Developer experience is one of most important things for a Head of Engineering to care about. Is development safe and fast? Are developers proud of their work? Are our processes enabling great collaboration and getting the best out of the team?  But sometimes, developer experience doesn’t get the attention it deserves. It is never the most urgent problem to solve, there are lots of different opinions about how to make improvements, and it seems very hard to measure.  At Tessian the team grows and evolves very quickly; we’ve gone from 20 developers to over 60 in just 3 years.  When the team was smaller, it was straightforward to keep a finger on the pulse of developer experience. With such a large and rapidly growing team, it’s all too easy for developer experience to be overshadowed by other priorities. At the end of 2020, it became clear that we needed a way to get a department-wide view of the perception of our developer experience that we could use to inform decisions and see whether those decisions had an impact. We decided one thing that would really help is a regular survey.  This would help us spot patterns quickly and it would give us a way to know if we were improving or getting worse. Most importantly it gives everyone in the team a chance to have their say and to understand what others are thinking.  Borrowing some ideas from Spotify, we sent the survey out in January to the whole Engineering team to get their honest, anonymized feedback. We’ll be repeating this quarterly.  Here are some of the high-level topics we covered in the survey. Speed and ease To better understand if our developers feel they can work quickly and securely, we asked the following questions: How simple, safe and painless is it to release your work? Do you feel that the speed of development is high? !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

You can see we got a big spread of answers, with quite a few detractors. We looked into this more deeply and identified that the primary driver for this is that some changes cannot be released independently by developers; some changes have a dependency on other teams and this can slow down development.  We’d heard similar feedback before running the survey which had led us to start migrating from Amazon ECS to Kubernetes. This would allow our Engineering teams to make more changes themselves. It was great to validate this strategy with results from the survey. More feedback called out a lack of test automation in an important component of our system.  We weren’t taking risks here, but we were using up Engineering time unnecessarily. This led to us deciding to commit to a project that would bring automation here. This has already led to us finding issues 15x quicker than before:

Autonomy and satisfaction We identified two areas of strength revealed by asking the following questions: How proud are you of the work you produce and the impact it has for customers? How much do you feel your team has a say in what they build and how they build it? !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

These are two areas that we’ve always worked very hard on because they are so important to us at Tessian. In fact, customer impact and having a say in what is built are the top two reasons that engineers decide to join Tessian.  We’ve recently introduced a Slack channel called #securingthehumanlayer, where our Sales and Customer Success teams share quotes and stories from customers and prospects who have been wowed by their Tessian experience or who have avoided major data breaches (or embarrassing ‘Oh sh*t’ moments!).  We’ve also introduced changes to how OKRs are set, which gives the team much more autonomy over their OKRs and more time to collaborate with other teams when defining OKRs. Recently we launched a new product feature, Misattached File Prevention. Within one hour of enabling this product for our customers, we were able to share an anonymised story of an awesome flag that we’d caught.

What’s next? We’re running the next survey again soon and are excited to see what we learn and how we can make the developer experience at Tessian as great as possible.

Building on our existing ISO 27001 security certification, Tessian is excited to announce that we have achieved Service Organization Control 2 Type 2 (SOC 2) compliance in the key domains of Security, Confidentiality and Availability with zero exceptions on our very first attempt. Achieving full SOC 2 Type 2 compliance within 6 months is simply sensational and is a huge achievement for our company. It reinforces our message to customers and prospects that Information Security and protecting customer data is at the very core of everything Tessian does.

The Journey We began the preparations for SOC 2 in September 2020 and initiated the formal process in October. Having previously experienced the pain and trauma of doing SOC 2 manually, we knew that to move quickly, we needed tooling to assist with the evidence gathering and reporting.  Fortunately we were introduced to VANTA, which automates the majority of the information gathering tasks, allowing the Tessian team to concentrate on identifying and closing any gaps we had. VANTA is a great platform, and we would recommend it to any other company undertaking SOC 2 or ISO 27001 certification. For the external audit part of the process, we were especially fortunate to team up with Barr Advisory who proactively helped us navigate the maze of the Trust Service Criteria requirements. They provided skilled, objective advice and guidance along the way, and we would particularly like to thank Cody Hewell and Kyle Helles for their insights, enthusiasm and support. Tessian chose an accelerated three month observation period, which in turn, put a lot of pressure on internal resources to respond to information requests and deliver process changes as required. The Tessian team knew how important SOC 2 was to us strategically and rallied to the challenge. Despite some extremely short timeframes, we were able to deliver the evidence that the auditors needed.  A huge team effort and a great reflection of Tessian’s Craft At Speed value. What Next? Achieving SOC 2 Type 2 is a crucial step for Tessian as we expand further into the large enterprise space. It’s also the basis on which we will further develop our compliance and risk management initiatives, leading to specialized government security accreditation in the US and Europe over the next year or two.

“I can’t ….” “I’m an anxious person.” “I’m bad with numbers.” “I don’t understand the technical stuff; it’s just not for me!” Sound familiar? These are the limiting beliefs of someone stuck in what Dr. Carol Dweck, Stanford University psychologist and author of Mindsets: The New Psychology of Success, termed “fixed mindset.”  The problem with a fixed mindset If you’re in the “fixed mindset” camp, you most likely avoid challenges, don’t like failure (flag! can be prone to sandbag), ignore feedback, and believe you’re stuck with what you’ve got: your intelligence, talents, and abilities.  You’re simply what you are. People in this camp often rely on talent alone and will spend time looking for praise and recognition vs building on past successes, seeing the silver lining in failures, and getting better. If you say out loud that you’ll never understand the technical stuff … your team will believe it and more importantly, YOU will believe it. The opportunity to learn will end there. The very language we use to describe our limitations makes those limitations a reality.  This can be especially limiting when it comes to doing things out of your comfort zone. Why mindset matters when you’re out of your comfort zone  The mindset you have will likely how you react when you’re out of your comfort zone.  To keep it simple, there are likely only three directions you’ll gravitate towards when you’re out of your comfort zone:  Flight: You’ll freak out and run the other way, seeking shelter and safety  Fight: You’ll get angry, irritated, or annoyed by the situation  Freeze: You’ll freeze in your tracks, not able to move the conversation forward, hoping no one notices  This is where a “growth mindset” comes in.

