SECURED

From Mary Poppins of Security to Startup Founder: Laura Bell-Main's Journey

As a consultant, Laura Bell-Main earned a reputation for being “the Mary Poppins of security”, swooping in to fix problems with her big bag of tricks. More recently, she made the leap from consulting into founding a product company, securing funding from VC firm Blackbird with the aim of building SafeStack into an online training platform that can help orgs of all sizes design secure software.

In this episode, Laura chats with Cole Cornford about the challenges of becoming a startup founder, the current state of AppSec training & education, Laura’s vision for SafeStack’s legacy, and plenty more.

4:19 – Laura’s career background.

7:45 – No clear pathway into a career in AppSec.

8:40 – Cole’s experience at a career expo at Newcastle uni.

12:00 – Large and small companies’ AppSec needs are different.

14:00 – A large company like Facebook is very different from the average company.

16:40 – Security has a tendency to get lax for software not being actively developed.

18:10 – Laura: the theme of this conversation “you will fail and this will make you stronger”.

19:00 – Why Laura is in AppSec.

20:00 – Laura speaks about being a salesperson + having a product company.

21:20 – Cole: I anticipate AppSec will grow. Laura: software rules the world.

25:10 – SafeStack: for profit with purpose, balancing purpose and profit.

27:50 – Laura: discussing Blackbird’s investment in SafeStack.

29:40 – Laura’s background as a consultant.

30:20 – Laura: customers called me “Mary Poppins of AppSec”.

32:50 – Laura’s transition from consulting to founding a product company.

34:20 – Laura: on building a company, I sometimes joke “I used to be in security”.

37:40 – The leap from idea to product.

38:30 – Laura’s vision for SafeStack’s legacy.

40:10 – SafeStack’s “one hour AppSec”.

Laura Bell Main:

I enjoy chaos. I enjoy change. I’m not the person you ever hire to turn a handle on a very boring machine, that’s not me, but if your machine is slightly on fire and you have no idea where half the parts are, I’m probably your girl.

Cole Cornford:

Hi, I’m Cole Cornford, and this is Secured, the podcast that dives deep into the world of application security. As a consultant, Laura Bell Main earned a reputation for being the Mary Poppins of security. She would swoop in, fix problems with a big bag of magic tricks, but recently she made the leap from consulting into founding a product company called SafeStack. She secured funding from the venture capital firm Blackbird, and now runs this online training platform to help engineers design secure software.

In this episode, Laura and I chat about the challenges of becoming a startup founder, the current state of AppSec training and education, Laura’s vision for SafeStack’s legacy and plenty more. So let’s jump right in.

Hey Laura, how are you going?

Laura Bell Main:

I’m good, Cole. How are you doing?

Cole Cornford:

I’m excellent. I had Thai beef salad I made. I’ve learned that peanuts actually go everywhere if you try to crush them really, really finely, so I need to figure out a nice way to chop peanuts in the future.

Laura Bell Main:

Sandwich bag and hit them with a rolling pin.

Cole Cornford:

See, you’re already coming up with solutions, Laura.

Laura Bell Main:

Yep, there we go. We’ve pivoted to a cooking podcast all of a sudden, but we can fix it from here.

Cole Cornford:

Yes, yes. I’m all about talking about cooking though, but seriously, that’s a really smart idea. I’ve been known to do that with marinade. You just get your beef or chicken or whatever and throw it in the bag and-

Laura Bell Main:

You just mash it all around in a bag. Yeah.

Cole Cornford:

Yeah, but I would never have thought about doing the same thing with like-

Laura Bell Main:

Also works with biscuits if you’re making a cheesecake and you want to make a biscuit base, so there you go.

Cole Cornford:

I did want to make cheesecakes because my daughter, Sydney, she really likes cheesecakes and it’s getting to the point where I’m just, she picks up the entire cheesecake at Coles and just puts it in the trolley without asking me, and now I’m reluctant to do that, so I want to turn it into a cooking hobby with her instead.

Laura Bell Main:

Yeah, she’s my kind of people.

Cole Cornford:

Okay, cool. So the first question I ask pretty much everybody that comes onto my podcast is what kind of bird are you and why?

Laura Bell Main:

So I’d love to say that I was a kakapo, which is a mountain parrot in New Zealand, but actually I’m really not. I’m not that cool. I’m going to choose a gray warbler.

Cole Cornford:

Ooh.

Laura Bell Main:

Now, a gray warbler in New Zealand is a teeny tiny little bird. Nobody ever sees it, but you’d hear it all the time and not know what it was. So when I first moved to New Zealand, I thought the gray warbler sounded like a murder bird. It has this really crazy, creepy tune, and that’s kind of how some people think about security. It’s like this weird thing at the side that they notice occasionally. So I think that kind of seems quite fitting that it’s not the main event, it’s quite a shy little bird, but you’ll know when it’s there and it’s an important part of the ecosystem.

