
EPISODE 8: Jeremy Vaughan

In this episode of the Cyber Thoughts Podcast, Lucas Nelson sits down with Jeremy Vaughan, founder and CEO of Start Left Security. His unconventional path to cybersecurity was sparked by personal experience and professional opportunity. Jeremy details launching Start Left Security during a global pandemic, emphasizing 'starting security left'—at the beginning of software development. He shares insights on building a platform that empowers developers to create secure software, aiming to enhance consumer protection and national security.



Welcome to the Cyber Thoughts podcast, where we explore the world of cybersecurity through the eyes of practitioners and leaders in the field. In each episode, we invite a guest from the world of Infosec to share their insights and expertise on the latest trends and developments in the cybersecurity market.


Whether you're a seasoned Infosec professional or just starting in the field, this podcast is for you; our guests will provide valuable insights and perspectives on the challenges and opportunities facing the Infosec market.


Join us as we delve into the world of Cybersecurity and learn from the experts on the Cyber Thoughts podcast.


PODCAST TRANSCRIPT


Lucas Nelson

Welcome to the Cyber Thoughts podcast, where we explore the ecosystem of cybersecurity through leaders in the field. Today, it's my great pleasure to welcome Jeremy Vaughan, the founder of Start Left Security and one of our companies. Jeremy, great to have you on the podcast.


Jeremy Vaughan

Yeah, thanks for having me. Jeremy Vaughan, CEO, Co-founder, Start Left Security. Happy to be here, happy to share my story, and super proud to be part of the Lytical portfolio.


Lucas Nelson

Well, thanks for saying that. So let's start with the origin story. How did you get into cybersecurity? Let's go all the way back to the beginning. Like what first got you involved?


Jeremy Vaughan

Yeah, it's interesting, right? So it's been a journey. I'll just say it that way. I started in finance and the recession hit and smartphones came out and me and a couple of buddies from college, I was the business guy. They were the engineers were like, let's get into software, build a business, things like that. And so after two successful services companies in software engineering, in the second one, we really started to differentiate ourselves by doing DevOps, CI/CD, delivering code faster. And then we started applying security into that. And so we're sitting here delivering high quality, super secure software to our CTOs and CIO champions. And they're like, what are you guys doing? You guys are delivering way faster than everybody else. So we showed them what we were doing, what we were monitoring, how we were doing this thing. And they're like, you have a SaaS opportunity here. Go commercialize this thing. And of course, you're sitting there like, do I want to start over? Starting over is really hard. You got to create all these new case studies. Before we had all the case studies, people were like, hey, who do you do business with? Who's your logos? Blah, blah, blah. And we could easily call these people up and be like, hey, talk good about us. So the origin story then becomes of what kicked me in the ass to start over. And so if you say anything about me online, I'm very passionate about this. In fact, I have a video out there we'll put in the comments or however way we share it in the podcast. 


But what kicked me in the butt was my daughter is a type one diabetic and we use monitoring devices that report to the mobile phone, mobile applications. And what happened was overnight, we didn't, we used to not sleep. We'd check her every one to two hours. So we, we joke, we didn't sleep for like five years. Right. And so we got this device. It allowed us to sleep for the first time in several, several years. So we began to trust. She was, when we first got the device, it was about five, six years old. And the story that I'm talking about, this was when she was about eight, eight and a half, yeah, right about eight, eight and a half, 2018, 2019, I would say. And we trust this device. And if you know about diabetes, if you go into a low blood sugar, that's potential seizures and life threatening. And so overnight this happened. She was a 47 blood sugar for three hours and the device never notified us. My daughter got up, we call her juicing herself. You know, you hear about diabetes like taking sugar to pump up their blood sugars again. She did that. She woke us up. Obviously like we're fired up. Like what happened? And I just did a quick research on the Google store and the iPhone iOS store. And this particular medical device company did not update their mobile, their mobile application for two and a half years. And so what that means is the OS, you know, we're getting these updates on our phone, update your, update, update your software, update your software. Right. And so the OS changes, but the mobile application is not staying current with the OS, right. And so in the world of software engineering, that's called code rot or software decay, right? I mean, just what it means, right? It's very obvious what it means from there.


