Columbus Startups – A Security Perspective

BSides Columbus · 2020 · 48:21 · 81 views · Published 2020-08
About this talk
A panel of security leaders at Columbus-area technology startups discusses the unique challenges and opportunities of building security programs in fast-growing companies. Topics include build vs. buy decisions, scaling security without legacy infrastructure, automation strategies, and how mature security practitioners can support the startup ecosystem.
Original YouTube description

This panel features several information security decision makers at several Columbus area technology startups. Moderator Warner Moore dives deep with Brendan, Shawn, and Jesse to get their take on build vs. buy, how startups differ from corporate America, and more.

Moderator: Warner Moore
Panelist: Brendan O'Connor
Panelist: Shawn Sines
Panelist: Jesse Throwe

Transcript [en]

hello everyone and thanks for joining us at the closing keynote at security bsides it's been a trying five months for many of us going from commuting every day seeing our friends and family hanging out at events like this to at least in my case barely leaving the house in five months i i think we're super fortunate to have such a strong community in organizations such as bsides columbus to help keep these things going the community is super important and organizations like bsides columbus help sustain the community so thank you thank you for being here thank you for supporting the community and especially thanks to the panelists here for agreeing to continue to participate in the conference

i'm really excited for our conversation here today and really how we're going to start first is just do some quick introductions and i'm super excited too this all-star panel has nearly a hundred years of combined experience like how often do you sit in a room with some folks and have nearly 100 years of experience and that's just incredible and even better it's some of my favorite people so super excited to be here talking with you and the panelists here today first of all i'll introduce myself uh my name is warner moore i i've built over six security programs and security and privacy programs in some cases i'm losing count at this point many of them have been in security

or really tech startups and young companies growth companies and this includes innovative companies such as check out cover my meds bolt penguin after building a bunch of security programs i decided to switch things up a little bit and founded a strategy consulting firm called gamma force and right now i'm serving as virtual cso for smart columbus and d plants today we have so many tenured and respected folks in the industry at first i i'd like to quickly introduce each of you and then i'll give you a moment to share anything more you'd like to share about yourself it could be professionally or your favorite anecdote of the week whatever it may be first i i'd like to introduce jesse

throwe jesse is a technologist and among the first security personnel that were hired at cover my meds he got to see the security program built from virtually nothing to help create security operations capabilities in the organization as a security engineer and now he is managing the security operations team i'm excited to have jesse's perspective with us today is there anything else you'd like to add to that jesse uh other than i think you just called us old there a minute ago [Laughter] um no it's good it's great to be here uh it has certainly been a journey both cover my meds and and elsewhere in my journey um cmm has come a long way and we you know

became the largest unicorn as it were to exit the market at billion four um now the subsidiary of mckesson corp that brings a whole other series of interesting challenges that we have learned to adapt to and modified the security program since accordingly going from uh inc 500 a fastest growing company to a fortune 5 uh mckesson's one of the biggest companies in the world i i'm sure there's all sorts of fine stories there thank you jesse next i i'd like to introduce matthew brendan o'connor uh matthew uh goes by brendan so i'll be referring to you properly here on out brendan and i have known each other for a long time and it's funny he's worked

with all sorts of different organizations and we kind of used to poke poke at each other between startup life and different sorts of professional life and after having such a tenured career brendan decided to be the first security person at root insurance root insurance is a well fast growing tech startup here in columbus ohio and they are a unicorn in startup land that means valued at a billion dollars or more so they're a pretty big deal and uh while brendan's experience as the first security person at a growing unicorn startup i'm super excited to have on the panel with us here today since then he's joined checkpoint security anything you'd like to add there brendan

well i'd just like to thank you and the other members of the panel i've known you guys for quite a while uh jesse and i haven't crossed paths too much but we definitely have cross paths before us but it's good to see you and shawn today and happy to join the panel so much for being here brendan now i i'd like to introduce shawn sines uh shawn uh like the other panelists and we've known each other for quite a while and in columbus and we have such a great cyber security community as demonstrated by all of you here at bsides columbus today shawn has a seasoned and diverse career having served as a marine a consultant an engineer and leader for

