Archive.fm

Category Visionaries

Umaimah Khan, CEO & Co-Founder of Opal Security: $32 Million Raised to Build the Future of Identity Security

Welcome to another episode of Category Visionaries — the show that explores GTM stories from tech’s most innovative B2B founders. In today’s episode, we’re speaking with Umaimah Khan, CEO & Co-Founder at Opal Security, a data-centric identity security platform that has raised $32 Million in funding.

Here are the most interesting points from our conversation:

  • Background and Start: Umaimah initially aimed to be a math professor before transitioning to cryptography and ultimately catching the startup bug. Her experience at various startups, especially with scaling security and compliance systems, directly influenced her founding of Opal Security.

  • Early Days of Opal Security: The first three months of Opal Security involved intense research and discussions to shape the product’s architecture, deeply influenced by Umaimah’s background in cryptography and her prior startup experiences.

  • Unique Challenges of Identity Security: Umaimah views identity security as one of the last great enterprise frontiers, difficult to solve due to constant technological evolutions that outpace the ability of security protocols to adapt.

  • Marketing Philosophy: Opal Security aims to cut through typical marketing noise by directly demonstrating the tangible value of their products to customers, contrasting with the complex and often opaque marketing strategies prevalent in the security sector.

  • Approach to Scaling Adoption: Umaimah emphasizes the importance of user-friendly product design even in complex enterprise environments, drawing parallels to Slack’s transformation of IRC into a tool accessible beyond engineering teams.

  • Vision for the Future: Looking ahead, Umaimah sees Opal Security playing a critical role in shaping the future of access and authorization as technological landscapes and regulatory environments evolve, potentially impacting how identity security is approached globally.

//

Sponsors: Front Lines — We help B2B tech companies launch, manage, and grow podcasts that drive demand, awareness, and thought leadership. www.FrontLines.io

The Global Talent Co. — We help tech startups find, vet, hire, pay, and retain amazing marketing talent that costs 50-70% less than the US & Europe.  www.GlobalTalent.co

