Securing Digital Transformation: Practical Lessons from Signal Sciences with Zane Lackey, Co-founder at Signal Sciences

Zane Lackey on Getting Hacked in 30 Seconds, Co-founding Signal Sciences, and Why Practitioners Make the Best Founders

Zane Lackey, Co-founder and CSO, Signal Sciences (acquired by Fastly) | Interviewed by Luke Alie of Atolio

Zane Lackey co-founded Signal Sciences, a web application security company, which was acquired by Fastly for just under a billion dollars in 2020. Before that, he was CISO at Etsy during the formative years of DevOps, when Etsy and Netflix were the companies pioneering what digital transformation would eventually look like across the entire industry. He talks about what being hacked at 16 taught him about security as a systems problem, why the shift from silos to shared visibility is the real story of DevOps, and what he looks for in founding teams.

Getting Hacked in 30 Seconds: The Pivotal Moment That Started a Career

Luke Alie (LA):  Take us back to a formative moment early in your career.

Zane Lackey (ZL):  I had spent months trying to get my Linux box online in the mid-90s. Custom kernel settings, modem drivers, all of it. Finally got it connected and jumped on IRC to celebrate with friends. Within 30 seconds, somebody hacked into my system and shut it down. It was just absolutely mind-blowing. My reaction wasn't: this is terrible. It was: that was amazing. I am going to learn exactly how they did it, how to defend against it, and how to understand the systems all of this relies on at a deep level. Security, for me, has never been something separate from understanding overall systems. It's part of the same thing.

Through high school and college I kept digging. After school I got an opportunity to be the first employee at a boutique security consulting firm co-founded by five partners, one of whom was Alex Stamos, who went on to become CISO at Facebook. I spent years there and then moved to New York to help build out the East Coast practice. When that firm was acquired, I got the opportunity to become the first CISO at Etsy out of Brooklyn.

The DevOps Shift: What Etsy and Netflix Were Doing That No One Else Was

LA:  What made the Etsy CISO role so formative?

ZL:  At the time, Etsy and Netflix were basically the only companies pioneering what we now call DevOps. It was before the term was really established. I was one of the first two security leaders, along with my counterpart at Netflix, to actually live through this shift from traditional IT to cloud and DevOps. And so much of what the industry had taken for granted about security just no longer held true in that environment.

In 2011, I stood on stage and said Etsy makes production changes 30 times a day. At a time when banks were deploying code changes once a year. The room thought that was insane. But the lesson that started to emerge was this: the way organizations were able to move faster and faster was to break down silos and bring capabilities, information, and visibility that had previously been locked inside one team to the entire organization. Whether that was monitoring tools, observability, or institutional knowledge, the pattern was always the same. Empower the whole org, not just a small group.

From CISO to Founder: A Much Less Deliberate Story Than It Sounds

LA:  Did you always want to start a company?

ZL:  Not at all. The actual story is that I and one of my future co-founders had both left Etsy at different times. We happened to be giving a talk together on security at the end of 2013. Afterward, a friend came up to us and said: don't you guys miss working together? We said yes. He said: after you got off stage, a million people asked if they could buy something that would solve the problems you just talked about, and you told them all no. Maybe just turn that into a product. And we said: well, when you put it like that.

We built Signal Sciences for close to seven years. By the time we sold to Fastly in 2020 for just under a billion dollars, we had 150 employees and about 30 million in revenue. We were defending a substantial portion of the Fortune 500. It was a crazy journey that started with a friend pointing out the obvious.

What to Look for in Founding Teams: Practitioners, Chemistry, and Shared History

LA:  When you look at startups now as a buyer or investor, what do you look for in founding teams?

ZL:  Whether I'm wearing the buyer hat or the investor hat, I always click on the About page or anything about the founders' backstory first. Have they been practitioners? Have they lived in the space they're working in? Do they actually understand the problem from the inside? That is by far the most powerful pattern I look for. Practitioners who have lived the problem they are solving.

And then: have they worked together before? Even if only briefly? The founding teams behind iconic companies almost always have real shared history. When you're building something genuinely hard, the moments of stress will be intense. You need people around you that you like, deeply respect, and fully trust. If you don't have that alignment with your co-founders, it is not going to work.

The Biggest Macro Lesson from DevOps, Applied to Information Management

LA:  What's the biggest lesson from your DevOps experience that still applies today?

ZL:  The techniques that allow you to move faster are the ones that win. And historically the way you enable speed is by taking things that were siloed and sharing them with the entire organization. Monitoring tools that only operations saw. Security data that only the security team understood. Institutional knowledge that lived in one person's head. Making all of those accessible and contextual to everyone is what enabled Etsy, Netflix, and companies like them to move at speeds that seemed impossible to everyone watching from the outside.

That same shift is now happening at the institutional knowledge level. You used to solve this on a personal level: go to floor seven, ask so-and-so. That doesn't scale, especially post-COVID in distributed environments. The companies that figure out how to apply the DevOps playbook to information accessibility across their organizations are going to have real structural advantages.

The Nicest Thing: How Open Founders Were When Signal Sciences Was Nobody

LA:  Last question: what's the nicest thing anyone has done for you?

ZL:  The thing that surprised me most and positively in the early days of Signal Sciences was how many successful founders were willing to just get on the phone and share advice. We were three people, no seed round yet, completely unknown. And founders of really successful companies would jump on a call and share lessons, feedback, and perspective with no expectation of anything in return.

That is also the piece of advice I would leave anyone listening with: reach out to your peers. We are all fighting the same battles a lot of the time. It is very rare to run into someone who isn't willing to share what they've learned. There is a tremendous amount of help available if you're willing to ask for it, whether you're guiding an organization through transformation, thinking about starting a company, or already in the middle of one. People want to be helpful.

LA:  Zane, thank you so much for talking with me.

ZL:  Yeah, happy to. This was super fun.