no idea that I didn't just have to build this in Excel, right? Like, maybe I might have had this conversation even six months ago. And, you know, and, and they didn't know. And this is where, you know, both the research that's being done by the Gartners and the IDCs, as well as their ability to bring together the broader trends [00:27:00] of a market and define it and say, there is a solution for your problem.

Do not suffer alone. It's really helpful to an organization like, like ourselves and, you know, and it gives us sometimes it gives us something to push back on. Right? We would argue that there's a lot of folks that are just in the risk based vulnerability management and space that are in ASPM. And, you know, but, but, you know, Yeah.

Having that swim lane is so critical to helping organizations actually solve their problems, even though sometimes it crowds it more. 

Mehmet: That's, that's, uh, also great to hear. Now, Brittany, you touched base a little bit on, um, you know, AI at the beginning. The question I'm asking for, anyone who's in this space, especially founders like yourself.

Um, we know that also the bad guys are using AI, right? So, so how are you seeing in the domain you are in us, the good guys, we can leverage [00:28:00] AI and other emerging technologies, but mainly AI because it's the, the, the mainstream everywhere now. So how, how you think AI can, um, help more into securing this space and how you're planning or maybe you started to leverage AI in your own product.

Brittany: Yeah. So, so I think there's two sides of this. Oh, excuse me. I just knocked out.

Can you see me? 

Mehmet: Yes. Don't worry. Sorry about that. Um, 

Brittany: so, so, um, uh, my power cord was loose and my whole system just went down for a second. Um, so anyway, so we see it from two sides, right? The obvious win across all industries with AI is productivity gains. Um, however, I think, and I have this conversation all the time.

Um, I think people are so excited about AI that they are jumping blindly headfirst into it, right? We already know AI is a little wonky. [00:29:00] Um, and then on top of it, to your point, ain't no different than how you have adversaries when there's a single vulnerability all trying to attack just that vulnerability.

Well, what do you think the adversaries are going to do now? They're all going to if you're Googling how to protect against a certain kind of vulnerability. What do you think the adversary is doing? Figuring out your game plan in advance? Um, and and personally, 1 of the things we did immediately was roll out a policy that said.

Look, if, if it's, if you were willing, it's the equivalent of something that you would go search for. I live in Excel, so I'll use Excel as an example, right? Hey, somebody has always built the Excel formula that I want to use. So why create it when I'm doing something complex when I can go find somebody else's inspiration.

Great. So for our development team, if you want to go use AI to give you inspiration, that's fine. But you absolutely cannot paste your code into it. [00:30:00] Um, and you know, the reason is very simple. A lot of these AI rules actually take, take control of your code and becomes another place that your code can become exposed.

So I caution people to say use AI with temperance. We even actually saw some burnout early on, right? It was like cool for six months and we're coming back, right? Figuring out the right way to integrate it into our own processes. But from a security perspective, I think this is where now more than ever or to capture the good.

While protecting against the bad, you really have to understand the context of your applications, right? So it could be back to your early example of, hey, we're doing some kind of prototype project. We want to get it out quickly. That may be fine to use a bunch of code, but as the application advances in terms of.

Risk profile. [00:31:00] That's where you then need good application security and the orchestration of it to make sure that the right controls are being put in because by the time you get to your crown jewel, you probably don't want a ton of AI generated code, if any at all in there, and then you're going to have different layers of app AI security tools on top of that as well to scan to make sure it's not something that had accidentally been put into AI.

Um, so I think that's where. You, you have to address both issues at the same time. Yes, we do want to use AI in development for productivity gains, but we're going to have to gate it and we have to know when the right times are to gate it. Because overall, if we think about the philosophy of DevOps, it's not just about speed, it's actually about efficiency and the earlier you learn something, the more efficient you can be to get something out so you don't have a surprise at that.

I think to me, that's the so-called problem of AI [00:32:00] and how we can best defend against those guys that are sitting in AI going, how do I attack this vulnerability? Right? Um, so I think that's that's really I look at it very weirdly. I'm very aware of it. And I look at it very weirdly for that reason. But it brings a lot of it's.

The AI security tools are also still very young and this is where process is really going to play a big play. 

Mehmet: Yeah, absolutely. And you know, like I'm fan of, for example, focusing more and which is, it's the core of DevOps actually focus more on automation rather than focusing on AI because, you know, uh, automation became, unfortunately, in my opinion, underrated with the big.