The learning zone: A growth mindset You want to find space between the trigger and your response (i.e. fleeing, fighting or freezing) where you can plant your feet firmly on the ground, step into the chaos, and try to learn from the difficult situation. If you’re in the “growth mindset” camp, you believe your intelligence, talents, and abilities can grow through Grit & Perseverance (a Tessian value!).  What you’re born with is just the foundation, which cultivates an insatiable desire in you to continue learning and improving.  How is Tessian championing a growth mindset? In the last year, we created a Global Leadership Team (GLT) to help our people work on personal and leadership growth. 

We focused on growth mindset because an essential part of scaling a hyper-growth start-up is building a culture where your people are unafraid to set moonshot goals.  But to set these ambitious moonshot goals, we also need to be comfortable with failing fast, iterating, and continuing to build. As Simon Sinek says “What good is an idea if it remains an idea? Try. Experiment. Iterate. Fail. Try again. Change the world.”  At Tessian we want to change the world of cybersecurity. During our GLT sessions on growth mindset, our biggest takeaway was that we need to change how we view our failures. This change of mindset takes time, but we’ve already begun relishing in challenges, because mistakes and setbacks aren’t a reflection on us — just on our preparation and current ability, which are adaptable. We can grow! Tips to help you adopt a growth mindset We’re creating a culture where our leaders are open to feedback, accountable for their own growth, and resilient to take on new challenges — we are seeing the impact of this with increased creativity, innovation, and bottom-line growth. So, how can you adopt a growth mindset? Here are three of the core “growth mindset” tenants we implemented: Openly recognize and reward the value of learning from failure with your team. Failure is inevitable when it comes to running a team. So when you’re running a retrospective, it’s a good idea to openly speak about your own failures and those of the team, plus the lessons you learned. This will help create a culture where failure is recognized as a learning tool. Result? Your team will be encouraged to grow and take innovative risks. Embed a company or leadership value that focuses on perseverance. A great organization doesn’t grow overnight. The fruits of growth require time, which means perseverance is key. We found having a company value around “Grit & Perseverance” helped to better embed this concept throughout our teams. We speak about it at our Town Halls, Weekly All Hands, and Performance Reviews. The company is clear on how important it to push through failure, treat obstacles as challenges, and persist in spite of difficult situations to produce more impactful results. Pay close attention to the language you use in 1:1s with your direct reports and team meetings. Top tip: Remove the “you can’t” mindset and adopt a “how can you” mindset with your team. Also, think about moving from “this was a failure” to “we failed, this is what we learned, now let’s go make this even better”. Everyone has desires, and most of us can channel our efforts toward diligent work. But the ability to overcome constant failure has proven to be the distinguishing factor between ‘good’ and ‘great’. Language will help motivate your teams to keep coming back from failures; they will feel it’s safe for them to fail. (Hint! This is all about psychological safety). If you want to learn more about growth mindset, here are some of our favorite resources: Everything written by Dr. Dweck is great! But if you’re going to read or listen to anything, we’d recommend you watch this TedTalk or read this HBR article. We found it helpful to check out how other start-ups were using “Growth Mindset” to develop their leaders and found this article on Microsoft helpful We love everything from Farnam Street, and found ourselves coming back to this article, Creating a Growth Mindset in the Workplace again and again Farnam Street has done a great summary of the two different mindsets here Inspired by this article? Share it with your network on LinkedIn and Twitter! Or, if you’re looking for more insights into how we work at Tessian, subscribe to our newsletter below.

There’s an (unfair!) perception in the industry that most CISOs are skeptical, or at least conservative, when it comes to adopting the latest security technology. But the role of the CISO is evolving. It’s no longer to simply “own” risk. Today, they’re also tasked with educating and informing everybody within the company – including the C-Suite – on the risks and what can be done to mitigate them.  In this fast moving world, it’s no longer possible to be passive. Only those who are open-minded (and ideally progressive) will protect their company from the most advanced threats. A year of firsts  The security industry is moving in a different direction. We need only look back at the last 12 months to see why: COVID has raised the profile for security.  A greater attack profile has caught the attention of executive teams, and they are looking to CISOs to respond. But, it’s not all bad news. Just as cybercriminals see opportunity in disruption, CISOs have an opportunity to play a bigger role at the executive level. The digital transformation has been accelerated. The shift to remote working means an increased attack surface. Today, security teams must support whole departments of remote workers as they engage with technology in their kitchens, bedrooms, and coffee shops. CISOs need to do more than send the occasional email or facilitate annual training to raise awareness about cyber threats.  Ransomware is an ever-growing threat. In fact, almost a third of victims pay a ransom, which means the stakes are higher than ever.  Attackers have improved the implementation of their encryption schemes, making them harder to crack. And, rather than simply encrypting critical data, some criminals now steal sensitive data and threaten to release it if the ransom is not paid.  With so much changing, CISOs have to adapt fast and adopt new technology to succeed. Gartner calls this period of early adoption a “hype cycle”.  And, for any new innovation, early publicity produces a number of success stories — often accompanied by scores of failures. Some companies take action; many do not. Where do you stand? The technology balance Both inside and outside of security, there are plenty of arguments both for and against new technologies:

Given the rapidly evolving threat landscape, though, CISOs should be pushed harder than most to commit fully to the leading edge of security innovation. After all, “nobody got fired for buying IBM” and “fortune favors the brave“, right? The next generation of security  More and more CISOs are choosing to be brave. Why? It comes down to the modern way this next generation of security is being designed and built.  Today’s security benefits  are focused on cutting the risk out of early participation while amplifying the benefits. At the heart of the change are two related trends:  Next-generation security services  The advancement of machine learning The next generation of security services has removed the need for CISOs to be experts on negotiating IT project. Instead, they can focus on managing the risks to their business.  For example, with cloud services, the costs of infrastructure – and efforts of supporting it – are completely removed as the services you buy are scalable to match the business. Cloud services also require no maintenance or professional assistance beyond an internet browser. The cloud means that the hurdles and expense associated with “trying out something new” are hugely mitigated. And, because these next-gen security services are hosted on the cloud, you’ll always have the latest version.  There is only one “copy” of these software tools. That means upgrade cycles have come down from once a year to multiple times a day. Better still, these services connect to one another. This equates to a shallower learning curve for users, faster time-to-market, and the flexibility to bolt on future tools that suit the way you want to run your operation.

