From Consulting to Product: IriusRisk’s Critical Lessons in Building a Security Software Company

From Consulting to Product: IriusRisk’s Critical Lessons in Building a Security Software Company

The shift from services to product company represents one of the most challenging pivots in B2B tech. In a recent episode of Category Visionaries, IriusRisk CEO Stephen de Vries revealed how a common structural decision nearly derailed their transition – and the insights gained from navigating this evolution.

The Consulting Origins

IriusRisk’s story begins in penetration testing, where they noticed a fundamental shift in customer needs. “Companies were still sending us IP addresses, but increasingly they were sending us URLs,” Stephen explains. “They said, yeah, I don’t care about my infrastructure, I’ve got that protected…But we’ve written this unique application. It’s now live on the Internet. What are the security problems in this application?”

This evolution revealed a deeper opportunity: helping companies design secure software from the start rather than finding vulnerabilities after deployment.

The Costly Structure Mistake

The transition from consulting to product came with a critical lesson. “We essentially founded the company as a consulting firm, 2008, ran it as a consulting firm, and then 2014 decided to start building a product,” Stephen recalls. Instead of creating a new entity for the product business, they maintained the existing company structure.

This decision created unexpected complications: “When you then apply for some of the grants that are available in the EU…or when you apply for things like startup accelerators, they will just ask you a very simple question, how old is your company?” The result? “All of a sudden you’re being penalized because you started the software business maybe this year, but you’ve got seven years of history as a consulting firm.”

Navigating Knowledge Gaps

The transition also revealed significant knowledge gaps. Coming from a technical background, Stephen admits he “knew zero about sales, almost nothing about marketing, customer success and all these other aspects of a business.”

The solution wasn’t to fake expertise but to acknowledge these gaps. “You got to be a good listener,” Stephen explains. “You need to essentially know that you don’t know and say, okay, I don’t know enough about marketing. Let me go and find out. Let me listen to people.”

Building for Enterprise Reality

Understanding enterprise requirements shaped their product evolution. Early penetration testing experience showed that security needed to shift left – moving from post-deployment testing to design-time considerations.

Stephen draws a powerful parallel to physical architecture: “If you’ve ever built a house, you’ll know that the architect of that house plays a pretty significant role in the safety of it…in the software world, it’s now 2023, and now is the first time when we’re saying maybe it’ll be good idea that we look at the design of the things we’re building from a security perspective before we go and build them.”

Measuring Success Differently

The transition from services to product required new success metrics. Rather than focusing solely on new logos, IriusRisk prioritized expansion revenue, which Stephen describes as “the most satisfying growth that we can have” because it reflects real value delivery.

This approach has driven impressive results: “112% growth, and the year before that, were at about 104%. So 85 was a slower year for us.”

The Future of Software Security

Looking ahead, Stephen sees the product business positioned for continued growth as software architecture becomes increasingly critical. “The act of writing little bits of code, little units of computation, microservices, functions, all of those things are going to become commoditized,” he notes. “What’s going to become less commoditized and where the interesting problem space is, how do I connect all that stuff?”

For consultants considering the transition to product, IriusRisk’s journey offers crucial lessons: create a clean legal structure, acknowledge and address knowledge gaps, and build metrics around customer value delivery. Most importantly, recognize that the transition requires fundamental changes in how you think about and measure success.