Cole Cornford:

I like that. It makes a lot… because if you think about most startups and scale-up institutions, it’s only when they get to 200 to 300 people that they end up saying, “Hey, we need to hire a full-time security resource.” So you are right that you are that one little bird on the back of the rhinoceros just hitting them repeatedly, trying to get them to move in the right direction.

Laura Bell Main:

Absolutely. Trying to avoid the poop.

Cole Cornford:

So you’ve been in security for a very long time. Where have you come from? What’s your background, Laura? Tell all our listeners about you and-

Laura Bell Main:

Well, very few of us in security actually ended up being here by choice. We kind of just wind up here and that’s cool. A lot of cool people wind up here.

But I started out as a software developer at the early age of 17, and I did COBOL development for taxation systems as an apprentice, because for various reasons I couldn’t go straight to college or university and go do that route. So I’ve done lots of different types of software from physics nerd stuff with CERN through to big government organization stuff to PHP and terrible web applications.

Then one day I had a job as a Java developer, which was pretty terrible anyway, and I found I was really good at poking things in ways they weren’t intended to be used. My boss was lovely and he said, “Hey Laura, that’s cool and all, but it’s really annoying. Please stop it and if you can’t stop it, there’s a security team over there that do this for a living. Have you considered security?”

So off I went to work in a literal basement, and that was many, many, many moons ago now. Over that time, I’ve sort of created a career path for myself that is part software engineer and part security person. So I try and bridge the two worlds.

Cole Cornford:

A lot of parallels to me. It’s actually scarily paralleled. I also started in tax.

Laura Bell Main:

That’s where all the cool kids come from.

Cole Cornford:

I know. And with COBOL.

Laura Bell Main:

Oh, wow. See, there we go. There’s a correlation here. Perhaps that’s like the dream thing to push you to do literally anything else in the world.

Cole Cornford:

You just need to start in tax then find a way to move into Java development. For me, it was .NET after that.

Laura Bell Main:

Oh, there you go.

Cole Cornford:

… in the Agile team. They’re like, “You’re really good at breaking these, so maybe you should go into the AppSec function we have.” And then they did stick us in… We had a room called the Lab, which is just one of these meeting rooms that they had just stuck four servers in and it was stinking hot. I loved it because in Canberra, it reminded me of Newcastle.

Laura Bell Main:

Ah. It’s a little microclimate in your lab.

Cole Cornford:

Yeah, the rest of the office is 23 degrees and the lab’s 30, so I’m at home in a 30-degree-

Laura Bell Main:

Fantastic.

Cole Cornford:

Yep. Literally sat there running Fortify scans for a few years.

Laura Bell Main:

Nice.

Cole Cornford:

So it’s crazy to me that we’ve had such a similar journey as regards to.

Laura Bell Main:

Yeah, especially as we couldn’t have been further away from each other physically because that early stage I was in the Midlands in the UK, so literally on the other side of the planet having the same adventure. I think we forget, regardless of where you are in the world, how similar pathways can be and the challenges can be the same.

Cole Cornford:

AppSec is such a weird… I feel like every person I’ve interviewed who is currently working in application security or DevSecOps or whatever, product security I guess as well, comes from just usually quite diverse, unique backgrounds. I’ve known project managers who’ve come into it. I’ve known people who just are pure software engineers, cryptographers who’ve just said that, “Math is boring. I’m going to go teach software engineers about insecure randomness. Wait, there’s tools to find it?”

Laura Bell Main:

Like three people just stop listening. Just the three cryptos in the audience were like, “Oh no, I’m gone.”

Cole Cornford:

“I’m out. I don’t want to go to AppSec. I have to actually talk to people.”

Laura Bell Main:

Oh, so mean. So mean.

Cole Cornford:

It’s all right. I’m very harsh in this podcast to people. So that’s one of the things that’s always confused me is, I’ve tried to work with a lot of the New South Wales and Australian governments to try to find a pathway to move into DevSecOps in Australia. And over the last year, we kind of came together and realized that there’s not really any core pathway into it. And I don’t know a single person who has had a formal education way into AppSec outside of ending up in a graduate program and they just get accidentally assigned into an AppSec team and then they learn how to run Checkmarx or something. That’s not really going to work to deal with our pipeline problem, right?

Laura Bell Main:

And it’s interesting because half of me is like, “Yeah, we need a pathway,” and the other half is that people like me and you are good at what we do because of the diversity of experiences we had before we got to AppSec. So it feels sometimes like it’s definitely a really high need role, but it’s not one necessarily that you could learn. I don’t know, maybe I can be proven wrong on this, but it would be hard to teach it straight at university and just come straight out into AppSec if you haven’t been in the dev space or around it for a while first.

