Are your cybersecurity solutions truly addressing the market’s top concerns? Can early-stage startups convincingly meet the security demands of large enterprises? How does cultural background influence a cybersecurity leader’s success?
In this conversation, we discuss:
- Challenges faced by early-stage startups in aligning their products to market needs.
- Understanding the role and impact of diverse cultural backgrounds in cybersecurity.
- The significance of practical experience in founding successful security operations.
About our guest:
Ross Haleliuk, head of product at Lima Charlie and author of "Cyber for Builders", is a distinguished figure in cybersecurity, known for his profound insights into start-up ecosystems and operational challenges. His background and thoughtful opinions make him a valuable voice in the industry discussion.
Summary:
Join our host, Andrew Monaghan, as he explores with Ross Haleliuk the complexities and strategies driving today's cybersecurity market. Ross offers essential advice for startups and established companies aiming to succeed in this dynamic field. Tune in for invaluable perspectives that could revolutionize your go-to-market strategies!
[00:00:00] Hey, it's Andrew. Just quickly before we start this episode, I want to tell you about one of my
[00:00:03] favorite podcasts, the Secure Ventures podcast. The host Kyle McNulty interviews cybersecurity
[00:00:09] founders about what they are building. I enjoy it because Kyle focuses on their technology,
[00:00:14] what it solves, why they build it, where it fits in the market. Also listeners can understand
[00:00:19] the why of these startups. In some ways it's a great complement to my own podcast where I
[00:00:23] focus on the go-to-market side, not the technology side. He's had some great guests on
[00:00:27] recently. For example, the CEO of Reality Defender when they talked about the ins and
[00:00:32] outs of deepfake detection. He's had the co-founder and CEO of Go Security and also
[00:00:37] the co-founder of Radical, Chris Peterson, who was incidentally a founder of LogRhythm.
[00:00:42] They talk about the role of AI in the SOC. This is not a paid promotion. I just simply
[00:00:46] enjoy what Kyle is doing with his interviews and get a lot out of them. Check it out.
[00:00:50] It's the Secure Ventures podcast. Now on with this episode.
[00:00:55] Starting a company and getting traction in cybersecurity is hard. Fundamental decisions
[00:01:01] like which problem to solve, how do you know when you have product market fit? How do you compete
[00:01:05] against the big platform companies? Luckily Ross Haleliuk literally wrote the book about all
[00:01:11] of this. Cyber for Builders was released in January 2024 and has become a best seller.
[00:01:17] Ross joins us today on the podcast to demystify what it takes to get building right. Don't go
[00:01:23] away. Welcome to the Cyber Security Go To Market podcast where we tackle the question,
[00:01:38] how can cybersecurity companies grow sales faster? I'm your host, Andrew Monaghan. Our
[00:01:44] guest today is Ross Haleliuk, head of product at Lima Charlie and the best selling author
[00:01:49] of the book Cyber for Builders. Ross, welcome to the podcast.
[00:01:54] Thank you so much, Andrew. Happy to be here.
[00:01:56] I've been looking forward to our discussion, Ross. The book came out recently, right? Was
[00:02:00] it February, March time? Is that about right? Mid-January.
[00:02:03] Mid-January. Okay.
[00:02:04] Mid-January.
[00:02:06] I was behind on getting my copy, but Cyber for Builders, the essential guide to building
[00:02:12] a cybersecurity startup. So a lot of good stuff in here. What's interesting about it,
[00:02:17] Ross, is not just you. You've actually collaborated with a whole bunch of cybersecurity
[00:02:22] entrepreneurs and operators and all the rest of it to bring out a pretty compelling little
[00:02:26] book here. Yeah, it's been a very,
[00:02:29] very exciting journey of getting together the book and also reaching out to over 50 cybersecurity
[00:02:34] startup founders, investors, like industry analysts and participants of the industry
[00:02:40] otherwise, to get their perspectives. I didn't want it to be just a monologue of one guy
[00:02:46] who builds products in the industry. I wanted it to be a fairly diverse
[00:02:51] collection of different perspectives and different ideas.
[00:02:54] Well, when we look at the book, Ross, I looked through some of the chapters.
[00:02:59] I would say actually, before we get into it, if you're listening to this episode and you're
[00:03:03] wondering whether this book is for you, if you're in the mode of building a company,
[00:03:07] it's for you. Also, if you're in the go-to-market side though, there's a great
[00:03:11] whole chapter here that Ross has done explaining the ecosystem of the cybersecurity
[00:03:16] industry, explaining what different players do, the pros and cons of what they do and where
[00:03:20] they fit into everything that's going on. I think it's probably the best summary.
[00:03:25] If you don't know what a GSI is, for example, and how that differs to like a reseller versus
[00:03:29] how it might relate to an angel investor versus a VC versus a PE, if you want to make sense
[00:03:36] of all those things I've just said, I would go read that whole chapter in Ross' book because
[00:03:39] he lays it out very clearly about what all these different entities do and what they care
[00:03:43] about. Yeah, if you're in that mode, definitely go read it for that reason.
[00:03:47] There was a couple of sections in here that caught my eye. One was called validating the problem
[00:03:51] at the start, towards the start of the book. Then towards the end, you got a section called
[00:03:56] a practical guide to failing a startup. You've got a subchapter there that says,
[00:04:01] scaling before the company achieves product market fit. This seems to be endemic, Ross.
