RSA Innovation Sandbox Finalist: P0 Security with CEO, Shashwat Sehgal
The Cybersecurity Go-To-Market Podcast | May 01, 2024 | 00:16:56 | 11.68 MB

In this conversation we discuss:

🤞 How P0 Security uniquely integrates security without hindering developer workflows.

🤞 The challenges of securing cloud-native technologies and non-human identities.

🤞 P0 Security’s innovative approach to identity governance and administration.

About our guest:

Shashwat Sehgal is the CEO and co-founder of P0 Security, a company that streamlines security practices to enhance operational efficiency without impeding the productivity of development teams. With previous stints at Splunk and leadership roles in multiple tech enterprises, Shashwat brings expertise in cloud security and enterprise software development.

Summary:

Join us as Shashwat Sehgal delves into the complexities of securing cloud-native technologies, highlighting how P0 Security’s innovative solutions help bridge the gap between security demands and developer efficiency. Tune in to gain insights that can transform your go-to-market strategies and fuel your company's growth. Don't miss this episode!

Resources:

Connect with Shashwat Sehgal on LinkedIn

Visit P0 Security's website


[00:00:00] Hey, it's Andrew. Just quickly before we start this episode, I want to tell you about one of my

[00:00:03] favorite podcasts, the Secure Ventures podcast. The host Kyle McNulty interviews cybersecurity

[00:00:09] founders about what they are building. I enjoy it because Kyle focuses on their technology,

[00:00:14] what it solves, why they build it, where it fits in the market. Also listeners can understand

[00:00:19] the why of these startups. In some ways it's a great complement to my own podcast where I

[00:00:23] focus on the go-to-market side, not the technology side. He's had some great guests on

[00:00:27] recently, for example, the CEO of Reality Defender when they talked about the ins and

[00:00:32] outs of deepfake detection. He's had the co-founder and CEO of Go Security and also

[00:00:37] the co-founder radical Chris Peterson, who was incidentally a founder of LogRhythm.

[00:00:42] They talk about the role of AI in the SOC. This is not a paid promotion. I just simply

[00:00:46] enjoy what Kyle is doing with his interviews and get a lot out of them. Check it out.

[00:00:50] It's the Secure Ventures podcast. Now on with this episode.

[00:00:57] Welcome to the Cyber Security Go-To-Market podcast for our special showcase episode,

[00:01:09] where we're talking to leaders of the companies selected for the 2024 RSA Conference Innovation

[00:01:16] Sandbox. These are just the 10 companies that judges have selected as the most innovative

[00:01:22] startups in cybersecurity today out of hundreds who apply. I am your host, Andrew Monahan,

[00:01:28] and today we're talking with Shashwat Sehgal, CEO and co-founder at P0 Security.

[00:01:34] Shashwat, welcome to the podcast. Good to be here, Andrew, and great to meet you.

[00:01:39] Yeah, good to meet you. It must be a bit of a thrill to get selected,

[00:01:41] down to one of the 10 finalists. That's quite an honor.

[00:01:44] Yeah, thank you. I'm quite looking forward to meeting everyone, customers, judges,

[00:01:49] and the broader community alike over at RSA. Yeah, the Sandbox Innovation Day Monday has

[00:01:55] turned into quite a big thing. So it's quite exciting to see these companies get the chance

[00:01:59] to showcase what they're doing. But let's get into our discussion today, Shashwat.

[00:02:03] First question for you, where in the world did you have your first Sandbox?

[00:02:08] Great question. So I grew up in New Delhi, India. That's where I spent my childhood. That's

[00:02:15] where I went to university. And then I've been kind of going around the world for my career.

[00:02:21] I spent a few years in London, moved to New York. And for the last 10 or so years,

[00:02:26] I've been out here in the Bay Area. Well, it must be a thrill to be able to

[00:02:29] come from one hotbed, which of course is India, tech-wise these days, into another one,

[00:02:35] which is Silicon Valley, where a lot's going on at the moment.

[00:02:39] What's the story of the founding of P0 Security, Shashwat?