So in security, that shows up on the OWASP Top 10 as outdated components, right? And so we monitor for those things in our software. And that was the thing that made me extremely passionate. So at first it was, hey, we're solving a problem for ourselves that we have. But the second thing was, this happened to me and my family. And that was like the trigger point that made me click of like, how does software actually impact consumers, patients, and like how life-threatening it could be, how detrimental it could be for somebody's life and business. And so that's what really fueled me. And I picked my big boy boots up and started executing. You know, getting this thing off the ground, and that was the origin story.


Lucas Nelson

Cool, so we've jumped into Start Left. Let's go down that path and then I'm gonna pull in some of your other history. But tell me a little bit about, you started Start Left, what do you do today, where'd you start? Kind of give me the story of a startup.


Jeremy Vaughan

Yeah, so I'll tell you what, man, this startup has been very hard to get off the ground. And it is nothing to do with the technology. It has everything to do with finding the right people, getting people to believe in you. And what, you know, I didn't set out to be a CEO. I just didn't, like, that wasn't like my aspiration. It was, I was trying to solve a problem. Today, you know, five years later, I know being a CEO has been my destiny, right? So like, I really love it. I do well at it. I know what I'm doing. I didn't really realize I'm that good at business until now. Right. And so, but I give you that background because the original CEO that I found to help lead this organization, cause originally I was the product owner. He actually passed away early on in our journey. Right. And so I don't even think I told you this, cause that's a, that's a deeply personal story, but he had a heart attack at Disney World. And it was, I, and that was part of the original story of picking my big boy boots up. Like somebody has to do this. And I just took the reins and started running. And so that was a couple of years ago, 2019. And that was, it scared me, right? It scared me to take the reins and let's move this thing along. But yeah, launched the company and raised some angel investment, you know, it was serendipitous that I met a gentleman who was an investor that, you know, became my angel investor. And he just like, Hey, I believe in you. Let's go. And so he fueled the first round and we started executing and, you know, just, we just started building this team. And it's a couple of years later, you know, I'll be honest, raising capital was hard. We literally launched right at the fricking beginning of COVID. And at that time, we were in an insurance accelerator getting exposed to Hartford, Beazley, Chubb, all these big insurance companies. And like, all of a sudden COVID hits and they're like, oh, we're gonna have to turn this down, right?
Like in the heart, in the accelerator, just shut down. And all the deals that we had going, literally gone. They're like, we have to make everybody virtual. And so that's an unexpected expense. So we don't have budget for you anymore. So I then took a step back and said, okay, if this is gonna be successful, how can we innovate in a way that nobody else is doing. And since nobody's really buying right now, it gave us the opportunity to figure out the channel. And you know, when you do channel, it takes, you know, everybody says 12 to 18 months to get things rolling. Well, if nobody's buying anyways, you know, let's talk to the channel, let's educate people, let's train people, let's become friends with their sales folks. And so that's what I did. And so all the way through COVID, it was, I didn't quit working, I didn't quit selling. I was educating and frankly, the market had to catch up. Like we're still a little bit emerging, right? We're emerging technology. So I always said 2024, 2025 is going to be the years that this becomes an adoption curve. And so working on the channel, 2022 just like hit us. All of a sudden the channel started throwing us business. We started closing deals and mind you, I haven't raised money other than the angel, right? And so I wanted to raise money, I wanted to figure out sales, I wanted to figure out channel. And I can see a lot of companies struggling when they raise way too much money too early and they haven't figured out how to sell their damn tech. So we figured that out. And then I raised money, right? And so we raised a seed round last June, and we hired a team like we're really kicking in and going now. And it's becoming a very exciting ride.


Lucas Nelson

Cool, so let's go into the product for a little bit. What does it do? What's the problem you're solving? And how do you work with your customers?