Cole Cornford:

I was at a careers fair at Newcastle University and everyone was coming to my stall, because it was bright pink and everyone else was black and red and… I like my colors bright pink. All of them wanted to take away my toy Galah, but I wasn’t going to give it away, because I’ve learned from running careers fairs in the past that they will take everything.

Laura Bell Main:

Oh, absolutely. They’ll strip your stand to the bare frame if you let them.

Cole Cornford:

Yeah. So I’ve lost 30 Galahs at one career fair and then realized that that was a tremendous waste of money.

Laura Bell Main:

Well, what you did is create a very exclusive Galah collection. So it’s now limited edition one of 30.

Cole Cornford:

That’s it.

Laura Bell Main:

So they’ve all now quadrupled in value.

Cole Cornford:

So UTS is going to have a great time. But I was there and I had a lot of students come up to me, because my company is Galah Cyber and the reason that I chose cyber rather than Galah apps or Galah security, Galah InfoSec or something like that, I chose cyber because it’s a bit meaningful to people. And if I ever wanted to branch out of application security in the future, then I don’t need to rename my company or have a parent company or whatever, we can always go do that.

So there’s a lot of students who came up with a Master’s of Cybersecurity background and I spoke to them and most of them didn’t actually do any software engineering. And they’re like, “You’re a cyber company.” And it’s like, “Yeah, but we’re here to win hearts and minds of developers and that doesn’t work if you can’t talk the language.” Right?

Laura Bell Main:

And I think we’re at a stage of maturity that this is a normal thing. There’s a lot of Masters of Cybersecurity programs now globally and that’s wonderful to see, but they have come from that more traditional background. So their syllabus looks a lot like the CISSP and those security qualifications we’re used to. They’re really great for preparing you for a SOC role or going into consultancy or governance, risk and compliance. Much like the CISSP and the wider certification space hasn’t really embraced application security or secure development, we see the same in our masters. So I think until, as an industry, AppSec really starts to define what good looks like, we will continue to see this gap, which is a bit of a shame really.

Cole Cornford:

Yeah. And that’s also really difficult, because I find that what good looks like is entirely based on risk for each type of organization and the people that are building software have very different needs to one another. So a bank has extremely different ways and scale and approaches than a small FinTech that’s just… Even though they both work in finance.

You might be able to get away with focusing on developer-led education and doing threat modeling in person with teams at the FinTech because usually it’s people who are highly qualified engineers really care about what they want to do, equity and options in their company and just are really engaged. It might not be the case if you’re going to an enterprise of 40 to 50,000 people or something and it’s like, “How do I get all of these people on this journey as well?”

What looks good for one might not look good for the other. So the bank might actually be very upset if they’ve only trained 20% of the workforce instead of a hundred percent, even if the content’s meaningful for that 10%.

Laura Bell Main:

Yeah, and I think we do this a lot in AppSec, and I think it’s a side effect of being a young field, that we have these design patterns, these models of how security should work, so DevSecOps or whatever it is, and we look at the examples and the people who are standing on stage telling us how to do it and writing books, but they all come with the bias of the environment that they were formed in. So if they came from a large government department or if they came from Netflix or if they came from these giants, all of the patterns they develop are suited to that sort of structure and that sort of resourcing.

Then if you are a smaller organization just starting out, you still need to achieve the same goals, but you can’t just take that pattern and put it into your team. It’s not going to work. Much like in the dev space a few years ago, everyone started doing React when that was all new and shiny, but all of the initial patterns were developed by Facebook, which was trying to scale to 10 million users a minute. So you had an application that three people and your nan was going to see and visit every week, trying to scale and use design patterns that were far in excess of what really should be used at that scale. I think there’s an adaptation period in play at the moment where we’re trying to size application security to different team sizes and environments.

Cole Cornford:

It’s like we need maybe a DevSecOps reference architecture for different scale organizations, really?

Laura Bell Main:

Mm-hmm.

Cole Cornford:

You’re right, I meet a lot of people in our discipline who are usually very competent people who’ve just got a couple of ways of viewing the world and it’s fine. They just haven’t had the experience of working at different scales yet, or just trying something and watching it crash and burn. Nothing like failing miserably with a program rollout.

Laura Bell Main:

It’s character building. Character building.

Cole Cornford:

It is. And I hear a lot of people go, “Ah, Facebook? They just wrote their own static analysis tool. They got Zoncolan. Let’s just do that. It does incremental scans and it’s built for PHP or Hack,” or whatever they use there.

Then you go back to that person, you’re like, “So you’re going to hire three full-time PhDs at half a mill each to get that and then maintain it indefinitely and then convince every engineer globally to use this and be on the same tech stack? Because that’s for the proprietary custom language Hack. It’s not even something you can take to market, because I don’t know anyone outside of Facebook who even uses Hack, right?”

Laura Bell Main:

No, they live in… It is almost a little world of their own. These larger organizations, they get to a scale where it does make more sense for them to do their own thing to meet their needs, but for the rest of us, we need to see the tools around us and pick the ones that really make sense for what we’re doing. And that’s very rarely going to overlap with someone like Facebook.

