212: Differentiating in a crowded cybersecurity market: the Scribe approach with CEO Rubi Arbel
The Cybersecurity Go-To-Market Podcast | April 25, 2023 | 00:50:58 | 35.04 MB

212: In this episode of Sales Bluebird, we dive into the world of software supply chain security and the challenges it presents. Rubi Arbel, co-founder and CEO of Scribe Security, sheds light on the limitations of traditional application security solutions and introduces Scribe's innovative approach to software security using evidence collectors. 

We examine the importance of boldly positioning oneself in the market and engaging with the developer community through evangelists, open-source projects, and attending conferences. Additionally, we explore new US regulations coming into effect in 2023 and the impact they will have on the software security landscape. 

Tune in to this episode for a comprehensive overview of software supply chain security and how companies are taking steps to ensure trustworthy code.

[00:05:05] "Startup Solves Software Supply Chain Trust Issues"

[00:08:33] "Revolutionizing Software Security: An Evidence-Based Approach"

[00:13:17] "Creating Secure Coding Policies for Production Success"

[00:15:16] "Focus on Attestations and Provenance technology development"

[00:16:16] "Securing Scribe: Responsibility and Collaboration Across Teams"

[00:18:42] "Scribe: A Unique Software Supply Chain Platform"

[00:20:09] "2023 Regulation Sparks Software Supply Chain Revolution"

[00:25:02] "Software Supply Chain Security: The Future Standard"

[00:34:19] "Scaling up Sales at the Right Time"

[00:43:35] "Importance of Developer Engagement for Scribe"

Scribe Security website
Rubi Arbel on LinkedIn

Andrew Monaghan [00:00:00]:

It's fun to hear about a founder who is reimagining the solution to an old problem. In this case, Rubi Arbel is the co-founder and CEO of Scribe Security and they're tackling the problem of securing the software supply chain, which is very different to application security in general. It's a difficult problem, but stay tuned to hear how they're uniquely tackling it, how Rubi and his co-founders decided to start a company, how they're going to market, and also Rubi's favorite pastime in spring in Israel. Don't go away. Welcome to the Sales Bluebird podcast, where we help cybersecurity companies grow sales faster. I am your host, Andrew Monaghan. Our guest today is Rubi Arbel, CEO and co-founder at Scribe Security. Rubi, welcome to Sales Bluebird.

Rubi Arbel [00:00:59]:

Thank you. Thank you for having me with you today.

Andrew Monaghan [00:01:02]:

Yeah, I'm looking forward to our discussion. Scribe is in an interesting space that's very popular right now. So I'm intrigued to learn how you're doing things differently and how you came to found the company. So there's a lot of learnings there as a company out of Israel coming into the US, and how you're getting going on the sales side as well. A quick break to say that this episode is sponsored by IT-Harvest. With over 3200 vendors in cybersecurity, it is hard to keep track of all the latest developments as well as research and analyze categories and subcategories within cybersecurity, which is where the IT-Harvest cybersecurity platform comes in. Want to know which subcategories in cloud security are growing the fastest? You'll get it in a few clicks. Want to know and track everything about your main competitors and keep up with their hiring and news? Simple search to be done. Want to know the top 20 fastest growing companies based out of Israel?

Rubi Arbel [00:02:04]:

Easy.

Andrew Monaghan [00:02:04]:

Just a couple of clicks to get that. IT-Harvest is the first and only research platform dedicated to cybersecurity and it's run by Richard Stiennon, who has done it all in cybersecurity, from the VP of Research at Gartner, a CMO at a cybersecurity vendor, a lecturer on cybersecurity, advisor to startups, advisory board member at startups, and a main board member as well. The whole lot. Find out more by going to salesbluebird.com/research. That's salesbluebird.com/research. Now back to the episode. Well, let's look at your LinkedIn background here, Rubi. I'm going to try and see if I can dissect this and put it together. So it looks like you spent a lot of time in the Israeli military, although it looks like not just in 8200. You were in the air force before then, is that right?

Rubi Arbel [00:03:02]:

Yes, I was a fighter pilot in the Israeli Air Force for a long time.

Andrew Monaghan [00:03:09]:

What sort of planes are you flying?

Rubi Arbel [00:03:10]:

F-16. Okay.

Andrew Monaghan [00:03:12]:

How long did you do that for?

Rubi Arbel [00:03:13]:

A long time. Over three decades, actually. I stopped flying about two years ago when they closed my squadron and opened F-35 instead of it, as a reservist. Okay, yeah.

Andrew Monaghan [00:03:30]:

And do you still fly privately like yourself? Do you have a plane or rent a plane?