companies across industries currently shawn is serving as a security architect for a series a startup that is growing fast and that tech startup complex i i'm excited to hear some of the lessons he's going to be sharing with his us from his time there today anything you'd like to add shawn well it's funny jesse was talking about the transition from a standalone startup to a corporate organization and the last two years i spent at vertiv kind of doing the opposite where vertiv spun out of emerson and became a startup and so i think it'll be interesting as we're talking to see just the different perspectives on kind of that same journey in both sides of it

that 100 years of experience coming out i'm going to keep that going yes we're old we get it [Music] well in a startup things are often greenfield what that means it's a blank slate you can do what you want right uh what are some opportunities or thoughts on building new security programs or solutions in a startup would you kick us off with your thoughts on that question please brendan oh absolutely um you're right it is entirely greenfield that was one of the things that really attracted me to working for startup i was thrilled with the idea of being able to get in and just build it like you said building security programs something you've done

before it was fantastic one of the things i'll tell you you're asking for lessons learned or things that i did one of the things that i took advantage of in the green field was to try to avoid point project point products since i had greenfield i decided that i didn't want to have 30 vendors i'd rather have three or four or five and that was a great experience just trying to find vendors that hit multiple problems and did it well and then work with them from the beginning to build the security program and the kind of vendors that work well with a young company or a more innovative company are often fundamentally different than the kind of

companies you see the logos you see in the these big corporations in our city around us do you have any thoughts you'd had on greenfield environments they're just um yeah i think one of the interesting challenges that we face with smaller security programs is adapting to the business i enterprise security is largely in some ways very aesthetic you know you've got this large-scale problem and you know most organizations build piles of bureaucracy to work around it especially as a startup or a smaller organization you your biggest strength is your agility your ability to adapt to change and the security program needs to kind of lean into that to some degree in order to ensure the business

is successful the way that i've historically approached it is i tend to take a very risk-based approach let's understand what the risk is and articulate that to the business and work with the business to figure out how best we can mitigate that risk the bang for your buck as it were seems to give us the best approach and allows us to continue to modify and continue that conversation as that risk changes as the organization grows and changes i love that jesse how can you support or enable the business that's something that's so often missed in security teams these days and well and corporations are bigger companies sometimes we still get away with that right the department

of no uh is slowing down the business in a startup very young company and you slow down the business you probably won't be there very long so it's a really different a situation called truly but it's also an opportunity too an opportunity to innovate because you're not stuck with piles of legacy cruft can you tell us about some unique opportunities where you've had to innovate in security and your broad and diverse background shawn oh innovation yeah um just about every organization it's funny we're focused on talking about the startup lifecycle style but you know it's funny you know again playing on the 2 000 years of experience or whatever we have on the panel um now he's calling us old

well i think i get it on the game uh the the thing i've seen in my career is that security has gone from a checklist kind of function to a storytelling function right the most effective security programs understand how to translate you know what does the business care about to what is the technology need to deliver and you know so what i've seen a lot of times when it comes to innovation is people finally learning that you can't just walk in and spout off a bunch of tools and expect people on the other side of the table to give you the money for them um and especially in startup land right where there isn't a huge bucket of money

to spend on things that don't drive the profitability or the bottom line of that company in its critical stages of growth uh coming into a new company that's only in the startup and saying i want to go out and you know buy you know qradar for instance right this huge very very versatile siem package you're going to drop a price tag on the on your founders and they're probably going to look at you like you have seven seven eyes right it's and they're gonna go what is this gonna do to make us more profitable and if you don't adapt to that quickly um that's a very different change from being in the enterprise world where i

have a 1.2 million dollar security budget this year what widget do i want to buy um and that mentality hopefully is also changing in the corporate world and i have seen a change away from that kind of mindset so that's where i see the biggest innovation is is learning to be better communicators and to better understand what our companies do because that's what a startup can teach you better than anybody else yeah i love that because that's ultimately what a startup's doing right and that's entrepreneurship it's solving a problem that uh companies or people care enough about to pay you to solve it for them you're not solving their problem you're not making money and you won't be around