Cole Cornford:

Yeah. So I’d say the other one was Netflix or Chaos Engineering. It’s a common one I see. Even if we go all the way back to the nineties with IBM’s, do you know the shift left graph? People were using that Spruce product nowadays and talking about how it’s going to solve all their problems.

I mean, if you are a, let’s say the tax office in Australia, you basically have a release that’s in line with when the next legal tranche of taxation things comes out, which is usually an annual process. So technically, you can kind of do a waterfall, because you have a one-year project, right?

Laura Bell Main:

Yeah.

Cole Cornford:

So you have a lot of agile sprints that are actually just like little waterfalls?

Laura Bell Main:

Yeah.

Cole Cornford:

That makes sense to me for the shift left graph, but if you’ve got a reasonable CI and CD, the cost of making a change is not that big. So when you see people spruiking, then it’s going to be a thousand times cheaper to deal with a breach compared to if you’re running a static analysis tool in CI. I’ve figured it’s actually maybe one and a half times because you just, I’ll do another pull request and run your CI now and different institutions, you know?

Laura Bell Main:

There’s a bit we never talk about in the shift left thing in DevSecOps is, what about those tools that aren’t in active development right now? So ones that aren’t being built. Every organization big and small, has projects they’re working on right now and projects that don’t need any changes. They’re foundational. We might call them legacy, but it’s not really. It’s foundation pieces.

Or what if you outsourced your development to a specialist software development firm and they only do work on it when you pay them to? So in between those times, there is no build process that’s running. We’ve got to make sure that we don’t leave out a whole category of tools and applications by ignoring those ones that are not currently being built every day multiple times a day. We need to still find ways to, well, do we need to retrofit and just build them anyway because well, we could do that, or what are the hygiene practices we need once code stops being actively developed?

Cole Cornford:

A lot of the big institutions in Australia work on a project delivery model. So you’ll say we’re funded for 20 million or something to hire a bunch of devs to go solve one business challenge. Usually, that way is to create a new system or update an existing one or collab a bunch of different systems, right?

Laura Bell Main:

Mm-hmm.

Cole Cornford:

At the end of the day when a project finishes, it goes back into BAU operational mode, which is bare minimum patching and maintenance until the next project comes along and who knows how long to actually solve all of those problems. I find that if a lot of companies work in this product model where they just have a bunch of products that are worked on indefinitely instead of the project-based ones, they’re usually going to be far more mature as far as AppSec goes because it’s a continuously iterative process versus you start and stop and then this is the point in time where security stopped as well as every other non-functional requirement.

Laura Bell Main:

Yeah. I feel like one of the things we need to do in those early stages of planning our AppSec programs is really understand which of these models we’re in. We could be in some weird hybrid. It could be very unique to us that there’s some projects we have, they behave like this and some are more like this. So the AppSec program we develop is built for that cadence and not for the ideal cadence that everyone else is supposed to have.

Cole Cornford:

It’s always, I see so many people who just read what everyone else does on the internet. But until you’ve done it in practice at a bunch of different places, you have to suffer through it. You have to really suffer.

Laura Bell Main:

I’m getting the theme of this is, you will suffer for AppSec and you will fail and that will make you stronger.

Cole Cornford:

Yes. Although, I was talking to one of my friends actually who he was laughing at me, he was like, “Cole, why did you pick a career in application security? Because as a software engineer, you just get 50% of the wave error and then you’re having fun and you don’t have really any blockers or whatever, but with AppSec, you’ve got no authority or accountability or ability to influence things and you’re just struggling to get other people to do stuff for you. So why would you take the harder route that pays less?” And I’m just like, “That’s a very good question, isn’t it?”

Laura Bell Main:

Yeah. Absolutely. Is AppSec the domain of masochists and how did this happen? Look, I know why it is that I’m there and that’s because I have an instinct in me that says, there are problems that I can solve and see, and if I can’t actually make the change, then I need to find somebody who can make the change. If I can’t convince anyone to make the change, I can’t keep doing it. So I always struggled just being purely on engineering that I could see these security challenges and I couldn’t get the urge to fix it out of my head. So for me, I really do think that I’m better placed supporting other folks and just doing this bit that really does tend to fit around the edges or in unusual places, but yeah, it’s not the best life plan when you’ve got family and whatnot.

Cole Cornford:

I mean, it’s a bit better than being on call constantly at a SOC or-

Laura Bell Main:

True.

Cole Cornford:

… having to work 50 hours a week flying around the country doing software sales or something, which you are doing right now, actually.

Laura Bell Main:

Yes, but we don’t judge because friends don’t judge each other. But yeah, well, I do sell things.

Cole Cornford:

I’m a salesman too. I get it.