Rubi Arbel [00:03:35]:

Ultralights. I fly ultralights.

Andrew Monaghan [00:03:38]:

Really? That's very different from flying an F-16.

Rubi Arbel [00:03:41]:

Yeah, but if you go low enough, the terrain goes by more or less the same pace.

Andrew Monaghan [00:03:52]:

Where I grew up in Scotland, there's microlights, little airport, airfields actually, not airport. And the microlights go all around our area. And you're right, they swoop in low over the beach and over the golf course and stuff. It's pretty incredible.

Rubi Arbel [00:04:06]:

Yeah, well, they need to try it sometime.

Andrew Monaghan [00:04:10]:

Well, you were in the Air Force and then you were in the military intelligence side. So 8200, I'm guessing as part of that, you left there in 2015. So you spent quite a while there, had some consulting gigs, it looks like, but then Argus, you were a VP at Argus Cybersecurity. You were a founder and a partner in a boutique professional services firm, a cybersecurity professional services firm, for three years. And then in June 2021, you became the co-founder and CEO of Scribe Security. So why don't we go back to that moment, I'm guessing before June 2021, where you and your co-founders were sitting there, whatever you were doing on your mountain bikes or wherever it might be, they said, you know what, we might actually start a company right, about this problem.

Rubi Arbel [00:05:05]:

Yes, well, it took some time. I think that we had a pretty long incubation. We had to convince ourselves first that this is what we want to do. The story is that a lot of our customers in our professional services company had the same problem, which was how to secure their software supply chain, how to make sure that the software they were developing is not tampered, how to trust their software, and how to demonstrate that their software is trustworthy to their customers. So we came into the same problem time and time again. And this was one side of it. The other side of it was that in one of our projects, we provided tailored solutions. So we developed a blockchain-based platform to monitor and track the integrity of a specific digital asset. And after we did it, we thought about other uses for integrity technology. And we saw that there is a good combination between the solution that we found and the problems that we know and, you know, before. Software supply chain is not a new thing for us. As you mentioned, each and every one of the co-founders had decades of experience in the Israeli cyber units, both defensive and offensive. So we knew about it for a long time, and suddenly we understood that we have a framework and the technology at hand that nobody uses. This was way before the Biden executive order 14028. So at that time, we were the only people that we knew in the world that were speaking this language. And later on we discovered that on the other side of the ocean there are others, which made us very happy. And this was after a long validation where we spoke with many other companies to make sure that software supply chain is really something that they still struggle with in spite of the plethora of application security tools that there are out there. And we understood that the problem is still unsolved and we thought that we have something special.
So we said, all right, this is big enough, this is important enough, it can make a change for good in the world. To trust software is important stuff. So we decided to open a company that is dedicated only to that.

Andrew Monaghan [00:08:07]:

And to your point though, the idea of securing code and the process of developing and bringing code into our product, that's been something that people have been tackling for decades, right? And yet from your assessment and talking to a bunch of people, there's still a problem. So I'm wondering why it's still a problem and then why your approach is actually so important to solve the problems that still exist.

Rubi Arbel [00:08:33]:

Yeah, well, it's a problem because there is more than one reason why it's still a problem. I would say that it's still a problem because it's really difficult to solve. The 30,000-foot answer, here's the thing. Most of the technologies today, and when I say most, I mean like 97% of the technologies out there, of the tools out there, are application security solutions that are based on scanners. And these scanners' task is to find misconfigurations in development tools, in CI/CD tools, or to find CVEs, known vulnerabilities, in the code artifacts. However, scanners can't really find malicious code and scanners cannot monitor and track the integrity and the provenance of the software that you are building. For this, you need a different kind of technology. When we started Scribe, we called it evidence-based technology. I'll explain in a minute what it means. Today, the industry jargon is attestations-based technology. And what it means, at least in our case, is a different technology. The technology that we are developing is based on evidence collectors. They are kind of sensors, or you can imagine surveillance cameras, that are looking at the code wherever it is, throughout its entire life cycle, throughout its entire development cycle. And like surveillance cameras, some of them can take snapshots, some of them can take video, according to the case. And every time something interesting happens to the code, our collectors take a snapshot. And this snapshot is an evidence of something interesting that happens to code. And it could be anything actually. It could be a commit, it could be a PR, it could be moving code from A to B, or it could be running any kind of traditional application security tool on it and getting results. And every time that we take a snapshot, we take a software bill of materials of the code, not only of the final artifact, but of the code, wherever it is. It could be in the SCM, it could be in the checkout of the build, it could be before the CD, et cetera.
We take the metadata, we sign each and every component, each and every file in the SBOM. So we have the kind of the biometric fingerprint of the code at every stage, and we have all the metadata that is associated to it. So we have a lot of data that we can use later on to decide whether something interesting in a bad manner happened to code. Right? Like, was it tampered, was the integrity of the code intact? Was the integrity of the configuration file that produced the code was tampered? Were the development processes, the SDLC processes that your policy required, followed through as you had defined or required. So we have all this body of evidence or body of attestations that we can use either to prevent bad code from being pushed into the production or to just provide you the visibility and transparency that you need either for yourself to make sure that the code you produced is good, is trustworthy. And now, because of the regulation, you can use the same platform, actually, to demonstrate to your customers, to your auditors, to your regulators that they can trust your code, that you did everything okay. And you can show it in a continuous evidence-based manner. And this is what I think separates traditional application security from software supply chain security.

