Are you struggling to differentiate your cybersecurity company in a sea of similar-sounding competitors? Wondering how to effectively position your solution in a market flooded with acronyms and overlapping technologies? Or are you trying to scale growth while navigating the complexities of partnership-driven sales? If so, this episode has some actionable insights to help you accelerate your go-to-market strategy and revenue growth.
In this conversation we discuss:
👉 The challenge of defining and positioning “ASPM” in the crowded application security market
👉 Legit Security’s partner-first, value-driven channel strategy for scaling growth
👉 Real-world use of AI in sales and marketing to prioritize accounts and scale content
About our guest:
Dave Howell is the Chief Marketing Officer at Legit Security, a leader in Application Security Posture Management (ASPM). Dave brings a wealth of experience in cybersecurity marketing and sales, and is passionate about building partner-led growth and leveraging AI to drive smarter go-to-market motions.
Summary:
In this episode, Dave Howell shares how Legit Security navigates the noisy ASPM market, crafts compelling messaging, and executes a channel-first strategy to engage enterprise customers. He delves into partnering best practices and the practical use of AI for go-to-market teams. Don’t miss this episode if you’re looking for strategic sales and marketing ideas that deliver results—tune in now!
Connect with Dave Howell on LinkedIn, learn more about Legit Security, or book a meeting with Andrew Monaghan to level up your cybersecurity GTM strategy.
[00:00:00] Hey, it's Andrew here. Just quickly before we start the episode, I want to tell you about one of my favorite newsletters. It's called Strategy of Security. If you want to understand the companies, ideas and trends shaping cybersecurity and its sub-markets, you should take a look. Cole Grolmus runs the newsletter and he has spent the last 20 years in cybersecurity, including stints at PwC and Momentum Cyber, the investment bank dedicated to cybersecurity. Recent articles I like include
[00:00:30] how could platformization work in cybersecurity where he talks about there being lots of single-vendor platforms, but not a multi-estate platform. And also one called Demystifying Cybersecurity's Public Companies, where he explores the pure-play ones and also hybrid companies which are in cyber. He lists all of them and then breaks down the numbers in all sorts of different ways. Now, this is not a paid promotion. I just simply enjoy what Cole is publishing. Check it out at Strategy of Security.
[00:01:00] strategyofsecurity.com. Now, on with this episode.
[00:01:12] Welcome to another episode of the Cybersecurity Go-To-Market Podcast from the RSA Conference 2025. We're sitting here in the Marriott, which many people will know. In the atrium is a hub of activity going around. I think breakfast is over, so we're not going to hear too many dishes and plates getting smashed. But it's a packed room and there's a lot of good conversations happening. We are here with Dave Howell, the CMO of Legit Security. Dave, welcome to the podcast. Thank you so much. Good morning, and I appreciate being on the show.
[00:01:42] Yeah, it's going to be fun. I'm kind of interested about this because you're in a potentially noisy space looking from the outside. A lot of four-letter acronyms kicking around, trying to describe what you do or don't do or others do. And there's, you know, a lot of bleed-over in different areas. How would you describe what Legit does? And what does your thinking as a CMO mean in terms of how you position the company to try and help people make sense of all this?
[00:02:06] Yes. Well, so the general market that we play in is application security posture management, ASPM. And at the end of the day, what we're attempting to do is help customers to make sense of the reams of vulnerability data that they have so they can really understand which issues have to be prioritized for remediation. The way we think about it, though, is what are the problems you're trying to solve? And that could come in from many different angles. Number one would be, I just want to understand what my entire software development factory looks like, and I want to understand the state of security. So it could be discovery blade.
[00:02:36] The second could be if you're more mature and you already have a bunch of tools in place, how do I understand of all those vulnerabilities that I have, which really matter to the business? And so we bring the context around that to help you really understand of the 100,000 backlog issues.
[00:02:50] These are the ones that you need to prioritize because they're creating business risk. So for us, we do believe we need to use the ASPM acronym because it's what's becoming more understood. It's how customers compare us to others in the space, but it's getting to that real problem that they're trying to solve via discovery, prioritization, automated remediation, things of that nature. As a marketer, does it give you a good feeling about having to use ASPM or do you kind of feel a bit uncomfortable because it is just another four-letter acronym out there?
[00:03:20] So it's funny. We were having this conversation with colleagues yesterday, and I'll say it's a little bit of both. So I think the positive of it is that it gives prospects and customers a common focal point to compare solutions and products in the market. And so as ASPM becomes more well understood and the capabilities become more clearly defined and agreed upon, it's easy to kind of center the cognitive recognition on where we play.
[00:03:44] That said, if you had talked to Gartner, there are probably 20 to 30 vendors that play in the space, all have very different definitions. And because ASPM is such a broad category, it's pretty easy to position yourself in that pocket of technology, even if you only have a subset of those capabilities. So there are pros and cons. I think pros are recognition and awareness. Cons are then really just finding what we do and how we do it differently and better than our competitors. It's hard to have a conversation about this area and not talk about any potential effect Wiz might have had.