Duration: 23m
Broadcast on: 06 Aug 2024
Audio Format: mp3


[MUSIC]
>> Welcome to Category Visionaries, the show dedicated to exploring exciting visions for the future from the founders who are on the front lines building it. In each episode, we'll speak with a visionary founder who's building a new category or reimagining an existing one. We'll learn about the problem they solve, how their technology works, and unpack their vision for the future. I'm your host, Brett Stapper, CEO of Frontlines Media. Now, let's dive right into today's episode.
[MUSIC]
>> Hey everyone, and welcome back to Category Visionaries. Today, we're speaking with UK, CEO and co-founder of Opal Security, a data-centric identity security platform that's raised about 32 million in funding. UK, how's it going today?
>> It's good, glad you're using the initials.
>> Yeah.
>> It's always good.
>> She's been doing a great job.
>> Mommy, live, but the full name is, for those who are curious, Umaimah Khan, or UK for short.
>> I really appreciate you giving me the out there with UK. I was sitting here on these YouTube videos trying to figure it out. I thought I had it figured out and you told me in the pre-intro, I don't or the conversation that I don't have it figured out, so I appreciate that, it makes it a lot easier.
>> No worries.
>> Tell us about your background.
>> Yeah, so I started off life thinking I was going to be a math professor. I've always loved math and puzzles. I started doing cryptography research in school, and thought that was going to be life, worked in the federal government for a bit, and then caught the startup bug, ended up being very early at a few startups and seeing them scale, and had this not intentionally strange theme that constantly ran through them.
I often worked on back-end systems, data engineering, and I would always work at companies that would go through these inflection points as they would start to scale themselves and start to have to harden systems, start to have to think about what they needed to do in order to kind of hit the next milestone, and security is often a big part of that, security and compliance, and specifically around access and identity, so you're building, you're building, you're building, and all of a sudden you have to stop and you have to ask yourself, "Oh my God, what's going on here? What are we doing for AuthN? What are we doing for AuthZ?" This curious thing happens where you realize you need to sort of have things up internally, you don't really have anything, so you start building, and then you can't scale it anymore. And I think the second kind of theme was, I'd always worked on very, very sort of cutting-edge abstract research and technologies, and I would see this kind of same theme over and over again, where it's like you're working on encryption, and here are people falling over and getting breached because they just didn't set up access properly, or they failed to kind of apply certain protocols to certain systems. So I don't know, it was almost like organic, I just sort of, I saw it, I felt it, and they drove me crazy enough that I actually eventually quit my last startup and started to just think about it full-time and work on it full-time, that leads us to here.
>> What did those first, let's say, three months look like when you started working on it full-time?
>> So for me personally, there was just a lot of reading and talking to people. I had, because I had kind of built an early version of prototype at my last job, I had some idea of what I thought the system and the architecture could look like, but I just spent a lot of time also just thinking about it from different angles.
So in authorization, there's a lot of research on building policies, building languages that can kind of evaluate and verify authorization logic. There's obviously kind of the AuthN side of the house, there's passwordless, and I didn't really kind of go about it with a whole lot of intention. In the early days, I just wanted to read and talk to people and understand what they built and why it had worked and why it hadn't, and sort of very, very early on, but my thinking was kind of, look, if this doesn't make sense, at least I've learned a ton along the way and this satisfies my intellectual curiosity. I think over time, that kind of mutated into what the hell, like, why does this exist and why are the people who are working on it, not working harder on it? So that's another story.
- Why do you think this problem exists? Why is no one solving this?
- So access management, identity, first of all, I like to call it one of the last great enterprise frontiers, and there are people who are working on it, there are people who have tried to solve it. Famously, Novell, and I think, like, 80s or not 80s, like, I think early 2000s, which, correct me if I'm wrong, was headed by Eric Schmidt before he went to Google. So a lot of really, really smart people have worked on identity and authorization and authentication. The problem is, it's so fundamentally tied to the way businesses change and grow and how they sort of go through these milestones of, like, technological complexity, that it's very, very hard to stop the world and design something that's beautiful and perfect and can keep up with the pace of business. So, like, for a while, like, all of computing was done on hardware, on-prem, right? And on firewalls ruled the world and network authorization. Then we had this big transformational shift. Cloud and endpoint became key. And then we had the shift again to multi-cloud.
And now we have, like, possibly, like, non-human agents writing software, and we have this, like, complete explosion of, like, identities and applications, and people don't work in the same office anymore. Like, the way you describe how a person works is not really totally defined by their role. So, like, all of these protocols just, like, break because they can't keep up with the complexity of what's actually happening in the world, right? And so, lots of smart people try, and it's just really hard to scale adoption. And sometimes they give this analogy. It's almost like, we're in a world where people are trying to figure out what the schema looks like for a database that doesn't exist, basically.