Legacy technology vs. machine learning Whereas legacy technology uses rule-based techniques to secure organizational risks, new providers leverage machine learning to provide accurate, automatic protection, and visibility against advanced risks, otherwise impossible to detect with legacy systems. Machine learning’s goal is to understand the structure of the data and fit theoretical distributions to that data that is well understood. And, because machine learning often uses an iterative approach to learn from data, the learning can be easily automated. Passes are run through the data until a robust pattern is found. In an ever-evolving security world, this allows for the identification of specific risks. By using machine learning algorithms to build models that uncover these connections, organizations can make better decisions without human intervention. For example, identifying anomalous behaviors that form part of the most advanced threats in the enterprise. The benefit for CISOs – and their security teams – is clear. Lower time commitment to identify and remediate issues and more accurate reporting on the risks to the business. These next generation tools also achieve something legacy systems can’t and don’t: they share de-identified data between customers to ensure everyone is protected, even from threats that haven’t (yet) been seen in their own network. The benefit? Organizations continually – and automatically – improve their protection against an ever-changing threat environment. Low risk, high reward  Finally, like never before – and because these services are in the cloud – security leaders are in a position to switch on new services at low risk, without any upfront investment.  With no upfront CapEx, chances are that your first steps will be below any procurement ceiling too – so PoCs become simple to execute. It becomes rational to test a service or strategy with a small team before rolling out more broadly.  And, because the barrier to try (and switch!) for these early adopters is so low, “try before you buy” is a prevalent trend. With low switching costs, the software developers behind the scenes have a wholehearted commitment to making the trial period compelling enough to convince you to take the next step. They have skin in the game and understand that happy customers dictate whether or not a product is successful. This lowering of barriers, enabling of small-scale testing, and offsetting of cost should all make it a little more tempting for CISOs to take the leap and occasionally try for first-mover status. Because adopting innovative practices has never been so low-risk and the rewards are well-worth it.  To name a few… improving your security posture, reducing admin, and protecting your employees from ever-evolving threats.

In the spirit of the late-90’s classic, 10 things I hate about you, here are 10 things I hate about how my industry thinks about Diversity: Assuming Diversity = Inclusion 1D-diversity: focus on only one of gender, race, sexuality, etc. Diversity as just a hiring problem Inclusion as just a People/HR team problem Ending the convo after unconscious bias training PR without follow-through Leaving D&I to the affinity groups Assuming Equality = Equity Lack of measurement  The Zero-Sum Game I could talk about any of these, but the zero-sum game is the one that doesn’t get spoken about anywhere near enough. An example: The gender gap in tech

Here’s a simplified version where we take gender as an example.  To make the numbers easier to understand, let’s imagine that the tech industry is 75% male, 25% female (this is generous; women make up c. 24% of Technology positions). Every Tech company:  ‘We want a 50/50 gender balance’  Does dedicated diversity sourcing, asks for diverse shortlists, shouts a lot about diversity, has a fancy policy, etc etc. Also many Tech companies:  Does nothing to improve the gender diversity of the overall industry pool This is crazy. If there were 100 tech workers in the whole world, 25 were female and 75 were male, and there were two 50-person tech companies out there… if one of those companies actually achieved a 50/50 gender split, the other company would be at 0/100.  This is, at best, a local, not global success.  The tech industry’s diversity push is one never ending tug of war, yet this is the zero-sum game and the approach most tech companies take. So what does really caring about diversity look like?  TL;DR: bringing up a more diverse next generation.  Stereotypes are insidious and start at an early age – way before workers enter the workforce, even before students pick their disciplines in school that affect how they enter the workforce. There’s even evidence to suggest these stereotypes are there before children even learn to read.  And these stereotypes tell minorities that technical, high-paying jobs in tech aren’t for people like them. We’re only going to solve the diversity problem in tech by going to the source, where there are two issues:  Not enough diverse people entering the technology workforce (whether out of school or switching later in life); and  The pipeline is leaky – diverse candidates are more likely to exit the tech industry (for caring duties, personal reasons, or discrimination) than those in the majority. Inclusion initiatives should help with the second facet – and there’s been great work by many tech companies to shift to more human-first working patterns, practices and policies to shore up the leaks. But there is a lot of work to do to combat the first challenge & get more people into tech in the first place.

What you can do to support diversity in tech So, tech companies out there, here are three things you can do to get us out of this zero-sum game: 1. Support early-age initiatives Awareness of future career opportunities in diverse populations is a challenge. At Tessian, we’ve been working with organisations such as the WISE Campaign’s Young Professionals’ Board whose mission is to inspire, engage & advocate for the next generation of STEM (science, technology, engineering and maths). Gisela Rossi, Tessian Engineer & WYPB member has been supporting initiatives such as the Tara Binns book series working to break down stereotypes in children aged 5-11, and running competitions to engage children in these industries. There are many great organisations out there such as the WISE Campaign, and STEM.org, but don’t just donate dollars – donate voices, and donate time. 2. Go back to school On that note, volunteering initiatives are powerful. We encourage our Tessians to take volunteer days & outreach to schools to raise the profile of voices in tech, and evangelize that tech can be for anyone. Don’t just leave it to teachers – show the promise of these roles to the next generation, don’t just tell them about it. A quick tip is to reach out to local schools – especially those that lack the resources to explore these subjects. Local alumni speakers who are actually in these industries are a quick and simple way to show children that there are real opportunities out there for all people – including people like them.  3. Grads Grads Grads (& Career Changers) Yes, you need diversity at the top too, but if all your roles demand 5+ years of experience, the next generation of diverse candidates is never going to arrive.  As soon as you reach a critical mass, you need entry-level programs and paid internships – and yes; they have to be paid, because unpaid internships are only viable for those who can already afford not to bring in earnings.  What about at Tessian? At Tessian, we were less than 15 people when we hired our first intern, and we’ve run paid internships (sometimes in full blown programs, sometimes ad-hoc) and brought in young talent ever since. And we’re hiring our next engineering grad intake now. Yes – it’s going to eat up some management time, but in my view, any tech company with a decent cash balance that isn’t running either paid internships or entry-level programs, isn’t taking diversity seriously in a meaningful sense. Doing the right thing, and running a human first company can be hard; the benefit of the initiatives will be felt by the tech industry in 10 or 20 years’ time, not the tech industry of today.  The ROI in your one to three year business plan isn’t going to bear the fruit of these initiatives, but folks, we have to solve this: we have a huge skills gap in tech and cyber security, where there are high paid jobs sitting vacant for lack of interest and training.  As an industry with so much promise and so much investment, we need to stop looking inwards and start looking outwards to the global tech ecosystem, or our diversity initiatives will just be us forever chasing our tail.