[00:04:08] Very unfairly and unscientifically say, of the 3,700 vendors in cybersecurity,
[00:04:13] there's a whole load in that half million to five, six million ARR range that aren't growing that
[00:04:18] fast, primarily because they don't have a strong product market fit. Why do very, very smart
[00:04:25] people kid themselves that they've got product market fit and start throwing salespeople and
[00:04:30] marketing people at a product or a company that isn't quite ready for it?
[00:04:34] That is a good question. I don't think I have a very insightful answer, but I definitely have
[00:04:38] an opinion on this topic. I think the number one thing that comes to mind is that it's very hard
[00:04:45] to see once you have achieved the product market fit. There isn't a specific revenue
[00:04:50] threshold that enables you to say that. There isn't a specific kind of feedback that you
[00:04:55] start receiving about the product. There is no milestone when it comes to the number of active
[00:05:02] users in the product that you can just hit and say, okay, I have achieved the PMF. Everything is
[00:05:10] going well. It's time for us to start scaling. It's a very abstract term, and it's much easier
[00:05:17] to see when you do not yet have a product market fit than it is to see once you have
[00:05:24] achieved it. The textbook definition of PMF is that while the signs are very clear,
[00:05:31] the moment your product starts selling like a hot cake and everything is fantastic and
[00:05:38] customers are reaching out and prospects are reaching out and starting to ask for your products,
[00:05:43] starting to say, hey, just take my money. Give me what it is that you've built. That's
[00:05:47] where you would have achieved the product market fit and it's time for you to start scaling.
[00:05:51] But realistically speaking, with security products, it rarely if ever happens.
[00:05:56] There are some examples of solutions where the market was educated so well that it did indeed
[00:06:05] start to pull security solutions. There is an example of an MFA which has taken us over a
[00:06:12] decade to get to the point where the broader market understands the value of it and starts
[00:06:17] to implement it. There are some of the other examples, but for the most part,
[00:06:22] cybersecurity startups always have to educate prospects and educate customers why it is that
[00:06:29] they need to care about the specific attack vector that they're solving for or the
[00:06:33] specific problem that they're solving. For that reason, it's frankly very hard to say
[00:06:39] once a startup has achieved the product market fit. We've been able to sell the product to
[00:06:46] 25 SMBs. Is that enough for us to go and hire 25 salespeople and just say,
[00:06:54] go? I don't know. It depends. It's the absence of a very scientific formula that makes it very
[00:07:00] hard. Frankly, timing is also tricky because if you scale prematurely, you can lose the
[00:07:07] momentum and you can essentially just set your resources on fire, burn the money by over hiring
[00:07:14] salespeople, by unleashing them to start selling something that the market is not yet ready
[00:07:21] to buy or maybe that doesn't fully solve the problem. But if you wait too long and you don't
[00:07:28] hire fast enough, the problem you end up in is very different. It is the problem where your
[00:07:34] competitors are able to seize the moment while you're trying to ramp up your sales function.
[00:07:40] So there is this sweet spot for hiring once you are seeing strong enough signs of the product
[00:07:48] market fit, but before it became evident to the rest of the industry that this is indeed a
[00:07:54] problem with high potential when you need to start hiring. That spot is very, very hard to
[00:08:00] find. If I were to summarize this, that's the number one reason why. There is the second
[00:08:08] reason too, and I think that second reason is much easier to explain. It's probably an even
[00:08:16] harder one to tackle. And it has to do with the fact that the vast majority of cybersecurity
[00:08:20] startup founders are very smart, technical people who have great ideas about how certain
[00:08:27] technological innovations can change the game and can enable cybersecurity defense teams
[00:08:35] to do their work and to outsmart the adversaries. But what they're often not is they're not sales
[00:08:42] people, they're not marketers, they're not product people. So they have that technical
[00:08:46] understanding and they end up building a very good, very robust technological solution
[00:08:52] that the market may or may not be ready for, the market may or may not understand.
[00:08:58] And in their mind, it's often that all we need to do is to just now that you've built
[00:09:03] the product, let's hire sales people and let's start selling. But that's like you and I both
[00:09:08] know that that is not how the life works. If you didn't initially start from the customer
[00:09:14] discovery, if you didn't understand the problem in depth, if you didn't understand
[00:09:18] the customer's willingness to pay, if this problem is in the top 10 or top 5 problems that
[00:09:27] the security team cares about, you're probably not going to build a product that you can just
[00:09:32] go ahead and start selling. And this is where what I often see in the industry, sales people
[00:09:38] and marketers are put in the position in which they have no chances of winning. You have very
[00:09:44] smart technical founders who build great solutions to problems that may or may not exist.
[00:09:49] And they see that they're struggling to sell those solutions. So they go ahead and they hire
[00:09:54] a marketer, they hire a salesperson and say, okay, go start selling. We want to see demand.
[00:09:59] But neither of those people can artificially manufacture that demand. And so then the
[00:10:04] founders become upset that their sales and marketing are not performing well. And there
[00:10:08] is this disconnect between the reality of the market and what the founder or a set of founders
[00:10:14] and salespeople and marketers are trying to do. So that to me is the second reason, is this
[00:10:18] the fact that many products are started as solutions first or solution driven. And then
[00:10:24] they're trying to find the problem and they're trying to just get somebody to buy them.
[00:10:29] I feel like in cyber, maybe in tech in general, everyone has a ton of problems. You talk to
[00:10:34] a CISO, you talk to VP of Security Ops. There's things that aren't working great. It's whether,
[00:10:39] as you said, it's the top five things they're really concerned about. Maybe that's where
[00:10:44] sometimes founders are going to get happy ears a little bit, say, well, they got this problem.