You know this hype around the AI, of course, I'm not saying AI don't use AI. I encourage people to use AI as well but when I share anything I say think automation before you think AI because It's it's like start with automation then try to add the [00:33:00] AI thing to it, you 

Brittany: know We were talking with one of the analyst firms that you just mentioned And they were reviewing their results from their latest survey about what everybody wants in their application security tools.

Guess what? They wanted AI. And I said, like, can we have an honest conversation here? Did I miss a transition? And did everybody get that automation and orchestration in place to actually maximize their teams? They said no, but they want AI. So for us, one of the things that we've looked at AI from is really almost, um, more of that in our product.

We specifically call it guided decisions. And I talked about, we can't make developers. For security experts overnight, and nor should they be right because their specialty is development, right? And security person specialty is security. And so, really, for us, the role of eyes, how can we make some make the sabi is our AI bot?

You know, how can [00:34:00] we make savvy more and more helpful? And, you know, I've always said, we're the guardian angel on their shoulder, help them understand why they have to do something. Oh, it's not just that Wabbi prioritized this vulnerability and it's in your backlog now. It is. Um, it is in your backlog for this reason, that reason and this reason, which may be different for developer a versus the developer B wants to know.

Oh, hey, how long do you think it's going to take me to fix this? Because I'm trying to figure out my workload and how I manage this sprint. And that's really where we can give more of that guided intelligence. And I think that's where again, We're both on the same page here. You've got to have that automation and orchestration in place first, because otherwise you're just going to end up with a big AI hairball instead.

Mehmet: Absolutely. And, uh, you know, this is why I tell people, okay, embrace the technology, but first try to, maybe you don't need that advanced thing to solve the problem. So it might be solving it. Right. The [00:35:00] 

Brittany: problems are much more fundamental. I say it all the time. There are no new problems. There are just new applications of old problems.

I talked about my pre cyber life. I was in the ERP space and it's, it's very much impact like relational databases. It is very much impacted how I look at the application security space. Cause to me, this was a data into actionable information issue, right? How do we find all bring together all the, this disparate data that needs to have different things done with it at different times into a single.

A little platform that can manage it and then segment out the workloads, right? That is not a new problem, right? That is a problem as old as time, right? That's where Ford's manufacturing line came from. And I'm sure if we go back to, you know, to caveman, people went and did the hunting and people did the cooking, right?

We've always had this segmentation of labor. So how, so focus on that first and solving that problem. And then the AI is going to be the gravy on top, right? [00:36:00] And then whatever the next thing is. 

So. 

Mehmet: Fantastic, actually, but I'm going to leverage something to switch gear, which you mentioned, you know, you said you were in the ERP.

Now, as a founder, Brittany, like, and this I'm asking you, because this is, I believe it's a skill, which is spotting me. Opportunities and then try to capitalize on this. So what's your process for spotting these opportunities? And I'm asking this questions to inspire fellow, you know, to be found. This 

Brittany: thing is, and I agree, it's a skill and and I it's I've been lucky that it is my skill.

Um, I think that there's two things to look at. One, you've got to be constantly talking to the people experiencing problems. They may be customers, they may be prospects, right? My founder journey, he, I was working for another cyber security space company in a totally different cyber space. And I was talking to prospects, analysts, [00:37:00] customers, and I was so, so frustrated that they were all talking about, as I said earlier, you know, taller walls and deeper moats, and nobody was talking about the root cause.

And that was sort of identifying that pain. Yet, if you talk to them, don't ever ask, do you want to buy my thing? Right? That's not identifying their pain. Ask them what is on their mind. And what I kept hearing from them was that they were investing in all these tools to build up their perimeter security, but their top of mind concern was how they managed.

All of these vulnerabilities that were growing exponentially. In 2023, we had 26,000 new vulnerabilities alone. And they saw this as like, this carbon monoxide that was just creeping up on them and was going to cause a big problem in the future, and that's really how you can start to [00:38:00] identify a market, you know, before anybody gives a name to it.

The 2nd thing is that you need to look at the trends. And this is again, where our analyst friends are very helpful of the adjacent markets. So for us, the adjacent market wasn't actually application security. It was a little bit, but it was really actually about the completion, completion of the DevOps, um, realm and the transformations in that and realizing, as I mentioned earlier, that the way that they done security as part of not even a waterfall, but just sort of a, you know, in between DevOps world was no longer going to hold up at full scale.

