Building a Security-First Engineering Culture at LumixSys
How we operate when every engineer rotates through incident postmortems and customer calls, and the norms that make it work.
We are 142 people. About 60 of us are engineers. The rest of the company is built around making engineering productive. That's not a slogan; it's an operational design. Here is how we run.
Every engineer reads postmortems
Once a quarter, every engineer is assigned three incident postmortems (a customer's, one of our own, or a public industry one) and writes a 200-word reflection. The reflection is not graded. It is read by the writer's manager and the CSO. Over time this has built engineering judgment that no training program could have.
Every engineer talks to customers
Once a quarter, every engineer joins a 30-minute call with a customer. Not their direct customer; a randomly assigned one. The PM and AE attend silently. Customers love it; engineers learn the kind of thing no PRD ever captures.
Design docs precede code
Every project longer than two weeks gets a written design doc. The doc has six sections: context, goals, non-goals, design, alternatives, risks. Reviewers must read all six. We block shipping until the alternatives section is honest: it has to describe the options that were genuinely considered and why they lost, not a list of strawmen.
We pay 90th percentile equity and 75th percentile cash
We've made a deliberate choice. Cash pays for quality of life. Equity pays for ownership. We index more heavily on the latter, and our employees average 6.4 years of tenure before leaving.
We measure outcomes, not hours
We don't track time. We do publish team-level SLOs and OKRs every quarter. When a team misses, we ask whether the OKR was the wrong commitment — not whether anyone tried harder.