[00:10:48] Therefore, we should go solve it as opposed to digging deeper into, well,
[00:10:51] how big a problem is this?
[00:10:53] And 100%. And it's actually much more complex. And this is why I don't believe that some
[00:10:58] blanket suggestions are going to do this industry justice. For example, the fact that the security
[00:11:05] team has a problem does not necessarily mean that one, it's the most urgent hair on fire problem
[00:11:10] that is going to compel them to go out and look for solutions. But more importantly,
[00:11:15] there are times when it is a legitimate problem. Security team is genuinely concerned about
[00:11:22] solving this problem, but they also know that they have like 85 or however many security tools
[00:11:28] already implemented in their environment. So every time the question becomes,
[00:11:33] how do we solve this problem? The number one option is never to go out and see what are some
[00:11:41] of the newer startups offering. The number one default option nowadays is becoming, let's have
[00:11:47] a look at our existing stack and see if any of the solutions there can solve this problem.
[00:11:53] Again, it doesn't mean that those solutions will be able to solve this problem better than
[00:11:57] whatever dedicated startup out there is tackling this specific challenge. But if any of your
[00:12:05] existing tools can solve this problem to like 75%, that may very well be good enough.
[00:12:10] You don't have to introduce a new vendor, you don't have to go through a new POC,
[00:12:14] you don't have to sign a new contract, you don't have to negotiate a new contract.
[00:12:17] So all of those factors are impacting the startup's ability to succeed. Just because you
[00:12:22] have a problem doesn't mean, and just because the customer has a problem and just because a startup
[00:12:29] has a good solution, it does not mean that this customer is going to go out and consider
[00:12:36] bringing in a new vendor. It's much more likely that they're going to say, okay,
[00:12:41] is any of the platform vendors that we currently have going to solve this problem
[00:12:45] within the next six months? And if the answer is yes, there's just no chances that this
[00:12:50] company is going to buy a startup. They will most likely sit and wait until the Oktas or CrowdStrikes
[00:12:56] or Palo Altos or Microsofts of this world are just going to release this new feature.
[00:13:00] And it makes sense, right? So there's just so many factors that startups and founders
[00:13:05] have to think about that is just beyond is this a problem and should they go ahead and
[00:13:10] solve it? Like yes, some things are problems. And with so many blurred lines to what you're
[00:13:15] saying between different categories or subcategories or product types, right?
[00:13:20] It's not clearly saying this one shines a light and this one drives a car. It's not like that,
[00:13:24] right? The world we're in, there's so much overlap in different product areas. You could see how
[00:13:30] good enough is actually might be a completely different way to solve the problem that
[00:13:33] the founder hadn't even thought about, right? That if they just did something and activated
[00:13:37] something in Okta, it might actually take care of most of this other problem they were thinking
[00:13:41] about. Yeah. And for many founders, well, for most founders or I would even dare to say for
[00:13:47] all founders, this one problem that they're solving is the number one problem that they
[00:13:52] hope the security team is going to worry about. And it's the number one problem that causes
[00:13:57] all the breaches. Like if you look at the marketing of every single cybersecurity solution,
[00:14:03] it sounds as though if you look at the identity solution, like 90 plus percent of all the
[00:14:10] breaches happen because of the identity, misconfiguration and so on and so forth.
[00:14:16] If you're looking at the cloud security solution, you take the same number, 90 plus percent,
[00:14:21] but just say they happen because of the cloud. If you are a company that helps to secure
[00:14:26] workforce or deal with insider threat, it's the same story. Like 90 plus percent happen
[00:14:31] because of the insiders. And so I don't... It's hard to say to what degree those numbers are
[00:14:36] correct. Obviously, they all cannot be right at the same time. But what is true is that
[00:14:42] from a perspective of a founder that is, for example, tackling the problem of insider
[00:14:47] threats, they go to market, like they talk to CISOs and they say, you know what? This
[00:14:52] is the number one problem you should worry about. And we have a solution. But then if
[00:14:57] you step back, then you realize that from the CISO's standpoint, there is like 155 of those
[00:15:02] startups that are all trying to say that yes, the problem we are solving is the number one
[00:15:07] problem you have to worry about. And a smart security leader is not going to handle
[00:15:12] prioritization based on whatever the companies that are selling them solutions are telling
[00:15:17] them. Instead, they'll step back, they will look at their own environment, they'll try
[00:15:21] to understand what the attack vectors are, what the crown jewels are of this specific business,
[00:15:28] where the risks lie in this specific customer environment. And based on that,
[00:15:33] will do their own prioritization. And it just so happens that there are hundreds and thousands
[00:15:39] of potential, you know, attack vectors, of potential ways through which an organization
[00:15:45] can be breached. But some of them are much more likely to happen than others. And security
[00:15:49] budgets are finite. So the buyers will have to prioritize the areas that they're most
[00:15:54] concerned about and deal with the rest. One of the things I've heard you say,
[00:15:58] Ross, in the last couple of years is that you really advocate for founding teams who have been
[00:16:03] practitioners. So they've been in security operations or architecture and they had to run
[00:16:08] that for, I don't know, a Fortune 500 company for a few years, they truly understand
[00:16:13] the nature of the world in which they're in. And yet, you know, there's a whole bunch of
[00:16:18] very successful startups right now who came out of 8200 out of Israel, very, very smart
[00:16:23] people, right? Who clearly know cyber security really, really well, but they might not have
[00:16:28] the operational experience. So how do you think about that dichotomy then about, you know,
[00:16:33] where the real secret sauce might lie? Yeah, so it is a very interesting question.