Andrew Monaghan [00:12:56]:

So in that model, then a company, someone who's writing the code, could prove over the lifecycle of the software that all the things have changed and they've tracked it all the way through. So I could see the value in that. Does it stop things from changes, from happening that are deemed to be some sort of risk level? Is that part of it as well?

Rubi Arbel [00:13:17]:

Yeah. So it depends on the policy that you have defined. I mean, policies could be many things, okay? You can choose a policy that says that no code that consists of a package that a vulnerability associated to it above a specific level, severity level, let's say critical, can be pushed into the production. A policy could be you don't allow a code that was produced by a Jenkins, that its configuration file was changed, unwillingly, to be pushed into the production. Another policy could be that you only allow commits that went through a code review, or you only allow commits that after the commit, you ran some SAST, Checkmarx or Veracode, whatever, we don't really care. And you don't allow a commit after that security audit to be pushed into the production. So there could be many policies. And we would like, first of all, to allow you to prevent code that is not adhered to those policies to be pushed into the production. And second, to provide you with a tool, with a dashboard, with a platform that can aggregate all this information and can be used as a security archive or a security documentation tool that provides you all the security aspects in a continuous manner.

Andrew Monaghan [00:14:57]:

I like that whole process then is part of what you're delivering now. Does that mean that companies should still use their traditional software scanners to deal with vulnerabilities and misconfigurations and things like that? Or are you saying that becomes a moot point?

Rubi Arbel [00:15:16]:

Yes, we don't develop new scanners. We think that there are more than enough scanners today in the world, that there are excellent companies that are already developing scanners for many years. This is like for the last 20 years, the industry developed scanners. There are very good open source scanners, so there is no use for us to develop new ones. And Scribe plays well with any tool that you are already using. What we are developing is the stuff that is missing, is the attestations technology and the provenance technology, the integrity technology, the ability to share everything in a controlled manner between the different stakeholders, et cetera.

Andrew Monaghan [00:16:07]:

And when you're going out to talk to companies, who's the main buyer that you're talking to? I'm sure there's all different people that get involved, but who's the main buyer?

Rubi Arbel [00:16:16]:

That's a very good question. So the problem lies on the shoulders of the security team. So usually our first meeting is either with the CISO or the application security officer or the product security officer. And many times with the security architect, it's always security guys because they own the problem. The second meeting is almost always with either the DevOps team, either the DevSecOps or the head of DevOps. Or if it's a small company, sometimes they don't even have DevOps. So it's like with a full stack developer that got this ticket from his boss. So the buyer could be in many ways, and this is what we see, the security team. However, the implementer of Scribe, the implementer of the deployer of Scribe collectors in the pipeline are the DevOps teams. So we also saw a company that the R&D got the problem on his shoulders. This was like the shift left movement in that company. And also the budget came from the R&D, so it could come from both.

Andrew Monaghan [00:17:33]:

So I guess part of this skill, part of the thing you have to do when you talk to new companies is figure out where the power, where the money, who's got the budget, who cares most, I guess, about this because that's where the impetus is going to come from.

Rubi Arbel [00:17:46]:

Yes, you are correct. But Scribe is not different from many other developer tools for security. Okay, so Snyk and Checkmarx and Veracode and Mend, and there is a plethora of security tools that the users are developers or DevOps. And the famous shift left movement is also applicable to Scribe.

Andrew Monaghan [00:18:21]:

Yeah, that's the phrase that everyone's using. Right? And I guess that's probably a blessing and a curse for you though, right? Because A, there's a big movement shift left looking at code and trying to do things properly. But secondly, if you get lumped in with that, then it's hard to differentiate and say yeah, we are part of it, but we're very different. I'm wondering how you kind of approach that.