So for folks out there that are trying to. Not just take that insight that they get from talking to a lot of people that live this truth every day, but go marry that with data to say, hold on 1 2nd, we're starting to see a little bit in the rise of importance of application security, but what we're really seeing is a transformation and how people.

Develop [00:39:00] the thing that then has to get secured and that's where I started monitoring the market and saying, hey, this is not, it's not just a good idea. You have to have a good idea at the right time. And because organizations were finished, we're, we're embarking on and starting to come into maturity in their DevOps transformations with sort of a multi year.

Finish trajectory. This was the right time to start the company. So we would be riding the wave with them rather than ahead of them or against them. 

Mehmet: Yeah, perfectly. You know, great advice. I would say now I know you, you, you talk about something which is again, I love to hear your perspective about it, which is the importance of grit and agility.

Yes. You know, if you can shed some light, because I believe 

and 

Mehmet: many people say like being an entrepreneur, being a founder is not like anyone's possibility to be, right? So, so and not anyone can can be in that space. [00:40:00] And they talk about the grit. They talk about the mindset from your perspective, Brittany, because you've done now this and you've done it successfully.

So what's your what's your advice on that part about being having the grit? 

Brittany: Yeah, so the first thing is, and while I am thrilled that entrepreneurship and startups and everything has become part of the common lexicon, um, in our society, not just in technology, it has also become glamorized in the realm of Hollywood.

You know, everybody thinks that they can be an entrepreneur, which I believe everybody can be if they have that And what not, but it's not going to happen overnight, right? All of these overnight success stories. The one that I always like to talk about is Airbnb. People forget that they were selling cereal to keep the lights out on, on their dream, right?

Hey, none of these are overnight success stories. In fact, I think that the average stat says it's something like six to seven years before you [00:41:00] actually really get traction, which I get, right. It takes time. You have to iterate. You have to get that feedback. You have to, the market has to sync up with where you are.

Pandemics may happen and really, you know, that grit and agility, you've got to remember that, that entrepreneurship, and it could also be intrapreneurship in your organization. Being an entrepreneur does not necessarily mean founding a company. It could be that you are that person inside of an organization that's brought in to create change.

And it may not be massive scale change. It may be. Long tail change. But that's that's a form of entrepreneurship, too. So don't think to be an entrepreneur. You have to found a company. But the defining quality of being an entrepreneur and why you need this grit and agility is that entrepreneurship is the only place that overachievers go to fail 99 percent of the time, and you've got to be prepared for that ride and okay with it, because what you're going to learn from each of those failures, Allows [00:42:00] you to move forward in achieving whatever that goal is.

Um, and I think that's really what anybody that wants to get into this world, whether they want to found a company, or they want to just be an agent of change in the organizations that they work in. They've got to remember that it's not all going to be smooth sailing. Because what you're doing is you're, you're pushing against the status quo and you have people that may not like that, but it's also hard to bring people in on your vision.

Um, and that's, that's to me, the real challenge of, of entrepreneurship and the founder's journey is that you've got to remember her that, that you're going to have a, it's, it's going to be a lot easier to focus on those failures than it is the successes. Flip side is make sure even the small wins you focus on.

I know one entrepreneur that has his daily to do list and he, and one of the wins that he has, did I read the paper and eat breakfast? Cause if I did that, [00:43:00] I got a win today. And you've got to sometimes remember those little things are, are just as much of wins as the big customers and the product launches and the funding and everything, because that meant.

You were taking time maybe even for yourself and that's just as important in the realm of founding too. So just be prepared for the journey. 

Mehmet: Absolutely. Just, just to, to, you know, highlight about two things you mentioned, how true and a hundred percent right they are. When you mentioned about the time, I would not mention the name of the company is very famous, but one of the very famous software companies in the infrastructure space I was telling one of my friends.

Do you know that this company was founded in the mid 1980s? He said no He said no way. I said yes, but it took them almost 10 years maybe To just have some traction and even they pivoted a little bit and said wow. I never knew this I [00:44:00] said Yeah, because it's not an easy thing. The second thing I want to, to, to add on what you said, Brittany, about, you know, you, you just give the right word for me, you know, entrepreneur or intrapreneur or whatever you want to go or want to promote even about not accepting the status quo.