Jeremy Vaughan

Yeah. So Start Left is really the methodology, right? Like, I don't know why it wasn't bought previous to us finding it. Because the old industry is marketing for us. It's awesome. So even our partners, they write blog posts on Start Left, but it's not about us. It's about the methodology. Right. And so the way that we see it, if you hear my background is I came from software engineering. There's this whole like shift left mentality going on which is essentially causing turmoil in the organization. Tool churn, we're starting to see tool churn that has happened over the last couple of years that people are like, hey, the shift left mindset didn't solve the actual problem. So what is solving the right problem, which is actually start security at the start. Like it's not that like mind shattering, right? And so what this requires is a whole paradigm shift of how do we empower our developers to become security experts. And how do we do it in the flow of their work so that it's not disruptive, right? And so how do you do that is, and even Gartner says this, the future is about platforms, not tools, right? And what that means is there's a whole lot of cybersecurity tools, security tools scattered throughout the organization, and it's just adding to the attack surface. It's adding to disrupt everybody. And it's all these silos, so nobody knows how to work together. And so what a platform means and what we're doing is we have our own tools in one place. And if we have other things that we need to integrate with, like the other commercial tools, we can integrate with it. And so it doesn't matter to us if you use our tools or your existing tools. But the point is you need all of this stuff aggregated, number one, but correlated into context. And so our differentiation is what we call product-focused DevOps. And what that means is we're correlating all of this data from all of these tools and it's a lot of data to crunch. So you need an analytics platform.
So, but what this does is it's providing visibility, control, and accountability and developer empowerment all the way down to every single product team. What you can do with that, finally, is manage an actual security program. Right, and so if you don't have visibility and control, you don't know what's going on, you cannot manage the performance of your people who are actually the ones that are supposed to be doing the security work. The tools aren't gonna do the work. The people do the work, right? And so how do we empower people? How do you manage people? How do you mentor and coach people? And then the people drive the success of your program. And that's what we're focused on in one platform.


Lucas Nelson

Awesome. So you've had quite a journey from starting before COVID to today. How has your vision changed since the original launch?


Jeremy Vaughan

It's awesome and like as I look at the landscape, the vision that we started with, I would say eight years ago is exactly where I would say competitors are today. Again, eight years ago. So the vision has and what nobody's and I keep on, I'll drive it and hammer it home. People, people, people. It's not about tools. So the vision has changed to basically bake in all of these existing capabilities in one place, but focus on the people. And what we've done is if you look at our talent on our team, it looks much different than your traditional cybersecurity or security firm. Everybody else looks and acts the exact same way. They communicate and marketing really boring the exact same way. They're not innovating. And so my past is I'm an innovator, like I'm a product innovator. So how do we disrupt this space focused on people? Our technical creative director, we took from Activision. And so he was part of the Spider-Man, Call of Duty. What that means is we're gamifying this process. We are changing the incentivization to get people involved, right? And so what that means is we've baked a whole scoring and awards system into our platform and we have a lot of innovation that's gonna come from that in the future that completely disrupts the space. And what this is gonna be focused on is how do we enable people to be successful in their current companies? But then how can they use that data, those awards to enhance their career all the way through the career path? And so nobody's really focused on that. And so not only are we focused on trying to help companies be more secure, we're also helping people become experts and helping them be better in their career path. And that's, I would say, a vision that nobody else is expressing.


Lucas Nelson

Very cool. All right, so let's broaden the aperture a bit. 2024, we see budgets a little bit down for CISOs, right? So the world's changing a little bit, but where do you see the market generally going with respect to the entire space, not just where you play, but everywhere? Like, what do you see?


Jeremy Vaughan

Yeah, it's, I mean, I see it as the same, as the same concept as we building a platform is happening in the marketplace, meaning there's a lot of consolidation happening and the big boys are starting to realize that a platform play is the right play. Right. And so I don't know how many companies Snyk has bought in the last like two months, but like I get alerts on that like every other day. Oh, they bought this, they bought that. Palo Alto, like all these guys are buying a crap ton of companies. And so we're seeing consolidation. What you're seeing is they're realizing that they're legacy, they're traditional, and they need to innovate. And how do they innovate? They build, they buy startups, right? And so, but what tends to happen is they're recreating the same issues over and over again, which is a whole bunch of tools and disconnected stuff that isn't actually solving the problem. We had enough foresight to focus on the platform play from the beginning, but that's what's happening now is consolidation and more of these companies moving towards a platform and solving it from a more, what I call a systematic approach, which is a more well thought out, program-centric, people-centric play, and so we're starting, we're seeing all that all of the market. I'm sure you're seeing it as well. Yeah.