much longer thoughts on a security innovation jesse um i definitely agree with shawn there it is very interesting now being on the other end of that and one of the more recent challenges that i've had to embrace is helping one of the largest organizations in the world understand that difference is okay and give them that confidence and that transparency to move forward because at this point it's not you know the scrappy startup with the small founder who's accountable for the risk that we take on it's somebody far removed from the program at some c-level it ultimately is and they want things like data and that's totally understandable and acceptable and so we've had to kind of

build a little bit of process that didn't have before and that comes with its own fun as especially those who knew the place before start to grump about well it's not the way it used to be and helping them understand why it's important and why it matters so i guess that i guess that's my my takeaway my biggest note is the uh helping to understand the seek seek to why isn't just at the top level it's also sometimes at the bottom you need to help your fellow smes and peers understand why we need to do these things and win hearts and minds very insightful thank you brendan security innovation i really liked what jesse and shawn both

said and i'm going to try and combine them a little bit shawn said stories are a great way to get security across and make it more holistic and jesse was talking about a risk-based approach my experience with startups and innovation and security is is very interesting and you learn this lesson if you're in i.t or information security long enough and you progress enough you learn the lesson that the business is much more important than what you do and that you're really only there for the business but in a startup you learn that lesson very fast and you learn it very very thoroughly so it was very interesting to realize that risk started with the ceo cto cfo

chief legal officer and it went down from there so we had to keep in mind we you know there were certain security functions that we could not do right away even though they might have been considered slightly basic because you weren't sure whether the doors are going to be open two weeks from now and i'm talking very early startup obviously as time goes on and as you start to meet goals and see yourself doing very well then things change and you start to advance you start to mature your program it's just really interesting to see how it's totally focused on risk you're in the same way that you do in a fortune 500 company where

you stack your risks and you address the ones that are the highest and the most impact but it's just it really is much more sharply focused on the innovation that happens in the startup you you just cannot do certain things until a little bit more maturity is gained in the business not even in the security program yeah in the business right because if the business isn't working well your paycheck might not be working those fundamentals become so much more real in environments like that absolutely so in startups right operating on burn rates where you're spending more money than you're making spending investors mon money no and that's in later stage right and earlier stage concept c um

there aren't always big budgets or big vendors so like shawn exampled earlier you know showing up and talking to the founders with a a six-figure uh cost for a technology or vendor product and well that that just might not work not not in a young company judy even in a later stage company that might not work that's a lot of money when you're not publicly traded what are some ways you've tackled security solutions with less resources and you want to kick us off with that one shawn sure um so i guess one of the things that happens in startups that's a little bit different i think than in the corporate world is my hiring practices were different

right i would hire for utility rather than speciality in in that world uh because i needed to solve multiple problems with a very finite pool of people and when i couldn't find people who could do those specific things i grew them i would find somebody with a lot of potential and i threw a lot at them and that that's stressful but i think everybody comes out of that experience probably stronger practitioners so solving problems that always meant you know looking at the tool bag and making sure you had you know kind of the alton brown mentality in a kitchen you never want a tool that does one thing right a tool needs to do two three or four

things to be useful and to have it in your drawer and i think that that's a lesson that a lot of corporate security people could learn like that thoughts on small budgets big solutions jesse now this is one that you know all too well since you and i live to a good chunk of it cover my meds um i definitely agree with shawn uh we would sometimes hire differently than you would in a large corporation you would grow people and that is really awesome when it succeeds watching you know your peers growing change in that way um i think part of that becomes you get very creative with your solutioning you don't have that you know the 1.2 million

dollar it budget you've got a customer is demanding or compliance requirement is demanding that we solve a thing how do we check the compliance check box and actually drive value is often the you know business driver for that kind of a thing in that in that time frame and so you get creative and so it becomes a lot of at least in our world became a lot of building open source tooling and taking a bunch of baling wire and duct tape and bundling it together to build something that was it was something we were proud of it was awesome and it's on right it was you know a little janky but it worked and it worked well for our purposes

yeah you fight scale right and and the problem you risk with the startup is if you have explosive growth in that first two or three years that solution you built to solve the problem that first year may fall apart as soon as you get success and then you have to redo it and and yeah that's that's always fun i guess is the best way of putting it it is in its own way i think my my favorite analogy on that one uh we set up a on-prem mail solution using a it was a basic ha setup and it's mail you don't think about it right fast forward i think it was two and a half years we discovered that we were

