Posted on

Sharing stories and celebrating success

Today ISANZ announced their finalists for New Zealand Security Company of the Year. SafeStack is not on that list.

We’re ok with that.


We’re little and growing, a chaotic little family of security people trying to do things differently.

Actual response from team SafeStack

What we will do though is post our application here. This is the exact text we sent with our nomination.

Awards systems rely on secret interviews and nominations, on never sharing why we make decisions and on small groups behind closed doors.

One of the things we value most at SafeStack is openness. There is nothing confidential about our application, nothing secret or special inside.

We post this not with envy or regret but with great pride for what we have achieved. No grapes have soured, no milk has been spilled.

We post this to celebrate even throwing our name into the hat, that can be a really scary thing to do.

We post this to inspire other tiny companies with big ideas to share your successes, celebrate and learn from your failures and to keep trying.

We encourage anyone who nominates themselves, their team or someone else for an award to share their applications. Let us see what makes you proud, what makes you smile and share your stories.

Good luck to all the finalists in ISANZ and other awards like it.

Kia Kaha to everyone else, share your stories widely, we’re all waiting to celebrate with you.

Love and hugs,

The SafeStack Team

Nominated Company: SafeStack Limited

SafeStack is a New Zealand owned and operated boutique security firm based in Auckland, New Zealand. It provides advisory, training and custom security products for fast moving, innovative and growing firms globally.

Founded in 2014, by Laura Bell, SafeStack is now a crazy security family of 6 full-time employees and one dog.

In its first two years, SafeStack has grown to serve 55 customers from tiny 4 person start-ups to some of the biggest companies in the Asia Pacific region and continental USA.

Our clients are located in 7 countries and across a range of industries from Telecoms to Healthcare and from Finance to SaaS/PaaS unicorns. Occasionally we deal with a government department or two but only when they ask really nicely. Our client list includes 30% of the NZX top 100 companies and two winners of international growth and innovation awards (start-up sector).

As a bootstrapped start-up that started out with a budget of $NZD 300 and a desk in a shared space in Auckland CBD, SafeStack has grown organically in line with a well-defined set of operating values.

We believe it is this journey and our values that make us a strong candidate for Security Firm of the Year.

Trust – Creating and challenging trust between applications, organisations and people.

Our customers trust us. They refer us to their friends and bring us in when they feel the most vulnerable. Our staff are trusted to make decisions, to learn and to share when they are vulnerable or when they fail. Trust is crucial to everything we do.

Trust works both ways though, we work hard to highlight issues with tools or approaches that are trusted but don’t deserve to be. This includes responsible disclosure and helping customers critically evaluate their technical choices and suppliers.

Collaboration – Uniting technical disciplines to build secure applications and systems.

SafeStack is a team of hybrids. We are employ 2 full-time software developers, 1 DevOps specialist, 1 data wrangler and pseudo librarian, 1 reformed penetration tester/chaos monkey and a former QSA bassist. We work closely with animators and graphic designers and seek consultation from video games designers and Harvard MBA’s.

Security is no longer about being a separate voice in an organisation that should be consulted. Security is about pulling together complementary skills from across the organisation to solve problems. We reflect this changing landscape in our team.

We are stronger as a company when we specialise. We are leaders in agile application and information security, we find partners who are equally respected in their own niche.

Innovation – Changing the way we talk about security, changing the way we manage it.

SafeStack isn’t the type of firm that just preaches. We’ve thrown out the traditional governance approaches and help organisations survive, secure and comply using context relevant, automated and pragmatic approaches.

In SafeStack reports “words are expensive”. Our deliverables to clients are short, clear and concise – highlighting not only gaps, but also positive areas that should be continued. There are a number of banned words in the SafeStack office including “cyber”. If a word doesn’t add value or creates FUD it goes on the list!

Examples of this include our work with the largest banking innovator in Australia, where we have enabled them to meet APRA requirements (Australian Banking Regulations) without a single gate in their software development pipeline. Security, banking governance and compliance without a red pen and change review board in sight.

Outside of advisory we have developed two products. AVA (, an open source human vulnerability scanner made international news in 2015 (including MIT Scientific Review and Wired magazine) when it was shown at BlackHat USA.

Dfend ( is our first Software as a Service offering and aims to provide vulnerability management and security alerts to small, fast moving firms who don’t have the budget or people to do this themselves. We are practicing what we live what we teach and building our own software, using our own agile application security approaches.

Leadership -Setting the direction for security in a rapidly changing world.

SafeStack is a global leader in bringing security into fast paced, innovative or chaotic environments. We work with both established organisations undergoing digital transformation as well as start-ups, helping them to build security into their businesses as they grow – the right amount of security at the right time. We have _literally_ written the book on this for O’Reilly media (due for pre-release November 2016).

Despite the growing workload and expanding team we try to only work 38 hours per week. Leadership for us is about respecting and encouraging work-life balance and understanding that to remain effective we have to remain rested and happy (even if this means having an office ukulele).

Community – Bringing security knowledge to the wider community and sharing our skills.

We are all fighting to defend important systems. We know this is hard work and we value having our community around us.

From running the training for the Waikato Cyber Challenge, to mentoring a number of students on formal and informal basis, SafeStack likes to help others succeed and enter our industry. We also choose not to send vendor gifts to our clients, instead donating the amount we would have spent to charities. In 2015 this money supported Syrian child refugees and in 2016 this will be going towards New Zealand mental health charities.

Education – Creating a secure foundation based on education not fear.

In two years we have taught almost 600 people in person. This has included giving away ~50 seats to students, start-ups or people from diverse backgrounds. We speak at a range of national and international events and will often give advice to small fledgling companies or student for the cost of a cup of tea.

We believe that success in the security industry is not about sitting on our knowledge and building a kingdom, it is about sharing our knowledge and building an army.