And, you know, this is why sometimes they, they always tell me, okay, you always work in, in, in. corporate, I said, yeah, but I was always the guy who's challenging the status quo. Like, of course, I had the chance to work with startups who were just starting operation in, in my area here in Dubai and the Middle East.

And, you know, I was acting like doing everything. I was the pre sales guy. I was the sales guy. I was the marketing guy. So nevertheless, it's challenging the status quo because, you know, the question I asked Okay, I'll just give you an example. Why this frame is like this. Why we cannot like change something to make it better, right?

So to me, this is, you know, entrepreneurship. It's 

Brittany: pushing, you know, it's not just challenging the status quo. It's [00:45:00] pushing people out of their comfort zone, right? For anybody on, on, um, in your audience that's familiar, with the traditional growth matrix, right? What it is is that it's always hard to move away from the cash cow, right?

That cash cow pays your bills, keeps people employed, make, keeps you as a big brand name. But if you want to continue to be relevant and here I am in the Boston tech space and I'm sure a bunch of people have read innovators dilemma, right? Boston lost its role as the original Silicon Valley because we had companies that kept focusing on the cash cow rather than chasing the next rising star.

And that's really the role of folks like yourself and me, right? I was you as well, right? And I never thought it was so funny when I founded a company, I always say, I never thought I'd be a founder. I always thought I'd be the person that came in and grew it and everything. And they said, of course, Brittany, you were a founder.

You've been doing this for companies. He's yourself. You [00:46:00] just finally did it for yourself. And, um, and, uh, and so it's really about, there's two sides. One, you have to make people feel uncomfortable and in an organization. And that's okay. Right? Like. Are you actually, it could be prospects, it could be your own company, whatever it is.

Are you actually doing this the right way? Nobody ever wants to admit that they're doing it the wrong way. It's like, no, I eat healthy. Of course I do. Well, what'd you have last night? Oh, well, I had some fried food. But that's the exception. It's fine. It's fine. It's okay. But, but the other thing is that you have to bring them on.

The future journey, and I think that's the real magic of an entrepreneur and intrapreneur to say, imagine this next phase of life. The last change that you made was so wonderful. Imagine if we can make that even better. Sometimes that may be going off in a different direction. There's a big. Company in our space that's selling their software assurance come practice right now.

And it's really interesting. We don't begrudge them for it. In fact, we think it's [00:47:00] because they realize the high value of software assurance and application security that they know this is the right time for them to separate it out from the business. And, you know, and that's where You really, you just, you can't be afraid of the unknown.

I think that's really how it sums up, right? It may, it may not be a clear road to the unknown, but you can't be afraid of it. 

Mehmet: Yeah, absolutely. It's, it's, it's, you know, having the courage to take the unknown road, but their compass would be, I think what, what you're explaining, Brittany, is the, is the Purpose that they are after, like, what is their end goal, whatever you want to call it.

Like, I like to call it purpose. I like to call it, you know, like, Some people, they are different names, but it's their purpose. Their why, you know. Exactly. 

Brittany: Exactly. It's the purpose. It's the mission. And I say that that's critical, right? Look, you even talked about that. I know exactly what company you're talking about in the infrastructure [00:48:00] space.

And I could give you a bunch of NASDAQ darlings today that have very similar stories that are in the double digit billions that, you know, market cap. And, um, and it was 10 years before they were relevant. And, um, and, you know, but that mission, that purpose, that why is so critical because, you know, Because it's going to make sure everybody's beating towards the same direction, even if that direction changes a little bit, right?

I think for a bit, talking about the glamorization of startups, that the term pivot became too, like, yesterday I was doing, I know one, I've met one founder. Yesterday I was doing educational AI, and today I'm doing office meeting booking. That's not the same mission, right? That was right. Because if you don't have that mission, that means you're not actually working towards solving a pain and the tides are going to change.

The, there could be storms along the way, [00:49:00] but if everybody has that mission, they're rowing in the same direction in the boat together. And you'll, you'll get there on the other end, no matter where the roads took you along. 

Mehmet: Absolutely. Now, Brittany, before we close, I like to ask the question and I asked specifically when I have founders with me on the podcast.

If you think about one piece of advice that you wished you knew before you started, what that would be? And this is something in a different way, what the piece of advice you keep to be founders 

with. 