sending so much email that we were tipping over the relay and so we had to go and rebuild the ha for i think it went from two to five nodes and all the additional things that you have to add around dns and whatnot for it to do the load balancing scale at that point it was totally a start-up kind of problem i suspect at this stage you joined root insurance budget budgets might not have been constrained but i'm sure it was maybe a culture shock relative to big corporate budgets any lessons you'd like to share on that subject with us brendan i think that the budgets were pretty well established by the time that i

tried you

typical zoom problems so i think i was employee number 240 so by that time the budgets were fairly not constrained but still i was very conscientious of it you never want to have a security budget that's so big that you're drawing attention i mean that's a very bad thing in any size company so we were trying to be innovative with how we dealt with things root had a very great advantage in that they had some really really brilliant developers who had done a lot of block and tackle before i got there and they were available to assist as well so they if we had a security concern with something that they were doing they were able to come and work with us and

figure out a solution sometimes it was some extra code sometimes it was reconfiguring some stuff in the cloud provider they were just really really good at it one of the challenges we had that really made the difference was we didn't use active directory which is very very interesting when you're trying to be an innovative small company and move forward try to get a huge vendor or even a medium vendor to understand in the beginning of the meeting that you don't use active directory you actually have a lot of meetings to end quickly but that was a small challenge one of the innovative things that we did for budget and for solving that problem was we actually used the same community that

we were part of we very often found ourselves looking to startups we also did as jesse said we open source was a big thing at root but we also turned to startups we turned to companies that were in the same boat or maybe earlier stage startups even and found that they had really innovative solutions that could help the startup community with their problems in innovation i love that you mentioned that and um tech executive circles and well locally we have such diverse companies often i'll be surrounded in a room by uh folks who work at some of the biggest companies in the city and one of the things i always share is it is our responsibility

to support young companies if we gripe about a lack of solutions or a lack of innovation that solves that problem there are plenty of areas in our businesses that are lower risk where what would make a big impact with a young company and be a potentially competitive advantage for us would be a relative small drop in the pocket and budget pocket so that is so true brendan i i think it is incumbent on us all to help support the larger ecosystem along those lines i when we talked jesse brought this up we talked about building things uh growing people and that that is so very true and i think those are universal lessons um and a lot

of the young companies i worked with uh cover my meds we deeply held that value of growing people um but it's really different right in a lot of shops it's how do we find this vendor to solve this problem how do we support the solution that we bought um it's a common model i'm sure most of us are familiar with it in a young company it's not only how do we solve this problem but how do we do it best more efficiently best for us and often that's a combination of building it a combination of growing people and i i'd say like some of the coolest solutions i've seen built to solve real problems for in startups

hey can you share with us jesse as some things you built or or problems you've solved using a different approach than just calling up a vendor and throwing money at them um so i think my best example uh so my job before cover my meds we were a pretty big splunk shop that was my primary goal test there was to build up the splunk enterprise security program and when i transitioned to cmm we you know you didn't have the seven digits to throw at splunk and that was the right call um but especially for a rapidly growing company we couldn't hire people fast enough so we needed something and uh at the time i joined it was

alienvault i believe was the the siem that they had in place it was barely able to keep up at that point with the palo alto logs much less all the other things i wanted to add to it so we went and we found looked at options hadoop was a little too heavy it was the other thing that i was kind of familiar with so we found elastic and so we built an elasticsearch cluster and this was mind you the elastic 1x days 20 was like pre beta so it had its clunkiness they've smoothed many of the edges out since then but we built a nice i think it was a three or five node cluster to be able to

ingest at that scale all of our log data and then all the effort spent to normalize it and that was it was it was a fun project but it was it was a lot of work and we ended up throwing it all away for i think it was like three years later we bought splunk yeah there's a certain skill where it doesn't always make sense uh that's for sure it's um always i i there's been some vendor solutions where they cost so much it got to a point where i'm like huh i can build a team to build this for less than i'd pay you a year i have literally told vendors that in the past like you cost too much i can go