[00:16:38] And I think it's also important to define what the meaning of the word security practitioner,
[00:16:45] right? I have a full confidence and I have a very, very high degree of certainty that
[00:16:53] every 8200 unit graduate is a security practitioner, right? It's just they're
[00:17:01] practitioners who are often on more of an offensive side, but they're still very
[00:17:08] proficient, highly educated, highly agile security practitioners and people who understand
[00:17:15] security at the very fundamental level. There are many reasons why places such as Unit 8200
[00:17:21] are producing so many great founders and so many great companies. And there is definitely,
[00:17:28] you know, there is definitely the Israeli culture. There is definitely this, you know,
[00:17:31] this mindset that I can do anything like I am very capable. There is the support
[00:17:39] that people from IDF get once they do choose to start a company, but also something that
[00:17:46] often gets missed. And it's the fact that there is a very good understanding of the
[00:17:52] offensive side of security. And when you think about places like NSA, when you think about
[00:17:59] places like IDF, people who work in the military, they get visibility into the most
[00:18:07] cutting edge offensive technologies. And typically in cybersecurity specifically,
[00:18:14] it generally takes several years for the cutting edge offensive technologies to, you know,
[00:18:20] to start and to start spilling into the market and to translate into, you know, just the
[00:18:27] day-to-day breaches. So anything we are talking about today as just the commonplace
[00:18:34] breaches like the behavioral detections, like all of this stuff, it used to be the,
[00:18:39] you know, it used to be the very same techniques and methodologies that were used in IDF or used
[00:18:44] in NSA were used by the nation states attacks. And then after several years, it sort of escapes,
[00:18:50] you know, the containment and it becomes commonplace. So essentially people who get
[00:18:55] to see the attacks in the military can anticipate that the same or similar types of attacks
[00:19:02] will be seen in the industry several years from now. And they can build solutions that not
[00:19:08] only anticipated, but solve those specific problems. There's so many reasons why that's the
[00:19:13] case. I do believe that 8200 like in general, like a unit might solve IDF more broadly,
[00:19:21] like places like NSA, you know, the US cyber command, like all of those places are producing
[00:19:27] highly capable security practitioners. It's just that their lenses are very different than the
[00:19:32] lenses of somebody, for example, working in a SOC at JP Morgan, which is also going to be very
[00:19:38] different than the lenses and the perspective of a security engineer building solutions at say,
[00:19:44] Google or Meta. So it's they're all security practitioners. They just see the industry from
[00:19:49] different perspectives. It feels like the ideal combo is a little bit of each, right? If you
[00:19:53] had the more future thinking 8200 person with the JP Morgan SOC person with
[00:20:00] the Meta engineer architect, that might be the killer combo right there.
[00:20:04] Potentially, potentially. I think I think that like the fundamental philosophical question here
[00:20:10] is do we care? Like, do we care about people and their ability to do things, you know,
[00:20:16] their drive, their hunger, their passion, their willingness, you know, to go an extra
[00:20:21] mile to succeed? Or do we care about the specific skill sets and experiences?
[00:20:26] I am a big believer that the former matters much more than the latter, meaning one of the
[00:20:32] like one of the reasons why Israeli founders often succeed over, you know, founders from
[00:20:36] other geographies is really their drive. It's their hunger. It's their desire to just push
[00:20:42] the limits and go, you know, go and make things happen. While you see people in some other
[00:20:47] places are used to more, you know, like I'll say safer, safer ways in which the competition
[00:20:55] unfolds. And we're just frankly less hungry. And that is something that I see a lot with
[00:21:01] the security engineering culture today, where if you're a security engineer in one of the
[00:21:06] successful like in one of the Bay Area cloud native venture backed companies, you can be
[00:21:14] paid very well. Like we are talking about like hundreds and thousands of dollars. And
[00:21:19] the question is, why would you take a risk? Right? If you like if you're deciding if
[00:21:24] you want to give up your half a million salaries somewhere at very advanced and
[00:21:30] very tech forward corporation and go and build a startup that has very high chances
[00:21:34] of failing, do you even feel compelled to make to take that risk as much as if you
[00:21:40] are not making half a million bucks and you know that the only way for you to succeed
[00:21:45] financially is to go and build this, build a successful company. So there are all of
[00:21:49] those factors that come into play. But I do believe that the future of cybersecurity
[00:21:52] innovation is going to be defined by security practitioners. And frankly, not just the
[00:21:56] future, but the present, like very much the present today is being defined by people who have
[00:22:02] who have seen security from the very like who know security from the very foundational level,
[00:22:08] who have accumulated their experiences, be it in the military, be it in you know, on SOC teams,
[00:22:14] be it, you know, on application security teams. So like the future the future is already here.