- This show is brought to you by Frontlines Media, podcast production studio that helps B2B founders launch, manage, and grow their own podcast. Now, if you're a founder, you may be thinking, I don't have time to host a podcast. I've got a company to build. Well, that's exactly what we built our service to do. You show up and host, and we handle literally everything else. To set up a call to discuss launching your own podcast, visit frontlines.io/podcast. Now, back to today's episode. What are you doing to scale adoption?
- So, it's an interesting question. I think one thing that's, like, sort of, uniquely changed in the landscape is that there used to be a time when you build enterprise software, it's always very information-rich, always very workflow-dense, right? Because a lot of business logic defines how you build enterprise products and each business varies. And these products are, like, very powerful, but they're not easy to use. And I think one thing that's changed is people sort of demand a higher bar for UI/UX even at enterprise, and it's a good thing. It's actually what allows other folks to not be intimidated and actually adopt products, like Opal's, which are meant to be work-work products.
It's actually supplied to everything, no matter what your job is, no matter what systems you're touching, maybe some things are more sensitive than others. And, you know, maybe you think about least privilege in, sort of, like, this sequential and systematic way, but at the end of the day, to build a data-rich identity security platform, it really does need to have broad coverage. So, you do need to have a product that is not intimidating at first blush. So, I think an example of a product that has done this really, really well, that we all know, is Slack, right? Like, IRC has existed for a really long time. Like, I grew up, you know, on chat forums that, like, had all their roots and bindings and clunky UI/UX. And I remember, like, just sort of being pleasantly surprised and startled when people started using Slack outside of, or products like Slack outside of engineering teams, because it's like, this is IRC. It feels like this is, like, 80s chat, 90s chat forums, and now you have, like, marketing teams who are, like, totally not intimidated by, like, messaging each other on things like this. So, you can kind of get these gains for adoption. I'm sorry if that's a little long, rambly answer.
- No, we like the long rambly answers. Those are always the good ones. What about marketing philosophy? How are you approaching marketing?
- Oh, man, that's a fun one. So, there's this paper I talk to people about sometimes that a friend recommended to me. It's called The Market for Silver Bullets. And it's basically, it's inspired by a classic econ paper. And it's about how there are really no rational buyers or sellers in security because nobody has enough information to understand what's going on, right? So, you end up kind of in this crazy, like, black hole of security companies, like, they market, like, big pharma sometimes. And then you have these vendors on the other side of the house, who are just trying to solve a problem.
And they're reading through these white papers and these, like, incredibly polished, you know, decks. And at the end of the day, it's like, well, it's just solving anything. So, the way we think about it at Opal Security is, what can we do that really cuts through the fat and shows people real value? And the nice thing is, when we take a step back from this broad category of identity security, when we really talk about something like least privilege, you should be able to measure that. You know, least privilege, this is like the definition of getting the sort of minimum viable access to do your job and then kind of thinking about how that applies across different systems and entities and identities, you should be able to measure that. Like, that is a doable thing. And to be able to market something that is, like, here's what we do, here's where we provide value, here's where we're going. I think it's been unique to us as a product and security, but I think it's part of the cornerstone of our philosophy.
- I see that you're gonna be at RSA. I think that's next week or maybe the week after, I've been to RSA the last couple of years. And whenever I walk around, I just think, wow, everyone is basically saying the same thing. It's very difficult to stand out and separate yourself from all the noise. Is there anything that you're doing from marketing perspective that you're seeing work very effectively to rise above all of the noise that exists?
- Well, it's early for us, but I do think, like, the way I think about it is we are a product company and the product should speak for itself. And what marketing function is to do is provide an explanation and a value of the sorts of information you wouldn't necessarily get otherwise. Like for instance, why are you suitable for the enterprise? And also like an ability to kind of teach folks, right? 'Cause to your point, everyone copies each other. It's fairly noisy.
So anyone who can really come into the space with an opinionated point of view and explain why they do something the way they do it. And also a little bit like call out like, I don't know what these acronyms mean. Do you know what these acronyms mean? I think goes a long way. The second thing I will say is your best marketing is doing right by your customers and letting them speak to the value of the products. So allowing our customers, and it's early for us, but sort of letting them speak to what they've been able to do with Opal and how they've been able to sort of solve problems like that goes a long way.
- So you founded the company in 2021. How long did it take for you to start getting paying customers through the door?