Rubi Arbel [00:18:42]:

Well, the value proposition that Scribe provides is unique and is different. We don't try to compete with Snyk or with Mend. We don't try to integrate Scribe into the IDE in order to provide like real time understanding of vulnerabilities to developers. This is not what we do. Scribe is a software supply chain platform. We take attestations and of course it could help and assist the R&D to understand which kind of vulnerabilities they integrated into the code that they provided. However, of course, the natural users of Scribe are either the security teams or even the compliance teams. Because of the new regulation, the GRC is many times involved.

Andrew Monaghan [00:19:48]:

When you're talking to companies and they're thinking about buying, I'm curious how they justify it internally, what their ROI is, what their economic kind of reason for buying something like this. Is it an efficiency thing that they talk about? Is it just risk reduction or is it something else?

Rubi Arbel [00:20:09]:

So first I think that we should recognize that 2023 is a watershed moment in the software supply chain domain and this is mainly because of the US regulation. I think the US federal government should be proud of the moves that they've done in order to enhance the nation's resilience to software supply chain attacks. It started with the executive order of President Biden, 14028, and then it developed to NIST 800-218, or SSDF in short. Now there are also the ESF best practices. So there is a new movement that requires software producers, first for critical infrastructure sectors and then in a domino reaction also for noncritical sectors, to adhere to new requirements. And the new requirements in the new regulation talks about continuously and automatically generating accurate SBOMs to each and every build of each and every microservice or pipeline of products that you are producing and to provide the attestations and the proof, if you will, that you've done anything right in an evidence-based manner. So we left the times of once in a year or once in every two years or ISO 27001 audits or even SOC 2 audit. Now we are talking about a different regulation and I think this is the incentive that rules our market in the 2023 to buy new stuff. Okay? The other aspect of it is companies who belong to critical sector, or moreover software producers to companies who belong to critical sector, and they are very aware, their consumers are very aware to the risks, to the cyber risk of software supply chain attacks. So if you will, it's like a safety belt in a car, you put it either because you have to or because you recognize the risks. And we see both.

Andrew Monaghan [00:22:59]:

Yeah, I bet every company's got their own culture. They're probably dealing with their baggage from either trying this before or wherever it might be. And they'll come at this from different angles, at a different pace, depending what they're used to.

Rubi Arbel [00:23:13]:

Yeah, I agree.

Andrew Monaghan [00:23:15]:

What's interesting is that you look at where's the most software developed, it's actually in massive companies, big banks and things like that. They've got thousands of developers working on different things. Whereas I think a lot of people think that it's probably the software development community inside software companies. That's where the main developers are. But it's both and it's everywhere, right?

Rubi Arbel [00:23:37]:

Yes. I think that huge companies usually have the resources to do it on their own. And we see teams, security teams and development teams in huge companies that has 50,000 developers and they develop the things that they need in order to be assured that their software is okay in house. But most companies, the smaller ones, don't have such resources. And Scribe provides the same level of security and the same level of compliance in a fraction of the cost and fraction of the time. So this is what we do. So we don't target like huge companies. We target the ones who don't know or cannot do it themselves.

Andrew Monaghan [00:24:27]:

Got it. Let's change tack just a little bit here, Rubi. So there's 3300 vendors in cybersecurity. I don't know the exact number in shift left movement and the CI/CD movement, things like that, but I bet you it's, I don't know, you tell me. 100, give or take. There's quite a few people doing it. How do you think about how you stand out as a company in that noise so that people actually pay attention to what Scribe is doing versus whatever analysis saying they do? Yeah.

Rubi Arbel [00:25:02]:

So first I think that one should admit that this is a hard task because anyone can say that they are doing software supply chain security and nothing bad will happen to them even if they don't. And to the matter of fact, any application security, any traditional application security company can say that they are doing software supply chain security and to some extent they are right, they are providing some sort of security to an application. So what we think, and I think this is the direction that the world goes to, eventually there is going to be a new market segment that is called software supply chain security and it is going to be distinct from application security because it is really not the same thing. The technology, the basis of the technology is different. Application security, almost all the application security tools out there are scanner based, all kinds of scanners. And the software supply chain technologies are or at least should be different because the value that they provide should be different. Application security is almost always local. It's the base case scenario. The developer knows what's wrong with his software or her software. Software supply chain security is not a local problem. So we think that the solution cannot be only local as well. You need to provide, as a software producer, some kind of transparency, visibility, of course, in a controlled manner, according to your agreements with your customers, because they want the black box that they get today to be at least a little bit more transparent. They want to trust what they are using today. If you sell something, the basic is that you provide a user manual, right, to your product. So you provide documentation to your software product. Where is the security documentation? Right. Why? Why is the security documentation, you know, it's not enough that you say, all right, I'm compliant with SOC 2.
I will show you the certificate that EY or KPMG or whatever gave me two years ago, and you can rest assured that I'm okay. This is not enough. And actually, the new regulation acknowledges that more should happen here, more transparency. And I think that this is how we distinct ourselves. This is how we differentiate ourselves. We are not another application security tool. Okay? Our technology is different. The value proposition is different. We provide integrity and provenance. You cannot find it in application security. We provide compliance with software supply chain security regulation. There is none in application security. We provide continuous code signing. We sign the code all the time in a continuous manner. None of it is in application security tools. So I think as a software producer, you should have both. I'm not discounting application security. It's super important. Super important. But it's not enough. And the next generation of security for software is what Scribe is doing.

