Rohit Sethi of Security Compass: 5 Things I Wish Someone Told Me Before I Became a C-Suite Executive
Ruthlessly Prioritize -Despite what your agenda may be, your organization can only handle so many initiatives at once. The only way to succeed is through prioritization.
As part of our series called “5 Things I Wish Someone Told Me Before I Began Leading My Company” I had the pleasure of interviewing Rohit Sethi.
Rohit Sethi joined Security Compass as the second full-time employee. As CEO, Rohit is responsible for setting and achieving corporate objectives, company alignment and driving strategy to execution. Rohit specializes in building security into software, working with several large companies in different organizations. Rohit has appeared as a security expert on television outlets such as Bloomberg, CNBC, FoxNews, and several others. He has also spoken at numerous industry conferences and/or written articles on major websites such as CNN.com, the Huffington Post and InfoQ.
Thank you so much for joining us in this interview series. Before we dive into our discussion, our readers would love to “get to know you” a bit better. Can you share with us the backstory about what brought you to your specific career path?
I graduated with a computer science degree in what was possibly the only era where that degree was not in high demand: the dot com collapse. I was passionate about building things, but my career options were limited at the time. The timing coincided with high-profile accounting scandals that led to the passing of the Sarbanes-Oxley act in the U.S. The law forced companies to focus on their internal controls around areas like accounting and IT risk management. This in turn created a lift in demand that consultancies were eager to fill, which created job openings for eager new grads. I found myself joining one of those consultancies focusing on information security right out of school, though it wasn’t the software development path I envisioned. Eager to retain some of what I learned in school, I found there was a nascent specialty called “application security” that brought information security principles to software development.
I discovered that much of what I learned in school would directly lead to vulnerabilities in software that could be exploited to cause all kinds of harm. Of course, I wasn’t alone in learning these poor coding practices. Millions of software developers were writing billions of lines of code, many of which were flawed from the beginning. There were, and continue to be, headlines in the news on a regular basis where the root cause of a data breach can be found in vulnerable code. Once I realized it, I became passionate about changing the way software was built to include security from the start.
Can you share the most interesting story that happened to you since you started your career?
I’m driving down the street of a mid-Western town in the summer of 2007. In the passenger seat is Nish, the founder of Security Compass. We are on our way to meet a multinational financial services company and present our proposal for a very large engagement. It’s the first time we are selling directly to a company, not as a subcontractor to some other security firm. The prospective client has summoned together a few very busy executives to meet with each vendor in person. We are a three-person company at the time, Security Compass is not yet a brand anyone knows, and none of the execs have ever met Nish or I. Suddenly we feel a bump. In my anxious state I managed to drive over a curb on a left turn, resulting in a flat tire.
I look at Nish in horror. We are still a 20-minute drive away from the client, and the meeting is in 30 minutes. Neither of us know how to change a flat tire. We immediately call the rental company, who tells us roadside assistance will be there in half an hour. It’s 2007, we can’t pull up a YouTube video to explain what to do. We know there’s a spare tire in the trunk but we’re not sure we have a jack or a wrench. Had it been another person in the car with me, they would have likely lost their mind. They would have screamed at me for screwing up the opportunity of a lifetime. Not Nish though. He looks at me calmly and said, “we’ll get through this”. It is in this moment that my entire perspective changes. It dawns on me as I witness Nish’s reaction that directing anger on something that has already happened is of no value; and that we can’t afford to waste them on things that don’t matter.
Eventually roadside assistance comes and changes our tire. We arrive at our meeting 90 minutes late, with dirt from our failed tire change covering our suits. By some miracle, our prospective clients make the time to meet us. They aren’t angry. Instead, they find our story amusing, perhaps even memorable. Instead of feeling defeated or upset, we remained focused on our pitch and we end up winning that deal. It becomes one of our first marquee logos and produces enough revenue for us to hire more people and expand the business. For me personally, I began to understand the mindset of a leader.
Is there a particular book that made a significant impact on your leadership style? Can you share a story or an example of that?
Many books have significantly impacted my leadership and management style. One that I like to reference frequently is “The Five Dysfunctions of a Team” by Patrick Lencioni. The premise of the book is that highly effective teams exhibit a series of behaviors that product results. Ineffective teams exhibit the converse, or a series of “dysfunctions” that lead to inattention to results.
