<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Ashley Dotterweich</title>
    <description>The latest articles on DEV Community by Ashley Dotterweich (@aedotterweich).</description>
    <link>https://dev.to/aedotterweich</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F216202%2Fe910a411-d3b1-483a-ae03-45219b115b2f.jpg</url>
      <title>DEV Community: Ashley Dotterweich</title>
      <link>https://dev.to/aedotterweich</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/aedotterweich"/>
    <language>en</language>
    <item>
      <title>The Platformer #24: Regressions</title>
      <dc:creator>Ashley Dotterweich</dc:creator>
      <pubDate>Thu, 13 Oct 2022 18:40:05 +0000</pubDate>
      <link>https://dev.to/mattermost/the-platformer-24-regressions-2nh2</link>
      <guid>https://dev.to/mattermost/the-platformer-24-regressions-2nh2</guid>
      <description>&lt;p&gt;It’s the first week of the month, and not just any month. It’s October! And we all know what that means: the start of a new quarter — Q4 no less. Time to look back and forward.&lt;/p&gt;

&lt;p&gt;A common theme for the next quarter for many platform teams is going to be performance monitoring and regression detection.&lt;/p&gt;

&lt;p&gt;To explain why this matters, let’s look back to the biggest performance regression we witnessed in the last year: the introduction of collapsed-reply threads (CRT). &lt;a href="https://handbook.mattermost.com/company/about-mattermost/list-of-terms#collapsed-reply-threads-crt"&gt;CRT&lt;/a&gt; is a shockingly complicated and large project, with many complicated aspects. Sadly, one unanticipated effect was a significant regression in performance. We should have caught this before shipping it to customers. And we could have — if only we had the right infrastructure and focus on this topic in place. While we had the infrastructure (our load testing tool), we didn’t properly leverage it.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://mattermost.com/blog/scaling-collapsed-reply-threads/"&gt;We try to learn from our mistakes&lt;/a&gt;, so after some heroic efforts to fix the performance issues, we now have renewed focus on this topic. On the server platform team, we have Alejandro García dedicated to this topic. And guess what? It works. Even yesterday we detected a performance regression using our tool and &lt;a href="https://github.com/mattermost/mattermost-server/pull/21233"&gt;reverted the change&lt;/a&gt; before it impacted anybody. Not a CRT-scale regression, but a regression nonetheless.&lt;/p&gt;

&lt;p&gt;Performance testing is one of the highest impact topics we can work on in platform teams, so we want to “spread the love” beyond just server, specifically to mobile, web, and ideally, desktop as well, leveraging the pipeline and tooling from QA. Therefore, this will be a shared topic among all four platform teams. Stay tuned.&lt;/p&gt;

&lt;h2&gt;
  
  
  OKRy picks
&lt;/h2&gt;

&lt;p&gt;So, what did Q3 bring for the platform teams, and what will Q4 look like? Let’s dive in.&lt;/p&gt;

&lt;p&gt;On the mobile platform end, both in Q3 and Q4, the big effort remains to support the planned release of v2 by the end of the year. In addition, we managed to spend some time on platform topics as well. Specifically, this quarter we: &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Built a logging framework;&lt;/li&gt;
&lt;li&gt;Are now using GraphQL for the initial load (on servers that have GraphQL enabled);&lt;/li&gt;
&lt;li&gt;Made good progress on integrating Sentry;&lt;/li&gt;
&lt;li&gt;Vastly expanded our end-to-end test coverage. &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In Q4, we will ship this Sentry integration and keep expanding our test coverage. In addition, we’ll be laying the groundwork to have the first Boards and Playbook functionality be integrated into the mobile app next year. As part of this, we’ll invest heavily in further smoothening the developer experience. The goal is to have a one-line command to set up your development environment end-to-end. This should remove a big barrier to entry to get started on mobile.&lt;/p&gt;

&lt;p&gt;On the web platform end, we made solid progress on the multi-product architecture for front-end in Q3 and will continue this effort in Q4. In addition, we are now using GraphQL (for servers that have it enabled) in more places. A few big refactor and cleanup efforts are still in progress and will be continued in Q4, including the menu component and post components. In Q4, we will spec out our new front-end Suite API, implement the data manager, and avoid DoS-ing ourselves (avoid &lt;a href="https://en.wikipedia.org/wiki/Thundering_herd_problem"&gt;the thundering herd problem&lt;/a&gt; in more places). In terms of focus on performance, we intend to improve channel and team switching performance by 20% and contribute to the platform-wide effort to detect performance regressions.&lt;/p&gt;

&lt;p&gt;On the desktop platform end, we internationalized the desktop app! We also implemented the new download list UI. Both of these major features will ship as part of desktop 5.2, which will ship later this month. In addition, we now have support for native node modules, which will allow us to do more operating-system-specific cool stuff like native notifications, which we hope to leverage in Q4. In Q4, we intend to further invest in reliability by making it easier to run our E2E test pipelines and reduce the number of flaky tests. We also want to make technical strides by attempting to compile-in some parts of the webapp into the desktop as a proof of concept, starting with the top bar. Last but not least, we want to invest in supportability, another big platform topic, by giving customers a simple screen to “sanity check” their installation to make sure everything is set up right.&lt;/p&gt;

&lt;p&gt;On the server platform side, we did a few huge lifts with big diffs in Q3. In addition to supporting the mobile and web teams with GraphQL work, we landed a few huge refactors reorganizing how code is structured as part of the multi-product architecture. &lt;a href="https://github.com/mattermost/mattermost-server/pull/20899"&gt;The biggest one&lt;/a&gt; was merged yesterday, which resulted in some issues that &lt;a href="https://community.mattermost.com/core/pl/yeswy9zco7npuqd8admdrwm9pe"&gt;we’re still figuring out as we speak&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;However, refactoring is not all we did. We also significantly improved our error handling in many places (resulting in more massive PRs). This means we’re ready for our next big lift: supporting Playbooks in their move to the multi-product architecture as well in Q4. Other things on the docket for Q4: automatic continuous profiling, rollback support for database migrations, mmctl import/export improvements, tons of improvements to our load testing tool, and scope of the load tests. In addition, we want to look at effective ways we can use Go’s generics to improve our code base, and will hopefully introduce the Event Bus.&lt;/p&gt;

&lt;p&gt;On the QA platform side, we made major strides on our testing pipelines. Not only supporting the current ones, but also creating new ones for our desktop and mobile apps. They are now operational but can still be optimized significantly in terms of run time, which we’ll work on in Q4. Further in Q3, we kept iterating on &lt;a href="https://mattermost.com/blog/mattermost-rainforest-qa/"&gt;our Rainforest tests&lt;/a&gt;, supported weekly releases, and worked the infrastructure to allow us to engage the QA community through writing test cases in the future. In Q4, our work on pipelines and infrastructure will continue. We also hope to continue growing the QA community again with five new people, publish best practices on how to write test cases, and continue to expand the scope and robustness of our end-to-end tests in Cypress and Rainforest.&lt;/p&gt;

&lt;p&gt;And that is all for this week. Somehow, I’m not super high on the dad joke humor today. So, to compensate, I’ll end this with a dad joke &lt;a href="https://twitter.com/dadsaysjokes/status/1577392348417269760"&gt;I pulled from the Twitters&lt;/a&gt;:&lt;/p&gt;

&lt;p&gt;I was walking past a farm and a sign said: Duck, eggs!&lt;br&gt;
I thought: That's an unnecessary comma — and then it hit me.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Want to take a closer look at the inner workings of the Platform team? Join the &lt;a href="https://community.mattermost.com/login/"&gt;Community server&lt;/a&gt; to be the first to read The Platformer every Friday.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>performance</category>
      <category>testing</category>
    </item>
    <item>
      <title>How open source solutions help the U.S. Air Force accelerate software development and modernize collaboration</title>
      <dc:creator>Ashley Dotterweich</dc:creator>
      <pubDate>Tue, 06 Oct 2020 20:52:01 +0000</pubDate>
      <link>https://dev.to/mattermost/how-open-source-solutions-help-the-u-s-air-force-accelerate-software-development-and-modernize-collaboration-2fp2</link>
      <guid>https://dev.to/mattermost/how-open-source-solutions-help-the-u-s-air-force-accelerate-software-development-and-modernize-collaboration-2fp2</guid>
      <description>&lt;p&gt;The pressure to ship quickly is greater than ever before. But for many organizations, including the U.S. Air Force, security and compliance concerns severely limit their ability to quickly adopt and integrate new technologies, putting teams at risk of being locked into approved vendors and missing out on critical innovations. &lt;/p&gt;