[00:02:43] So this goes back to what I was doing before I started the company. I was at Splunk.

[00:02:50] I was leading product management teams, multiple product management teams within

[00:02:55] observability. And that's where I met my co-founder, Greg, who's also my CTO.

[00:03:02] What we had noticed was that the security team at Splunk was having a very hard time

[00:03:09] at the time trying to make sure that cloud was secure. What do we mean by that?

[00:03:16] We were building all of these big technologies as part of an observability suite. And we were

[00:03:23] looking to make sure that these were something that the Fortune 100s, the Fortune 500s felt

[00:03:30] safe deploying. And as part of that, obviously, the security team wanted to make sure

[00:03:35] that the access to Splunk's critical infrastructure was secure. In other words,

[00:03:41] they could regulate access to both human identities and non-human identities to

[00:03:48] any kind of sensitive resources in the cloud. Now, this sounds very straightforward in theory,

[00:03:53] but as we started implementing these access controls within our environment,

[00:03:58] what we realized was that the cloud was quite different from the technologies that came before

[00:04:05] it. Specifically, cloud-native technologies like Kubernetes, like microservices, etc.,

[00:04:10] were especially challenging to secure access for. Why was this the case? As we dug deeper,

[00:04:15] we found out that this was difficult because the cloud was unique in at least two ways

[00:04:22] from how application development used to happen before the cloud. What were those two ways?

[00:04:27] Firstly, it was an order of magnitude more complex. Why was it more complex? Previously,

[00:04:33] all security teams needed to care about was to make sure humans don't have access to

[00:04:38] production infrastructure. Now, they had to make sure humans as well as non-human identities

[00:04:44] did not have access to production infrastructure. The number of identities exploded 100x from what

[00:04:50] it used to be before and the number of access paths to sensitive infrastructure and sensitive

[00:04:54] data also exploded in number. So, the first reason why this was challenging was just the

[00:04:59] sheer complexity. And the second reason we found it was so challenging was because previously

[00:05:05] the tools that secured access to any sensitive information or sensitive data or sensitive

[00:05:11] infrastructure were not built from the perspective of a developer. Now, increasingly with cloud-native

[00:05:18] development, the gatekeepers of the cloud are developer teams as opposed to IT and security

[00:05:23] teams. So, the incentive of someone in security is to ensure that the changes that

[00:05:31] they are introducing, the access control that they're introducing into the system

[00:05:35] does not impede a developer in any shape or form. And this, what we found was extremely

[00:05:40] hard to do with the existing tools. So, that's how we got started.

[00:05:44] And does that mean that your buyer is on the development side or is it still on the security

[00:05:48] side? Our buyer is still on the security side, but we have designed our tools to be, we have

[00:05:55] taken a lot of care to ensure that the eventual users of a product, which is typically the

[00:06:01] developer team, they are not impeded in any shape or form. We meet them where they are

[00:06:06] in their journey rather than introducing new workflows, new ways of doing things.

[00:06:11] For example, we've gone all in on integrations with command line, with integrations with

[00:06:17] Slack, rather than deploying a new software on the laptop of a developer or asking them to

[00:06:25] log into a new portal. We try to meet them as much as possible where they are so that we

[00:06:30] are as little of a hindrance to them in their day-to-day work as possible.

[00:06:33] And where were you and Greg? You said that and thought, you know what,

[00:06:38] why don't we just do a company to solve this?

[00:06:40] Yeah, so that's when we started facing this problem internally. That's when we decided,

[00:06:44] hey, there's probably a company to be built somewhere in this problem, right? Somewhere

[00:06:49] in this space. So that's when I also started talking to my third co-founder, Nathan. He and

[00:06:56] I were peers a couple of jobs ago when we were at Cisco Meraki. So at Cisco Meraki, I led

[00:07:05] the SD-WAN team and he was my engineering counterpart. So collectively we had been

[00:07:11] in the security space for the longest time. And so he had left Meraki to become the VP

[00:07:16] of engineering at Semgrep. And then he was thinking about his next steps after leaving

[00:07:21] Semgrep. So the stars just aligned and Greg, Nathan and I decided to start the company in late

[00:07:27] 2022. That's awesome. And going back to your problem statement, so I get the fact that you

[00:07:32] had a developer first mindset to make sure that they were catered for. But what's the

[00:07:37] biggest innovation that judges would have seen in what you do that got them so excited?