hire an fte and i will do it too brendan any build stories you have from your startup experience or or otherwise solutions you've solved by building things yeah actually it lends itself from what i was talking about before without having active directory we had an identity access provider that we used um really great solution but they work better i guess you could say with active directory so we had a little bit of a hurdle and the solutions that were built were built to make that work better and uh it was homegrown um a guy on my team who was phenomenal i don't want to mention his name but he knows who he is if he's listening he was

really really good with this solution mention his name it's a compliment unless he wouldn't like it i don't know okay okay i probably shouldn't but yeah he was he was really great at it he developed the system and it was getting kudos everywhere it was essentially tied into hr so when they hired and onboarded role-based access controls all the saas applications were granted right away it went into the tool and did its work and it didn't rely on active directory so that it was a phenomenal piece of work that we did from this ground up and i think there were some people at the company who were questioning the time to build until it was done

and then it was obvious that we just saved a hell of a lot of money time and effort because we didn't have to roll out active directory that was a great great situation it's funny folks hear that and it's probably mind-blowing no active directory i've made a conscious effort to avoid it and uh really the past five years because with young companies greenfield environment modern technologies and solutions it doesn't usually make sense i agree it's the saas applications that everyone is using nowaday and if you're in a company that doesn't think they're using saas applications you probably are and you just don't know it yet uh and that's just the honest truth get get like a firewall check or you know saas

application check you'll be shocked i can tell you early on in root it was probably around 250 to 300 employees we ran a firewall check for about an hour and we were sure we had somewhere around 30 to 40 saas applications we could count officially a certain number and then we figured there'd be more there was more than double what we thought as a fairly generous and we knew that would happen because that's the story that everybody tells it wasn't shocking it was actually slightly lower than i thought it might be in a nightmare situation but this tool helped a lot it helped gather all those um various resources it helped us identify them it helped us

correct them bring the identity under proper controls it was really well done that's great yeah there are so many great modern identity solutions now that didn't exist before there are really multiple good ones to choose from no one's paying me so i'm not going to name drop them i want it anyway right but there are a lot of good solutions out there so uh well hey before we continue anything you'd like to add to that subject shawn it's funny because my example is a combination of both jesse and brendan's situation um we're working with startups and and this is in my consulting days as well as my employee days right um putting together for small organizations that you know

this is a hosted platform for web pages the company i was working with at the time and they don't they don't have an active directory they also don't have a siem so we're having to find a way to solve that problem at the same time because their customers are coming in and wanting to audit right from compliance perspectives and they're going so how do you manage these things and the answer that they have is well there's a form on a desk that i give to somebody in hr and then something happens and it's magic and we don't really know um which is very typical in the startup world right it's magic that anything gets done on a daily basis

but so we ended up doing something like um building a security onion appliance that also fed into an elastic stack right and we knew day one we started this project knowing this is going to get thrown away in a year right that was the premise and when we sold it to management we said look we're using open source tools this will not scale as the company grows but right now you need to hit your compliance objectives so these are the tools that we can put in place to do that and you know for a directory we had they were a google customer and they're like well just use google's directory we're like yeah well there's some limitations

there um and they were largely a mac shop so let's just add further complications to all of these pieces and everybody's afraid of ldap so you're not ever going to have them stand up a linux ldap especially when they've got exactly one security person that's not a consultant on staff and they know they can't support it so we had to be innovative like brendan said we went and actually brendan and i worked together on on some of the investigations he was doing early on in his time at root but we ended up looking at a lot of the same kind of startups because again there's that need to feed back into startups when you're a startup

and we found you know outside of the open source solution we found a directory provider that again this is a one or two year solution ex expect that it's going to burn out its usefulness and just plan for it and and that was again the business conversation great thoughts um one thing i'll just mention quickly is i i hear so so often that elk doesn't scale i i know a dude who took it to nearly a petabyte so it scales maybe you can scale it or not but it's a pretty sweet solution there's a lot of good open source solutions out there that scale but it requires a higher bar of engineering talent so if

that's not the kind of organization or team you're building it might not be a good fit um along those same lines and we've been talking around this subject with a lot of young companies over the past five or so years many of them are cloud native an internet connection with no physical infrastructure how do you approach security differently in these cloud native environments uh shawn kicks us off on this well that's easy you put the onus of security on the application platform and then you monitor and manage those controls the the idea of a coffee shop network is foreign to a traditional security person right and that your corporate network would be a coffee shop