&lt;p&gt;In order to break the cycle of slow-moving development, Platform One, the U.S. Department of Defense’s DevSecOps Enterprise Services team, adopted a new approach to software development services to enable the DoD to support continuous upgrades and new features with integrated cybersecurity testing on a much faster timeline and at a lower cost than the traditional “waterfall” cycle.&lt;/p&gt;

&lt;p&gt;At the core of this new approach is leveraging open source software, which has allowed Platform One to adopt new technologies rapidly and take advantage of cutting-edge solutions that were previously out of reach. Among these open source partners is Mattermost, which has partnered with Platform One to provide a secure environment for government-wide cross-functional collaboration. &lt;/p&gt;

&lt;h2&gt;
  
  
  Open source enables the shift to modern infrastructure with security and flexibility
&lt;/h2&gt;

&lt;p&gt;Security was a key concern for Platform One as they implemented a collaboration platform.&lt;/p&gt;

&lt;p&gt;One of the key advantages of open source solutions is their transparency and flexibility. With open source, the Platform One team can easily inspect source code, evaluate security risks, and adapt solutions to meet their compliance requirements themselves. &lt;/p&gt;

&lt;p&gt;“As the DoD, we are not a very trusting enterprise by design,” said Master Sgt. Matthew Huston, the team’s chief of enterprise services, during an interview with &lt;a href="https://www.ruggedmobilityforbusiness.com/2020/07/platform-one-modernizing-dod-software-development-to-enable-digital-operations/"&gt;Inside Defense&lt;/a&gt;. “What we do at Platform One is buy down our risk with vulnerability scans upfront as well as constant monitoring while the tools are in use. This allows us to move faster across more tools knowing that there is someone/something always watching.”&lt;/p&gt;

&lt;h2&gt;
  
  
  Bringing Air Force mission planning into the digital space securely with Mattermost
&lt;/h2&gt;

&lt;p&gt;In addition to enabling faster DevSecOps collaboration, the adoption of Mattermost has helped the Air Force modernize field operations and allows teams to stay in touch no matter where they are in the world.&lt;/p&gt;

&lt;p&gt;“Often [airmen] are disconnected from command and control. They operate in a grey area where timely information is critical but difficult to obtain,” &lt;a href="https://alert5.com/2020/07/30/amc-crews-are-now-using-mattermost-app-for-mission-planning/"&gt;says Major John Cockburn&lt;/a&gt;. “AMC by its very nature is a command filled with remote teams. Those teams need secure, global command and control across a resilient and distributed network that is not behind a common access guardwall.”  &lt;/p&gt;

&lt;p&gt;Mattermost allows Air Mobility Command, U.S. Indo-Pacific Command, and other major and combatant commands to &lt;a href="https://www.youtube.com/watch?v=cYl1SXFV_nE&amp;amp;feature=youtu.be"&gt;coordinate operations from their phones&lt;/a&gt; rather than relying on personal computers and emails to receive “for official use only” (FOUO) information. The crew is now able to do flight authorization, pre-mission paperwork, go/no-go processes, and post-mission forms without having to worry about the security of those communications. &lt;/p&gt;

&lt;h2&gt;
  
  
  Scaling secure remote work during COVID-19
&lt;/h2&gt;

&lt;p&gt;While enabling communication for a distributed team has always been a priority for the USAF, the ability to scale collaboration was compounded when COVID-19 hit in early 2020. As tens of thousands of Air Force personnel quickly shifted to remote work, the deployment of a secure, scalable communications platform became an urgent need. &lt;/p&gt;

&lt;p&gt;Platform One Program Director &lt;a href="https://www.nextgov.com/emerging-tech/2020/05/air-forces-platform-one-team-thought-it-was-agile-then-covid-19-hit/165676/"&gt;Major Rob Slaughter says&lt;/a&gt; that COVID accelerated his team’s plans for rolling out Mattermost to a larger user base, and that the platform had to go “from zero to available and accredited in 48 hours.” Now, with over a million DoD employees working remotely, the Platform One team has not only been able to successfully enable remote collaboration securely but also maintain a 10x daily deployment cadence.&lt;/p&gt;

&lt;h2&gt;
  
  
  Expanding real-time collaboration and exploring AI opportunities for the U.S. Air Force
&lt;/h2&gt;

&lt;p&gt;Implementing a secure, scalable collaboration platform is just one early step for USAF’s workflow modernization.&lt;/p&gt;

&lt;p&gt;“What I’m most excited about is that we’re pushing the collaboration tools that we’ve wanted to get out for quite some time,” said Lauren Knausenberger, CTO of USAF, during an interview with &lt;a href="https://govmatters.tv/air-force-it-modernization-initiatives-and-covid-19/"&gt;Government Matters&lt;/a&gt;. “We’ve launched Mattermost, we’re about to expand Office 365 to the entire department so that folks can collaborate on tools like Teams and work in real time, coordinating those documents and pushing through some of the Zero-Trust programs we’ve worked on for some time.”&lt;/p&gt;

&lt;p&gt;Modernizing and accelerating software development has also helped lay the groundwork for future technology initiatives for the Air Force. Will Roper, the Air Force’s acquisition executive, shared his thoughts on the future of collaboration and technology for USAF &lt;a href="https://www.ruggedmobilityforbusiness.com/2020/07/platform-one-modernizing-dod-software-development-to-enable-digital-operations/"&gt;during a media briefing&lt;/a&gt;: “Cloud One, Platform One, Data One—this family of ‘one’ systems builds a tech stack that really is about getting data … in proper custody so that analytics can be built on top of it and we can finally go do AI at scale.”&lt;/p&gt;

&lt;p&gt;To learn more about how Mattermost enables government organizations and other privacy-conscious teams to collaborate more effectively while meeting security and compliance requirements, visit our &lt;a href="https://mattermost.com/government/"&gt;Mattermost for Government page&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>devops</category>
      <category>opensource</category>
      <category>security</category>
    </item>
    <item>
      <title>COVID Resources for DevTools Startups</title>
      <dc:creator>Ashley Dotterweich</dc:creator>
      <pubDate>Thu, 14 May 2020 21:15:11 +0000</pubDate>
      <link>https://dev.to/heavybit-inc/covid-resources-for-devtools-startups-1659</link>
      <guid>https://dev.to/heavybit-inc/covid-resources-for-devtools-startups-1659</guid>
      <description>&lt;p&gt;Large or small, over the past few months all organizations have been impacted by COVID-19 in one way or another. For startups with limited resources and small teams, adjusting to the downturn has been especially difficult. As we collectively adjust to the new normal, Heavybit has been collaborating with industry experts and experienced leaders to learn what teams can do to weather uncertain times more effectively and develop educational COVID resources for startups.  &lt;/p&gt;

&lt;p&gt;Read on to learn more about some of the expert AMAs, working sessions, and guides we've created, and to learn how to stay in the loop as we continue creating new resources moving forward.&lt;/p&gt;

&lt;h2&gt;
  
  
  Navigating the Shift to Remote Work
&lt;/h2&gt;

&lt;p&gt;As teams go remote, the challenges and benefits of distributed teamwork are more apparent than ever. It's unclear for many organizations when co-located working can resume, so it's important for founders to consider how they can help their teams stay productive in the long term. Darren Murph, Head of Remote for GitLab, shared his advice on &lt;a href="https://www.heavybit.com/library/blog/remote-team-tips-gitlab/"&gt;how teams can build processes and cultures&lt;/a&gt; that make remote teams more efficient (and happier).&lt;/p&gt;

&lt;h2&gt;
  
  
  Adapting Your Sales Strategy to Preserve Pipeline
&lt;/h2&gt;

&lt;p&gt;Sales during a recession is about focusing resources on the deals that will make the biggest impact and strengthening relationships with your existing customers. &lt;/p&gt;

&lt;h3&gt;
  
  
  Sales Priorities in a Downturn
&lt;/h3&gt;