[00:04:14] Have they dived into ASPM at all? Are they a viable competitor for you? So they certainly could be should they choose to go there. They acquired Dazz several months ago. When you look at Dazz's capabilities, though, they were really much more focused on kind of centralized ticketing and remediation. We take a much broader approach to ASPM in terms of giving customers a full view of the software factory. What are all the different assets that developers are using? Where are there potentially misconfigurations or other issues in the environment?
[00:04:44] And then how does that line up with your current AppSec posture? So our goal is to provide all that context across both the software factory and the applications as they're being developed, which is very different than what Dazz does. Now, that said, because Dazz, like many others, are positioning themselves as ASPM, it does mean we have to get into some more further explanation in terms of how we are different and where we're similar.
[00:05:05] And from a sales team side, whenever you get that environment, my experience is that people start saying, what I really mean is, and they could almost like have to justify even saying the thing in the first place. How are you encouraging the sales team to handle that conversation? So we really have centered them on approaching this by using kind of three key pillars of messaging. And it centers on this notion of find, fix, and prevent.
[00:05:29] So you want to find everything related to your software factory, how apps are being developed, and those applications themselves. You then need to be able to prioritize the issues that are most important to fix them. And then you need to get into the motion of preventing bad issues from occurring in the future by putting guardrails and other preventative measures in place. So for us, again, it's really about find, fix, prevent, which is a simplified way of kind of describing what we do. Okay.
[00:05:55] And is most of the growth driven by the sales and marketing team or have you got partners or someone else who brings deals most of the growth for you? So we are channel first all the way, and we were one of the first ASPMs to go 100% through the channel. And so we are partner led. That said, we're also bringing leads and opportunities through our marketing efforts, our direct sales efforts. But regardless of where those come from, we will always get a partner involved because we believe that's really core to our business. What's an ideal partner for?
[00:06:25] So an ideal partner would have three or four characteristics. Number one, they must have AppSec capabilities. Number two, they need to have this desire to really get into the ASPM space and work with a partner like us. And number three is right now we're not looking for volume partners. We're working for partners that have the real consultative selling and engagement aptitude so that we can go deep. We're selling to the largest enterprises in the world. Some of our customers are very well-known household brands. And so this isn't a transactional play.
[00:06:55] We need to build relationships. We need to help customers understand how to use the technology, how to deploy it. And so we're looking for partners to help with that. What would be an example of a partner that is not a transactional, but really a value play and a solution play? Well, GuidePoint for sure has been our top domestic partner over the past year, year and a half. And so we lean heavily into GuidePoint, partnering with them on events, direct selling motions, bringing them into deals. And likewise, they bring us into deals.
[00:07:22] So Skip Shaw is the GuidePoint rep in Columbus, Ohio. If I'm Skip, how would I engage with Legit? How do I make money together with you? Well, the first thing I tell Skip is that when you look at our customer retention rates, they're outstanding. So partners that work with Legit and win deals that are legit are likely to retain those over time, which is a net positive from a revenue standpoint. Number two is we have industry-leading margins.
[00:07:44] And so we're looking to bring on partners who really want to work with us, go deep, and help us to build our business as we build theirs. And if I'm Skip, I'm worried about – well, not worried. I'm thinking about how do I make money? So deal regs, what sort of margins? You said healthy. Deal regs, we have some of the highest margins available. We're comp neutral, so they're fully encouraging our sales reps to bring partners involved. And we do everything we can to incentivize them.
[00:08:15] The other thing we focus on with our partners are looking for those that have pockets of expertise in certain regions. And for those, we will go deep. We'll send our field CTO, our SCs out, and do one-on-one trainings with those groups. We're not relying on more transactional sort of enablements such as portals and the like. We'll get there eventually. But right now, we really want to work hand-in-hand with these partners to make sure they understand what we're selling. They understand the value prop. They understand the ICP and the right personas.
[00:08:41] And that they're really well-positioned to walk into these accounts and make a solid pitch for themselves and Legit. Partners are always looking for ease of doing business, right? Because they've got 3,800 vendors trying to get their attention. I'm wondering what you're doing with your program and how you communicate with them to try and help them see that you're actually a good option in terms of doing some business. Yeah, I mean, I think it's probably a roll-up of what I've described before.
[00:09:04] So number one is making sure it's comp neutral so that our reps are fully incentivized to involve a partner and there's no disincentive to do so. Number two, to understand that you as a rep or as a partner organization, what do your sellers need in order to better position and understand what we're doing? And then number three, delivering margins that are some of the best in the industry so that you will make money over time. And so that's what we intend to do. We make it very easy to partner with us on marketing programs. We're pretty flexible.