When we set out to define our values, we asked our people what being a Tessian meant to them. The value that was born out of this – now our first and foremost value – is Human First.  Human First is the value we’d always had but never captured in words. As soon as it crystallized, it was everywhere. Within weeks you would hear it in every other meeting, it would be the first question in every decision that touched our people, and it merged completely into how we think about our mission; even more than being a cutting-edge technology company, we’re a cutting-edge human company, building for human beings as they are, not how security standards want them to be. So what does it mean to be a Human First company in the age of coronavirus? Like many companies a lifetime ago (March 2020) we went remote overnight. A formerly office-first company, we’d naively expected lower productivity & that everyone would be more relaxed not having to travel to and from the office every day. We were so wrong.

A couple of weeks in, once the novelty of an extra hour in bed had worn off and we had realized that being remote wasn’t stopping work getting done, we started to pick up on themes – people working later and later, more and more questions in our employee engagement platform about mental health, self care, and dealing with stress.  We talked a lot more about our Employee Assistance Program and we told people they should still try & take their paid leave. But compounded by being confined at home, those who managed to take leave found that they couldn’t help but gravitate back to their phone & laptop, with email & messaging pinging throughout the day (and night, since we’re an international team). Our Tessians couldn’t switch off with no-where to go and the spectre of their inboxes piling up and up. We knew we needed to stop saying things, and needed to do something big, fast. So we shut down the Company. (For a day.) Why? Let’s roll back a moment. We asked people why they were struggling to switch off, and we listened to their fears of letting their teammates down with so much work going on, and the creep in hours to find overlap time with their international colleagues.  We realized that unless all our Tessians – from the CEO, to our newest graduates – were all offline, it was hard for anyone to be offline. Enter Refreshian Day.

Refreshian Day is not a vacation or holiday day. It’s a paid day we give to our Tessians, to do what they need to do to take care of themselves, when all Tessians are offline, together. When we know our people have been, or will be, working even harder than usual to bring our vision to life, it’s important to give something back. Our first Refreshian was in July; our second, October. And today we’ve announced our third in February 2021.  We ask only two things of our people on Refreshian day: Don’t work Take time to take care of you Being human means one size never fits all, and our Tessians have variously taken long walks, spa days, watched sunsets, crafted pottery and baked a lot (lot, lot) of bread. Being a human first company means giving our people the space and time to revel in what makes them unique – even if it means shutting everything down from time to time.

How would you spend your Refreshian day? Join us and find out.

Over the past few months, Tessian has been taking steps towards creating a more diverse and more inclusive place to work.  Why? Because We’ve acknowledged that we’re not as diverse as we want to be. But, we’re committed to making a change.  Why is this so important to us?  Of course, there are many reasons (just a few mentioned by our very own Tessians) but the two main drivers are for:  The individual: it’s the right thing to do. Diversity is infinite and everyone should feel valued for who they are and have the opportunity to bring this to work.  Our future: With diversity of thought, we can be a better Tessian. This will enable us to not only challenge the status quo and stay ahead of innovations, but also create opportunities for more people to be a part of our journey.  We know this isn’t something we can change overnight, but we’re already making small positive moves in the short-term as we work towards those bigger, long-term changes.  Most importantly, we simply want to make a difference where we can. This is an industry-wide problem. That means it involves every single one of our Tessians. So, where do we start? We believe the first step is understanding and awareness, combined with action and change. This is what prompted us to begin our Diversity and Inclusion learning journey.  The Journey  We partnered with Jeff Turner to build and deliver our D&I learning journey for everyone to experience together – to learn, connect and come together as one company.  Two key aims for the program were:  Shared understanding: Part of the training was to socialize D&I terms; to not only get everyone ‘speaking the same language’, but also to create a safe environment for people to ask questions and learn about each other’s different perspectives.  Building connections: We chat to some of our colleagues every day. But, how many times do you get the response ‘Good, thanks’ when you ask someone how they are? I bet almost every time! We wanted to give people the chance to build connections across departments at Tessian and encourage people to share deep experiences that they otherwise might not have.  The program consisted of three sessions (described very high-level below) and each were delivered two weeks apart:  Diversity: Appreciating our differences and knowing that everyone brings value to the workplace.  Unconscious Bias: Accepting that everyone naturally has their own biases which have formed over time based on our life experiences, preferences, education – all the things that make us who we are. And importantly, recognizing that we can make the unconscious, conscious by challenging our own biases when making decisions.  Building Inclusion: Consciously ensuring our behavior is inclusive and learning how to appropriately call out exclusive behavior including microaggressions.  There were 25+ people involved in each session. Importantly, these people dialed in from all around the world. This enabled the sessions to be interactive. We also learned from feedback that these smaller, diverse groups made people feel safe and encouraged everyone to share their personal experiences. No judgement.  But we didn’t want these sessions to be the only place where people talked about Diversity and Inclusion.  To ensure the conversation continued throughout the business, we sent out pre-reads with three key learning objectives and three things to think about ahead of the session and post-reads with the top three takeaways and suggested follow up actions. 