&lt;p&gt;Tidelift’s Bridget Gleason and Chris Grams shared &lt;a href="https://www.heavybit.com/library/blog/sales-priorities-in-a-downturn/"&gt;how revenue teams can navigate the economic downturn&lt;/a&gt;. After their presentation, Bridget and Chris fielded questions from our members on everything from accelerating POCs to understanding when it's time to drop a prospect. Check out the transcript of our &lt;a href="https://www.heavybit.com/library/blog/selling-during-a-recession/"&gt;Q&amp;amp;A with Bridget Gleason and Chris Grams&lt;/a&gt;. &lt;/p&gt;

&lt;h3&gt;
  
  
  Customer Success in a Crisis
&lt;/h3&gt;

&lt;p&gt;With a stronger focus on retaining and upselling existing customers, customer success strategy is paramount during COVID.  Identifying opportunities to educate and empower your users now will pay off in the long run. Dremio VP of Customer Success Ohad Almog discussed how &lt;a href="https://www.heavybit.com/library/blog/customer-success-during-a-crisis/"&gt;customer success in a crisis&lt;/a&gt; can help teams weather uncertain times and foster stronger relationships with their customers. &lt;/p&gt;

&lt;h2&gt;
  
  
  Marketing and Brand During a Crisis
&lt;/h2&gt;

&lt;p&gt;It seems like every brand is jumping on the "we're in this together" bandwagon right now. But making &lt;a href="https://orbit.love/blog/empathy-at-scale"&gt;a true connection with your customers&lt;/a&gt; requires a measured approach. Look for opportunities to engage with your audience in the ways they need it most.&lt;/p&gt;

&lt;h3&gt;
  
  
  Comms Strategy During COVID
&lt;/h3&gt;

&lt;p&gt;We asked GitLab’s Director of Corporate Comms Natasha Woods to share how teams should think about &lt;a href="https://www.heavybit.com/library/blog/comms-strategy-during-covid-gitlab-natasha-woods/"&gt;internal and external communication strategy&lt;/a&gt; during challenging times, and why how you communicate is essential to your recovery strategy. &lt;/p&gt;

&lt;h3&gt;
  
  
  Pivoting From Live to Online Community Engagement
&lt;/h3&gt;

&lt;p&gt;While many teams had big plans for event marketing at the beginning of the year, it's now critical to explore digital-first marketing and community engagement opportunities. Readme co-founder Greg Koberger shared how he and his team &lt;a href="https://www.heavybit.com/library/blog/wapi-radio-community-spotlight-greg-koberger/"&gt;pivoted an in-person speaker lineup to WAPI Radio&lt;/a&gt;, a digital radio station to combat shelter-in-place anxieties.&lt;/p&gt;

&lt;p&gt;We also spoke with Developer Advocate Dawn Parzych about how LaunchDarkly has changed up &lt;a href="https://www.heavybit.com/library/blog/transitioning-from-live-events-to-digital-community-spotlight-on-launchdarklys-dawn-parzych-and-toggletalk/"&gt;their community engagement strategy during COVID&lt;/a&gt;. They've transitioned their live monthly Test in Production meetup to a Twitch-streamed weekly event, and introduced ToggleTalk to keep a pulse on the community via Twitter.&lt;/p&gt;

&lt;h3&gt;
  
  
  Defending Pipeline and Bottom-Up Adoption
&lt;/h3&gt;

&lt;p&gt;This week we hosted ex-Heroku CEO and Dropbox exec Adam Gross for our &lt;a href="https://www.heavybit.com/events/speaker-series-adam-gross-cloudconnect-co-founder-and-former-heroku-ceo/"&gt;Speaker Series on The Defensibility of Developer + Self-Serve Go-to-Market&lt;/a&gt;. Adam shared his framework on how developer and enterprise startups can gain early adoption, land, and expand while others are at a standstill. &lt;/p&gt;

&lt;h2&gt;
  
  
  Financial COVID Resources for Startups
&lt;/h2&gt;

&lt;p&gt;In an AMA with Heavybit member founders, Burkland Associates’ Stephen Lord shared what startups need to know about the &lt;a href="https://www.heavybit.com/library/blog/its-back-tldr-of-the-payroll-protection-program-ppp/"&gt;Payroll Protection Program (PPP)&lt;/a&gt;. For more from the Burkland team, check out their extensive collection of &lt;a href="https://burklandassociates.com/category/covid-19-resources/"&gt;COVID-19 Financial Resources&lt;/a&gt;.  &lt;/p&gt;

&lt;p&gt;Many members of the Heavybit community have launched their own initiatives to aid in COVID recovery. Learn more about &lt;a href="https://www.heavybit.com/library/blog/how-the-heavybit-community-is-contributing-to-covid-19-efforts/"&gt;how the Heavybit community is contributing to COVID-19 efforts here&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Learn More about Heavybit's COVID Resources for Startups
&lt;/h2&gt;

&lt;p&gt;We're continuing to develop COVID resources as our community recovers. To stay up to date on the latest articles, interviews, and expert sessions as we release them, &lt;a href="https://www.heavybit.com/subscribe/"&gt;subscribe for updates from Heavybit&lt;/a&gt;. &lt;/p&gt;

</description>
      <category>startup</category>
      <category>productivity</category>
      <category>covid</category>
      <category>devtools</category>
    </item>
    <item>
      <title>Fostering Remote Fluency: Remote Team Tips from GitLab Head of Remote Darren Murph</title>
      <dc:creator>Ashley Dotterweich</dc:creator>
      <pubDate>Tue, 31 Mar 2020 23:36:19 +0000</pubDate>
      <link>https://dev.to/heavybit-inc/fostering-remote-fluency-remote-team-tips-from-gitlab-head-of-remote-darren-murph-563b</link>
      <guid>https://dev.to/heavybit-inc/fostering-remote-fluency-remote-team-tips-from-gitlab-head-of-remote-darren-murph-563b</guid>
      <description>&lt;p&gt;While many teams have been &lt;a href="https://www.heavybit.com/library/blog/what-founders-should-know-about-building-a-distributed-team/"&gt;experimenting with remote workforces&lt;/a&gt; in recent years, few have taken the leap to go fully-distributed. As recent events have forced many organizations to take their teams remote, many of us are learning how to stay productive, stay in touch, and stay sane.&lt;/p&gt;

&lt;p&gt;With over 14 years of remote work experience himself, &lt;a href="https://about.gitlab.com/handbook/marketing/readmes/dmurph/"&gt;Darren Murph&lt;/a&gt; now owns the process for the world’s largest all-remote organization as Head of Remote for &lt;a href="https://www.heavybit.com/library/video/commercial-open-source-business-strategies/"&gt;GitLab&lt;/a&gt;. Last week Darren joined &lt;a href="https://www.heavybit.com/accelerator/"&gt;Heavybit&lt;/a&gt; for an online group session on how to foster remote fluency and build better distributed teams. Watch his presentation here:&lt;/p&gt;

&lt;p&gt;&lt;iframe width="710" height="399" src="https://www.youtube.com/embed/e4CyGOljHGs"&gt;
&lt;/iframe&gt;
&lt;/p&gt;

&lt;p&gt;Here are some of the lessons we learned from Darren on fostering a happy, effective remote team during the session:&lt;/p&gt;

&lt;h2&gt;
  
  
  Embrace Asynchronous Workflows for Your Remote Team
&lt;/h2&gt;

&lt;p&gt;Distributed work lends itself well to flexible work schedules, since the physical lines of being “at work” and “at home” are blurred. Embracing asynchronous work allows your team to design a work schedule that works best for them. This workflow is especially helpful for teams with children or other family members to care for right now. It can also be beneficial for night owls who tend to do their best thinking in later hours.&lt;/p&gt;

&lt;p&gt;Since real-time interactions have to be a bit more intentional for remote teams, it’s important to make sure that you’re making the most of the time that your team is working together. Setting agendas for meetings is a great forcing function for keeping meetings focused and cutting down on unnecessary sessions. Darren recommends keeping a rolling agenda doc attached to recurring meeting invites to ensure that everyone involved can easily see what’s been discussed.&lt;/p&gt;

&lt;h3&gt;
  
  
  Tips for Getting Started:
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Communicate your work hours to the team&lt;/li&gt;
&lt;li&gt;Set agendas for meetings and working sessions to keep them focused&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Document Everything
&lt;/h2&gt;