Laura Bell Main:

Yeah. So I’ve crossed the divide. I have a product company and we’re on a mission to make application security education a part of every organization. So from teeny tiny organizations that are two people in a dream, all the way up to banks and airlines and things. So now I live in this world where there’s one thing to be a consultant and you can talk to someone, come on in, make some changes, do your job, go home at the end, wonderful.

But when you move to a product and what you’re saying is, “Hey, I know how to do this and I’m going to provide something that can do it for you or for instead of me,” it’s a really different game, and it makes you really think about how you measure success and how you measure the change you make and where this fits into the world.

Because as a person who’s done in-person training and consultancy for a very, very long time, I know I can do that very, very well, but when you deliver a product to someone, there’s no saying that that’s going to have the same impact that’s going to be adaptable to the different circumstances it finds itself in. So yeah, it’s tricky.

Cole Cornford:

Yeah, I’ve always been kind of scared to move into that route and I think it was good that I moved into consultancy first. So my plan, which is a long plan is, I know you’ll love it, is probably do consulting for five, seven years, see where I’m at, because at that point, Galah will be around 10 years old, right?

Laura Bell Main:

Mm-hmm.

Cole Cornford:

Don’t know what the go is. Maybe I exit, maybe I get aqui-hired, maybe I just spin off another part of it to fund, who knows? But I’m anticipating that application security will grow.

Laura Bell Main:

I think so. Look, software rules the world now. Everything we do, I’m genuinely excited by the cool technology that’s being built. I think it’s a cool time to be in tech and every bit of it needs securing.

Now, what’s changing though is cybersecurity and application security doesn’t need to look the same for all of these places. So there’s massive opportunity to provide AppSec in a way that really works for different teams and styles and organizations, which right now all of our solutions are kind of homogenous. They’re kind of all samey and aimed at the enterprise. So if you do decide to go down that route, don’t, it’s an incredibly silly idea, but if you do, there’s a huge space.

Cole Cornford:

Yeah. I’ll just have to figure out how do I deal with a bunch of kids who need to go to little athletics on Frank Friday nights or something as well as… Yeah, that’s why I like the consulting realm is, I’m with a young child, well two young kids basically, I can go spend time with them even though I do have days where I get absolutely smash work and I’m working like 8:00 AM till midnight. There’s other days where I can be extremely intentional and be like, “I’m here, I’m present. This is how it is,” instead of stressing.

Laura Bell Main:

See, I don’t think that’s just a consulting thing, because the nice thing about building a product company is, you can build it intentionally. So I have a 4-year-old and a 10-year-old, and I’m the same. There are things that are non-negotiable for me and that’s going to those things that matter. That’s being there for breakfast, it’s being there for dinner 99% of the time. While I do have to travel a little bit for conference speaking, doing booths, that kind of thing, it’s really, the bar is very high for what is worth me doing.

My littlest person, she’s got her first rugby game this weekend. So all this week we’re at home throwing a ball around, we get stuck in, because I don’t see the point in doing anything in this world, AppSec or otherwise, if you are going to compromise on the things that make life enjoyable and an amazing adventure for us.

Cole Cornford:

It’s why we think about what is the purpose of why we start these businesses. And it’s good that media and mission aligned with the idea that we build software, software here is generally out to make humanity better in some capacity. It’s why-

Laura Bell Main:

Mostly.

Cole Cornford:

… mostly. I know that there’s some dark sides out there. We work in security, we’re aware of the other side, but in general, people try to build software to solve problems.

Laura Bell Main:

I’m on the fence about whether ROBLOX counts as good or evil yet. So just saying my lines are quite fuzzy on this, but yeah, absolutely, on the whole, we’re trying to be good.

Cole Cornford:

Yeah. And we’re both extremely mission-focused people, because we want to just really help people write software in a way that’s secure, that protects their users, protects their customers, protects them as individuals, makes things safe to interact with and so on and so forth. It’s all sorts of ways because like you said, Andreessen Horowitz did, 6, or was it 20 years ago, on software, and he said the same thing, software is eating the world, right? I’m all about that. But at the same time, we started a business so that we can make money, because we need to do that so that we can facilitate the other things we want to do in our lives. Right?

Laura Bell Main:

Exactly. Like eating.

Cole Cornford:

And eating. I need to cook Thai beef salads more often. Beef’s expensive. Maybe Thai chicken salad is a real thing. I don’t know.

Laura Bell Main:

Who knows? Come back for more episodes of security cooking.

Cole Cornford:

That’s it, that’s it. But yeah, I really want to make sure that my daughters aren’t going to be in a situation where I’m not going to be able to provide for them if they ask for me, “Hey, I want to learn robotics.” I’m not going to say we’re going to go to Aspen every year, but that’s a couple of-

Laura Bell Main:

Well that’s just so last year, darling.

Cole Cornford:

Oh, sorry. I don’t know what the current one is. What’s-

Laura Bell Main:

I have no idea either.