[00:22:20] It's just not evenly distributed as they say. Talking about risk, let's take a different angle
[00:22:25] to this. What did it take for a CISO or security leader, let's say any company
[00:22:31] to actually want to buy from an early stage cybersecurity company? Yeah, I it's interesting
[00:22:37] because I actually have an article that is I think it's scheduled to come out this week or
[00:22:41] potentially next week about like talking about risks of buying from startups. And frankly,
[00:22:48] in my view, any purchasing decision has some risk context, right? If you are like if let's
[00:22:56] just say if a security team is considering buying solutions from a large and established
[00:23:00] corporation, there are risks. It's just different kinds of risks. Yes, maybe the risks of
[00:23:07] that company going, you know, going out of business three months later are lower. But there
[00:23:12] are risks to, you know, to the quality of support that the security team can expect. You know,
[00:23:18] even you submit a support ticket with a large enterprise, you're probably going to wait for
[00:23:25] a few weeks until they get back to you. And the answer is often going to be yeah, thank
[00:23:30] you. We acknowledge your concern that, you know, the team will take this into consideration
[00:23:35] as we plan our future roadmap. And that's the end. Like to me, the fact that you as a buyer
[00:23:42] cannot get your feedback actioned in a quick manner is a form of risk, for example. Then if
[00:23:49] you look at the startups, you see that yes, the chances of that startup getting out, you
[00:23:55] know, either going out of business or pivoting or, you know, maybe be getting acquired are
[00:24:03] potentially higher than the chances of a more established company. But even then,
[00:24:09] there are risks that are lower, right? You have a much lower chances of needing to wait for
[00:24:15] six weeks until your product question gets answered because the founders are working 24-7
[00:24:21] and they will get that answer to you right away. So you're not taking those risks.
[00:24:26] And so I guess the meta point is that every single buying decision is risky.
[00:24:32] It's just there are different types of risks that are more likely for different kinds of products.
[00:24:37] Moreover, in cybersecurity specifically, there aren't really that many choices that buyers have,
[00:24:44] right? You look at some of the more established companies and you see them getting acquired.
[00:24:49] You see them getting acquired for pennies on a dollar, you know, despite having raised like
[00:24:54] billions of dollars. Like you see companies getting acquired by private equity firms and then,
[00:25:00] you know, having their roadmaps and having their focus changed entirely.
[00:25:06] So there are risks. There are always risks. I think one of the responsibilities of a security
[00:25:13] leader is to find ways to manage those risks. And when they buy from an early-stage
[00:25:20] cybersecurity startup, yes, the chances are much higher that something is going to happen
[00:25:25] to that startup. But then also they can get a potential partner that is going to be very
[00:25:30] responsive to their questions, that is going to be willing to build the product and shape
[00:25:35] the product in such a way that addresses the unique concerns of the enterprise.
[00:25:41] So for very early-stage founders, I think that's where it becomes very tricky. Like if you're
[00:25:46] a pre-seed seed stage company and you're trying to get an enterprise to talk to you
[00:25:50] and to buy from you, like that is a much harder value proposition.
[00:25:54] There are some tricks through which people are trying to signal that the risk of working
[00:26:01] with them is lower. Like some startups, for example, build an open-source version of
[00:26:06] their product. So while the enterprise buyer may not develop a very high degree of confidence
[00:26:14] that this startup is going to be stable, at the very least they can inspect the code.
[00:26:21] They can see exactly how the product works so they can analyze it to understand if there are
[00:26:27] any kind of security concerns that they should be worried about. So creating the open-source
[00:26:33] version is one way to handle those risks. Being just very transparent with buyers about
[00:26:38] the stage of the company is another way to handle the risk.
[00:26:42] Raising capital from reputable investors is also a very strong signal that buyers look at and
[00:26:49] they say, okay, we don't know if this company is going to be successful, but it's most likely
[00:26:54] that we will want to replace this product after two years anyway, and they have just raised
[00:27:00] capital that will give them runway for the next three to four years. So that sounds great.
[00:27:05] Like we're probably okay to make this buying decision. So all of those factors, the capital,
[00:27:11] the caliber of the team, the quality of the team that the company is able to attract,
[00:27:16] are they hiring very senior, very reputable people or are they outsourcing their software
[00:27:22] engineering to countries with lower cost of labor? So all of those factors along
[00:27:27] with the capital that they're able to raise, like the quality, the caliber of VCs,
[00:27:32] the CISOs and the peers who either recommend this product or who could have potentially either
[00:27:40] invested into it as angels or maybe who act as advisors to the company or just reputable people
[00:27:46] from the industry who are not practitioners, but who still have that strong profile. Like all of
[00:27:52] those things matter and they signal that the startup is ready to start selling to more mature
[00:27:57] companies.
[00:27:57] But Ross, let's learn a bit more about you personally. I'm going to spin the wheel here to
[00:28:04] see which of these 35 questions I'm going to ask you. And just so you know, my spin the wheel
[00:28:10] technology is next gen, it's AI driven. It uses the latest polymorphic encryption to protect
[00:28:16] the algorithm I'm using to generate completely random questions out of absolutely nowhere. So
[00:28:21] let me spin this wheel and see where it comes up. Question number 19, Ross, how did you make
[00:28:31] money as a kid? So when I was a teenager, I was actually doing some writing, like some sort of
[00:28:39] ghost writing for different local media. So writing was something that I've done before.
[00:28:47] When I was even younger, I think I was solving, I was doing homework for people for money.
[00:28:52] That's also something I've done. Living in a different world where it wasn't considered
[00:28:57] cheating at the time. I've got two teenage girls, I'm sure they would tell me it's not
[00:29:03] cheating either. Now you started writing in your teenage years. Is that the forerunner
[00:29:07] of your blog then? Which has been so successful? I did. I was quite active. You see,
[00:29:13] I was quite interested in politics and different societal challenges. So the topics on which
[00:29:21] I would write before were very different. I was doing all kinds of random stuff. I was
[00:29:27] drawing. So I had several exhibitions and actually sold some paintings abroad in different
[00:29:33] European countries. It was, yeah, the childhood was an interesting time, a very different time.