&lt;p&gt;An important aspect of asynchronous work is ensuring that every team member has the information they need without relying on their team members in realtime. One of the challenges of remote work is that information can easily become siloed, which is why one of GitLab’s core values is to &lt;a href="https://about.gitlab.com/handbook/values/#write-things-down"&gt;write things down&lt;/a&gt;. Darren told us, “The way a GitLabber thinks is, if you get asked a question, you should be able to answer that question with a link. If you can’t, then you should document it as you answer it.” Baking documentation into your team’s workflow &lt;a href="https://about.gitlab.com/company/culture/all-remote/self-service/"&gt;helps make information discoverable&lt;/a&gt; for whoever needs it, whenever they need it.&lt;/p&gt;

&lt;h3&gt;
  
  
  Tips for Getting Started:
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Encourage teams to document everything on an ongoing basis&lt;/li&gt;
&lt;li&gt;Carve out time after every meeting to document&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Keep It Human
&lt;/h2&gt;

&lt;p&gt;While your Slack might have been all work and no play before, for your remote team it will become the hub of social interactions. Create dedicated Slack channels to give folks a break from work-related conversations. The GitLab team has a number of &lt;a href="https://about.gitlab.com/company/culture/all-remote/informal-communication/"&gt;different forms of informal communication&lt;/a&gt; to give the team opportunities to get to know each other better, connect beyond their shared work, and build an &lt;a href="https://www.heavybit.com/library/blog/diversity-inclusion-building-an-inclusive-remote-culture/"&gt;inclusive remote culture&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Darren also mentioned that he starts every 1-1 with a life update before diving into work details. Taking these pauses to connect with your coworkers on a personal level helps build strong connections that might be missing from a distributed team otherwise.&lt;/p&gt;

&lt;h3&gt;
  
  
  Tips for Getting Started:
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Create Slack channels dedicated to non-work activities and topics&lt;/li&gt;
&lt;li&gt;Add life updates to 1:1 and team syncs&lt;/li&gt;
&lt;li&gt;&lt;a href="https://about.gitlab.com/company/culture/all-remote/mental-health/"&gt;Avoid celebrating long work hours&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Iterate, Iterate, Iterate
&lt;/h2&gt;

&lt;p&gt;Ultimately, every team will go through a transition period as they figure out how to work remotely. Darren stresses that what works for one team, or one moment in time, might not work for another. Always be open to changing things up, experimenting with your processes, and communicating what’s working and what isn’t working with each other.&lt;/p&gt;

&lt;p&gt;He also noted that it’s critical to have someone in charge of the remote experience — especially when external forces are pushing your organization into a remote team structure before you’re ready. “It’s important to establish a remote leadership team — it can be cross-functional, if you don’t have time to hire someone in. But there needs to be a task force focused on just getting the remote transition right,” said Darren.&lt;/p&gt;

&lt;h3&gt;
  
  
  Tips for Getting Started:
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Designate a remote leadership team&lt;/li&gt;
&lt;li&gt;Create channels for offering feedback&lt;/li&gt;
&lt;li&gt;Continually look for opportunities to experiment&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Learn More about GitLab’s Remote Team Best Practices
&lt;/h2&gt;

&lt;p&gt;Taking your team remote is a challenge of workspace, communications, and mindset, and getting all the pieces in place doesn’t happen overnight. But the infrastructure you lay out now will have long-term benefits — whether you have a fully distributed team, employees spread out across a few floors or even just the occasional individual working from home.&lt;/p&gt;

&lt;p&gt;If these takeaways have whetted your appetite for more, you’re in luck; Darren’s team at GitLab has documented their remote experience in detail. Check out GitLab’s &lt;a href="https://about.gitlab.com/company/culture/all-remote/"&gt;Guide to Remote Work&lt;/a&gt; and their company &lt;a href="https://about.gitlab.com/handbook/"&gt;Handbook&lt;/a&gt; for a deep dive into everything from the organization’s processes to &lt;a href="https://about.gitlab.com/company/culture/all-remote/building-culture/"&gt;how they’re building a strong remote culture&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;This article originally appeared on &lt;a href="https://www.heavybit.com/library/blog/remote-team-tips-gitlab/"&gt;Heavybit.com&lt;/a&gt;. Check out more content like this in the &lt;a href="https://www.heavybit.com/library/"&gt;Heavybit Library&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>career</category>
      <category>productivity</category>
    </item>
    <item>
      <title>5 JAMstack Radio Episodes to Listen to Today</title>
      <dc:creator>Ashley Dotterweich</dc:creator>
      <pubDate>Wed, 18 Mar 2020 16:49:46 +0000</pubDate>
      <link>https://dev.to/aedotterweich/5-jamstack-radio-episodes-to-listen-to-today-2hcl</link>
      <guid>https://dev.to/aedotterweich/5-jamstack-radio-episodes-to-listen-to-today-2hcl</guid>
      <description>&lt;p&gt;Since its kickoff by the &lt;a href="https://www.heavybit.com/member-spotlights/netlify/"&gt;Netlify team&lt;/a&gt; in 2016, &lt;a href="https://www.heavybit.com/library/podcasts/jamstack-radio/"&gt;JAMstack Radio&lt;/a&gt; has been bringing together developers, founders and technologists to discuss &lt;a href="https://jamstack.org/"&gt;how teams are using JAMstack&lt;/a&gt; to build faster, better web applications.&lt;/p&gt;

&lt;p&gt;We asked JAMstack Radio host &lt;a href="https://twitter.com/bdougieYO"&gt;Brian Douglas&lt;/a&gt; to share his favorite JAMstack Radio episodes and conversations. Check out his picks for the best JAMstack Radio episodes below and listen to them now.&lt;/p&gt;

&lt;h2&gt;
  
  
  Episode #8, &lt;a href="https://www.heavybit.com/library/podcasts/jamstack-radio/ep-8-isomorphic-rendering-in-the-jamstack/"&gt;Isomorphic Rendering in the JAMstack&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;“This was a great episode and one of the first where we really started talking about the JAMstack with real concrete examples.”&lt;/em&gt; &lt;/p&gt;

&lt;p&gt;In this episode Brian speaks with Phil Hawksworth, Technical Director at &lt;a href="https://www.rga.com/"&gt;R/GA&lt;/a&gt; and Eli Williamson, Creative Director at &lt;a href="https://www.netlify.com/"&gt;Netlify&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;They discuss Phil’s experiments with isomorphic rendering in the JAMstack, including some of the staggering performance improvements he’s been able to achieve. Listen in for their discussion on optimizing website performance by empowering front end developers, using static sites, and going serverless.&lt;/p&gt;

&lt;h2&gt;
  
  
  Episode #41, &lt;a href="https://www.heavybit.com/library/podcasts/jamstack-radio/ep-41-simplifying-developer-workflow-with-paul-biggar-of-dark/"&gt;Simplifying Developer Workflow with Paul Biggar of Dark&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;“The conversation with Paul was deep. The mention of the CI platform becoming commoditized opens up the conversation to really talk about what is the next big thing in developer tooling.”&lt;/em&gt; &lt;/p&gt;

&lt;p&gt;In episode 41 of JAMstack Radio, Brian is joined by Paul Biggar, CTO of &lt;a href="https://darklang.com/"&gt;Dark&lt;/a&gt;. They discuss improving developer workflow in the JAMstack, as well as the challenges of developing a holistic programming language from the ground up.&lt;/p&gt;

&lt;h2&gt;
  
  
  Episode #31, &lt;a href="https://www.heavybit.com/library/podcasts/jamstack-radio/ep-31-originless-code-with-cloudflares-kenton-varda/"&gt;Originless Code with Cloudflare’s Kenton Varda&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;“This was an episode before Cloudflare Workers were even noticed by the dev community. Hearing the early thoughts on such a (now) popular feature is pretty awesome.”&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;In episode 31 of JAMstack Radio, Brian meets with Kenton Varda, tech lead for &lt;a href="https://workers.cloudflare.com/"&gt;Cloudflare Workers&lt;/a&gt; and author of &lt;a href="https://sandstorm.io/"&gt;Sandstorm.io&lt;/a&gt; to discuss some of the infinite uses for running code at the edge.&lt;/p&gt;

&lt;h2&gt;
  
  
  Episode #44, &lt;a href="https://www.heavybit.com/library/podcasts/jamstack-radio/ep-44-the-developer-experience-with-divya-sasidharan-of-netlify/"&gt;The Developer Experience with Divya Sasidharan of Netlify&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;"This episode explains why DevX is greater than DevRel. It also gets quoted to me a lot in conversation. I personally find more teams considering following suit with Netlify and organizing their Marketing teams similarly."&lt;/em&gt; &lt;/p&gt;