Cole Cornford:

No idea. We’re not part of-

Laura Bell Main:

We go camping as a family, we’re a camping family, so I have no idea what the fancy folk do, but we like to occasionally buy nice ice cream. I want to be able to say to my girls, “Hey, yeah, we can have a treat night tonight. We can go out to the movies. We can go get some ice cream. We can just relax and enjoy a moment.”

And I think the way we describe it at SafeStack is that we are for profit but with purpose. You have to say it in that order, because it’s not a shameful thing that you want to make a business that makes money, that employs people, that creates good opportunities. But then you can use that in a really mindful way to help causes or help purposes that drive you from here.

If you go just all-in on the purpose, then either you need to run a nonprofit and go down that route and that’s fine, but it’s a very different path, or you’re going to end up burning out and ending up in a really difficult position, because the purpose part is very energy draining. So you need to make sure the business is functional and happy and healthy to be able to make sure you’ve got that extra energy to put into the purpose part.

Cole Cornford:

I was reading a book and I need to probably continue reading books, but right now I’m really stuck on this, because Thucydides’ The Peloponnesian War so.

Laura Bell Main:

Really?

Cole Cornford:

Yeah.

Laura Bell Main:

Oh no.

Cole Cornford:

For now, it’s great. I love it, but I have other books I’ve, well, pick up and put down, but that one I’m particularly interested in at the moment-

Laura Bell Main:

All right. Cool.

Cole Cornford:

… for very weird reasons that mostly it’s that they’re very good at debate, but away from that-

Laura Bell Main:

Cool. Yeah.

Cole Cornford:

… I read another book. It was by Unilever’s CEO. I think that he recognized maybe about 15 years ago that his business basically needs to be putting purpose and profit together and that they can have a lot more successful company if they consider the needs of their customers, the environment, their stakeholders, and try to balance all of them at once and not just go for profit at all costs, because I feel like a lot of the challenges that we’re facing have come from, I don’t know, you could say late stage capitalism, but I try to avoid political fights.

Laura Bell Main:

Well I really enjoyed the book by the original founder of Patagonia, Let My People Go Surfing. It’s a really great read and it’s about the journey of that company and how it began and how the founders wanted to make sure that their impact and legacy wasn’t hurtful to the planet. It is quite a real book, but it’s a really great one if you are running a company for understanding that you have the power to make those decisions.

I think sometimes we feel compelled to do things the same way as everyone around us, but there’s a lot of examples out there of where you don’t need to and you can still hit those great objectives. You can still grow an amazing company, you can still make a change in the world.

Cole Cornford:

Yeah, I just got to remember, you can’t just do the VC-funded-to-the-moon, get on the rocket ship kind of thing, or you are a funded background as well, so you must have some investors to share that kind of vision with you.

Laura Bell Main:

Yeah. So yeah, we’ve got Blackbird on our cap table. Blackbird are very impact focused and what’s nice about that is, that they really understand what drives us and when they share an alignment on that, they like technologies that are changing the world or fixing the world or helping people in some way. And so when we have conversations with them, we’re able to say, “Hey, here’s why we’re doing a thing and here’s how the business side of it works and here’s how the mission works” and they can bring both sides of that to the conversation.

So I don’t think it’s impossible. I think you just have to be very intentional in the relationships you form and in your strategy for how you’re going to grow both sides of profit and purpose at the same time.

Cole Cornford:

You had to hear from Laura, guys, you can balance profit and purpose. And investors, they’re not always out just to make tremendous amounts of money, there are a few out there who are good eggs, especially bird companies.

Laura Bell Main:

Yeah. They still want to make tremendous amounts of money, just saying, but yeah, but they want to do it without being jerks. So yeah, you just have to kiss a lot of frogs.

Cole Cornford:

So I want to go back to you a little bit. So how have you found progressing from being… Because did you do consulting for the last 10, 15 years or something?

Laura Bell Main:

Yeah, both for other agencies, so small security boutique companies and for KPMG and as an internal consultant for organizations on a couple of occasions. So yeah, I did that for probably 12 years all up, going from a junior and things like penetration testing and in-person security engagements, right up to large project security architectures.

Cole Cornford:

So what was your journey like during the consulting experience? Because I got into consulting without really having any background in it. I pretty much always worked as an internal staff member before I decided, “Oh yeah, I’m just going to start my own business. Oh wait, that’s what a consultancy is, isn’t it?” So I didn’t think this through very much.

Laura Bell Main:

I think there were some benefits to some of the places that I did consultancy. So KPMG, whether you like Big Four or not, by the by, but they have a very well-oiled machine when it comes to how consultancy works. So you can learn a lot by just sitting and watching and being part of that and understanding that it matters how many billable hours a person has in a month and how you find ways to link other services together and those kinds of things. It wasn’t for me long-term, but I definitely got value from understanding how that particular sausage was made.