[00:09:32] We're a smaller organization, less than 100 employees, so we're able to be quite nimble and kind of pivot as the partners need us to. What other growth areas are there for you in 2025 that you're looking to grow the business with? So in terms of channels or initiatives, programs? Yeah, so there are a couple. So number one, we just recently brought on board a small team in the UK to really help with our EMEA focus.
[00:09:58] So for the past couple of years, we've been primarily focused on the North American market, U.S. and Canada. We are starting to see some really interesting business opportunities in the UK in particular, and that warrants additional investment. We recently won a deal in South Africa, for example. So we're seeing more and more desire for the ASPM capabilities pop up in other regions. The other thing that we're looking at really closely is how we can leverage partners to better kind of scale our outbound efforts.
[00:10:28] And so while we don't believe it's a volume play yet, we're starting to see that the market is getting there, where more and more companies are understanding that I have these reams of data that I need to deal with. I don't know how to deal with it from a vulnerability standpoint, and I need a way to manage that. And that is going from the largest organizations down into the mid-market. And so we're looking at how we can organize our teams to support that. Is that rep by rep, or is it more of a program that you're looking to do with partners to drive that in much?
[00:10:54] It would be rep by rep at this point, but I think as the year goes by, we'll look at how we can expand and make it more programmatic over time. Yeah. All of the European expansions interest me. I'm originally from the UK, so I always think about how companies are doing that. Anything you've learned about that that you're kind of surprised about that you weren't expecting? Well, I think we very much take it a let's test and experiment and then invest if it works.
[00:11:19] And so we brought a consultant on for about half a year part-time to start doing some initial discovery work in the market, talking to partners, talking to prospects, going to events to really make sure we had a handle on, is it time to go in deep? And I think what we learned through this is that that approach is really the right way to take it when we're looking outside of the U.S. and we don't have a large team to focus on that market. So I think that's how we'll probably continue to evolve as we expand into other regions.
[00:11:47] AI, hot topic in all sorts of ways this week. Very much so. But in terms of go-to-market, where do you see, where are you most excited about what AI can bring to what the go-to-market team is doing at Legit? So I'm very excited about some of the new capabilities we're seeing from an AI standpoint, supporting marketing operations, revenue operations, sales, etc.
[00:12:09] We have, for example, brought on a new tool that helps us to better analyze the potential productivity of accounts in our pipeline. And so rather than using basic ICP data, your revenue size, employee count, vertical, which all matter, it looks beyond that. So are there other characteristics? How does the company talk about themselves? What sort of key initiatives they have as an organization? How do they talk about digital transformation and other investment areas?
[00:12:39] Who are they hiring? And all those sorts of – there's about 150 different characteristics that they can really triangulate around and say, based on who you've won in the past, these accounts are likely going to be really good for you or likely not very good for you. And it's interesting when you stand that up against what you would consider from an ICP standpoint, there may be a very significant variant. So looking at those tools, again, experimenting, see how it works and moving on. And the others, I think, are a little more, I would say, kind of team scale.
[00:13:07] So how can we use AI to better scale and delivery of content? How can we take pieces of content we've developed as a team and repurpose it using AI more quickly? And really, we're just very open to talking to any of those newer startups in the space. Most of the tools that we brought on are very early stage, even seed. But our goal is to get in early and test them and see what works and help us grow. I am a sucker for a good new tool coming up. Can you give me some names of some of the ones you're excited about?
[00:13:34] Well, so, yeah, Revic, R-E-V-I-C, is the tool that we're using for account prioritization. And what's interesting, if you ever talk to them, generally, they're selling to RevOps. And I think I was probably one of the early ones to be interested from a marketing standpoint, because what I see is that even if we aren't ready to fully grab and hold on to that data from a sales standpoint, let's start running some campaigns and see how it plays out to see if it helps us to either justify or argue against the capabilities of the tool.
[00:14:02] The other that we use is a tool called Tofu, T-O-F-U, which helps us to do a couple of things. One, it helps with scale of personalization. So everything from emails to landing pages, et cetera, for our various campaigns. And it also has a play in terms of content repurposing. So those are the two ones that we've been most deeply embedded with. There are others we've tested and moved away from. I won't mention those. So we'll leave it at those two. It feels like in six months time, you might have a different answer, right? I may. It's moving so fast right now. I may, yeah.