but here we are every single day we live in this situation right now um even though there are a lot of corporations that are adopting solutions that you know can help with the remote work problem we've effectively just created an entire workforce working from a coffee shop on a daily basis and so the need to engineer controls at the application entrance your authorization and identity platform becomes much more important than a lot of people probably thought it was i love that it often in security we don't make the distinction between product and um operational responsibilities i i'm seeing more rumbling about product centric cso ciso in the market lately and it's always been innate to me because if

we're building a technology solution be it an insurance platform supported by technology or a prior authorization platform uh that's supported by technology or uh ai and machine learning platform well it's entirely technology right well the features in the product that relate to security are so much more well maybe not more important but as important as the operational stuff and zoom had that lesson right uh not so long ago many of us in the security field are familiar with all the security features that were quickly introduced as we became more reliant on video conferencing technologies and it seems that in security we're often playing catch up right in startups it's often a new environment without legacy cruft and

i at a past shop i i used to call it unicorn catching right because we solved some unicorn problems that uh an organization with 20 years of history wouldn't be able to at least would not be able to tackle easily it was difficult for us too but we could do it what are what are some unicorns that some of you have caught some problems you've solved that in most organizations you wouldn't be able to solve and this will be our last uh conversation before we move to closing thoughts i want to kick us off on this one jesse oh that's a hard one um if i had to point at one thing i would say the automation

and i will wholeheartedly admit that it's imperfect still to this day but we like i just mentioned earlier scaling at humans just doesn't work especially in a startup and so you have to build things intelligently and strategically in order to be able to keep up and so a lot of our pipeline is computers talking to computers and i think that's actually interesting for us in some of this conversation uh CoverMyMeds is probably one of the last large companies that startups that have become a large company that built an on-prem infrastructure we have actual blades inside the data center doing actual bit fiddling and to be completely honest i can guarantee you if we had to rebuild it

today it wouldn't happen it would all go up in the cloud and we'd be leaning a lot heavier on SaaS applications and things to solve our problems that we just they simply weren't options back then the security model in the industry hadn't matured at that point to allow for PHI type handling in most of those instances uh again Warner is painfully aware of that whole conversation all we needed was about nine months and it would have been fundamentally different yep but the timing just wasn't there back then um so you you know if we had to do it today it would all be a bunch of APIs talking to APIs and that's actually the cool thing about a

lot of SaaS applications is it's all natively built in i had to spend so many conversations with vendors because the i literally told a vendor at one point i think it was around the laugh i'm willing to lose some operational control strength in order to allow for automation and i meant it as long as tool b met the job if it had the API strength long term it would be a better play in most cases and they just they were one of those old fuddy-duddy companies i didn't understand it and their ui shows it because it looks like it comes from Windows 2000 um so yeah it's it's a thing and i think that that's very important and

will continue to only become more so as we become security practitioners in the cloud first world so interesting right how things change with time i'm working with a technology company that's a hundred years old right this same engineering mindset the things look way different when you have a hundred year history to pull from Brendan uh unicorns you've caught and then uh after that after your thoughts on this subject we will transition into uh Shawn who will uh be uh encouraged to share his closing thoughts absolutely so one of the challenges that we had at Root was we not only were very innovative very fast and uh we were cloud native they had no data center at all so it was

very interesting as Shawn mentioned before the coffee shop mentality the office was a place where there were meeting rooms and your compatriots were easy to find if you wanted to get up and walk over to them but it wasn't necessary there was no application on premise i honestly don't recall if they had a single thing on-prem everything was a SaaS app or in cloud provider so one of the interesting problems that we had as a security team was how do you secure that when the office isn't important when the data center isn't important how do you actually get those devices to be secured so we built a lot of infrastructure in SaaS applications as well

in order to handle that which was exactly the right way to go because if you have somebody who is just going to be on the internet where they are is irrelevant even if they're in the office it's irrelevant you really have to do SaaS applications so that when they connect their agent if it's agent-based is going to check in and that was the way to do it we managed to do many many security features and functionalities that way and that was a lot of fun because you really you did gain some limits because some of the more entrenched vendors in the security field did not have that type of an offering yet but you really did have a lot of

opportunity with new startups and new innovations in the field and we were able to take advantage of a lot of it and build up client security because as i started we were a little bit different even though we were all that innovative and cloud first and everything we also had regulatory compliance so we had to control our endpoints to at a certain bar there was no if and about we had to do it and uh that was really the interesting unicorn chase that i had that's great thank you Brendan yeah i i love the contrast uh between uh and the conversations uh Jesse and Brendan right because CoverMyMeds don't quote me on this is uh probably uh