Andrew Monaghan [00:28:38]:

So you need to position yourselves as the leaders in this next generation way of working. Right?

Rubi Arbel [00:28:43]:

Yes. And we are the leader. At least today, I think we are the leader.

Andrew Monaghan [00:28:47]:

Yeah. And then you kind of reframe the conversation. It's not that those tools are bad. They're just solving the wrong problem right now.

Rubi Arbel [00:28:56]:

They are solving the right problem, but they're not solving the whole problem. They are solving the application security problem, but they are not solving the software supply chain problem.

Andrew Monaghan [00:29:07]:

Got it.

Rubi Arbel [00:29:07]:

Okay. It's a different problem. It's not the same thing.

Andrew Monaghan [00:29:11]:

Yeah. And that's where the new category needs to come with software supply chain security. Right?

Rubi Arbel [00:29:16]:

Yes.

Andrew Monaghan [00:29:16]:

And you want to be the forefront of that category. That's where all the economic capture happens, with the leader of the category. Right. As opposed to the ones that are further down the stack.

Rubi Arbel [00:29:26]:

I agree.

Andrew Monaghan [00:29:31]:

Let's go right now, though, Rubi, into a little bit about you. I've got a list of questions here. Why don't you give me three numbers between one and 35, and I'll read out the questions for you.

Rubi Arbel [00:29:41]:

All right, seven.

Andrew Monaghan [00:29:42]:

Seven. What is your favorite spring pastime?

Rubi Arbel [00:29:48]:

My favorite spring pastime is biking. Mountain biking.

Andrew Monaghan [00:29:54]:

Mountain biking. Where do you go to do that?

Rubi Arbel [00:29:57]:

So Israel's most beautiful season is spring, I think. Everything blooms, everything green, a lot of flowers. So I go to the woods and to the nature and just e-biking for a few dozens of kilometers each time, around three or four hours.

Andrew Monaghan [00:30:21]:

Sounds wonderful. Although we're recording this in early March 2023. I heard you had a bit of a heat wave over there. Right now it got kind of hot. Is that right?

Rubi Arbel [00:30:30]:

Yes, we had a few hot days, but now everything is cooler again.

Andrew Monaghan [00:30:35]:

So good weather for mountain biking.

Rubi Arbel [00:30:38]:

Yes, that's the best season here, for sure.

Andrew Monaghan [00:30:42]:

All right, one more number.

Rubi Arbel [00:30:43]:

Between one and 35, 15.

Andrew Monaghan [00:30:48]:

Beach or mountains?

Rubi Arbel [00:30:52]:

In the winter, definitely mountains, skiing and snowboarding and in the summer, beach. So a little bit of both, I'd say.

Andrew Monaghan [00:31:01]:

Where do you go skiing and snowboarding?

Rubi Arbel [00:31:04]:

We are closest to the Alps here, so usually I go to Austria, sometimes Italy, sometimes France.

Andrew Monaghan [00:31:12]:

It's a great part of the world around there. So I grew up in Scotland, so when I went skiing a few times, it was always to go down to the Alps rather than try and do it in Scotland. The Scotland ski mountains. I think mountains is probably stretching a little bit. And it's funny because I saw something today deciding that one of the places is closed right now because they don't have any snow. So they're doing some maintenance on the lifts in the middle of March, which is supposed to be the busy time. But over here I live in Colorado, so we go up to the mountains in the summer and the winter, but in the winter go skiing. Obviously. Such a beautiful part of the world.

Rubi Arbel [00:31:46]:

Yeah. I didn't get to ski in Colorado yet, but I lived in Boston for one year, so I had my fair share of skiing in New England. It was okay, but I prefer if.