What did we learn?  We’ve had exceptional feedback following the completion of this program and already feel like it has had a positive impact on our company culture.  The essence of the feedback is that the program genuinely encouraged deep self-reflection and learning. People have told us that not only have they already learned things that will change how they behave going forward, but that it’s been an amazing bonding experience with their colleagues – which means even more in this period of remote worklife.  A few direct quotes from our employees: “Best D&I session I’ve had – it didn’t focus on the more obvious points of diversity but delved much more deeply into what makes each of us different.” “IT WAS BLOODY AWESOME.” “I love these sessions, they challenge your perceptions and make you know other people you work with better. I am honestly sad that there’s only one left.” It doesn’t end there… As we’ve said, there’s no quick fix here. We have to keep working together to enable change.  Our culture is highly collaborative and that’s why it’s so important to us that we’re co-creating solutions and actions with Tessians as we go – to find out what they want, what they need, and how we can learn together along the way.  Here are a few ways we’re continuing to push forward:  Inclusion competition: We’ve asked people to submit their ideas for what we can do to create a more inclusive place to work. Ideas will be judged based on potential impact, scalability, and originality. We’ve already received some great entries so far. Watch this space!  ‘Managing Inclusively’: In 2021, Jeff will be back to deliver an additional session exclusively for our managers. Here we will go even deeper – talking about privilege and the power that we disproportionately hold as managers, and how to use this power to create change. D&I report: For the first time ever, we’ll be internally publishing a D&I report to share key metrics and what these metrics mean. Transparency is an essential component. We expect to uncover a lot of home truths that will lead us to building the right solutions for Tessian. We have a long way to go on this journey of creating a better Tessian and a better world. We will continue to share as we go along, and would love to hear from anyone interested in coming on this journey with us.

What a year! As 2020 draws to a close, we wanted to take some time to reflect on some awesome wins and what we’ve learned through a tumultuous year. I’ll try my best to not mention “Zoom fatigue”, “the new normal” or “unprecedented”.  Here goes nothing. 2020 in numbers 👨‍👨‍👧‍👧 We spent more time with our customers than ever before with >1000 customer review meetings taking place 💻 We onboarded our 200,000th employee on to the Tessian platform  ❌ We detected or prevented 450,000 misdirected emails and advanced spear phishing attacks, and over 2,000,000 data exfiltration attempts for our customers  🌍 We started working with some incredible new customers across the world – Cordaan, GoCardless, and Schroders PW to name just a few 📣 35 customers took to the stage at various Tessian events to speak about their approach to Human Layer Security and security culture

Agility is key The security challenges the pandemic created for our customers were far greater than navigating the overnight transition to remote working. Email sending was up 129%, attackers pivoted quickly to COVID-related attacks, and employee uncertainty led to unconventional (and non-compliant) sending behaviors. We all had to pivot quickly. At Tessian, our CSMs ran consultative health checks with all customers, our Product and Data Science teams updated our end-user warnings to raise employees’ awareness of COVID-related attacks, and our Marketing team launched our remote-working content hub filled with blogs, guides and reports for customers to consult and share with employees. A true embodiment of craft at speed. Security came to the forefront 2020 was another year of security grabbing the attention of boardrooms, investors and mainstream media outlets. Specifically, the trend of having empathy for employees accelerated. This has led to the rise of technologies that work in the background – making employees’ lives easier and unburdening them from the expectation that they must also be security experts. As Tim Fitzgerald (CISO @ Arm) and I reflected on, everyone has gone through so much this year (personally and professionally), that security teams need to lead with an approach that helps empower rather than restrict their employees. What’s more, it was the year that Human Layer Security became widely recognized as the obvious and necessary direction enterprise security is headed, with Tessian being recognized by both Gartner and Forrester for the work we’ve been doing with our customers.  In short, when times got tough, our goal “to stop breaches, not business” became more important than ever.  Visibility of risk takes a whole new meaning in a remote world As we’ve touched on before, security teams have gone from managing a handful of offices around the world to thousands of home offices around the world. In this decentralized working model, visibility is more important than ever before. We identified that early and worked incredibly hard to bring our customers more visibility into their human layer security risks. From our customer conversations it became apparent that security teams were more stressed and stretched than ever. Rather than throwing more data at them, we needed to focus on surfacing the most relevant trends and actionable insights so that security teams could be more effective and efficient in reducing risk. And that led to our launch of our Human Layer Security Intelligence platform.  The best CISOs are culture champions The role of a CISO continues to evolve. No longer is it enough to implement top-down technology and hope for the best. The most forward-thinking security teams are building positive security cultures by appointing security ambassadors and asking management to drive awareness in their teams. More on that with my conversation with Kevin Storli (Partner @ PwC) here and from Mark Logsdon (Head of Cyber Assurance and Oversight @ Prudential) here. Your suppliers’ risk is your risk As Kevin and I also discussed, it’s no longer enough to inwardly think about your risk. You need to engage with your supplier ecosystem to ensure you’re on the same page. We’ve all seen the headlines about a recent high-profile supply-chain attack, and it’s likely that we’ll see more of these in the future. Security is a team sport and we need to all be vested in the security of others. 

Putting the “human” in Human Layer Security Finally, being human-first is one of the core values we live by at Tessian, I’m proud of how my team carried this with them day-to-day.  Before every interaction we asked ourselves two key questions: 1) Are we being genuinely helpful? and 2) Are we being deeply empathetic to our customers’ circumstances?  It’s about recognizing that each new customer win for us has been underpinned by forward-thinking security folks who are fighting to protect their employees against yesterday’s, today’s, and tomorrow’s risks. Each Quarterly Business Review is a story of helping those people who invested in Tessian do a great job and get the recognition they deserve. Each internal meeting is about understanding how we can support each other to succeed together. As a result, our relationships are stronger, and more people are protected by Tessian.  (Shout-out to Nick Mehta, CEO @ Gainsight, for his words of wisdom at our Q2 Town Hall and to Howard Schultz, former CEO at Starbucks,  at our Human Layer Security Summit – two leaders who are truly human-first and always lead by example.) Goodbye 2020, hello 2021 👋 From being hit by a pandemic to developing a more human-first approach to our customer relationships, it’s been a different kind of year. We’ve formed some amazing partnerships and been pushed in all the right ways by our customers. It’s important to reflect on how much we accomplished and learned, and of course, to say thank you to those who helped us along the way. Now, onward to 2021.