15 plus years old and the timing and then Root is uh five ish years old right so a similar ethos a similar approach but just due to the timing the solutions are slightly different after i i don't spend much time with physical infrastructure these days let's just put it that way this has been such a great conversation i i appreciate all your thoughts and thank you so much for that um Shawn any closing thoughts before we wrap up yeah so we spent a lot of time talking about the challenges and the advantages of being in a startup and i i keep bouncing back and forth between consulting and startups in the last few years because

i find that a i learn the most when i'm working with startups and i'm challenged because i have very few resources and really interesting problems to solve so if you're somebody who's been in an enterprise role and you're feeling a little bit stagnant and you want to see where the next path in your career could go you need to consider startups they will give you the opportunity to just fail spectacularly and still learn something um when you often don't get that capability in a you know 200 year old banking institution right so that's that's the big takeaway for me in my experience in both startups and consulting is consulting teaches you a lot but a startup is really hit the

ground running and you learn and you can fail and it's good to fail much better than it is to succeed in many cases i i used to say three to five years in a startup a growth company and that's a key point a startup that's growing is worth 15 years in a corporation and depending on your role might even be a mini master's in business as well a mini MBA Jesse uh closing thoughts on startups and innovation i definitely agree with Shawn um one of the things that i especially now that now i'm a leader and not just as me but both as being a leader is that failure is it's not exactly encouraged but it's

part of the process we allow room for those people to stretch themselves and accept that you don't always get it right the first time and that's okay it's part it's ingrained in the startup mentality because you're doing this cool unknown thing as a business in general and part of that means that you have to build these spaces that in some cases there are no answers nobody nobody's done the thing before so there's no blueprint or guidebook or guru that you can go to and go how do i do the thing you're figuring it out as you go love that thank you jesse uh brendan closing thoughts uh i wanted to close with a little story

because it kind of summarizes some of what uh Jesse and Shawn said and it talks about the agility and the innovation and speed and what you're able to do as a startup as opposed to a well-established company when i early on at Root and this is purely coincidence i was passing in a hallway and i heard somebody from customer service walk up to a programmer as they were passing each other and have a brief conversation about something in our app that the customer said well why don't you do this and the customer service rep said you know that's a great idea and walked over to programming and this is about 10 o'clock in the morning i think

and just coincidentally again later on in the day like 3 30 or 4 o'clock or something but some seeing two people cross paths while i happen to be there and he was telling her how it was deployed so they were able because you know microservices and DevOps and just the speed of innovation they were able to make the little piece of code change that they needed to do exactly what that customer suggested to improve the customer experience they were able to do it really quickly get it tested get it pushed to production i was amazed i mean that was like just very refreshing to see that turn around because if you've been in corporate

america have you been in Fortune 500 sometimes that takes you know a prop proposition in a meeting an approval you know a ticket that has to go through a system it has to be brought into testing for days and there's another team that's going to test it the the way that it works nowadays with the innovation is phenomenally fast and it's a great thing to see what a great story Brendan speed of market right dev culture and practices DevSecOps if you're not embedding security into the automation practices cross-functional teams well i you might be falling behind as a business speed to market is worth so much that that customer was happy that paying customer right

yeah if you don't have capabilities like that in your organizations well you might be at a disadvantage incredible conversation thank you all we're going to hang out for another 10 minutes or so this is recorded and we're stopping our recording now but fortunately we're going to spend time with you live here at BSides Columbus i just want to acknowledge our organizers our volunteers our speakers our sponsors all the people here who came together to put this conference on for you when they could have just given up the people here in the community that are still going in this trying time deserve even more credit than before so please thank these people and please support them because it makes a big

difference right now thanks so much we'll chat live soon thank you