Andrew Monaghan [00:32:00]:

You're used to the Alps. It's slightly different, skiing the Alps compared to New England or here. But if you come to Colorado, look me up. Let's go and hit Vail or Breckenridge or Beaver Creek. It's some great skiing up there.

Rubi Arbel [00:32:12]:

It's a deal. One more number.

Andrew Monaghan [00:32:14]:

Team one in 352-1210. What annoys you most?

Rubi Arbel [00:32:21]:

What annoys me most? Traffic jams.

Andrew Monaghan [00:32:25]:

How is the traffic in Tel Aviv, Oliveill?

Rubi Arbel [00:32:28]:

It's like Silicon Valley. I mean, when I can, I just use my bikes in order to avoid the traffic. But sometimes you don't have a way to avoid it, and then you're stuck.

Andrew Monaghan [00:32:44]:

Yeah. You feel like you're wasting your life sitting in traffic sometimes, right?

Rubi Arbel [00:32:49]:

Yes. I listen to podcasts. Why I'll do it.

Andrew Monaghan [00:32:53]:

There you go. That's why. There you go. Listen to the Sales Bluebird podcast and hear about all these cool founders like you, right?

Rubi Arbel [00:33:00]:

Exactly.

Andrew Monaghan [00:33:04]:

So an important day at Scribe is the day you founded the company. Another important day at Scribe is the day you won your first real live paying customer. Why don't you take us back to that day, Rubi?

Rubi Arbel [00:33:17]:

It was a bank and it took a long time to process all the signatures on their sides. Very long. But when it happened and we got the signed contract, it was a very happy day, that's for sure.

Andrew Monaghan [00:33:35]:

Now, the time it took them, was that because they were reluctant to work with a startup? Or was it just their process?

Rubi Arbel [00:33:41]:

It was just their process. As a big organization, many people need to authorize.

Andrew Monaghan [00:33:49]:

And was there a big celebration at Scribe that day?

Rubi Arbel [00:33:51]:

Yes. We drank a good bottle of whiskey, hopefully scotch, right? Of course.

Andrew Monaghan [00:33:59]:

So you get your first customer and then somewhere you're thinking, we need to transition from founder selling into getting help somehow, right. Whether we hire a whole team or get a leader or do some contract work from someone. How are you thinking about how you're building out to go to market like that?

Rubi Arbel [00:34:19]:

Yes, well, first of all, I think it is too soon to tell. We are still doing the sales ourselves, the management, the leadership, the founders. We do have SDRs that bring us SQLs, right? Sales, qualified leads. But we do it the sales of sales. So I think that at our stage, we are still early stage. Okay? We are not like in a huge scale or growth stage. So in average it's still okay because it provides us a lot of insights about the customers, what they need, what they expect, what they like, what they don't like in our product. It provides us a chance to improve our product rapidly. And this is really important for a startup at our age. However, at some point, I think that when we are sure that we have the right pitch and the right story and we know how to match between a specific customer and a specific use case. So when we have the playbook, this is the time to scale up and bring salespeople that will do it instead.

Andrew Monaghan [00:35:40]:

Of us as a founding team. Have you talked about what that moment is defined as? Like if you said if we had the playbook and this many customers and we're getting this level of interest every month, something like that? Or is it more of a gut feel when you think you're ready?

Rubi Arbel [00:35:56]:

Yeah, I think that you know how they say if it walks like a duck and quacks like a duck, it must be a duck. So I guess that there will be a gut feeling. Look, I cannot tell you like ten customers, 20 customers, 30 customers. I guess it should be dozens of customers and not hundreds of customers. Right. But also not a few. So I think that when the time comes, we'll know it. I mean, we have an urge to give, to bring somebody else to do it, but we feel that we still cannot do it today. We still have a lot to learn about the market and about the market needs.

Andrew Monaghan [00:36:41]:

And speaking of learning, what did you learn from bringing on the SDRs?

Rubi Arbel [00:36:46]:

So I think that we learned from them how to qualify a lead. They made us think about where to find leads, where to find leads with intent. You don't want to just cold call people, right? I don't like people calling me, so why should I do the same to others? I think that we would like only to approach people that we recognize that they look for a solution, that they are ready. Okay. My ideal SQL is somebody who understands what they need, why they need it, and hopefully they already allocated the budget for it.

Andrew Monaghan [00:37:34]:

Right.

Rubi Arbel [00:37:34]:

I don't want to waste like 2 hours educating somebody from scratch why security is important. So I'm not sure I answered your questions, but this is where we are and this is what we learned from the SDRs.