Lucas Nelson

Well, I took a perusal of your LinkedIn, and it looks like you started off way back when on the investing side of the house. So why don't you talk a little bit about that, and then we'll drive using that. What did being an investor early on teach you about startups? What did you have right? And then what surprised you?


Jeremy Vaughan

Yeah, it was funny. So I was in investment banking when I first got out of college. So that kind of gave me the finance chops and really like the analytical chops. Then in one of my previous firms, we came up with this idea to build an accelerated program and invest in a couple, like five startups that through our own profit. And we really surrounded them, the business leaders and built their products, but it taught us how to do the Steve Blank way, right? The lean startup. And so while you can read something, right? And so people learn by doing, right? Like you don't really, you can't really read something and be like, oh, I know how to do that now. Right? And so not only did we get experience building our own company, right? As a services company, we started getting experience by helping five startups that basically lived with us in our office, right? And we created those collisions. We basically tried, we learned how to do economic development. We learned how to surround these startups with resources and help them get into sales opportunities and learn like basically how do you take that feedback those customers and build it into your, your product. Right. And it was like literally getting your MBA in six months because you're like, you're literally working with six companies, like five startups that we invested in our own company and we're just like, it was just a really fun time. Right. But I would say we also learned a lot of the things not to do. Right. And so they were failures. A lot of them were failures. I think there's two of them that are alive still today. Maybe I take it back. I think one of them is alive today. And so, you know what it is? People just get burnt out. I don't really think that people understand how hard it is to execute and get this stuff done. It is literally like pushing a boulder up a hill. You get over a little hill and then you got to keep on pushing, pushing. Right. And so I think a lot of people just give up.
And like, it's sad because you're like, man, if you just did it a little bit more, you were like so close to getting that first big sale, you know, but like people just like give up and I really don't think people understand like how important sales is, how important positioning marketing is and like distribution and once you kind of figure all that stuff out, it becomes easier, but it's a lot of work to get there. Cause again, you're a startup. Nobody knows you. Nobody trusts you, you have to be very charismatic and you have to be authentic. You have to be genuine. You have to live up to your promises. And I think a lot of people give up like way too soon and it's sad, but that was a lot and taught us a lot of good things. Yeah.


Lucas Nelson

And now that you're in the seat, what was the biggest surprise? Right? You thought you knew it all. You'd seen everyone else do it. What surprised you?


Jeremy Vaughan

It's funny, right? So grow, I, I'm surprised of how fun it has been to find like, and grow a team. And how hard it is to get like every part of the, the operations like working together, you know, creating that shared vision, creating that shared understanding, you know, getting everybody working towards a common goal. And it's been truly amazing to, I would say, really kind of think differently about, you know, the type of people you want in your organization. And like, when you get those, you don't, you never know how it's going to go when people come together, but like, when, when I, when now, like, I was like, man, this, the people that we brought in, we're all executing, everybody's working really well together. And it's just a really fun ride because everybody's just, we trust each other. And so that's, I really enjoy what we are doing and what we're creating together.


Lucas Nelson

Cool. All right, so as we come towards the end here, for those people new to InfoSec, you didn't start in InfoSec. You got into it via learning and by starting something. What resources do you love in InfoSec? How did you get the lay of the land, given that you weren't native to it?


Jeremy Vaughan

So I'll relate it just to what I just said about startups and Steve Blank and things, right? I think, and if anybody gets anything about this thing, this podcast, is it's people, man. I think people are a lot of times scared to get out from behind their desk and go talk to other people. So you learn a lot, right, from other people, like you, you're surrounded in your organization or you go to networking events, you ingrain, you engulf yourself into wherever you're trying to go, whatever you're passionate about, and you learn it, right? And then when you're talking to people, you want to talk to the thought leaders, you want to talk to experts, you ask them pointed questions like, hey, what do you think on this topic, how do I learn more about that topic, where did you get your advice or your learnings from that topic. And so, yeah, it took me, I'm not going to say I was an expert in cyber. I became an expert in product security, cloud security over eight years. Right. But I'm still not a practitioner. I can fake people out that I know like how to do all the way down to code, but I can't, but to me though, I know when people's blowing smoke at me and I know when they know, when they know what they're talking about now. And so it's just a lot of years of talking to people, doing research, reading, and I didn't go to school for it. I proactively got my butt out of the seat, talked to people and then researched, right, and read and took courses. And, you know, and even, you wouldn't hear about it. Engineers can go, you know, become an engineer or a designer or whatever in a couple of weeks, if they go take these online courses, did the same thing. Right.