Brittany: I, um, I, so the piece of advice that I Wish I known before I started was that investment in prioritizing my own time as a founder has a exponential return for the company.

I think especially founders, you said it yourself, right? You were a man of many [00:50:00] hats, right? Founders tend to be a little bit of that because we're used to, if we're pulling together the pieces of the puzzle, sometimes we have to solve the pieces of the puzzle ourselves. And there's this feeling as a founder that All my money needs to go to X spot, right?

Therefore I'm going to deprioritize myself because I can do it. I can do marketing. I can do back office, whatnot. What you don't realize is that every hour that your time isn't going towards setting that purpose, helping your team, working with customers is actually a drag on the business. And so go and find, and I think especially, We've really leveraged great fractional and remote talent.

Go and find that person that is going to be your wingman and do not let an investor dissuade you, right? Someone will go, Oh, you don't need a COO EA, whatever's going to help fill that hole for you is going to maximize your value to the company. And some of it. [00:51:00] Is also going to mean that it's going to free up free time for you as a human, because if you don't take that time to do the things that are still important to you, you are not performing for the organization because you are a whole person that has founded this company and you need to still do the things that make you a whole person because otherwise you just won't be at optimal performance.

And I learned that the hard way after nine months when I crashed and burned real, real hard. You get sick and you just, you lose that creativity that gets there. You need all pieces of your brain functioning, not just the work piece. 

Mehmet: Absolutely. And this is crucial because as a founder, you will be the CEO. So you are the captain of that ship and your mission is to take the ship to the safe Harbor.

So if 

Brittany: you hear it's, I love the captain analogy. Athletes, right. I love Serena Williams because she is very, when she was still, um, [00:52:00] competing, she was actually very open about the fact that she would take a rest day. And that rest day sometimes was laying on the couch, watching TV and right. And, you know, but you never doubted the fact that when she was training or competing, she was open.

Out there training and competing and some days you go, I just need to rest day to be on the couch. And I was like, that is really the model as founders that we should be following because somebody early on, like, how many hours a week do you work? You're like, of course, you're working 24 7 on this because your brain's going on it all the time.

It doesn't mean that. You shouldn't that you shouldn't take time to go do something else like a lot of books talk about it But I don't think we talk about it in our founder community enough to say you got to take care of yourself To be able to take care of the business 

Mehmet: absolutely Uh, there's a final question where people can find more about you and of course about Wabbi 

Brittany: Well, please don't hesitate to reach out to me on LinkedIn.

I'm easy to [00:53:00] find there. Um, or if you want to find out more and have more, more conversation about the application security and application security posture management space, you can reach us at www.Wabbisoft.com. That's Wabbi with two Bs. Um, and please reach out, just say why you want to chat. I always love to have these conversations and I'm happy to continue it with anybody, um, anybody out in your audience.

And I appreciate that. You giving me the chance to meet your audience. 

Mehmet: Oh, my pleasure. By the way, don't worry. Every URL you mentioned would be in the show notes. So we'll make the audience's lives easier. Brittany, like, you know, I love these conversations, not because of the technology, of course, it's very important, but because also to show, you know, what's behind, what's the story behind, and you know, the story behind Wabbi, very obviously, please, mission driven.

Uh, it's a passion that you have. So thank you very much for sharing that. And it's [00:54:00] good also that we made very maybe in a shy way, awareness about application security and DevSecOps. So I hope like people will, uh, will benefit from it. And as you mentioned, if someone is interested to learn more, they can reach out to you and to your team as well.

So if they are interested in learning more about Wabbi, And at the end, this is how I end my, all my podcasts. So this is for the audience. Um, if you discover this podcast by luck, or if someone just send you the link and you get to this episode, thank you very much for passing by. I hope you enjoyed the conversation.

If you did, please subscribe. We are available on all the podcasting platforms and you are available on YouTube also as well. And if you are one of the loyal followers and loyal, uh, people who keep, you know, sending me their messages, their suggestions, thank you very much for doing so. Please keep them coming. I'm always open for suggestions and your comments. And if [00:55:00] you are interested to be on the show as well, don't hesitate. Geography is not a problem, time zone is not a problem. Brittany is in, you know, in the U.S. I'm in Dubai, so we can find a common ground to do this. And thank you very much for tuning in. Uh, we will meet again very soon. Thank you. Bye. Thank you.