Andrew Monaghan [00:37:49]:

No, it sounds like what they did was bring almost like a discipline to saying, well, what is good and therefore what is not good. So they can sit there and go, yep, we meet the criteria or we don't meet the criteria. And I'm with you. I mean, I think that if I'm going to be selling Pepsi to people, I'd rather be selling to people who like Pepsi already and try to convince them to buy a bigger can or a different bottle or something like that, as opposed to approaching the market saying you're a Sprite drinker or a Coke drinker or whatever it might be. Come and try my Pepsi. So if someone's already thinking about A, they've got the problem and they kind of like looking for a different way to solve it, then it seems like that's where you want to be playing as much as possible. But it's hard to get though, right? As a startup, trying to get that education out there before you talk to them is difficult.

Rubi Arbel [00:38:38]:

Yes, of course. Go to market is difficult by definition.

Andrew Monaghan [00:38:43]:

Yeah. Let's flip things around a little bit here, Rubi. Do you have a question for me about the go-to-market side, about selling in cybersecurity world that maybe I can talk through with you right now?

Rubi Arbel [00:38:56]:

You looked at Scribe, right? You looked through our website and I'm curious what your go to market approach would be for Scribe. What is like the 80 20 that you think that we should focus on.

Andrew Monaghan [00:39:14]:

Since you brought up the website, let me think about that. So I'll tell you one thing that's true in general in cybersecurity with all 303,000 vendors. And I think, if you don't mind me saying, could be probably said about Scribe as well, is that when you first go to people's websites, I don't think people are being bold enough about trying to be different. All right. I think you said it right. People claim all sorts of things and they use the same buzzwords, but in different orders. Right. And being very unfair to a lot of vendors, but you put like ten of them in a row. Sometimes it's hard to tell what they do, and then it's hard to tell how they're different to each other. And in fact, it's borne out by buyers, right. One of the things that buyers say is that we end up picking this company because they all sounded reasonably the same, and this one just seemed to have I don't know, the way of doing this was a little bit better for us. Right. So I think as you do go to market in general, I would encourage you and I encourage any company to say, just be bold, don't hold back on making claims or calling the other way, the old way, or the different way, or whatever it is, like the wrong way or not enough, or things like that. Right. I remember I interviewed a CEO last year, and he was a former CISO, and he said he bought two or three of these Chasm companies. I'm trying to remember what Chasm stands for now. The automated attack surface management companies. Right. And his company he formed, he founded was almost like an antidote to that. And he said, I bought these companies tools, and in my mind they're all snake oil. And that's a very strong thing to say. Right, yes. But I remember when I interviewed him, I could have stopped him and said, well, we'll tell you more about that. Right. You said something that was very controversial there. You got my attention.
And I don't mean everyone goes around bad-mouthing everyone else, but I think there's an element to say, let's be bold about this. Right. And as I look at your website, I wonder if there's room for let's just flat out be aggressive and say, this is what we do and this is why not having this is so bad. So there's not a I don't know, people don't look at it and go, it just kind of sounds the same as everyone else. Right. I'm not saying that's what yours does. I'm just saying, as a rule, you want to be more bold than perhaps as a startup you might be comfortable with right now.

Rubi Arbel [00:41:43]:

Yes, I resonate with that. Okay.

Andrew Monaghan [00:41:47]:

So that's one thing I would say, and I think the second thing that you have in the world that you're in and it's interesting what you were saying about how you complement the existing tools. It seems like there's whole usage bases of existing tools on the application security side that you can complement. And I'd be thinking about ways to piggyback on that as ways to get attention, ways to get into accounts, and I don't know what that means, right. But off the top of my head, it might be maybe more for marketing than even real technology reasons. You might have a connector to some of these other tools, right, that you could go in and say we're the partner of and we have the connector with. And that's your way to kind of start getting attention in there. And then I think that there you're probably already down that I would go down is in the developer community itself, right? Every conference, every hacker conference, get together, webinars, seminars, podcasts, anything, that's where these people hang out. Go and have your best developer evangelist as soon as you can, you hire the evangelist person whose job it is, is to go around and just be in everything, everywhere and everywhere, right, to do with that whole community. So when people start thinking about it, they go, you almost want to be fed up hearing about you. There's that guy again, he's talking another conference I'm at. But it's done well and done with education, like you were saying, right? You want to do that education bit like that and maybe tied to some of the existing tools in place. Maybe that's the right to market, as you said, as opposed to just doing cold calls and more emails and things like that. So I don't know, I'd be thinking about those things.

