End of summer 2020: Bearer takes the decision to pivot. We have been building an API monitoring & debugging solution for engineering and DevOps teams. We have a stable product and dozens of users onboard. Even so, after months of iterations, product adoption is still low and our positioning against all-in-one monitoring solutions is disadvantageous. Product-Market-Fit (PMF) is definitely not in the line of sight.
So we make the hard decision to start from scratch and explore a new, more promising path. Our main priority is to build a product that people will find valuable. This means finding one clear problem for one clear persona and focusing on it. Data security is a subject that came up frequently in discussions with our existing users. In software environments with many APIs—microservices and third-party integrations—monitoring data flows is a headache. We decide to pull this thread and do a deeper customer discovery with security teams.
Challenge #1: Get in touch with security teams
Our first goal was to conduct 20 discovery calls with Chief Information Security Officers (CISOs), Directors of Security Engineering, or Security Engineering Leads in tech companies, with the aim of onboarding 5 users to our Proof-of-Concept (POC) within 2 months. Our primary assumption is that they need visibility over data flows. We want to dig deeper to understand the underlying motivations and the whole user story. Re-using our experience and previous tech, we quickly build a POC that scans the codebase and automatically creates an inventory of internal and external APIs.
Our first challenge is that security personas in tech companies can be hard to reach because they are busy, over-solicited, and—understandably—quite allergic to any form of cold request. Plus, we have no inbound traffic we can leverage. This leaves us with our personal networks and our investors to get our first introductions and start our customer discovery. Then we appeal to the solidarity of French tech companies to get the feedback of their security teams. This is a great success, and we quickly reach our goals.
The real challenge begins when we want to go beyond that circle and cold-contact people. We test many tactics, some more "salesy" than others. In our case, what works best is an honest product-building-centric approach: "We are building a data security solution, and we are looking for feedback from experts like you to ensure we build it right. Would you be open to sharing your experience and feedback?" It works amazingly well. For our contacts, it defuses their aversion to sales-oriented requests. For us, it helps automatically filter out poor matches by identifying only those with a "Design Partner" mindset. We are first and foremost looking for partners that can help us design and build the product that helps them the most.
Challenge #2: Focus on one clear problem only
We quickly get feedback from 100+ experts with very different profiles, including CISOs, CIOs, CTOs, security engineers, Data Protection Officers, and privacy engineers, from startups, tech unicorns, and more traditional enterprises alike. While it was valuable to have such a large scope at the beginning—this helps find the right problems—we end up trying to build a solution for two audiences: security and privacy teams.
Their problems may be closely related, but they are not the same. If you try addressing two issues at a time, you'll always go slower. This is a sign you need to narrow down the focus to a more specific audience: security teams in fast-growing tech companies with 80 to 300 software engineers.
It is also critical to ensure the alignment of every team here: everyone in the company—whether they are in Engineering, Product, Marketing, or Sales—should understand clearly who they are serving and what pains they are addressing. At Bearer, we use the Lean Canvas and the Job-To-Be-Done framework to write our assumptions down and communicate them to everyone.
Challenge #3: Iterate fast on a technical product
With the initial discovery done, and a narrower focus, we decide to provide security teams with visibility over data flows, so they can assess and mitigate data security risks across the products they build. Making them manually map data flows is out of the question. It's what they already do and hate. We want to do it automatically, so we brainstorm over several technical options and their pros and cons: in-app agents and an API Gateway plugin. Spoiler: these were both bad ideas.
We could spend months working on either option, but we first want to validate that it actually brings value to our users. We build a Proof-of-Concept for each of them. Nothing fancy: a Ruby agent and a Kong plugin that retrieve metadata in a very raw format. The reaction is unanimous: Nope. It's too time-consuming to install and they won't even try it. Not at all what we heard with our earlier POC relying on Static Code Analysis (SCA).
So we decide to keep exploring the SCA option with the same approach: iterate on the raw technology and validate its output with our users before plugging it into the product. This greatly shortens our iteration cycle. That's why our Design Partners are so valuable: they don't expect a sales-ready product, and they are eager to spend time digging into technical details. Definitely the kind of users you want when you are building a complex security product.
Challenge #4: Build data security expertise
Expertise is key in the security industry. Without it, you won't build a relevant solution or a trustworthy brand. So we had to get deeply knowledgeable on information security frameworks, data regulations, and the security operations ecosystem. Every time we spoke with an expert, we wrote down every term we didn't understand and every question we couldn't answer. This helped us quickly identify the gaps in our knowledge and fill them.
But what's game-changing is surrounding yourself with experts. We hired part-time CISOs and security engineers to quickly get product feedback and iterate. This is nice because we’re paying them for their time, expertise, and opinions—not trying to pitch them. Then, we created a Customer Advisory Board with our Design Partners to get their advice on strategic topics. Lastly, we will be bringing more data security and governance specialists to the team in the coming months to further round out our internal expertise.
From 0 to 1 data security solution
It’s easy to think about things from the perspective of 1 to 100, but sometimes you really need to start at 0 and work up to 1. A huge thanks to the many great people we talked to since we decided to pivot. Without their time, knowledge, feedback, and kindness, we wouldn't be where we are today. Bearer helps security teams at cloud-native companies assess and mitigate data security risks across their products. If bringing data security to the speed of DevOps sounds like a hot topic to you, we are actively looking for Design Partners to join us in building the future!