We certainly won’t be the first to have made this claim in the last nine months but…the world has changed. Yes – we’ll say it – these are unprecedented times. That’s why companies around the world are reinventing their approach to engaging with and supporting their people.   How has Tessian adapted so far this year?   So, what have we done at Tessian? A lot.  We’ve reimagined how we socialize and connect with Tessians all over the world (yes, there’s been bingo!). We’ve set up fully remote onboarding for the first time ever. We’ve even ever-so-briefly re-opened our London office, with super safe protocol and measures put in place to protect those of us who wished to return. We’ve done it all.   But undoubtedly the biggest challenge we’ve had to grapple with – and therefore the question we’ve had to answer – is this: What should the new world of work look like for Tessians when things start to return to “normal”?   We know for sure that our office of the future will be very different from our office of the past, but what exactly does it look like? And, more importantly, how do we support  Tessians while the future is still so unclear?   It’s been a journey, but we’re excited to finally share Tessian’s plans for the future. It’s looking bright – and full of choice.   What does the new world of work look like at Tessian?   Some companies pride themselves on being entirely remote. And there are no doubt benefits to this simplified approach. No office politics. And, decisions don’t get made “where the action is” (in the office) because, well, there isn’t one!   Others are still trying to retain an office that puts culture first. They want to create a space that fosters collaboration and offers the social benefits that are synonymous with a bustling office.   But we believe that both of these approaches – while possibly easier and with fewer risks to manage – miss out on one of the most important determinants of happiness and wellbeing in our lives: Choice. So, at Tessian, we’re excited to announce our new approach to the future of work: Choice First   What is Choice First?   Choice First enables Tessians and future Tessians to do their best work, in whatever way is best for them.   Put simply, we will be giving our team three options to choose from, with as few caveats as possible:

Why have we landed here (and not remote first, or office first)?   We have done extensive internal and external research, and there are three core reasons we believe this is the way forward.    1. Attract (and keep!) world-class talent    We know that the best companies in the world will be adopting remote options for employees while keeping hubs for those employees who prefer being able to work and socialize in the office. It’s about getting the best of both.    We want to be amongst these companies. That way, we can continue to attract and retain the best people.    Internally, having heard from our people (our Culture Council has done some great work here), some Tessians can’t wait to get back to the office.  We want to ensure that we still have this option in the future. In fact, some have even said they wouldn’t want to work for a company that didn’t have this as an option!   But some Tessians have experienced an enormously positive change in their lives since skipping the commute to the office every day. We need to ensure that we offer both.   Just look at the results of our most recent research report, Securing the Future of Hybrid Working. You can see employees really do want to be able to work from anywhere.   !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); 2. Diversity catalyst    This will open doors to new pools of diverse talent and will make room for every potential Tessian. We believe this will support us in creating a more diverse “place” to work by:    Opening up talent pools in different locations around the country (and world!) Allowing those who need to work from home for health reasons, or due to caring or other responsibilities, will be able to join the Tessian experience Enabling those who do want to enjoy the social elements of an office to do so  Learn more about why diversity is important at Tessian…from Tessians. Watch the video now.   3. Take care of Tessians and support wellbeing   Choice First allows people to be in control of their own working lives.  Which is a good thing. Why? Because what works for one person may not work for another.    Studies have shown that when employees are given the freedom to make the right choices for their career and their life outside of work, their holistic wellbeing will be greater.    Surprisingly, given how difficult this period of working from home has been, our own engagement data is backing up how not being in the office can increase wellbeing. We’ve had a significant (over 10%!) uplift in our company engagement scores against the “health” driver (which measures things like mental and physical wellbeing) since leaving the office back in March.    So, for people to do their best work, and have good holistic wellbeing, we need to enable choice around work locations and preferences.   What about the risks?    We all know that introducing a hybrid culture is not without its challenges. So we’re dedicating significant time and resources over the coming months to counteract these.   Just some of the key things we are thinking about are below.    Culture Inclusivity – How do we make sure people aren’t left out because they do or don’t work in the office? Communication – How do we make sure people feel connected to what’s happening at Tessian? Fun – How do we keep things interesting in a hybrid environment? Fairness – How do we make sure no one is positively or negatively impacted due to their choice? Ways of working Communication – When do we use synchronous vs asynchronous communication? How we work – Are hybrid working patterns different from office-based patterns? Security – How can we continue leveraging technology, policies, and training to keep our people safe, wherever and however they work?  Amplifying performance – How can we provide in-the-moment feedback and help Tessians do their best work, even when we’re not all together? Effectiveness – Does hybrid make it harder to get stuff done? Do we have the right tools in place to support everyone? What’s next?   There is still a lot of work to be done. We will be mobilizing our internal teams to make sure our current employees and future Tessians have clarity about their options. Of course, decisions don’t need to be made just yet.   Watch this space for more insights about our journey – we can’t wait to share it with you.

We believe this whole-heartedly at Tessian. That’s why we’ve made Customer Centricity one of our six company values, and why we’re making it – along with being Human-First – our focus going into Q4.  So, what does “Customer Centricity” actually mean?  It means that our customer’s success doesn’t sit with one functional team. Instead, it’s the entire company’s responsibility. It’s embedded into every role, across every team. It’s a part of Tessian’s company culture. Whether we’re launching a feature, or pursuing a partnership, we always ask “How does this help our current and future customers?”  Keep reading to find out why customer-centricity is more important now than ever, what we’re doing internally to ensure we’re being guided by this value every day, and what we learned from Nick Mehta, a guru of Customer Success and the CEO of Gainsight, during his live discussion with Tessian CEO and Co-Founder, Tim Sadler.  Why are we focusing on customer-centricity now? It’s been a tumultuous few months for businesses around the world which means that two of our values are especially relevant: Customer Centricity and Human First. They go hand-in-hand. Nick explained why.