&lt;p&gt;In episode 44 of JAMstack Radio, Brian is joined by Divya Sasidharan, a developer advocate at &lt;a href="https://www.netlify.com/"&gt;Netlify&lt;/a&gt;. They discuss Netlify’s clever approach to improving developer experience, as well as the journey one makes when switching from React to Vue.&lt;/p&gt;

&lt;h2&gt;
  
  
  Episode #12, &lt;a href="https://www.heavybit.com/library/podcasts/jamstack-radio/ep-12-faas-and-the-benefits-of-serverless/"&gt;FaaS and the Benefits of Serverless&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;"Another before-its-time episode where we discuss Serverless just as it was getting started."&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;In this episode of JAMstack Radio, Brian invites Ryan Scott Brown of &lt;a href="https://serverless.com/"&gt;Serverless&lt;/a&gt; and David Wells, Senior Software Engineer at &lt;a href="https://www.redhat.com/en"&gt;Red Hat&lt;/a&gt; and member of the &lt;a href="https://www.ansible.com/"&gt;Ansible&lt;/a&gt; core team, to examine the rise of Functions as a Service (FaaS).&lt;/p&gt;

&lt;p&gt;They discuss common use cases for FaaS and break down the cost benefit of using a service like Lambda instead of a more traditional server. Ryan also discusses the main players in the space and some of the vendor lock-ins you should expect across the spectrum when using FaaS.&lt;/p&gt;

&lt;h2&gt;
  
  
  Subscribe to JAMstack Radio for the Latest JAMstack Conversations
&lt;/h2&gt;

&lt;p&gt;Check out the entire catalogue of JAMstack Radio episodes in the Heavybit Library, and be sure to &lt;a href="https://podcasts.apple.com/us/podcast/jamstack-radio/id1148797643"&gt;subscribe to JAMstack Radio&lt;/a&gt; to stay up to date with the latest episode releases.&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>jamstack</category>
      <category>podcast</category>
    </item>
    <item>
      <title>What VCs wish founders knew about startup security practices</title>
      <dc:creator>Ashley Dotterweich</dc:creator>
      <pubDate>Thu, 05 Mar 2020 00:20:22 +0000</pubDate>
      <link>https://dev.to/aedotterweich/what-vcs-wish-founders-knew-about-startup-security-practices-1m1k</link>
      <guid>https://dev.to/aedotterweich/what-vcs-wish-founders-knew-about-startup-security-practices-1m1k</guid>
      <description>&lt;p&gt;At &lt;a href="https://www.heavybit.com/devguild/enterprise-security/"&gt;DevGuild: Enterprise Security&lt;/a&gt;, we learned that security has become more and more of a revenue driver for startups. As a result, investors are taking an interest in what the companies they invest in are doing to ensure that their products, user data and teams stay secure.&lt;/p&gt;

&lt;p&gt;We chatted with GGV Capital investor and former CISO &lt;a href="https://twitter.com/yungeroren?lang=en"&gt;Oren Yunger&lt;/a&gt; to learn what investors look for when they evaluate the security practices of organizations, and what early-stage teams can do to communicate their security initiatives more effectively.&lt;/p&gt;

&lt;h2&gt;
  
  
  Have you seen a shift in how investors are thinking about the value of good security practices?
&lt;/h2&gt;

&lt;p&gt;"Investors are often assessing solutions from the target customer’s standpoint. As a result, and particularly when evaluating mid-market and enterprise technologies, investors are expecting to see a certain level of security posture that will meet the standards posed in the buying process.&lt;/p&gt;

&lt;p&gt;Another shift I’m seeing is &lt;a href="https://www.heavybit.com/library/blog/every-ipo-needs-a-ciso/"&gt;the increasing prominence of the CISO&lt;/a&gt; and how pivotal they now are to any company. They have more business and technological influence than ever before. One of the outcomes of this organizational shift is the &lt;a href="https://www.helpnetsecurity.com/2020/02/11/cybersecurity-board-level/"&gt;amplified CISO presence in Boards of Directors’ discussions&lt;/a&gt;. Investors, who often sit on those boards, are taking note.&lt;/p&gt;

&lt;p&gt;They’re also in a process of deepening their domain understanding as well as asking questions that are increasingly sophisticated. Many startups are aware of this increased attention to security. Combined with hearing about what’s in the news and top of mind for businesses in terms of security, this results in many young companies adding security phrases to pitches that are not related to security products.&lt;/p&gt;

&lt;p&gt;For example, a company would say, 'We collect data and provide insights to Chief Marketing Officers securely,' but it won’t always be able to provide a good explanation as to what “securely” means and what protocols are followed. So, we’re seeing increased awareness of security from both investors and founders, but there is still foundational work to be done to make sure everybody is on the same page when talking security. We’re in a maturation stage that shows that security is of great importance across the board and the right mentality is there to treat it seriously and do it right."&lt;/p&gt;

&lt;h2&gt;
  
  
  What’s the biggest incorrect assumption that teams come to investors with regarding security?
&lt;/h2&gt;

&lt;p&gt;"In order to address security and show the company’s investment in the area, we see many young companies complete a SOC2 audit and even ISO27001 certification. By working hard towards the goal of achieving compliance and approval from an unbiased third party, many companies believe that they are secure. In my view, this is one of the biggest misconceptions since compliance doesn’t really equal security. While it is important to establish security programs, laws and regulations will never be able to fully address the technical complexities of a technology business.&lt;/p&gt;

&lt;p&gt;For example, a company might claim to adhere to some secure development lifecycle policy, but if sensitive data is transmitted over session IDs or there is a vulnerable application dependency running, then the whole system could be compromised even though the company had passed the audit successfully. Therefore, I would encourage any team to think about security as a category that includes a subset of compliance."&lt;/p&gt;

&lt;h2&gt;
  
  
  When it comes to security, what’s one thing you wish every company you spoke with was doing?
&lt;/h2&gt;

&lt;p&gt;"I wish small companies and startups better understood the risks that they are facing and took action to &lt;a href="https://www.heavybit.com/library/video/passing-enterprise-security-reviews/"&gt;design a mitigation plan&lt;/a&gt; to the business roadmap should a bad scenario take place. Rome wasn’t built in a day, and security maturity should not and cannot be built in a day either. Oftentimes, a decision of “all or nothing” – as in not being able to staff or resource for security and therefore abandoning it altogether – could be destructive to the business as it is remaining in a most vulnerable place.&lt;/p&gt;

&lt;p&gt;This is the main reason I teamed with a group of skilled CISOs on &lt;a href="https://www.security4startups.com/"&gt;Security4Startups.com&lt;/a&gt;, a free initiative that provides guidance for startups to understand security concerns from different business operations. We also outlined technical yet feasible security measures that early-stage companies can take in order to embrace security efficiently."&lt;/p&gt;

&lt;h2&gt;
  
  
  Founders routinely share revenue numbers and new user stats with VCs. How can they share security work, progress and goals with their investors?
&lt;/h2&gt;

&lt;p&gt;"Security should be treated as a board-level and investor-level topic. Just as founders are sharing their product roadmap and organizational changes with their investors, they should keep the security work and progress top of mind.&lt;/p&gt;

&lt;p&gt;As a best practice, I suggest that the startup’s security program be presented at least once a year for boards and/or investors to review. In this alignment, the parties can ensure that the strategies support the direction of the company and the desired risk posture. It will also allow the investors to understand what actions would be taken in the case of an incident."&lt;/p&gt;

&lt;h2&gt;
  
  
  Is there anything you’re seeing recently that excites you most for the future of startup security?
&lt;/h2&gt;

&lt;p&gt;"There has been a rise in the attention that management teams allocate to security. It’s exciting to see that the industry is going places and that &lt;a href="https://www.heavybit.com/library/blog/democratizing-security-from-the-top-down/"&gt;it’s not only CISOs who are keeping security top of mind&lt;/a&gt;. Equally important is that security leaders today understand that while the ultimate goal is not to be breached, security can play an important role in growing top-line revenue.&lt;/p&gt;

&lt;p&gt;This is a great transition for everyone involved: For executive teams as security is supporting the business, for security professionals as they now are in the rooms where things happen, and for security-related startups who can sell more efficiently into businesses."&lt;/p&gt;

&lt;h2&gt;
  
