How Did She Do It? A Q&A with Lisa Xu, CEO of NopSec

By Deb Kemper, Managing Partner, Golden Seeds Ventures

January 28, 2021

Lisa Xu, CEO of NopSec

With cyberthreats proliferating, security is a top priority for all businesses. NopSec is committed to helping enterprises respond quickly to today’s threats and to prepare for tomorrow’s. The company, headed by CEO Lisa Xu, uses a software-as-a-service (SaaS) model to help customers simplify workflows, analyze and prioritize security vulnerability risks, and remediate them quickly and effectively. Lisa recently discussed with Deb Kemper of Golden Seeds the reasons she started the company, challenges she encountered and strategies that have powered its growth.

DK: Tell us about the origins of NopSec.
LX: We started as an offense-focused security company, helping businesses identify security holes and weaknesses from an offensive attacker’s view. Customers loved us and asked if we could put our intelligence “in a box” so they could reference our unique capabilities whenever they needed them. As a result, we built a cloud-based SaaS product that combines data analytics using machine learning with augmented offensive security. It helps customers prioritize threats and vulnerabilities and then remediate the most important weaknesses.

DK: What market need are you solving, and how is your approach different from how others have addressed this need?
LX: There are a lot of security tools generating tons of data, but it’s hard to separate meaningful information from all the noise. There is a gap from technical risk reduction to a business risk conversation. A company can have someone gather data, enter it into giant spreadsheets and present the results in various charts, but that takes about 20 hours a month and it isn’t scalable. Deriving intelligence and insights from all that data is very difficult. You need to know where the vulnerabilities reside in order to determine the priority and decide how you’ll handle remediation and allocate resources. It’s also challenging to align teams from across the company—infrastructure, security, app development—to collaborate and focus on the right thing. Finally, how do you articulate the risk reduction to both technical and nontechnical stakeholders?

NopSec translates technical weaknesses and difficulties into a business risk language that’s easily digestible by nontechnical stakeholders such as the CEO and CFO. We show customers how they’re reducing risk and improving their security posture, as well as reducing the workload, saving time and cutting costs. This gives them a better story to present to the Board. Cybersecurity is a differentiator when companies bid new RFPs. Having a robust security program can help them win new business.

We offer a more automated intelligent approach that leverages our expertise as offensive security experts on top of machine learning. Our flagship product, Unified VRM, ingests data automatically and uses prioritization algorithms to focus on the most important areas, then delivers actionable metrics and reporting in a meaningful way from a business perspective. NopSec Unified VRM integrates with the customer’s ecosystem, using the tools they already have for detection, reporting or ticketing. The end goal is to highlight all the issues and rank them in a dashboard so companies can focus on the most detrimental weaknesses and prioritize the most impactful options to address them.

DK: What challenges have you encountered along the way? How have you overcome them?
LX: There’s been no shortage of challenges! We’ve had to tackle everything from acquiring customers to building the product, growing the business and scaling the team. We had to pivot from a service model focused on satisfying customers to a growth model focused on subscriptions, creating a scalable enterprise to build the business. That’s not an easy shift. What keeps us going is that we never give up. It’s all about identifying the nature of the problem: is it strategic, directional or design? Does it require resources and capital or is execution the issue? Once the root cause is determined, you continue to iterate until it’s solved.

DK: What effect has COVID had on your business?
LX: Like many companies, we’ve had no employees in the office since March, so we’ve had to embrace going virtual and operating remotely. Our staff members, who are very widely dispersed, save commuting time and have a better work/life balance as a result. We’ve broadened our talent pipeline and hired new people, some we’ve never met in person. At the beginning of the pandemic, everyone was overworked, so we emphasized the importance of self-care. I’m happy to report that our team has managed to survive very well during this time.

DK: Any tools that have helped you stay connected or things you have done to help onboard remote workers?
LX: Everything we use is cloud-based so it works everywhere. We’re big on Slack because everyone has adopted it both for business and personal use. We also use Zoom and email for onboarding new employees and Zendesk for ticketing.

To help new employees, we define the process and training material before we get them on board. We give them a weekly NopSec onboarding program, and we have regular check-ins—first daily, then weekly and biweekly. Building an infrastructure and training collateral helps expedite the process. To stay connected, we have a virtual happy hour on Fridays, which gives everyone a chance to socialize.

DK: What advice do you have for early-stage founders about raising money, growing a team, fostering company culture or other issues you’ve had to address?
LX: People are always the #1 asset. You have to attract talent and work as a team to achieve your goal collectively. Without our people, we wouldn’t have a product or customers. You also have to be purposeful and intentional about company culture. We believe in transparency, because everyone is entitled to know what’s going on with the business. If our employees see a problem or have an opinion, we want to hear about it. The worst thing is when everyone knows there’s a problem but nobody talks about it. We’ve made a conscious effort to ask people to step up and share their views on how and where we can improve.

DK: What’s coming up next for your company? Any big milestones on the horizon?
LX: We’re getting more traction with customers, including enterprise-grade clients. On the product side, we never stop innovating. We’re always releasing new modules and capabilities, which is a great way to upsell our product, expanding horizontally as well as vertically to offer customers additional products. We are always actively working to engage with potential customers and future funders.

This is an exciting time for us, and it’s a great opportunity for SaaS-based companies to scale. We’ve more than doubled in size, both on the team and customer fronts. We understand our customers’ pain points and deliver a solution that truly solves their problems. They listen to us and keep coming back; we have an amazing renewal rate of 99%.

DK: Tell us about your experience with Golden Seeds. How has the Golden Seeds network been helpful to you?
LX: The networking has been invaluable. We really engage with the investors and they leverage their networks to help us grow. One investor has been especially active in working their contacts and introducing us to the right executives in enterprise-grade organizations. On a strategic level, Golden Seeds has always challenged us to think about things differently. We touch base every few weeks. There’s a regular cadence of engagement and not just four check-ins a year at board meetings. Golden Seeds wants to know what’s happening with our business, what problems we are encountering and how they can help.