[00:29:37] You were doing lots of things to make money as a kid. That's awesome. All right,
[00:29:40] let me spin the wheel again and get our second question. All right, number 28. Is there
[00:29:51] a memorable moment in your work career that either makes you stop and think that was cool
[00:29:58] or stop and think that was a little embarrassing? That is going to be a tough one. Yeah,
[00:30:05] like I spent the past decade of my life in product management so all the memorable moments
[00:30:12] were primarily releases and big milestones that we would launch. I don't know if there is
[00:30:18] anything specific, anything that's fun or even embarrassing that I can come up with.
[00:30:23] You know, I never, fortunately I was never naked on a Zoom call or Google Meet call.
[00:30:31] No extra unexpected events have ever happened to me. I think probably the most memorable
[00:30:36] moments that I can think of were during the pandemic when I would get to actually get
[00:30:41] together with people that I've worked with. Just going out, going to do some rock climbing
[00:30:47] and some of those things. And the reason I say that those are the memorable moments is
[00:30:51] because I am a very social human being. Like, I need people, I need to be around people
[00:30:55] and the several years of the pandemic isolation were very, very hard on me. So,
[00:31:02] whenever I would get out and actually socialize with people I work with, that was indeed
[00:31:07] very memorable. Quite a boring answer but I think as long as you accept it. Well,
[00:31:13] I accept it for now but we got RSA in a couple of weeks time so we might have to
[00:31:17] engineer an embarrassing moment or a fun moment for you at RSA. All right, let's spin the wheel
[00:31:23] for the last completely random question here. All right, number three. What is the story
[00:31:35] behind you getting your first job in cyber security? Yeah, the story is actually very
[00:31:42] different from most of the stories I've heard about people getting into security. So,
[00:31:47] in my case, like I'm a product guy. I have been in product management for quite some time.
[00:31:51] I worked across different industries. So, I was in e-commerce, retail, wholesale,
[00:31:55] financial technology for a number of years and then at a certain like several years ago,
[00:32:01] well quite a few years ago or at least that's how it feels at this point,
[00:32:05] a good friend of mine reached out saying, hey we're looking for somebody to lead product.
[00:32:10] We are a cyber security pre-seed stage startup. Knowing that you have done product,
[00:32:15] knowing that you have led product at different companies, would you be interested in joining?
[00:32:19] I had a great conversation with the founder. I had a great conversation with the broader team.
[00:32:26] Everything made sense. The industry made sense, the opportunity made sense,
[00:32:30] the market made sense and then I went home and I started doing some digging into the industry.
[00:32:35] I wanted to understand how the industry functions, like what are the different vendors,
[00:32:39] what are the different product categories and ultimately after doing it for several hours,
[00:32:44] I ended up calling my friend and I said, you know what, I am not going to do it.
[00:32:49] So his response was like hey, like what do you mean? And for me, you know, for me at the time
[00:32:54] coming from the financial technology world where you can very much understand what different
[00:32:59] products do into the cyber security world, the very first things I saw were MDR, XDR,
[00:33:06] MDR, SIEM, SOAR, CSPM, DSPM, DLP and I was just getting lost in all of those abbreviations.
[00:33:14] It was so incredibly confusing and I said okay, you know, like let's put aside the abbreviations.
[00:33:20] What do those products do? And so I wanted to test some of them. I wanted to see, you know,
[00:33:26] how they compare against one another and what became very apparent is that I was either
[00:33:32] unable to do it because it was very hard to get access to the products or whenever I was able
[00:33:38] to do it, I would deploy it, I would create an account and I would see that the feature set
[00:33:43] and the functionality of product A was very similar to the functionality of the product B
[00:33:49] and yet they were considered to be products from different quote-unquote categories.
[00:33:54] And that's when I said, you know what, this is such a complicated space. Like how can I ever
[00:33:58] understand this? But again, like several years later, here I am. So as you can see, I did
[00:34:04] go back on my decision. I ultimately ended up joining the company and it's been a fantastic
[00:34:09] journey ever since. I think, I still think up until today that me moving into the cybersecurity
[00:34:15] space has been the absolutely very best decision in my career life. Probably not in my life,
[00:34:20] but definitely in my career life. Yeah, you know, I talked to a head of sales recently.
[00:34:27] They just exited a bot and he told me a couple of stories how in the early stages
[00:34:33] when they were getting their first customers, one of the questions they would get asked by
[00:34:37] prospects was who's your VCs? And it was almost like a proxy for, well, how credible are you?
[00:34:44] You look and feel okay, but I need to know other smart people that I trust have already
[00:34:49] put some money in. And they didn't have a great answer because the founders had actually
[00:34:52] gone for the best deal in terms of valuation as opposed to the highest caliber VCs. So when
[00:34:58] they said, well, this company, this company, this company, he said a couple of times,
[00:35:02] the CISO was like, I've never heard of those people. I have no idea who they are.
[00:35:06] I don't know what to make of that. It was almost like a black mark against them
[00:35:10] as they were thinking about it. Yeah, and it's always like,
[00:35:13] it's always a signaling exercise. Who are the investors that were willing to take risk on you?
[00:35:18] What is their reputation? Who are the early employees that left their well-paying jobs
[00:35:23] to join your company? And what's their reputation? Who are the early advisors
[00:35:29] that are really spending their time and effort to help this company grow? And what
[00:35:33] is their reputation? Who are the early angel investors and on and on and on. So it's just,
[00:35:38] it's all about signaling and the same is true for all areas of life, including business, right?