[00:07:41] Yeah, so the broad space that we are operating in historically has been called IGA, identity

[00:07:48] governance and administration. Historically, this space has been targeted towards developers

[00:07:55] or specifically not even developers, towards human users or employees of an organization

[00:08:00] as they look to gain access to applications. And we believe we are the next iteration of

[00:08:06] this space specifically for the cloud and specifically for a cloud development stack,

[00:08:11] which means we include not just developers but non-human identities as well. So we believe that

[00:08:18] two innovations that we bring to the table is that we are solving this problem holistically

[00:08:23] for the cloud for all kinds of access across all kinds of identities. That's one. And the

[00:08:28] second innovation that we are getting to the table is that we've designed a product, the form

[00:08:33] factor of the product in a way that does not introduce any kind of friction to developer

[00:08:39] workflows. So developers being important people in an organization in terms of the systems they

[00:08:44] support and usually they help the company run and make money, so therefore keeping them happy

[00:08:49] is a big deal. Absolutely. So every company requires some kind of access governance. And

[00:08:56] for better or for worse, access governance has been synonymous with some kind of a tradeoff

[00:09:02] between security and productivity. And our goal is to make sure that this tradeoff,

[00:09:09] to the extent that one exists, is minimized in any company.

[00:09:14] Intuitively I get the idea that lots more access is going to have an impact on your

[00:09:20] ability to mitigate risks. But what's the biggest business impact to this that people

[00:09:25] are really worried about? Is there evidence to say that having all these non-human identities

[00:09:29] is a challenge, is causing problems and people getting breached left, right and center from them?

[00:09:35] Yeah, absolutely. So there are usually three sources of business impact to most of our

[00:09:41] customers. The first source is obviously one of security. At the end of the day,

[00:09:46] we are a security company. By some estimates between 65 and 75% of cloud security incidents

[00:09:54] in 2023 had something to do with some kind of identity misconfiguration. If you think about it,

[00:10:00] that's a shocking number, right? And if you're able to move the needle on the statistic, even

[00:10:07] like let's say 10 to 20%, that could be huge in terms of its repercussions on the security

[00:10:13] posture of a company, right? So that's one. Secondly, a business metric for us is to improve

[00:10:20] the operational efficiency of a company, right? So many of our customers, they use us day in,

[00:10:25] day out for things such as automating access requests for individual engineers or for automating

[00:10:34] access reviews of non-human identities, levels of access to the cloud, right? So in

[00:10:42] many instances, we end up saving them hours of their time per week, several hours of their

[00:10:47] time per week, right? So it's not hard to tie that to some kind of a business outcome in terms

[00:10:53] of we all live in a world of now that the zero interest rate environment is gone, everyone

[00:10:59] starts to worry about their margins once again, right? So we help security and DevOps teams do

[00:11:06] more with less. So that ties frequently into yet another business outcome for our customers.

[00:11:12] And the third business imperative for a lot of customers is that many of their own customers,

[00:11:20] especially if they are selling to upmarket enterprise, large enterprise, many of their

[00:11:25] own customers will come with some kind of stringent requirements on securing access to

[00:11:31] their internal data and internal infrastructure, right? And to do that, the easiest way to secure

[00:11:38] access to whoever it is that requires access is to use someone like P0, right? So those are the

[00:11:46] three big business drivers, security, operational efficiency and revenue growth as you start going

[00:11:52] upmarket that we usually tie into. That's correct. You're talking to the three main

[00:11:57] business drivers, right? That's awesome to be able to do that. Must put you in a good

[00:12:01] position when you're talking where prospects are, as you say, they're scrutinizing this

[00:12:04] a lot more than they were two years ago. So it sounds like you're used to having that

[00:12:08] conversation with people. Yeah. So Shashwat, as you look at the rest of the year,

[00:12:12] what are your big goals for 2024? Well, life in the journey of a startup is that

[00:12:21] your goals are mostly or almost always on a two-week time horizon or a one-month time

[00:12:26] horizon rather than on a one-year time horizon. But yeah, I mean, jokes aside,

[00:12:31] right? So far we've been very happy with the traction and the feedback that we've heard from

[00:12:36] customers. Our goal is to really step on the gas as far as our product development is concerned.