I brought the book to our leadership team and we hired a consultant to conduct a workshop. He asked us to answer a series of questions that resulted in an assessment against all of the five behaviors. As much as we thought we were a high functioning team, the self-assessment revealed that we had some shortcomings. For example, we didn’t really hold each other accountable. That shortcoming at the leadership team could single-handedly destroy a company. We worked hard on changing our culture by establishing clearer targets and expectations and being clear about accountability. We felt a sense of letting the team down when we didn’t hit our objectives, and we all sought to jump in and help one another when it became clear that objectives were at risk. It also meant we became much more deliberate about setting and measuring ourselves against those objectives. Ultimately it resulted in us having to make some difficult decisions about people who just weren’t the right fit for their role at the company at the time.
What do you think makes your company stand out? Can you share a story?
Fifteen years ago, our founder Nish had told me about a role with Security Compass. He wanted to grow his company and he wanted it to be different. He wanted it to not only be a place where we can all do well financially, but one where we can help society in a meaningful way — to help make software secure. This was at a time when very few people thought or cared about software security. He wanted to build a company where people looked forward to coming to work on Monday morning.
Sometimes people ask me, why have I stayed in one place for so long? Why do people choose to work here? I have always believed passionately in our vision: a world where we can trust technology. I got into computer science to build amazing technology, and since that time the world has created some of that technology, but there’s so much more we could do if we could trust the security and privacy of our data. In healthcare, IoT devices, government services and other areas, we could be pushing innovation further. A massive industry has grown up on making up for the fact that we don’t build secure products. But what if those products were built secure in the first place? That’s not to say security incidents will ever go away, but the reality is that so many breaches occur because of basic, preventable defects in products. This is something that I and so many of my colleagues care deeply about. Even if I’m not building those products myself, the idea that I could have an impact on empowering a more trustworthy future energizes me far beyond the career motivations I thought I cared about upon graduation.
The road to success is hard and requires tremendous dedication. This question is obviously a big one, but what advice would you give to a young person who aspires to follow in your footsteps and emulate your success?
I’m tempted to start a philosophical discussion about what “success” means, but I’ll instead just focus on the single most critical mindset change I had. This particular insight came from the book “Rich Dad / Poor Dad”. Despite its title, my key takeaway from that book is that you can either be the kind of person who complains about problems or the kind of person who solves problems. We are surrounded by complaints. Don’t get me wrong, occasionally expressing frustration is human nature. The problem is that the time and energy you devote to complaining could instead be used to improve yourself. The single most important attribute I see in an aspiring leader is the proclivity to find solutions to problems rather than lamenting about the choices of decision makers.
Often leaders are asked to share the best advice they received. But let’s reverse the question. Can you share a story about advice you’ve received that you now wish you never followed?
Being part of an innovative company can be really inspirational to employees. The business press is ripe with tales of companies that stagnated and lost their market position because they failed to innovate. They often advocate for formalizing an approach to fostering innovation. However, that same business press is less likely to publicize stories of companies that failed because they tried to do too many things at once.
In our early days, we embraced the spirit of innovation by adopting a formalized innovation pipeline. We even went so far as to commercialize one of those innovative offerings and turn it into a new service idea. However, what we failed to appreciate is that small companies with limited capital need to be incredibly focused to succeed. Launching a new service meant a distraction at the leadership level, as well as for shared teams like sales and marketing. We found ourselves competing for time and attention with multiple offerings where we hadn’t quite nailed product-market fit. Results across the board started to suffer, and we ended up shutting down the service and decommissioning our formal innovation process. The truth is, we were still an innovative company by our nature, and we didn’t suffer from the creative stifling common in larger companies.
Ok, thank you for that. Let’s now jump to the primary focus of our interview. Most of our readers — in fact, most people — think they have a pretty good idea of what a C-Suite executive does. But in just a few words can you explain what a C-Level executive does that is different from the responsibilities of other leaders?
The responsibilities of the role change significantly by the size of the company. The CEO of a one-person company, for example, does everything by definition.
I’ll share my observations of the present role of the C-Suite at Security Compass. The executive team is tasked with crafting and deeply understanding the organization’s overall objectives, defining a strategic plan to meet those objectives, assembling a world-class team of professionals in a given functional expertise, and inspiring and motivating that team to execute on the plan. It’s important, for example, our leader of People & Culture to understand our revenue and bottom-line goals because they will affect decisions about people.
What are the “myths” that you would like to dispel about being a CEO or executive? Can you explain what you mean?