[00:35:44] Yeah, for sure. And let's completely change tack here on you, Ross.
[00:35:48] Philosophical question for you. If you were, let's say you were going to start your own
[00:35:53] company right now, would you want to create the wave that was going to, you were going to
[00:35:58] ride off into the future or would you want to ride someone else's wave that already exists
[00:36:04] in terms of helping deal with the transformation? That is a very good question. And I did,
[00:36:09] I have to admit I've spent some time thinking about answering this exact question for myself,
[00:36:15] you know, as I think about my future plans and what could be possible. And I, there are pros
[00:36:22] and cons, right? There are pros and cons to each of those paths. And there are the way you build
[00:36:27] companies in each of those directions is going to be very different. If you are trying to create
[00:36:33] a wave, you have to like, you have to raise a lot of capital, you have to invest a lot of
[00:36:38] money into marketing, you have to invest a lot of money into educating the market and making
[00:36:44] the market understand like why they should care. Like why, like why is it that they should
[00:36:49] prioritize this specific thing that you're solving for against like all the other things.
[00:36:54] And in general, in cybersecurity specifically, a lot of the problems do not become a matter of
[00:37:01] market knowledge by default or because companies are looking for ways to solve them or to solve
[00:37:08] something. Instead, it's the company solving this problem that needs to go out and educate
[00:37:13] customers. And I'll give you a very, very simple, very basic example. If you're a marketer,
[00:37:21] you know that your performance is directly tied to the metrics and your ability to drive those
[00:37:29] metrics. So as a marketer, you're always looking for ways to get more people visit
[00:37:35] your website, to get more people open your email, to get more people click on the CTA
[00:37:41] within your email, to get, you know, to open the net new customer groups or net new channels
[00:37:48] to get exposed to different prospects. You're always on the lookout for something to help
[00:37:54] drive the same metrics that you know you're being evaluated on. If you're a security,
[00:37:59] so as a result, the buyers, the prospects in the marketing technology space are always out
[00:38:05] there looking for something new. The same is not true in security. Like in security,
[00:38:10] security teams aren't exactly starting their day by saying, oh my God, what is some cool stuff
[00:38:16] out there that we can try? Instead, they have to be very problem focused. They have to deal
[00:38:21] with their limited resources because they're not tied to the revenue, right? Their goals are
[00:38:26] essentially preserving the status quo and making sure that the company doesn't get breached.
[00:38:31] And when it does get breached, the blast radius of that breach and the financial
[00:38:37] impact are very much contained. So founders looking to essentially create, you know,
[00:38:43] start a wave, they have to think about all of those factors and they have to invest a lot
[00:38:47] of resources into educating others about this specific need. I like on the other hand,
[00:38:53] if you as you say, if you're riding somebody else's wave, that means that somebody else's
[00:38:58] marketing budget has already educated buyers about this problem. It means that somebody else's,
[00:39:04] some other VCs, not your VCs, but some other VCs have already paid for events and conferences
[00:39:13] and some of the other educational and marketing activities that have prepared buyers
[00:39:18] to at the very least ask themselves questions such as is this something like, is this an
[00:39:23] attack vector that we should worry about? If this is not the first time they're hearing
[00:39:28] about the problem, it's much more likely that they will actually listen and they'll, you know,
[00:39:33] they'll be willing to try something. And on top of that, when you look at the state of the
[00:39:39] market, you come to realize that many of the successful, in fact most of the successful
[00:39:44] cybersecurity startups and cybersecurity companies haven't exactly invented something new. Instead,
[00:39:51] they have leveraged a lot of the work that has happened before them. Like you look at companies
[00:39:57] like Duo Security and you realize that fundamentally it's the same RSA token that existed for
[00:40:04] many years that was now delivered in a much more user-friendly, easier to scale, easier to
[00:40:10] deploy way. When you look at some of the winning EDR companies, you realize that there
[00:40:17] was already the endpoint security market. There was a well-established endpoint security market,
[00:40:23] but there were some of the net new needs that the existing endpoint security market at the time
[00:40:28] was not able to solve. And so they focused on the known attack vector and they were able to
[00:40:34] build their business around this. In the same way, like if you look at the cloud security
[00:40:39] space today, everybody is looking at this. Like some people are paying attention to what Orca
[00:40:45] is doing and some other companies in that space. But what is true is that neither of those companies
[00:40:51] have quote unquote started the cloud security asset segment. Instead, they have leveraged
[00:40:58] decade and a half of the work that other startups have been accumulating and they
[00:41:03] were able to bring it all together and execute incredibly well. So to answer your question,
[00:41:09] I think again there are pros and cons to each of those approaches. I think I would be
[00:41:15] much more inclined to take the latter path and to look for a new way of solving an old problem
[00:41:23] as opposed to trying to educate the market about the net new problem.
[00:41:29] That's probably how I think about it. Well, speaking about educating the market,
[00:41:33] last question before you. You got a section in the book, the rise of security platforms
[00:41:39] in industry consolidation. You were talking about future trends or trends that are coming
[00:41:43] up right now. Of course, just a couple of months ago that the Palo Alto CEO said they want to be
[00:41:48] the platform for cybersecurity. There's the platform play coming in. CrowdStrike
[00:41:53] obviously want to do it as well. Beyond all the arguments about what they're doing,
[00:41:57] let's focus on if I was a startup, how should I think about these big platform plays companies?
[00:42:02] Are they people that I should try and compete against? Should I try and integrate with?
