Ten years

Today is the tenth anniversary of Hedgehog Security's incorporation. The plan for an in-person anniversary event in Bath is, of course, deferred. The team did the appropriate thing this morning — a Zoom call across the company with the right kind of words from the right people, and a celebratory bottle that I shared on camera with the senior leadership team. The fully-remote operation has produced its own form of milestone-marking; it is quieter than the in-person equivalent would have been, and is, in its way, also fitting.

Ten years. The Christmas note in December covered the ten-year arc in fuller form. The anniversary-day note is for the personal reflection rather than the strategic narrative.

The first thing about ten years is that the company has, in any meaningful sense, become a different organism than the one that started in the spare bedroom in April 2010. The first version of Hedgehog was a one-person consultancy that traded on the Gala Coral CISO experience, the DDoS book reputation, and a handful of UK security-community contacts who were prepared to retain me. The current version is thirty-one people across two offices with a product business and an institutional services portfolio. The continuity between the two is the customer-organisation focus and the operational philosophy — defence, pragmatism, transparent communication, the relationship-maintenance that turns one-engagement work into multi-year programmes — but in every other operational respect the company is unrecognisably different from where it started.

The second thing is the people. Twelve of the current thirty-one have been at Hedgehog for more than five years. Five have been at Hedgehog for more than seven years. The lead engineer, who joined as the postgraduate intern in February 2016, is now a director of the company and the most consequential single hire I have made. The senior SOC analyst who joined in 2014 is now the SOC operations director. The vCISO senior partner who joined in 2017 is shaping the firm's strategic-engagement practice. The team is the company; the company is the team; the choices about who to hire and how to develop them have, in retrospect, been more consequential to the company's shape than the strategic decisions I have spent more time on.

The third thing is the customer relationships. Browne Jacobson has been a customer since 2011 — nine of the ten years. Towry has been a customer since 2010 — every one of the ten years. Northcott has been a customer since 2010. The manufacturer joined in 2015. The customers' programmes have been the substantive work of the company, and the multi-year arc of seeing customer-organisation security postures develop from the early-engagement state to the mature-programme state has been the most rewarding professional experience of my career. The personal relationships — the IT directors, the CISOs, the senior partners I have worked with for years across these engagements — are the kind of relationships that survive role changes, organisational changes, and the various other shifts that happen in long professional lives, and several of them have done so. The customers I worked with in the first year of the company are, in many cases, still in working contact even where they have moved on from the original engagements.

The fourth thing is the work itself. The cyber-defence discipline has, over ten years, become substantially more sophisticated, more demanding, more strategic, and more central to organisational life than it was in 2010. The customer-organisation conversation about cyber has shifted from technical-specialist concern to board-level strategic theme. The threat landscape has escalated in ways that I would not have predicted in 2010 — the state-actor era settled into operational reality, the targeted-ransomware shift, the supply-chain pattern, the regulatory environment that GDPR formalised. The company has been adapting throughout, and the adaptation has been, on balance, satisfactory — the customers' programmes have produced sound outcomes against an increasingly demanding environment.

The fifth thing is what the next ten years might look like. The cyber-defence discipline continues to develop; the threat landscape continues to escalate; the regulatory environment continues to demand more sophisticated customer-organisation programmes; the technology stack on which everything runs continues to shift. The company's role in that environment is more product-oriented than the first ten years' was, and the product roadmap is the principal strategic work for the next several years. The institutional-capital question that I declined in October 2019 may revisit; the partnership and acquisition conversations that exist around any successful product business may produce different outcomes than the bootstrapped path I have run for ten years. The personal-direction question that I have been thinking about more in the past year — whether to remain in operational leadership or to shift toward strategic and external-facing work — is not yet resolved. The next decade will, in some respects, be more uncertain than the previous one, and that uncertainty is, on the personal level, more interesting than steady continuation would be.

The team and the customers are the company. The work has been a privilege. The next ten years will, with luck, produce more of the same satisfaction at a different scale and shape.

The wife has produced a cake. The children have made cards. The day continues.