Then on from that, what I found was, in consultancy, some of my customers used to say that I was the Mary Poppins of security. What would happen is, there would be chaos and I would come in and look around me and go, “hmm. This is not okay.” And then I would pull open my bag and pull out some things from it and fix the chaos. And when they didn’t need me anymore, I would just sort of vanish into the distance.

Others described me like a marriage counselor where I was able to come in and have conversations and ask direct questions that they couldn’t, or didn’t feel able to have themselves. Sometimes, being a consultant and being the outsider can be really powerful in those environments, because if they don’t feel psychologically safe enough to have them or there’s a reason they can’t have them themselves, we can make a lot of change just by being impartial to that system, not held to the long-term political repercussions of something.

So yeah, I enjoy chaos, I enjoy change. I’m not the person you ever hire to turn a handle on a very boring machine, that’s not me. But if your machine is slightly on fire and you have no idea where half the parts are, I’m probably your girl.

Cole Cornford:

That’s a great background. I think there’s a lot of things to unpack there, but it sounds to me like you’ve gone through the full scale of having to start out basically as an associate doing handle-turning work, all the way up to effectively winning additional work for your business and then being able to use that to fund your time to solve meaningful problems.

Laura Bell Main:

At its biggest, when SafeStack did consultancy, which was a number of years ago now, I think we were at seven consultants. So yeah, we’ve gotten to the point where I’d seen it from end to end. I don’t think for me, running a consultancy is a long-term thing that I want to scale to a big thing. It’s not my happy place, but you get a heck of a lot from building it up and understanding how it works.

Cole Cornford:

There you go, guys. All right, go to consultancies. I know a particular one that’s probably going to be hiring in the new year, so a bird-themed one, bright pink, so you know who to reach out to.

Laura Bell Main:

It’s a mystery.

Cole Cornford:

But if you’re looking for a product company, I think I know another AppSec product company over on just across the pond [inaudible]. Yeah.

Laura Bell Main:

Absolutely.

Cole Cornford:

Moving to SafeStack then, how has that transition to being a founder been? I imagine that, like you said earlier, product is a fundamentally different ball game. I know we’ve had conversations in the past where we’ve talked about how to do sales and stuff and I know that consulting, of just turning up to someone and then basically wining and dining them for free to six months and then they give you an SOW, doesn’t work in product land at all.

Laura Bell Main:

Oh no. I miss my consulting days. I would literally go to a nice coffee shop in Auckland. I would buy the cake and the cup of tea and somewhere in the next month, work would happen and it was glorious. It’s cake-based commerce. It was wonderful, but it’s really different in product. Particularly, we sell to development teams, so we provide a subscription to an education platform. So what we’re trying to do here is prove value, prove ongoing value, and also get folks to tap into spend that they may not have necessarily ever had budget for. Training and application security doesn’t tend to have a defined category.

Being a founder, well, I’ve gone from being… The sales skills I needed as a consultant were, understand what I do well enough as a consultant to talk about it and then work a couple of tools to make sure I could send out a statement of work or whatever. It wasn’t particularly complex.

For me now as a founder, from the early days when I was literally still writing code, building the platform, building courses, I now have to really go deep in marketing, into sales, into partnerships and strategies, into financial literacy. So going much further than just your standard balance sheet and going into forecasting and financial modeling and looking at churn and unit economics, all of which are not things that are from my background. They’re all things I’ve had to learn in the last two and a half years.

It’s really interesting. I sometimes joke I used to be a security person because sometimes it feels that way, because I’d say six hours out of eight on a day, I’m probably focused on things that are building the business rather than helping directly with security anymore.

Cole Cornford:

I’ve had someone tell me that I should stop seeing myself as an AppSec consultant and more as an influencer now. And I’m just sitting there being kind of sad and happy simultaneously.

Laura Bell Main:

People throw a lot of shade at me for this: I do things on social media, I talk at conferences, I experiment with videos. Some of it’s rubbish and some of it’s okay and you know what? I don’t care anymore. Influencing people and changing how they think or giving them something that lingers in their brain so they change their behavior is a superpower.

While influencers as a community and the TikTok hype cycle are definitely not my jam, in every field, we need people who influence others, because that’s how we make change. So yeah, go with it. Go bold and love the haters. They’ll do their job.

Cole Cornford:

I’ll go wear bright pink, do podcasts, do conference talks, and just get out there.

Laura Bell Main:

Yeah. Absolutely no shame in it.

Cole Cornford:

Have you found it a challenge to get away from the tools and get more into the headspace of, how do I just grow a company?

Laura Bell Main:

Yes, but because I miss the tools.

Cole Cornford:

Ah, yes.

Laura Bell Main:

It’s always tempting to go back to the things you’re really confident about. I know how to do these things really super, super well, but now I have to do these things which are hard and make me scared or I need to do more research on. So my brain wants to do the things that are fun and well-known, and what it needs to do is over here. But I find ways to mix the two.