[00:42:07] Should I just focus on my own thing and just try and find my own path? How would
[00:42:12] you encourage people to think about it? It's a tough one. It's going to depend on
[00:42:17] so many factors. What is the ambition of the founders? What is the vision of the
[00:42:22] founders? How much time and effort? What is the degree of risks that they're willing to take?
[00:42:28] Are they interested in building fairly well-scoped quote, unquote point solution
[00:42:35] and getting acquired within the next two to three years? Or are they looking to build
[00:42:39] a company that has a larger vision that it is going to pursue and solve a much more tangible,
[00:42:48] much more impactful problem? I don't think that either of those is better than the other.
[00:42:55] It's just that this whole process of ideating and thinking about the question you asked,
[00:43:02] it has to start by people asking themselves those questions and doing some soul searching
[00:43:07] and understanding what is it that they're trying to do. If the goal is to build something that has
[00:43:12] higher chances to get acquired, then it is again, past performance is not a guarantee
[00:43:20] of future results, but based on the past data, it does appear that point solutions that do one
[00:43:28] thing very well are much more likely to get acquired compared to the platform solution.
[00:43:34] In fact, acquirers tend to look for companies that just do one thing incredibly well and that
[00:43:41] can be integrated into the broader platform. The sales team of the acquiring company can just
[00:43:49] start selling and pushing to their existing customer base. That's typically the playbook
[00:43:53] for the acquisitions. If the intent is to build a multi-billion dollar company, it's a
[00:44:00] very different playbook. Although at the beginning, they all start very similar.
[00:44:04] Fundamentally, you need to understand what is it that you are trying to solve, why now? Why is
[00:44:11] now the right time to do it? Have a fairly strong opinion about the future perspective and
[00:44:18] the way you believe the industry is going to develop and unfold over the coming half a decade
[00:44:23] or a decade. Then based on that, finding a wedge, finding that initial use case that will enable you
[00:44:31] to enter the market. That's one of the hardest parts because in this day and age,
[00:44:38] if you just look at the surface level, it does indeed appear that all the impactful problems
[00:44:43] have been solved, but there are some that haven't. I'm a big believer that at times,
[00:44:49] it's very hard to think of a specific new solution or a specific new problem area
[00:44:55] that has a good potential. But we all know that there will be more successful cybersecurity
[00:45:01] companies built over the next decade. We know that the market is just not going to stop where
[00:45:06] it is today. Because there are going to be more companies built, the question is what will
[00:45:11] those companies look like? That question is not necessarily easy to answer, but what's very
[00:45:16] easy to say is that each of the solutions is going to have one specific wedge, one specific
[00:45:21] angle through which they enter. Then once you've identified that wedge, once you found that there
[00:45:26] are enough early adopters that are going to buy those solutions and that actually care about
[00:45:33] solving that specific problem that you've identified, there is this land and expand
[00:45:38] strategy that has frankly been really deep in the enterprise space, like in the enterprise B2B
[00:45:44] space, really the only fundamental way for companies to grow. You identify one specific
[00:45:51] problem area that people are willing to pay for solving today and then from there you look to
[00:45:57] expand into solving other problem areas adjacent to the main one over time. It's very hard to do,
[00:46:05] particularly today when every single startup enters the enterprise environment with a very
[00:46:10] similar approach. You have 60 cybersecurity startups within the company trying to expand
[00:46:18] into each other's areas and it becomes a very competitive and a fairly toxic environment,
[00:46:25] but at the same time that is the state of the market. I believe that the execution will
[00:46:29] continue to define and continue to separate winners from losers or winners and companies
[00:46:34] who win and companies who win to a lesser degree or don't win at all.
[00:46:40] But the playbook for building companies is likely to remain very similar, like in cybersecurity.
[00:46:45] There are some variations when it comes to how do you define the market? Whom do you target?
[00:46:50] Do you target CISOs? Do you target security practitioners? Do you target both? Do you go
[00:46:55] and sell through channel exclusively? There are those variations in how you get to the market,
[00:47:00] but fundamentally identify the problem, find the wedge and find a way in, and then from there
[00:47:06] solve one problem incredibly well, you know, a thousand times for a thousand customers
[00:47:11] and then look to expand into adjacent areas.
[00:47:13] Well, Ross, look, enjoyed having you on the podcast. I'll put your LinkedIn
[00:47:18] link into the show notes. Is that the best way to get hold of you or do you want someone
[00:47:22] to contact you a different way?
[00:47:24] Absolutely. No, LinkedIn is a perfect way to do it.
[00:47:27] All right. Well, listen, I wish you all the best with Cyber for Builders and hope to
[00:47:32] bump into you at RSA in a couple of weeks as well.
[00:47:34] Thank you so much, Andrew. Looking forward to it.
[00:47:48] It will mean a lot to me and to the continued growth of the show if you'd help get the word
[00:47:53] out. So how do you do that easily? There are two ways. Firstly, just simply send a link to
[00:47:59] a friend, send a link to the show, to this episode. You can email it, text it, slack it,
[00:48:05] whatever works for you and it's easy for you. The second way is to leave a super quick
[00:48:10] rating and sometimes that can seem complicated. So I've made it as easy for you as I can.
[00:48:15] You simply have to go to rate this podcast dot com slash cyber. That's rate this podcast
[00:48:22] dot com slash cyber and explains exactly how to do it. Either of these ways will take you
[00:48:28] less than 30 seconds to do and it will mean the world to me. So thank you.