[00:12:44] We've obviously covered a major portion of the stack at many of our customers, but

[00:12:52] we can always keep on building more and more integrations with the rest of the stack. For

[00:12:56] example, if a customer is using some database that we do not currently support access to,

[00:13:02] maybe we want to build access to that. Or if there's some cloud service that they use

[00:13:09] internally and we don't support access to it, that's also something we want to provide.

[00:13:13] So I'd say the vast majority of our time this year is going to go towards improving

[00:13:19] our product and making it ready for customers of all shapes and sizes.

[00:13:24] Simultaneously, we'll also be investing in some go-to-market talent so that we can start

[00:13:31] selling and we can start reaching more customers than the ones that we've been talking to so far.

[00:13:37] Is this an enterprise sales first go-to-market strategy or is there some other way that you

[00:13:43] think you'll have to do this? No, it's very much an enterprise sales first strategy.

[00:13:49] At some point, we'll be exploring other ideas as well around how to reach platform teams directly.

[00:13:56] But again, that's more for the medium to long-term future. I'd say in the near term,

[00:14:03] we are very much a security team focused sales strategy.

[00:14:07] And then if you look to RSA in two weeks' time, except for celebrating the win

[00:14:12] of the innovation sandbox, what else do you have going on that week that you want to tell

[00:14:16] people about? We'll be at Booth 1960, 1960. So any of you all who are attending RSA,

[00:14:25] if you want to see a demo of the product firsthand, if you want to play around with

[00:14:28] the product firsthand, I personally am a strong disbeliever of canned demos.

[00:14:33] I always believe in giving people access to the product, letting them play with it themselves

[00:14:38] and watching their face when they see the aha moment. If you want to do that, please by

[00:14:41] all means come over to Booth 1960. The vast majority of my time at RSA, I'm expected to

[00:14:49] be speaking to customers, prospects, understanding what they like, what they do not like about the

[00:14:55] product and in general just brainstorming on where cloud security is heading.

[00:15:01] And is that in the main floor or are you in the early stage expo?

[00:15:04] No, we'll be in the main floor. Great. All right. And any events with your investors

[00:15:09] at all? Those are more in the evenings. Yes, some during the day as well. But yeah, I mean,

[00:15:15] for me, we'd never be where we are without our customers' help. Right. So for me, first and

[00:15:21] foremost, I want to be there on the front lines speaking to people, understanding their

[00:15:27] challenges, what keeps them up at night and really just taking it from there.

[00:15:32] That's great. And I'll put your LinkedIn link into the show notes. Is that the best

[00:15:37] way to get hold of you or do you want to offer a different way?

[00:15:39] No, I think that's the best way.

[00:15:41] Okay. Well, Shashwat, I enjoyed our conversation. Looking forward to seeing you on stage at the

[00:15:46] Innovation Sandbox that Monday and I wish you all the best for that and for the rest of the

[00:15:49] year. Thank you. Really appreciate it. It would mean a lot to me and to the continued

[00:16:06] growth of the show if you'd help get the word out. So how do you do that easily? There are

[00:16:11] two ways. Firstly, just simply send a link to a friend, send a link to the show, to this

[00:16:17] episode. You can email it, text it, Slack it, whatever works for you and is easy for you.

[00:16:23] The second way is to leave a super quick rating. And sometimes that can seem complicated. So I've

[00:16:28] made it as easy for you as I can. You simply have to go to rate this podcast dot com

[00:16:35] slash cyber. That's rate this podcast dot com slash cyber and explains exactly how to do

[00:16:42] it. Either of these ways will take you less than 30 seconds to do and it will mean the

[00:16:46] world to me. So thank you.