- Yeah, so Opal is kind of unique in regards to the fact that like we never really did this kind of like design partnership like after we GA'd. So in the sense that we qualify all of our early customers and we build with them, but we understood that there was a real need in the market and that if we could kind of build in the right direction and show people meaningfully the value that they would be able to get, that it was worth paying for. So I think when we felt that the product was ready to GA and we felt that we were in a position where we could continue to provide value, it felt like a more straightforward conversation than perhaps trying to sort of find product market fit. You know, product market fit by the way is like always like a negotiate, like it's always a work in progress, but that conviction right from having built before meant that we knew that this was a problem that needed to be solved and no one was solving it adequately.
- And were you tempted at all to go the design review partner route or did this just make logical sense for you?
- It's a great question. The truth is like, you know, it's more of an art than a science at the stage and it could make sense.
If there was a really unique opportunity, but like we were able to show that we really did provide value from day one, right? So it was really a question of like having that conversation with potential customers of how much do you think this is worth and working with them and figuring that out.
- What about your market categories? In the intro, I called you a data-centric identity security platform, obviously I stole that from your website or from LinkedIn, is that the market category or what do you think is the market category?
- Yeah, so this is a great question. You know, I think there's a little bit of to be determined kind of in terms of the market, but broadly speaking, I would say there's sort of like four main silos that happen like in identity security. One is identity providers, that's IDPs. So this is like Entra and Okta, et cetera. And then you have privileged access management. So these are like tools that are designed to like if you step up privileged access or CyberArk, there's IGA, identity governance. And this is companies like SailPoint and Saviynt. And then there's sort of cloud infrastructure entitlement management. And broadly these four combined are like on the order of a $30 billion market. And there's like a story kind of on how you feed from IDPs and sort of consolidate to some extent those silos, otherwise what's happening is like people are sort of looking at different parts of the horse, right? And then trying to sort of Frankenstein it together, which is one of the reasons we have a lot of conviction that it really should be one platform. I think from there, if you really do design like the infrastructure well and the platform well, there is potentially a way to continue to grow and expand and go into more markets. So I think, you know, when people talk about security in particular, I think Palo Alto famously did like a fantastic job of this in terms of how they expand into the cloud market.
- This show is brought to you by the Global Talent Co, a marketing leader's best friend in these times of budget cuts and efficient growth. We help marketing leaders find, hire, vet and manage amazing marketing talent for 50 to 70% less than their US and European counterparts. To book a free consultation, visit globaltalent.co.
- So is this a new line item then that customers are creating or is this taking away from one of those existing line items for other identity security tools?
- Yeah, a little bit of both. It actually, it depends, you know, like when we think about like those latter three, cloud infrastructure entitlement management, IGA, identity governance and administration, and privileged access management, it does solve for a lot of those use cases. So you do have in some sense a built-in line item. The difference is you're also sort of creating space to also provide new value in something that may not have existed before. So what we've seen is like customers will like realize they're getting that value and maybe create more budget on top of what they sort of had thought was like pre-existing or what was just the use case we were solving for.
- What's the go-to-market motion look like?
- Yeah, so for us taking a step back, if you think about where the complexity and the challenge of a problem like this truly lies, you have to be a business of a certain scale and size and largely that's enterprise. So we are an enterprise business. It's just when you're our size, you also have to think a little like a little intentionally about how you choose who to work with, whether they're sort of bought into your vision and whether it can be a strong partnership, right? And you can kind of deliver. So it is top-down, right? It is sort of like a classic enterprise motion, but it's also sort of coming from this very like strong product partnership perspective.
So having people actually test out the product and having people like give their feedback, seeing the value in those evaluations, right? And then sort of using that also as like an avenue for education.
- What have you learned about building go-to-market teams so far?
- Oh, this is a fun one. I think the biggest thing is, there's two parts to this. One is how you hire teams in any business, especially in technical enterprise businesses. Go-to-market is not actually that different from engineering. I remember really kind of having this sudden realization, like in the early days of building, sort of thinking about go-to-market. It's not that dissimilar from systems engineering and you're working off certain assumptions, you're thinking about scalability and robustness, and you also have to have like a pretty high tolerance for experimentation and just trying things out. And I think that's one thing that's really important. There aren't playbooks in cloud enterprises. Like, you know, we talk about triple twice, double thrice and there are businesses like Rubrik, for example, who have completely blown past those expectations because they've maybe been like a little bit more open to trying some things out or not others. So I think one understanding kind of where you're at is a business being open to experimentation and hiring for a team that is open to experimenting and is sort of like high curiosity, willing to run around the field, figure out what it needs to be done. That's important in technical products, also having a very strong sort of, the closest the technical sale. So like having a strong kind of sales engineering team is important. On the other side, I think enablement and positioning is really, really critical, especially if you're in a space like ours where you have lots of legacy tech, being able to very crisply explain what you do, why you do it, and why us, and why now all those classic things.