Rubi Arbel [00:43:35]:

No, I resonate with everything that you said. And actually we have a developer advocate. We had a developer advocate before we had a marketing manager. Okay? This is how important it is for us. And we are part of the Linux Foundation and the CNCF and we go to KubeCon and OSS conferences. I think that the developer communities are very important for us because in the end of the day, they are the one that deploy Scribe, even if it's for security reasons. And we have open source projects that we just opened some of Scribe technology to everybody to enjoy. And we are going to keep doing that in the future, mostly in order to engage with DevOps with developers. We think that this is even if a significant part of what we do is sell to security teams, we want to engage with developers. And you can see how Scribe is built. It looks like a PLG tool, right? You can just out for free. You don't need to pay anything, you don't need to sign anything. You can just start using it and start to see the value. And this is a classical developer friendly tool and go to market approach. But still, it's not that we are a classical PLG company. We do the top down just as well and even more.

Andrew Monaghan [00:45:13]:

Yeah, you guys do everything, I think, right? It's just what you can take on given your resources at various stages of development. But I love you're doing that. I mean, that to me seems like the natural way to go. Then the question is, when you're doing it, how do you sound different, look different, feel different than everyone else? And obviously, clearly you got some differentiation in this case of making sure that that doesn't get lost on people who don't take the time to dig deeper.

Rubi Arbel [00:45:41]:

Yes, that's the $1 million question. I agree.

Andrew Monaghan [00:45:46]:

Well, listen, Rubi, I've really enjoyed our conversation today. If someone wants to continue chatting with you, what's the best way to get hold of you?

Rubi Arbel [00:45:54]:

So my email is Ruby Rubi@skypesecurity.com, and you can just contact me directly or either through the Connect US on our website today. I'm still in a position that I can see the info, and if I don't see it, then somebody from our team would make sure that I see if anybody is directing me a message.

Andrew Monaghan [00:46:23]:

And will we see you at RSA this year?

Rubi Arbel [00:46:25]:

Yes, of course we will be at RSA. We're going to have a booth and actually we're going to participate in another booth as well. But this is still a surprise, so I can't say anything about it. If you'll go to RSA, you will see it in more than one booth.

Andrew Monaghan [00:46:40]:

Oh, great.

Rubi Arbel [00:46:41]:

Yes.

Andrew Monaghan [00:46:42]:

Well, I will definitely make sure I come around and say hello at RSA this year. And I wish you and the team every bit of success for the show, the year and into next year as well.

Rubi Arbel [00:46:53]:

Thank you so much, Andrew. Thank you for having me.

Andrew Monaghan [00:46:55]:

So in terms of takeaways for me, from that conversation, three things that spring to mind immediately. One is how long Rubi and the team, the founding team, are staying doing founder-led selling. Right. They've got some SDR help to get more meetings for them, but they're doing all the legwork themselves when it comes to talking to prospects. And as Rubi said, there's so much learning to be done. There's so many of these conversations to be had now that they've got a product and they're starting to ask for money, that they want to learn themselves before they start thinking about having someone else do that for them. So I love that they're doing it for as long as they possibly can. And as Rubi says, it might be a bit more of a gut feel that now is the time to bring someone on. I would imagine that also when they start getting overloaded, that's going to be the point where they say, well, let's get some salespeople in to take on some of the load here. But it's such a good thing to do in terms of stretch that founder-led selling period for as long as possible. Second thing I liked about that positioning was the idea that it could coexist with application security, application development security products, as opposed to replace, and therefore that would allow them to go to market in a different way than if they were competing against that old way. There's so many possibilities there by doing that that they might be able to tap into that make a big difference for their whole go to market. And the last thing that felt that was really interesting was, now that they've got some SDR help, how it's brought a little bit of discipline to their sales process. I think I see this a little bit. You've got founders who are selling and they're doing the things they should be doing and they're really good at doing it. They're good at going and talking to prospects and doing some qualification and positioning what they have to solve some problems.
But it's often come from a standpoint of these are the basics we should be doing and this is what we think is right to do. But they don't have the ten years, 20 years experience about how to actually make this into a process and a discipline that can then be built on and handed out to sales teams to follow. So it's nice to have for them those conversations. I can see how it goes, right, you've got some SDR help and the question is, well, what are you going to accept as a lead? What does an SQL look like? Let's define what that is. And once you defined it, then the question is, well, how do you know you've got that both from an SDR qualification standpoint, but also from the company standpoint to say, we've got some leads through, but which are the ones that we can accept and which are the ones that are not up to scratch? Right? So bringing that initial discipline in, I think, is going to make a difference for them as well. But I really enjoyed that conversation. I really like Rubi and his background and how they're approaching this market and how they really are trying to do something different than what everyone else is doing. So I wish them all the success. We look forward to catching them up with our safe.