  
  Learn more about Startup Security Best Practices
&lt;/h2&gt;

&lt;p&gt;For more from Oren, watch his DevGuild: Enterprise Security talk on &lt;a href="https://www.heavybit.com/library/video/security-from-the-start-startup-security-basics/"&gt;Startup Security Basics&lt;/a&gt;. Learn more about Enterprise Security trends, best practices and tooling by checking out more of our security talks and articles &lt;a href="https://www.heavybit.com/library/topic/security/"&gt;in the Heavybit Library&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>startup</category>
      <category>security</category>
      <category>saas</category>
    </item>
    <item>
      <title>Creating Effective Buyer Personas: A Template and Process</title>
      <dc:creator>Ashley Dotterweich</dc:creator>
      <pubDate>Tue, 25 Feb 2020 22:21:10 +0000</pubDate>
      <link>https://dev.to/aedotterweich/creating-effective-buyer-personas-a-template-and-process-3jak</link>
      <guid>https://dev.to/aedotterweich/creating-effective-buyer-personas-a-template-and-process-3jak</guid>
      <description>&lt;p&gt;Buyer personas are an essential building block for any marketing strategy. Coupled with &lt;a href="https://www.heavybit.com/library/blog/messaging-framework/"&gt;strong messaging&lt;/a&gt;, they help the team focus on a user profile that will yield the most success across sales, marketing, and product initiatives. But personas can be hard to nail down. Once drafted, they’re all too easily hidden away in a Google Drive folder and never referenced again.&lt;/p&gt;

&lt;p&gt;Let’s take a look at what you can do to develop, use, and maintain buyer personas to ensure that your team gets value from them.&lt;/p&gt;

&lt;h2&gt;
  
  
  When Do You Need Buyer Personas?
&lt;/h2&gt;

&lt;p&gt;Personas are a bit of a chicken-and-egg problem; great personas help you find and convert customers, but in order to build your personas, you’ll need happy customers to model them after. So, what comes first?&lt;/p&gt;

&lt;p&gt;During a session with Heavybit founders, Mitch Morando advises that you start building personas once you have a few signed contracts. “Use closed contracts as data points for persona development,” says Mitch, “once you’ve gotten about five, you should start seeing patterns.”&lt;/p&gt;

&lt;p&gt;So now you have a few very happy, paying customers, and you’re ready to start creating buyer personas — or at least, the first version of them.&lt;/p&gt;

&lt;h2&gt;
  
  
  Start with User Research
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Dive into Customer Data
&lt;/h3&gt;

&lt;p&gt;Personas should reflect your real users. &lt;a href="https://www.heavybit.com/library/blog/user-research-product-market-fit-tactic/"&gt;Early-stage user research&lt;/a&gt; is a critical part of finding product-market fit and will help you develop personas that are useful and grounded in actual feedback. Interview successful customers to get a fuller picture of their roles, their goals, and how they think about purchasing decisions.&lt;/p&gt;

&lt;p&gt;“You should be able to point to your personas within your user base, and be able to identify people who represent that persona in a very clear and immediate way,” said Okta’s Sr. Director of Demand Gen Claire Hunsaker.&lt;/p&gt;

&lt;h3&gt;
  
  
  Align with the Sales Team
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://www.heavybit.com/library/video/personas-youre-doing-it-wrong/"&gt;In her talk on personas&lt;/a&gt;, Claire Hunsaker said that the number one mistake that marketers make when crafting personas is avoiding sales calls. If you can’t get on calls in real-time, tools like &lt;a href="https://www.gong.io/"&gt;Gong&lt;/a&gt; can be extremely useful for catching up on sales conversations and discovering trends in your audience.&lt;/p&gt;

&lt;p&gt;Your sales team is on the front line, talking to would-be users constantly, and your best performers probably already have a good mental model of what a buyer looks like. Talk to the sales team and get those mental models on paper. They can help confirm or recalibrate your findings about your buyer.&lt;/p&gt;

&lt;h3&gt;
  
  
  Use Social Media Research to Fill in the Gaps
&lt;/h3&gt;

&lt;p&gt;LinkedIn can take you beyond your current user base and fill in the gaps in your data set. &lt;a href="https://www.heavybit.com/library/blog/early-sales-prospecting-for-founders/"&gt;Examining LinkedIn profiles&lt;/a&gt; can tell you what topics and groups people are interested in. Look for markers like:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Educational Background&lt;/li&gt;
&lt;li&gt;Technology and language preferences&lt;/li&gt;
&lt;li&gt;Career aspirations&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For technical audiences especially, taking your social research further and digging into Twitter can also be helpful — who are the most-followed figures in the space? What are the most contentious topics and questions?&lt;/p&gt;

&lt;h2&gt;
  
  
  Build Your Personas
&lt;/h2&gt;

&lt;p&gt;You’ve done your research and you probably have a rough idea in your head (or in your notes) of who your buyer is. Now it’s time to distill that into a clear, succinct description that will paint a very clear picture for everyone on your team about who this person is.&lt;/p&gt;

&lt;h3&gt;
  
  
  What to Include in Your Personas
&lt;/h3&gt;

&lt;p&gt;There are many persona templates out there; some are flashier and more complex than others. Start simple and focused. The goal is to define who your buyer is and how you can help them.&lt;/p&gt;

&lt;p&gt;We like this buyer persona framework, which is based on Claire’s talk (&lt;a href="https://docs.google.com/document/d/1QuzvQr3ASupqepev03G6S76o8YO9aL8vwVhyKIdDros/edit?usp=sharing"&gt;grab the persona template here&lt;/a&gt;):&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--lmWOIRwC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.heavybit.com/wp-content/uploads/2020/02/persona-template-1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--lmWOIRwC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.heavybit.com/wp-content/uploads/2020/02/persona-template-1.png" alt="persona template empty"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Check out this persona template in action in Claire’s example of a developer persona from her talk:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--2S2d46UD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.heavybit.com/wp-content/uploads/2020/02/developer-persona-example.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--2S2d46UD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.heavybit.com/wp-content/uploads/2020/02/developer-persona-example.png" alt="persona template completed part one"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--9bS53CbU--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.heavybit.com/wp-content/uploads/2020/02/developer-persona-example2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--9bS53CbU--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.heavybit.com/wp-content/uploads/2020/02/developer-persona-example2.png" alt="persona template completed part two"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Distribute Your Personas
&lt;/h2&gt;

&lt;p&gt;The problem with looking at persona templates is that personas aren’t just a framework that exists in a vacuum; they’re only useful insofar as the team uses them. Don’t throw personas over the wall and expect them to be used.&lt;/p&gt;

&lt;p&gt;It’s helpful to think of personas as something to be launched internally, just as you would a new piece of software for the team. Not every member of your team will be familiar with personas or how to use them, so taking the time to help them understand how they’re helpful (and ask for feedback) can go a long way. A few ways to frame how the team can use your personas:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Use demographic data to build campaigns&lt;/li&gt;
&lt;li&gt;Use questions to build marketing content and onboarding tracks&lt;/li&gt;
&lt;li&gt;Use influencers to find partnerships&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  The Cycle Continues: Update &amp;amp; Review
&lt;/h2&gt;

&lt;p&gt;Here’s the real secret to great personas: they aren’t ever done. As your product and market evolve, so should your personas. Review your personas quarterly to evaluate whether they’re still an accurate representation of your buyers.&lt;/p&gt;

&lt;p&gt;Another common mistake that marketers make is not taking feedback from the team. Customer-facing team members will quickly see changes to the buyer persona, and can help calibrate your personas over time. Provide channels for persona feedback to help your team surface ideas and concerns to you as they see them.&lt;/p&gt;

&lt;h2&gt;
  
  
  Learn More about Creating Effective Buyer Personas
&lt;/h2&gt;

&lt;p&gt;Creating personas is hard work, but going through the exercise of creating them will have a big impact on your team as you scale. To dive deeper into the process of developing high-impact buyer personas, watch Claire Hunsaker’s Heavybit Speaker Series talk &lt;a href="https://www.heavybit.com/library/video/personas-youre-doing-it-wrong/"&gt;Personas, You’re Doing It Wrong&lt;/a&gt; in the Heavybit Library.&lt;/p&gt;