Instead of just looking at the effects of COVID-19 and the economic downturn from our perspective, we’ve stayed laser-focused on what our customers are going through. The ultimate question that we’ve asked ourselves – and will continue asking ourselves – is “How can we best support our customers through this period?” How can we help? How can we show real value?  As we’ve said, we believe this is the responsibility of all Tessians. Nick does, too. “It’s not just about the customer success function or customer-facing roles. It’s all roles. Customer Success if about end-to-end customer experience, but everyone in the company touches that. In Finance, part of the customer experience is the invoice you send them and the collection emails you send. Those things matter a lot.  If you’re in Legal, the terms in your contract affect the customer experience. Are they friendly? Are they easy to understand? Even if you’re not talking to a customer every day, you can still look at customer data to help you do your job better,” he said. What are we doing internally to make sure we’re being guided by these values?  Here are steps we’re taking this quarter to show our commitment to our customers: We’re creating a more human experience for our customers. We’ve been thinking deeply about our customer journey during this period, in particular the AE-CSM holdover. We want our customer’s experience to be as seamless – and as human – as possible. This influences how we communicate, when we communicate, and the ways in which we demonstrate value. It all comes back to being human-first and, as Nick said, “treating customers not just as a transaction or a deal, but as a group of human beings”. We’re empowering all Tessians to understand their role in customer success. During our Town Hall, we asked everyone at Tessian to take this quarter to reflect on this question: How does your role impact our customers? We’re encouraging even those employees who aren’t in customer-facing roles to explore the challenges our customers are facing and what we can do to best support them. We’re also kicking off a Customer Success Book Club. Our first pick? Nick’s latest book “The Customer Success Economy”. This way, all Tessians can understand how to apply customer-centric principals to their specific role.  We’re immersed in customer feedback. We are taking the time to find even more ways to communicate with our customers during COVID, even without face-to-face meetings. We want to make sure we understand – at all times – how their priorities are shifting. That way, we can anticipate their needs and continue delivering an amazing customer experience. We’re setting company-level OKRs focusing on Customer Centricity. While creating all of these initiatives and putting them into action are steps one and two, we have to somehow hold ourselves accountable. That’s why we’ve set company-level OKRs. Now, individuals, teams, and entire departments across Tessian have goals set around Customer Centricity. These will be reviewed throughout the quarter to make sure we’re always demonstrating this value and putting our customers first. The bottom line is: We’re guided by our customers and we want to support them today and in the future, wherever and however they’re working.  What can other organizations do to make sure they’re focusing on their customers? COVID has impacted all of us and while customers are certainly looking for value, they’re also looking for a human touch. Empathy goes a long way. Here are some questions to reflect on: How can we break down silos in our company to ensure customers are at the forefront of every decision? In what areas of the business could we show more empathy to our customers, and err away from treating them as a transaction or deal? How can we reach out more frequently and regularly to our customers in a human-first way to ensure we are showing value?

Tessian has just finished building our first-ever Growth Framework for our Engineering team. At the same time, we’ve also introduced Internal Levels to represent different stages of progression and identify key milestones as our Engineers develop and grow.  We see this framework as a guiding North Star for Tessians to trail blaze their own career. Tessian’s values ensure we achieve against the expectations outlined in the framework in the right way, and they are embedded throughout.  Why did we do it?   We’ve had feedback in the past about not having clear progression paths for our current team and – at the same time – it’s critical we understand what “good” looks like at each level for new team members. So, what problems is this new framework going to solve for us?  Our Engineers know what their career at Tessian could look like.  Introducing levels means we can celebrate promotion more formally.  It will support future hiring so we can find the best people to join us.  What does it look like?  There are levels which show the milestones of development at Tessian. As our engineers develop and grow, they progress through these levels.  How do they know what it takes to get to the next level? Well, that’s where our Growth Framework comes in! The framework defines competency clusters which are then broken down into further competencies that outline the  key behaviors expected at each level.  Let us introduce you to our Competency Clusters (and Competencies)

How did we do it?  Our Engineering and People team partnered on this and garnered insights not only from Tessians, but also by exploring best practice in our industry.  We have a culture of collaboration so it was important for us to hear directly from our Engineering team to learn more about their perspectives. We spoke to as many engineers as possible to find out what makes a great engineer and a great framework.  We also reviewed successful frameworks in other tech companies to get a strong sense of what has and hasn’t worked for others.  Here’s a step-by-step of our actions:  Information-gathering  We researched open sources and, by comparing and coding, we found that there are similar core competencies that appear in the majority of frameworks. We whittled it down to seven possible competencies; Craft, Impact, Execution, Leadership, Advocacy, Continuously Improves, and Communication.  Explore workshops  We ran a series of workshops with our Eng leaders to really dig into what’s important for them. In the first workshop, we shared the seven possible competencies and, in breakout groups, we discussed the competencies. We asked ourselves two key questions:  For Tessian: How important is this in helping us achieve our business goals?  For our Tessians: How meaningful is this for individuals in their careers?  We then brought everyone back for a group discussion and shared our thoughts from the breakout groups. As expected, we found there was a lot of cross-over amongst the competencies and what they mean to us.  From this first session, we had two main takeaways:  We needed to ensure that we created clear competency cluster definitions that describe exactly what that competency means to Tessian.  We could chop and merge some of the 7 possible competencies clusters to identify our core competencies.  In our second workshop, we shared our findings and introduced the rescoped and refined competencies. This was where the idea of Competency Clusters with Competencies within them were born.  Our four clusters became: Craft, Impact, Delivery, and Communication.  From this session, we gained better understanding about our competencies, but had feedback that perhaps the names of the clusters didn’t feel quite right.  We wanted our clusters to be action statements, so:  Craft became “Master your Craft” – broken down into Technical Skills, Continuous Improvement and Security.  Impact became “Make an Impact”– broken down into Teamwork, Influence, Accountability and Customer-Centricity.  Delivery became “Get Stuff Done” – broken down into Delivery and Autonomy.  Communication became “Communicate” – broken down into Information and Feedback.  Building the behaviors  At this point, we were in a good place with our competency clusters, competencies, and definitions. It was time to build the specific behavioral indicators that sit under each competency and each level.  We knew from our previous workshops that – while we were getting some really useful comments – it was sometimes quite difficult to capture them all verbally. So, we tried out a live commenting activity. It worked brilliantly and captured the diversity of thought amongst all of our engineering leaders.  We shared the draft framework with our managers before the session. Then, during the session, we asked managers to spend the first 20 minutes making live comments on our Google sheet. Afterwards, and as a group, we went through each of the comments, discussed further, and made notes for action.  Iterations  But, we didn’t stop there. We had a few more manager workshops where we had cycles of gaining feedback > making amends > sharing back.  When we got to what we’d call a ‘final draft’, we asked the wider Engineering team for volunteers to join a focus group to get their feedback. This was an energizing session and was the first time the wider team was able to see the framework and overall, the response was really positive. People really cared about understanding how this tool could be used to support their growth at Tessian. One nugget of feedback that came from this group was that our Competency Framework sounded very formal and not very inspiring, and so, this became our Growth Framework. This really felt like it was more representative of what we want to use it for.  Defining our levels  While we were finalzing our Growth Framework, we were also identifying what levels and job titles would make sense for Tessian. Again, we looked at what our peers were doing (using progression.fyi), so that whatever we landed on spoke the same language as the rest of tech. This also ensures that it’s on par with appropriate expectations in the market so it’s easily comparable with other companies. Testing, testing!  This is arguably the most important part. We had to see if the framework actually worked in practice. We had meetings with individual managers to work through what level each of their team members were currently delivering to. And, to ensure a fair and transparent process, we had a group calibration session to discuss the larger team. In an effort to ensure the same approach was being applied to every assessment, we asked managers to use a traffic light system to review their direct reports against each competency. The traffic light colors indicate: “They are consistently demonstrating this behavior” (green) “They demonstrate this behavior from time to time, but not all the time” (yellow) “They are currently not demonstrating this behavior” (red) Go Live The final tweaks were done, wordsmithing complete, and design decisions made. Finally, our framework was published on our internal Wiki for everyone to view.  All managers had discussions with their direct reports to understand where they think they currently sit against the framework, and we will finalize trial levels over the coming weeks. The word “trial” here is important. We’ll explain more below. What comes next?  Collaboration and shared accountability are critical to our engineering culture at Tessian. So, for the next few months, our team will have what we’re calling “trial levels”. This means that we won’t confirm final levels until we’ve used the framework in practice for a couple of months, and our team has really had the opportunity to see how this works for them before providing feedback. It’s a process! We’re beyond excited to see how this framework will continue to support Tessian to create a world class engineering organization that not only builds amazing products, but that enables engineers to thrive and grow in their careers. Watch this space as we share more news about how this has worked for us in practice and key insights gained!   And, if you’re interested in joining our team, see our open roles here.