[00:14:31] Hot topic as well is SDR, BDR. Does that fit in marketing at Legit? Or do you have SDRs, BDRs? We do. We have BDRs and they are both hunters and farmers. So they're managing both outbound as well as managing inbound leads. We have a small team. They sit in marketing now. They were previously in sales. From my point of view, I'm less concerned about where they reside from an organizational standpoint and more concerned with do we have alignment across sales, marketing, and the executive leadership
[00:15:01] team in terms of their responsibilities, their KPIs, what their day-to-day looks like. So I don't think much has materially changed as they moved under marketing. And we can move them back later if it seemed to make more sense. What was the reason behind the move then? There was just an overall organizational change. Yeah. All right. Yeah. Well, good. Dave, thanks so much for joining us. It's been a good discussion. All right. It's an exciting time for the company. RSA is always an energizing moment for many, not a de-energizing moment. It is. And we're wishing the team every success for the rest of the year. Thank you so much, Andrew.
[00:15:30] I appreciate it. All right. It's time for another episode of Visionary or Smoking Crack. Introduce yourself. I'm Joe Silva, co-founder, CEO of Spectrum. All right, Joe. I am going to throw out some bold predictions at you right here about the future of cybersecurity, cybersecurity sales. You tell me, am I a deep-thinking, insightful visionary? Or did I inhale a little bit too deeply walking through the Tenderloin on the way to our meeting this morning? All right. You're in for the first one?
[00:16:00] Let's do it. By 2030, 80% of cybersecurity purchases under 100K will happen without a human seller or a human buyer. There'll be AI agents doing all the work. Visionary. Tell me more. Well, one, I increasingly see just relationships and sales and security being devalued. I see, you know, accounts get shifted around from rep to rep, which is already kind of dehumanizing sales.
[00:16:28] I just think there's an opportunity for disintermediation in security sales like there is in everything else. I think the nature of cybersecurity sales in general is going to change because it's so different than other IT sales. I think we're going to move more towards a model of you're either buying it online through agents or you're maybe buying it through a single reseller. Love it. All right. Next one. In five years, within five years, more CISOs will report to the CFO than they do to the CIO or CEO.
[00:16:58] I think you're high as a kite, my man. Tell me more. Well, you know, the as a CISO, you're managing security risk, cybersecurity risk for the organization. As a CFO, you're managing financial risk for the organization. I don't see the overlapping competencies there. And to say that statement is even somewhat on point, you would have to see a path for someone to go from being the CISO and then their next role of being the CFO in the company.
[00:17:27] And as opposed to right now, what's the role above a CISO that someone shoots? You could be a CIO, which, you know, is not very common, but it's increasingly common. Increasingly, you see a lot of CISOs who are actually taking on infrastructure within their portfolio. Ultimately, you're a technology professional with a concentration on managing security risk. You're not a financial professional where on one day I'm managing cybersecurity risk. And then the next day or maybe a year from now, I'll be managing FX risk for our business. Okay.
[00:17:56] Next one. The most successful cybersecurity salespeople in the next five years won't come from a sales background. They'll be former practitioners who also know the business of cyber really well. Am I a visionary or am I smoking crack? I think you're probably hitting the pipe there, Andrew. I mean, ultimately, like, you know, going back to your first question, a lot of sales is going to get disintermediated, dehumanized.
[00:18:23] The core competency of sales is still your ability to connect with another person. So those sales folks that are left where person to person sales is going to continue to be common, it's going to be because you have the ability to make a connection with another person, understand their problems. And then, of course, a competency that you need to have is to have some ability to connect that back to the technical problems and solutions. But ultimately, the reason sales will continue to exist is because people want to
[00:18:53] connect with another person who can understand and empathize with them. Yep. Are you a college football fan? I am. Go Noles. Okay. Although last year was painful. So by 2030, Shedeur Sanders will have won a Super Bowl. Visionary or smoking crack? I would say I wouldn't say you're a visionary, but there's a lot of guys who won the Super Bowl sitting on the bench. Hmm. But no indication that he's going to be a starter. Okay. You'd have to move to a different team, right? That's right.
[00:19:21] I would definitely say you're smoking crack if you're telling me the Browns will win the Super Bowl anytime in my lifetime. Yeah, that was a little bit too obvious. All right. Last one. So recently, Google announced they were acquiring Wiz and some hacks in the industry called the combination G-Wiz. So within 12 months, CrowdStrike will buy Island and the new name of the company will be Hong Kong because it's a crowded island. Visionary or smoking crack?
[00:19:49] I think you're smoking crack, but A for creativity. I like it. Love it. Well, thanks for joining us, Joe. Hey, thanks for having me, Andrew. It's been fun. It will mean a lot to me and to the continued growth of the show if you'd help get the word out. So how do you do that easily? There are two ways.
[00:20:16] Firstly, just simply send a link to a friend, send a link to the show, to this episode. You can email it, text it, Slack it, whatever works for you and is easy for you. The second way is to leave a super quick rating. And sometimes that can seem complicated. So I've made it as easy for you as I can. You simply have to go to ratethispodcast.com/cyber. That's ratethispodcast.com/cyber, and it explains exactly how to do it.
[00:20:46] Either of these ways will take you less than 30 seconds to do and it will mean the world to me. So thank you. Thank you.