So when you do marketing to developers, when you sell to development teams, you’ve got to be really authentic and you’ve got to have good quality content and that can’t just be fluff. So I have to keep myself in the tools to make good content. So I’m still coding, I’m still running security tools, I’m still building bits and pieces, but with the intention of, it’s supporting what I need to do in the business. So there’s a way to link it together.

Cole Cornford:

That’s why I do a lot of blog writing, because I always feel with conference talks, I can kind of get away with just having good humor and understanding my material well enough. But with a blog, having to edit the content to be extremely clear and short, I feel like people who are good writers far and away are a lot more noticeable than people who can just go and do a conference presentation. And your blog post is going to go on forever basically. Someone will come across it four years later and be like, “I was really good.”

Because every time I go on Hacker News, it’s like an article written in 2007 or something and I’m like, “Oh, okay. This guy was pretty prescient.” But yeah, I’ve been trying to do that recently. What I kind of struggled with was, I wanted to have Llama as a language model.

Laura Bell Main:

Oh, not the animal.

Cole Cornford:

I love llamas. I just want to get a bunch of llamas and write blog posts about them. So I get the language model and then basically, can feed it content about how to do security well from some kind of online source. And then when a developer introduces something into their IDE that it’s based on what’s in their IDE already, they get some kind of content that’s pushed back up. See? So I think of product ideas as well, except I’m not smart enough to actually monetize them.

Laura Bell Main:

You spelt stupid wrong. It’s not a smart thing.

Product development’s hard. Ideas are easy. I have a literal list of ideas, of things I want to build and some of them could be actually commercially okay, but it would be absolute madness to take on another one. So yeah, keep the ideas, the ideas are cool and play around with them, but once you make that leap to product, it is a big jump. You’ve got to be ready and you’ve got to love what you’re building so much that you will get out of bed every day for 10 years so you can be an overnight success one day.

Cole Cornford:

I love that. The 10 years to be an overnight success, so how far are you in your journey? You are three years in?

Laura Bell Main:

Three. We have a long way to go.

Cole Cornford:

Got seven more years to be the overnight success, but I feel like I really do think that SafeStack is going to be a great company and you’re going to take over the world one day.

Laura Bell Main:

Maybe. Or the way that I phrase it to the team is, we want to be that little pencil note on a recipe. So when you look at a recipe and somebody scribbled on, “Add sugar here, don’t do this bit, it’ll go wrong,” nobody really understands why that’s there or where it came from or they don’t know that it was great granddad 17 years ago, but they know that things get better if they follow it.

If we do what we do well, then security will be just part of how software developers think. So my legacy isn’t a unicorn company that everyone remembers forever, it’s a change in behavior that means that we’ll have secure software for years to come. So who knows? We’ll see where it goes and I’m having fun until then.

Cole Cornford:

So having a legacy like Loren Kohnfelder who made digital certificates or Adrienne Porter Felt who got the traffic lights into the Google Chrome address bar to show HTTPS compliance. Those things where we nowadays have extremely good security improvements somewhere, because someone’s gone and done the hard yakka, and I’m hoping that SafeStack can do that too.

Laura Bell Main:

Yeah, me too. A friend of mine said something really poignant yesterday. He said that we only talk about it as technology when it’s new to us. Then before that, for the people who were there when it was happening, it’s just how we do things. And so I look forward to AppSec going from being this big thing that we need buzzwords and that we need specialists to, it’s just part of how we build quality software.

Cole Cornford:

That sounds good. All right, well thanks so much, Laura, for coming on to the podcast. Been an absolute pleasure. Anything that you would like to say as we wrap up?

Laura Bell Main:

I would. I’m going to do a little bit of a plug too, nothing commercial though.

Cole Cornford:

Go ahead.

Laura Bell Main:

So we are running a program here at SafeStack called One Hour AppSec. So we’re asking teams all around the world to give just one hour per sprint. A sprint is 80 hours, so it’s not very much time to do a little bit of AppSec. We’re even giving you all of the bits and pieces you need to get started on a program to follow.

So if you go to onehourappsec.com, you can sign up. It’s just a newsletter, there’s no spam, there’s no weirdness there, and just join along with currently 125 others who are committing to just doing a tiny bit of AppSec to hopefully make that future we’re all building a bit more secure.

Cole Cornford:

All right, there you go. One Hour AppSec, everyone. Go have a listen. All right. Thanks so much Laura.

Laura Bell Main:

Yeah, thanks for having me, Cole.

Cole Cornford:

Thank you for listening to this episode of Secured. We hope you enjoyed today’s conversation. Don’t forget to follow the podcast on your favorite platform and leave us a review.

Want some more content like the above? Why not subscribe to our newsletter at galahcyber.com.au/newsletter and get high quality AppSec content straight to your mailbox.

Stay safe, stay secure. I’ll see you next episode.