Conversation
Highlights

From Consulting to Product: Key Lessons in Building an Enterprise Security Company

The journey from consultant to product company founder rarely follows a straight line. In a recent episode of Category Visionaries, IriusRisk CEO Stephen de Vries shared how a pivot from security consulting to building automated threat modeling software led to consistent triple-digit growth – and the critical lessons learned along the way.

The origins of IriusRisk trace back to Stephen’s early days as a penetration tester, where he noticed a fundamental shift in how companies approached security. “Companies were still sending us IP addresses, but increasingly they were sending us URLs,” Stephen explains. “They said, yeah, I don’t care about my infrastructure, I’ve got that protected…But we’ve written this unique application. It’s now live on the Internet. What are the security problems in this application?”

This evolution revealed a deeper problem: organizations needed to think about security during the design phase, not just after deployment. It’s a challenge Stephen likens to architectural safety in construction: “If you’ve ever built a house, you’ll know that the architect of that house plays a pretty significant role in the safety of it…in the software world, it’s now 2023, and now is the first time when we’re saying maybe it’ll be good idea that we look at the design of the things we’re building from a security perspective before we go and build them.”

But the path from identifying this opportunity to building a successful product company wasn’t straightforward. The team made what Stephen calls a “really silly, stupid mistake” that offers a valuable lesson for consultants looking to transition to product: they kept operating under the same company structure instead of creating a new entity for the product business.

“When you then apply for some of the grants that are available in the EU…or when you apply for things like startup accelerators, they will just ask you a very simple question, how old is your company?” Stephen notes. “And all of a sudden you’re being penalized because you started the software business maybe this year, but you’ve got seven years of history as a consulting firm.”

The growth strategy that emerged focused heavily on expansion revenue within existing accounts rather than just chasing new logos. This approach has driven consistent growth rates above 100% year over year. As Stephen explains, expansion revenue is “the most satisfying growth that we can have, because it’s not essentially a customer who’s gone through a demo and a pov and they maybe see through rose colored glasses.”

This expansion-first mindset requires involvement from every team. “When a customer does expand…it’s something that the product team did to build a feature that the customer needed or solve a problem that they had. It’s our customer success team that listened to what they needed and responded to. It’s our support team, it’s our sales team, it’s our marketing team.”

For founders navigating enterprise sales, Stephen emphasizes the importance of authenticity over conforming to investor expectations. “I think investors expect an overly optimistic Founder to always come through with, we’re going to change the world…And my personal style isn’t to present that way, so I’ll just present the numbers as they are.”

This approach might seem counterintuitive, but it builds trust. When investors see realistic projections backed by consistent execution, “they recognize that, yeah, this is something that’s trustworthy and it’s not crazy expectations with an over optimistic Founder.”

The future of software security is increasingly tied to architecture and design decisions, particularly as technologies like low-code and AI-generated code become more prevalent. As Stephen explains, “the act of writing little bits of code, little units of computation, microservices, functions, all of those things are going to become commoditized. What’s going to become less commoditized and where the interesting problem space is, how do I connect all that stuff?”

For technical founders entering the enterprise space, Stephen’s journey offers a crucial lesson: focus on solving real problems, maintain authenticity in your approach, and build for sustainable expansion rather than just initial sales. The market will reward substance over style.