The single most common myth about CEOs is that they are often single-handedly responsible for a company’s success. It makes sense for people to feel this way because we’ve all grown up hearing stories about heroes and heroines and we crave seeing this reflected in the world around us.
A CEO has a role to play, particularly in crafting a vision, spearheading strategy, creating alignment and building a highly effective leadership team. However, CEOs play just a single role. If you look deeply at any successful company, you’d likely see many people who contributed very meaningfully to the company’s success — not just at the executive level. Unfortunately, it doesn’t fit the single hero narrative we’ve all come to crave.
What are the most common leadership mistakes you have seen C-Suite leaders make when they start leading a new team? What can be done to avoid those errors?
The most common error I’ve observed in executives is overcommitment. It’s common for new leaders to try and prove their worth by tracking to tackle many problems at once. We all craft strategic and operating plans based off of historical assumptions. What we can’t account for is unplanned work. New opportunities and challenges arise in the midst of quarterly or annual execution in every business. Perhaps it’s a new customer type that you don’t know to sell to, or a highly respected prospective employee that you don’t have a role for, or a major system failure that you rely on for day-to-day operations. The more you fully allocate your team to commitments in a given period, the less likely you are to either accept unplanned work or deliver on your commitments.
The best leaders set ambitious targets but leave enough wiggle room to handle some unplanned work. They push back on unplanned work when more important predetermined objectives are at risk. Yet they make explicit trade-off decisions and re-calibrate with other leaders on predetermined objectives when new information renders old priorities obsolete. They also clearly communicate the reason for change in direction to their teams, and they do not confuse buy-in with consensus.
In your experience, which aspect of running a company tends to be most underestimated? Can you explain or give an example?
The theme of prioritization is an important one. It’s easy to talk about prioritization in an abstract way, but it is much harder when you have to make decisions and live with the consequences.
Every year, we engage in a strategic planning process where we outline our long-term goals, set key metric targets, build a budget and hiring plan, and define a set of “do differently” initiatives that will help improve the business. I suspect that every year in nearly every company there are more potential initiatives than the company has capacity for.
Once when we were a smaller company, we realized that many of our managers were technical professionals who were never trained on how to manage people. This is a common problem for scaling technology companies. The impacts were very real: perceived career opportunities, unbalanced workloads, and overall employee morale all suffered. It was clear that we needed to invest in systematically training our frontline managers. However, that year, we could not make it happen. We were just setting up an HR department and we had foundational work to do first before we could meaningfully set up a robust employee development program. The result was that the problems I mentioned got even worse. Several people expressed frustration that we didn’t address this systematic concern. Yet, this is the byproduct of ruthless prioritization. Nobody can prepare for you how frustrating it is to have important problems that you know how to solve, but you simply can’t get to them right away. The more you live through these experiences, the more you begin to emphasize with other leaders who clearly must undergo the same trade-off decisions and live with ramifications. I encourage anyone entering a leadership position to connect with other leaders and learn first-hand that your prioritization struggles are not unique.
Ok super. Here is the main question of our interview. What are your “5 Things I Wish Someone Told Me Before I Began Leading From the C-Suite”? Please share a story or an example for each.
- Ruthlessly Prioritize
Despite what your agenda may be, your organization can only handle so many initiatives at once. The only way to succeed is through prioritization. Set a clear strategic direction with measurable results, ensure everything you do is aligned with that direction, and make clear how the priorities stack rank. For example, is top line revenue the most important metric for the company? How important is it relative to bottom line profitability? When you clearly define what matters most and what the company is focused on, everyone in the organization can make sensible trade-off decisions that align with the company’s focus. For example, should the marketing team prioritize revamping the website over redefining brand positioning? Should you seriously explore the new product roadmap idea? Ultimately, in order to execute on whatever capacity you have for new initiatives, you need to say no to most ideas.
2. Embrace The Entrepreneur and the Architect
I have come to believe that most executives naturally fall into one of two philosophies: entrepreneurs and architects. Entrepreneurs tend to be visionary and sense opportunity around them. They abhor bureaucracy and want to be as nimble as possible. Architects are big picture thinkers. They tend to think that the correct up-front planning and analysis leads to better results.
Few people fall neatly into either description, but in my experience nearly everyone has a natural aptitude for one or the other. I am naturally more of an architect. It probably explains why I was COO for five years before becoming CEO. For years I had a tough time seeing the value of the entrepreneur’s point of view in many areas. I used to see problems and always want to address systemic issues with holistic programs. Unfortunately, short term problems are real. Your company could go out of business if you don’t solve short term problems, and you don’t always have time to solve root causes.