</description>
      <category>startup</category>
      <category>saas</category>
      <category>productivity</category>
    </item>
    <item>
      <title>How to Create an Effective Incident Response Plan</title>
      <dc:creator>Ashley Dotterweich</dc:creator>
      <pubDate>Tue, 25 Feb 2020 18:52:27 +0000</pubDate>
      <link>https://dev.to/aedotterweich/how-to-create-an-effective-incident-response-plan-3h6i</link>
      <guid>https://dev.to/aedotterweich/how-to-create-an-effective-incident-response-plan-3h6i</guid>
      <description>&lt;p&gt;When it comes to security incidents, it’s not a question of if, but when they will happen. 80% of organizations say that they have experienced some kind of cybersecurity incident in the last year. With this in mind, it’s essential to have a security incident response plan in place before you need one.&lt;/p&gt;

&lt;p&gt;At &lt;a href="https://www.heavybit.com/devguild/enterprise-security/"&gt;DevGuild: Enterprise Security&lt;/a&gt;, Zendesk CISO &lt;a href="https://twitter.com/maartenvhb"&gt;Maarten Van Horenbeeck&lt;/a&gt; stressed that having a plan enables organizations to handle security incidents both small and large more effectively. This article is adapted from the talk he gave, outlining the steps that teams can take to develop and refine an incident response plan.&lt;/p&gt;

&lt;h2&gt;
  
  
  Assign Clear Roles and Responsibilities
&lt;/h2&gt;

&lt;p&gt;When you are a smaller organization, you're probably going to be quite stressed when an incident happens. If it's clear to you what it is that you're going to be doing next, then you're not going to be as stressed during the incident and you're going to have a better handle on things when you're reacting. Your first step is to make sure that you assign clear incident response team roles: a communicator, an investigator and a leader.&lt;/p&gt;

&lt;p&gt;The person leading the response should not be the person doing the technical investigation. They’ll get lost in the logs and lose track of the fact that they just discovered something they have to escalate.&lt;/p&gt;

&lt;p&gt;Additionally, make sure you have someone focused on communication. It's very difficult when you learn something new every 10 minutes to make sure that you keep a good understanding of what's actually happening. It's the communication that gains you trust, whether it's from your CEO or your customers.&lt;/p&gt;

&lt;h2&gt;
  
  
  Build Relationships Before You Actually Need Them
&lt;/h2&gt;

&lt;p&gt;The security community offers a wealth of support and knowledge. Build relationships before you actually need them. There are a couple of different forums that you can participate in: there's First.org, and there are also information sharing and analysis centers that focus on these types of things. It's relatively inexpensive for you to participate in these forums and learn from them. If you're not ready for that, go to a security conference and ask some of your peers about what it is that they do to prepare for an incident and how you can also help make that better.&lt;/p&gt;

&lt;p&gt;You really want to know the right people to be able to partner with when something happens. So make sure that you know your peers, your competitors, and that you connect with their security teams and don't compete on security, but try to make the pie bigger for everyone by making sure that they trust SaaS services. As a result, they will trust you.&lt;/p&gt;

&lt;h2&gt;
  
  
  Do Your (Legal) Homework Ahead of Time
&lt;/h2&gt;

&lt;p&gt;You're not going to have the ability to know everything from the legal side to the technical side of incident response, so again, make sure that you build these connections ahead of time and look into what you can potentially even contract ahead of time. There are retainer agreements you can sign with law firms and with forensic investigators, so they can come help you when an incident actually happens.&lt;/p&gt;

&lt;p&gt;Now, you might ask yourself the question, "Should I really be spending my money on this?" The answer is that it depends a bit on your size, and you may not. But even then, it's worth starting the conversation so you at least know how much it's going to cost you when an incident actually happens. You'll know a little bit about the process, and maybe you can agree on terms for getting support before the incident happens so you don't end up locking yourself into agreements you disagree with.&lt;/p&gt;

&lt;h2&gt;
  
  
  Understanding Your Reporting Obligations
&lt;/h2&gt;

&lt;p&gt;Understand who it is that you need to report to, as this has become more and more important with rules and regulations like GDPR. Quite often you're expected to report to a competent authority, which could be a national CERT, or could be a regulator. What rules are important? What are the things that you really want to learn ahead of time so that they don't catch you by surprise?&lt;/p&gt;

&lt;p&gt;You can do that yourself, but it's highly recommended that you talk to your attorneys. You usually will have an attorney that you work with on things unrelated to security incidents. Maybe have the conversation about what support you need when an incident strikes, so that you can really figure that out ahead of time, and also think about your culture.&lt;/p&gt;

&lt;p&gt;Security culture is one of the most critical things for a company because if you are very open with your customers and then you have an incident and you don't communicate, your customers may lose a lot of trust. So make sure you have that conversation with your legal support ahead of time, so they also know what it is that you will want to do in terms of your customer relationships when a security incident strikes.&lt;/p&gt;

&lt;h2&gt;
  
  
  Create an Incident Communication Plan
&lt;/h2&gt;

&lt;p&gt;Communicate often and early, but always be correct and truthful. That can mean that if you don't know something for sure, you may actually want to tell your customers that you don't know it yet or that you're still investigating and that you don't have that information. But make sure that you're as truthful as you possibly can be.&lt;/p&gt;

&lt;p&gt;It’s important to have the right mechanisms to communicate to your customers --  you want to create a place where customers can continue to learn new things and get authoritative information from the source. &lt;/p&gt;

&lt;h2&gt;
  
  
  Templatize Impact Statements
&lt;/h2&gt;

&lt;p&gt;You will be learning something new every hour, every day. It's very easy to get lost in what is happening there. There are a lot of details, and details may look very impactful and in the end they may not be.&lt;/p&gt;

&lt;p&gt;Have a couple of questions that you continuously ask yourself as you learn something new and you go to new things. Think about exactly what the impact on customers is. This new information that you just learned, did it tell you something that you didn't know yet? Did you learn something new about how access in this case was achieved? And does it actually impact customers? &lt;/p&gt;

&lt;p&gt;The best way to do this is by having one document with a couple of paragraphs at the top, and actually call it an "Impact statement." You continuously update it whenever you learn something new, so that everyone involved can continuously stay in the loop and know what the status is.&lt;/p&gt;

&lt;h2&gt;
  
  
  Never Let a Good Incident Go to Waste
&lt;/h2&gt;

&lt;p&gt;Finally, you should never, ever let a good security incident go to waste. You will likely have a security incident of some magnitude at some point in time, and it's probably going to be more frequent than you want even though it might not be very frequent. But it's sometimes good to just look at the things that just didn't meet the threshold and treat them as a real incident, so you have an opportunity to go through the entire process and get everyone prepared. &lt;/p&gt;

&lt;p&gt;Document everything you do during an incident and study it afterwards with everyone involved. Make sure they know that you're not trying to find blame -- you're just all trying to improve. Get them to share what worked for them and what didn't work for them, and then spend a little bit of time thinking about how you can put all of that in place. &lt;/p&gt;

&lt;p&gt;Then communicate your needs and share your learnings. The only way we're all going to make sure that we don't all have to make the same mistake again is by actually being transparent about what we did wrong so others can learn the different challenges that they are going to face.&lt;/p&gt;

&lt;h3&gt;
  
  
  For more on creating an incident response plan, watch the recording of Maarten’s complete talk on &lt;a href="https://www.heavybit.com/library/video/disclosing-security-incidents/"&gt;Disclosing Security Incidents from Routine to Breach&lt;/a&gt;.
&lt;/h3&gt;

&lt;p&gt;This article originally appeared on &lt;a href="https://hackernoon.com/how-to-create-an-effective-incident-response-plan-4x4m38dm"&gt;Hacker Noon&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>security</category>
      <category>startup</category>
    </item>
    <item>
      <title>OKRs for Startups: Tactics for First-Time Goalsetting</title>
      <dc:creator>Ashley Dotterweich</dc:creator>
      <pubDate>Tue, 21 Jan 2020 23:35:36 +0000</pubDate>
      <link>https://dev.to/aedotterweich/okrs-for-startups-tactics-for-first-time-goalsetting-5d1p</link>
      <guid>https://dev.to/aedotterweich/okrs-for-startups-tactics-for-first-time-goalsetting-5d1p</guid>
      <description>&lt;p&gt;Setting goals for a team isn't too challenging -- but setting goals that a team can stick to is. In an interview with Webflow VP of People and veteran OKR program leader Heather Doshay, I learned a few tips for getting OKRs right the first time:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. Your First OKR should be...Implementing OKRs&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Goal-setting programs often fail because no one is making sure that the program is successful. Startups have a million competing priorities at any given time, and the meta-work of setting and sticking to OKRs can easily fall by the wayside. &lt;/p&gt;