Lucas Nelson

So last two, rapid fire. And I'm going to reverse the order. I normally do the opposite order. But what's your favorite way to learn? What's your favorite information medium?


Jeremy Vaughan

South Park. And the Simpsons, man, like they give us the predictions, they're always right. I'll say it this way, and she's gonna hate me for saying this because we're gonna do a little plug on there, but our Chief Growth Officer, Stephanie Todd, goes down rabbit holes of understanding like economics, geopolitical risks, all kinds of crazy stuff. And she's like, Hey, Jeremy, this is what's going on. You need to go read this. Go read this. I found this, blah, blah, blah. So like, she's my little, she goes out there and she finds stuff for me to read. It's awesome. Like, so I don't have to pay attention all the time. And she, like, distills the information and what I need to read really quickly. She's gonna hate that I put her on the, on the spot there. Exactly.


Lucas Nelson

An information Sherpa, I love it. Last but not least, what's your favorite book?


Jeremy Vaughan

I actually, I'm going to say three things here. And you heard me say shared vision, shared understanding, common goals earlier. Peter Senge, The Fifth Element, I was forced to read it by my former business partner. It was very dry. But it was really, really good. It's very dense. But it took me a long time to get through it, but once you get through it, it's like, this taught me a lot of things about business and a lot of things about how to be a leader. And I think that's a really good book on how to lead organizations and initiatives. I also say Zero to One, Peter Thiel, how to distribute, you know, run a software business and try to scale it quickly. Really good, always sticks around for me. And then I would say being that we're on a cyber podcast and I'm talking about modern software development. If security people have not read Gene Kim series on DevOps, you know, Phoenix Projects, all that kind of stuff, like those things are how you need to learn how to work with developers and so not only did I go learn cyber, right? I worked with product development for this whole entire time. Security people need to do the same thing, right? So like learn how to speak other people's languages and how they're delivering value so you can actually work better together.


Lucas Nelson

Awesome, well I'll have to get the link to that and put that in the notes because that's one I don't know, so I'm looking forward to that.


Jeremy Vaughan

Phoenix Pride, I can't remember all of them. I have all the books. They came out several years ago.


Lucas Nelson

Very cool. Any plugs you want to add before we wrap it up?


Jeremy Vaughan

I would say, yeah, a couple. Thank you for Lytical, you know, believing in us and investing in us. It's VCs like you, Gula, and a couple of other VCs that are invested in us that, you know, see the future, believe in our vision, and, you know, we're thankful for all that support. And then I'd be remiss if I didn't plug in Start Left Security. You know, we're a company on a mission right now, and we're coming out of stealth, and... if you hear my story, we're here to change the industry. We want to make software secure so it can protect consumers, patients. And so the world, like our nation, right? And so I don't know if anybody's seen that Netflix movie that's on Netflix right now, but it's scary. It's about cybersecurity and shutting down our grid and water supply, food supply, it's scary, man. And all of this is... unsecured software, right? And so we need to secure these things. We need to be proactively doing these things to protect our nation, to protect our consumers, to protect our patients. And that's what I'm trying to do. And we're here to work with companies through every stage of their journey. And I'll say this, and you can hold me accountable to this, I think I want to say we will be starting a podcast as well. And it's, it's going to be a different podcast. It's not going to be focused on security. It's going to be more focused on software, the business of software, the journey of the software leader, right? And so, that's what else we're doing. It's going to be different. And it's gonna be fun.


Lucas Nelson

Awesome. Well, if you've got one out by the time this drops, we'll put that in the notes as well. Listen, you've got a great personal story. It's obvious why you're passionate about this space. It's been a pleasure to have you on. Thank you for joining me, Jeremy.


Jeremy Vaughan

Thank you, sir. Appreciate it.


Lucas Nelson

Have a great day.