Over time, you can learn to appreciate and even embody the characteristics of the other philosophy. These days I am constantly trying to balance between my long-term thinking nature with the need to bias towards action and achieve the results that prove our previous long-term solutions are paying off.
3. Always Start with Why
People need to understand why the company is doing something before they agree to what and how they are doing it. I didn’t fully appreciate this in my early days. We used to simply provide employees a set of Objectives and Key Results (OKRs) and ask them to go execute. In feedback sessions they’d lament that leaders were sitting in an ivory tower and issuing edicts. We began to open up channels of communication, such as town halls and office hours, where employees could have more of a say. This helped, but feedback indicated it wasn’t enough so we started to embrace the “Always Start with Why” philosophy. We documented our strategy and outlined the rationale for our decisions, including a deep analysis of the previous year’s operating results, market analysis and honest assessment of our own capabilities. It required a degree of transparency that few company leaders were used to, but we embraced it. Afterwards, our strategies became clearer, and more employees understood the rationale behind our plans.
4. Fight Relentlessly to Hire the Best People
When we were small, we took many shortcuts in order to preserve cash. In the long term, that grit paid off as we went fourteen years without seeking external investment. However, some of the decisions were likely very expensive. For example, when we first decided to build a software product, we didn’t hire any executives who had experience shipping software. Instead, I took ownership of running the product division despite the fact that I had worked in consulting my entire career. It seemed like the right decision because of my domain knowledge of application security and strong enthusiasm for the idea. In retrospect, I made many rookie mistakes that a more experienced software executive wouldn’t have made. An alternative approach would have been to pair me up with a more experienced software leader. We repeated this mistake in some functional areas, where we hired smart but inexperienced people to run key operations. Absent strong functional mentorship, intelligence and enthusiasm weren’t enough for these leaders to build out the infrastructure we needed to scale.
Over time we made up for early mistakes by hiring effective leaders in every department. We would have achieved the results much faster if we had found a way to hire these people earlier.
5. First Break All The Rules
The Gallup organization conducted a 25-year research project with 80,000 managers to find out how managers could excel at realizing the potential of their direct reports. They documented their findings in First Break All The Rules. As the title suggests, the results of their comprehensive analysis are counterintuitive. One of the least intuitive findings is that you need to know the difference between talent, skills and knowledge. More specifically, you need to recognize that while skills and knowledge are teachable, talent is not. Another way to think about this is that you need to determine if an employee’s material shortcomings can be coached or not. The Gallup findings suggest that highly effective managers make quick decisions about people being the right fit, and quickly move the wrong fits out of the role if serious shortcomings are not coachable. This is the opposite of what most of us have been taught. We have been led to believe that with the right coaching and tools, you can make up for any weaknesses.
I didn’t understand this myself in my early years. I would hire technical professionals who were brilliant at their day to day jobs but couldn’t do essential reporting work to give to a client. I tried to teach them how to write effective reports, but no amount of my training would change their disdain for documentation. I simply thought I wasn’t training them properly and that better training existed. In retrospect, I could have been more successful if I re-defined their role such that we did not rely on them for reporting, or I simply hired people who had the right aptitudes.
In your opinion, what are a few ways that executives can help to create a fantastic work culture? Can you share a story or an example?
The classic hierarchical organization design was built before the advent of the knowledge economy. It was built where smart executives made all the decisions and the lowest level employees were cogs that could be replaced easily.
In many organizations today, the dynamic is different. Many workers are highly specialized, and their unique skills are often in great demand. An organization’s best employees are regularly sought out from recruiters. The idea that front-line workers are “cogs” is completely invalid in this reality.
Building a strong work culture starts with this realization. It means putting into practice the things that employees value, such as, transparency, having a voice, recognition, celebration and having an inspiring purpose. If you not only accept dissenting opinions, but actively seek them, you send a signal to your company that you’re always looking to make the best decisions for the company rather than protecting your own ego.
In our company we have a world-class leader of People & Culture. We use those words rather than “Human Resources” now because it more accurately reflects the things we care about. Having somebody accountable for and thinking about company culture, with specific measurable top-level goals such as employee engagement, helps show you are putting your money where your mouth is.
How can our readers further follow you online?
We have a podcast at podcast.securitycompass.com which I sometimes contribute to. You can also follow me on LinkedIn.
Thank you for the time you spent sharing these fantastic insights. We wish you only continued success in your great work!