&lt;p&gt;Designating someone on the team as the OKR champion ensures that the entire program doesn’t end up as an abandoned initiative three weeks into the quarter.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. Start with a Small Cohort&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The purpose of OKRs is to get everyone in the company aligned and working towards a shared goal, but that doesn't mean that you &lt;em&gt;have&lt;/em&gt; to start with everyone in the company. &lt;/p&gt;

&lt;p&gt;Because one of the first big hurdles of using OKRs is getting the team in the habit of creating and sticking to them every quarter, rolling it out to every person in the organization can end up being an exercise in herding cats. You’ll make mistakes in the beginning, and if your first run of OKRs includes every single person, every little setback can become a major slowdown.&lt;/p&gt;

&lt;p&gt;Heather recommends starting with a small group -- either executives or a single team within the org -- to pilot the program. This will help smooth out the bumps and build excitement before you roll it out to the whole team. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. All Goals are Good Goals to Start -- But Aim High&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The truth is, your first OKRs probably aren't going to be the magical, productivity-transforming goals you're hoping they'll be. But that's fine! &lt;/p&gt;

&lt;p&gt;Many teams get hung up on creating (and achieving) their ideal goals the first time around. But homing in on the right OKRs for your team can take a bit of trial and error. Be data-driven with your goals wherever you can, but don't be afraid to take a best guess. &lt;/p&gt;

&lt;p&gt;The real goal of the first (and sometimes second) round of OKRs is to establish a baseline. It’s okay to under- or overshoot your metrics when you're first getting started, and that failure can provide a lot of very valuable information for your team. That said, ambitious goals breed better results from the team, says Heather:&lt;/p&gt;

&lt;p&gt;“Ultimately, the team has no baseline and doesn’t know what’s possible. But by using data and adding a layer of ambition, your team can achieve a healthy mix of being nervous while still being committed to the goal.”&lt;/p&gt;

&lt;p&gt;-&lt;/p&gt;

&lt;p&gt;Check out the rest of the interview here: &lt;a href="https://www.heavybit.com/library/blog/best-practices-startup-okrs/"&gt;https://www.heavybit.com/library/blog/best-practices-startup-okrs/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I'd love to hear from folks who have used OKRs successfully in the past (or are on a team using them now). Are there any best practices or tips that make a big difference in getting them to stick? &lt;/p&gt;

</description>
      <category>startup</category>
      <category>management</category>
      <category>productivity</category>
    </item>
    <item>
      <title>What Dev Teams Should Know about DevSecOps</title>
      <dc:creator>Ashley Dotterweich</dc:creator>
      <pubDate>Mon, 04 Nov 2019 21:30:56 +0000</pubDate>
      <link>https://dev.to/aedotterweich/what-dev-teams-should-know-about-devsecops-nle</link>
      <guid>https://dev.to/aedotterweich/what-dev-teams-should-know-about-devsecops-nle</guid>
      <description>&lt;p&gt;In the past, many teams were able to get by with security as an afterthought — or so it seemed. But as development cycles have become faster and devices more connected than ever before, there’s no mistaking the fact that every team needs to &lt;a href="https://www.heavybit.com/library/topic/security/"&gt;make security a priority&lt;/a&gt;. &lt;/p&gt;

&lt;p&gt;More organizations are starting to implement DevSecOps and integrate security into the development process; one study found that while only a small percentage have fully implemented DevSecOps today, &lt;a href="https://www.businesswire.com/news/home/20190926005105/en/Enterprise-Strategy-Group-Study-Finds-Companies-Securing"&gt;68% of companies plan to use DevSecOps&lt;/a&gt; practices within the next two years. We chatted with Mike Kail, CTO of Everest.org, to learn more about what teams need to know about DevSecOps as they begin their journey towards shifting security left.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Best Time to Start Implementing DevSecOps is Now
&lt;/h2&gt;

&lt;p&gt;As DevOps practices gain broader adoption, security is often still a gap in the process; according to a survey of DevOps practitioners, &lt;a href="https://info.signalsciences.com/hubfs/signal-sciences-resources/2018-devsecops-community-survey.pdf"&gt;only about half of organizations with mature DevOps&lt;/a&gt; processes perform automated application security analysis throughout the development process. &lt;/p&gt;

&lt;p&gt;But the cost of not integrating security into application development is high. A study from IBM found that businesses without formal security protocols in place &lt;a href="https://www.darkreading.com/attacks-breaches/with-data-breach-costs-time-is-money/d/d-id/1335336"&gt;spent on average $4.74 million after a breach&lt;/a&gt;. “Every year there are thousands of data breaches, largely a result of source code and application-level vulnerabilities, but many organizations still take an antiquated approach to application security,” says Mike. “Organizations need to flip their security approach from defensive to offensive in order to anticipate and thwart attacks before they happen.”&lt;/p&gt;

&lt;h2&gt;
  
  
  Culture is the Biggest Barrier to Change
&lt;/h2&gt;

&lt;p&gt;“The biggest barrier to DevSecOps is culture, not technology,” says Mike. “Development teams are more concerned with delivering new features and functionality at an extremely high velocity. Security teams are often seen as a blocker to delivery. They can create a lot of fear and uncertainty. &lt;a href="https://www.heavybit.com/library/podcasts/the-secure-developer/ep-21-managing-security-with-the-realreals-julie-tsai/"&gt;To successfully transition to a DevSecOps methodology&lt;/a&gt;, both teams must be willing to make application security an integrated strategy and continue to drive security awareness for developers.”&lt;/p&gt;

&lt;p&gt;Mike suggests that teams should look to successful implementations of DevOps as they model a more progressive, security-focused culture. “The core tenets of DevOps are collaboration, automation, measurement and sharing. We need to build a culture based on those ideas for application development and security.”&lt;/p&gt;

&lt;h2&gt;
  
  
  Scaling Out Can Hinder DevSecOps
&lt;/h2&gt;

&lt;p&gt;For many large initiatives, the first questions a team might ask are, “Should I hire more people for this?” or “Do I need additional software/tools for this?” But for teams that are keen to start implementing DevSecOps, Mike warns against investing in tooling or hiring too early. The shift in your existing culture is critical to the success of a DevSecOps process, and putting the focus on new hires or new infrastructure can create additional roadblocks to that shift:&lt;/p&gt;

&lt;p&gt;“A scale-out approach works extremely well for most infrastructure architectures and applications, but it is completely ineffective in terms of additional security tools and hiring more Security Engineers. This shifts the Security team even farther away from the Development and Delivery process and it doesn’t embrace the core tenets of the DevOps culture,” says Mike. &lt;/p&gt;

&lt;h2&gt;
  
  
  Tap Into the Security Community
&lt;/h2&gt;

&lt;p&gt;Communication is at the heart of modern security practices — whether that’s building better communication practices internally or creating intelligence sharing relationships with other organizations. DevSecOps is still a new and evolving discipline, and organizations that are just getting started can benefit from learning from other teams with more mature DevSecOps practices already in place. Mike recommends checking out &lt;a href="https://twitter.com/hashtag/DevSecOps"&gt;#DevSecOps&lt;/a&gt; on Twitter to get vendor-neutral input on the space. For more from Mike Kail on DevSecOps, application security and more, check out &lt;a href="https://medium.com/@mdkail"&gt;his Medium blog&lt;/a&gt;.  &lt;/p&gt;

&lt;h2&gt;
  
  
  Learn More about Best Practices for Security at DevGuild: Enterprise Security
&lt;/h2&gt;

&lt;p&gt;Developer companies face a unique set of challenges when it comes to designing, developing and selling secure products. Join us for DevGuild: Enterprise Security on November 14th for a half-day conference featuring CISOs from organizations like Atlassian, HashiCorp and Splunk as they discuss topics including “Democratizing Security from the Top Down” and “Disclosing Incidents from Routine to Breach.” &lt;a href="https://www.heavybit.com/devguild/enterprise-security/"&gt;Learn more and buy tickets to DevGuild here.&lt;/a&gt;&lt;/p&gt;

</description>
      <category>devsecops</category>
      <category>security</category>
      <category>devops</category>
    </item>
  </channel>
</rss>