Across continents, the Tessian community is formed of diverse and intersectional people collectively working to secure the Human Layer. But, this month we’re proud to honor the contributions of LGBTQ+ Tessians and the importance of freedom of sexual orientation and gender expression in the workplace. With Human First as a core value at Tessian, we approach everything with empathy and we look out for each other alongside our own wellbeing. Respect, kindness, and inclusion are at the core of our company because our humanity is what makes us who we are. That’s why we’re launching Tessian Plus. And, we’re thrilled that within one month of launching the initiative, the group already holds more than 10% of the company — a significant minority and higher than the expected average. The Plus mission Plus is formed around a core mission to:  Ensure an inclusive and respectful environment for all employees Raise awareness of, and represent the views and issues of, LGBTQ+ employees Provide a support network for LGBTQ+ employees Create opportunities to socialize with other LGBTQ+ employees Offer confidential support when needed Provide guidance to Tessian as an employer on policy and how to enhance its diversity strategy What is Plus? Plus is an employee-led LGBTQ+ resource group for anybody identifying as LGBTQ+. The group operates as a “safe space” for all Tessian LGBTQ+ employees to network, socialize, and share experiences behind closed doors. With Plus, we’re proud to create a private community for employees to express their sexual orientation and gender identity. And, by building from the ground-up, we will form a vocal committee of LGBTQ+ employees who can advise Tessian’s leadership on policies+, diversity initiatives, and how to operate as a point of contact for employees experiencing homophobic, biphobic, or transphobic bullying and harassment. It’s important that these channels are private. Why? Because even though we enjoy a culture of general acceptance of LGBTQ+ professionals in the workforce both in the UK and US, keeping the community private and confidential ensures it’s a safe space – especially for those individuals who aren’t as comfortable wearing their identity on their sleeve. That’s why it’s essential that we always work to preserve peoples’ right to decide when it is right for them to publicly disclose their identity.

Why are we launching Plus now? Last year marked the 50th anniversary of the New York Stonewall Riots — a pivotal event in the modern fight for LGBTQ+ rights in the US and worldwide — during which black and latinx trans women led days of riots against police in response to an unlawful police raid on The Stonewall Inn, a bar primarily serving the marginalized LGBTQ+ community in New York’s Greenwich Village. Globally – from the UK Gay Liberation Front, to the Lavender Menace, and to Black Power groups – Stonewall was a symbol of struggle against systemic oppression. In the months that followed, and frustrated with discrimination in the justice system and public harassment from police, LGBTQ+ figures and people of color led the frontline in protests that created an intersectional movement across activist groups that exists today in the form of The Stonewall Foundation. From the following June, in commemoration of Stonewall and for the continued fight for LGBTQ+ rights, a Christopher Street Day Parade was held to celebrate the LGBTQ+ figures and people of color who dedicated their lives to furthering the rights of humans worldwide. This has continued every year since and is why we celebrate Pride Month in June. Though we have made huge strides towards equality for LGBTQ+ communities in the last fifty years, particularly in the UK, with same-sex marriage equality and employment equality — for true equality to be eternally ours, we must use our privilege and right to protest to continue the tradition of Pride Month. This year, of course, is different than years before. Our remote “new normal” has presented a challenge to the typical vehicles for LGBTQ+ visibility. Pride floats are digital, and events are canceled, leaving people isolated from their usual support networks. We must therefore work harder than ever to bring the LGBTQ+ community together, around a core mission of inclusivity and family. So, this June – and as a proud Tessian LGBTQ+ community – we are coming together to celebrate the contributions of LGBTQ+ Tessians and support freedom of sexual orientation and gender expression worldwide and form the Plus employee resource group. We’re providing LGBTQ+ Tessians with a safe space to socialize, celebrating LGBTQ+ history, and sharing experiences within the LGBTQ+ community.