You want to get ahead of the positioning, even maybe necessarily before all the pieces are in place in the product.
- What's that been like for you learning positioning? I'm guessing you started the company not having spent a lot of time doing positioning in the past.
- Oh, it's interesting. I mean, one of the things you always have to kind of like temper in yourself if you're from like a really tactical background, like myself is you get in the weeds, spend all your time thinking about something you can kind of forget like when you're in a sales call that you're explaining somebody thing to somebody who's just seeing it for the first time and like they're not as invested as you, like they're here to learn, they've taken this meeting and it's like a little bit on you to like explain to them quite quiet. And I think you have to kind of fight that instinct if you're the one who's like sort of grinding yourself, right? To sort of be like, well, my baby is ugly. It's great and it solves everything. So that's one thing. I would think the other thing is just that like, I don't know for me personally, I sort of just appreciated the learning experience and kind of had that framing before from having built an internal tool and having to basically sell it internally, it doesn't feel that different because at the end of the day, we also sell to technical means. Security also is largely, I think people forget that there is like an element of empathy as well, like recognizing that people are under an immense amount of pressure, right? For them to even be considering a startup's product for something like ours, which is changing access and infrastructure, that's a lot of trust like somebody's putting in you and just like labeling that and being able to speak to it and how you're thinking about it and being prepared, I think goes a long way.
- To date, what do you think has been the most important go-to-market decision that you've made?
- Oh, wow, this is kind of interesting.
I think it's a combination of sort of having that conviction to go sell top-down and not sort of widen the net and sell to whoever wanted to come through the door and not do PLG as a result of that in the early days. It allowed us to be choosy in the enterprise and really build a mature product by having the ability to kind of partner strongly with folks who had like very real enterprise problems.
- As I mentioned there in the intro, you've raised about 32 million to date. What have you learned about fundraising throughout this journey?
- Well, it's interesting. I think I just kind of approached it with an open mind and I'm always like very curious how other people approach these things. But maybe I kind of just sort of took it from first principles. Like here's the things that I know make a lot of sense for the business, here's where I think we're headed, here's where the, like I know the numbers are good. I want to just go and find the right folks who are aligned with us and want to be a part of this journey. And it's my job to show them why this is a good bet. And I don't know if that's really the answer you're looking for but I don't know, I didn't read like anything on the internet or really honestly like ask for a ton of advice, frankly. I sort of just kind of thought about it from a first principles perspective, which by the way, like we'll see how to add to each their own. I think it worked because I knew like we had a strong product and then we were growing and it made sense. And we had like this very clear plan of how we were going to continue to grow.
- How do you get good at thinking and operationalizing first principles thinking? I feel like everyone talks about it these days and it sounds great on paper, but it's hard to actually execute on it, I think. Do you have any advice for the listeners on how to do that?
- Yeah, I mean, this is an interesting topic.
I think for me personally, I mean, I was trained in first principles thinking in my voice, right? I enjoy zero to one a lot. And one is you have to kind of be not scared of failure. You have to like be willing to like widen the net and consider possibilities and perspectives. And you have to be willing to take in a lot of information without acting on it. And then you have to take a step back and ask yourself, what am I actually trying to solve for? And you get a ton of feedback, even like, especially when you go to market, like you can go Google a bunch of things and ask a bunch of people and everyone will have their perspective and advice. You have to kind of be very clear with yourself about what the axioms are and what you're trying to solve for and then be comfortable with the fact that it might be wrong and that you're going to have to (indistinct) axioms and try again. And I don't know if that's too high level, but I highlight that part because I think that's the scariest part for a lot of people to really, really be comfortable with ambiguity and to ignore sort of what other people or what conventional wisdom might be. Like, enterprise is so interesting because there are all these like industry metrics and standards and ways to build businesses that seem to kind of follow similar patterns and they do exist and you should take in that information. But at the same time, like really, really big businesses, like Databricks, like, you know, they don't necessarily follow a standard playbook. There is a ton of experimentation there. So it's kind of obvious in the DNA that there was some first principles thinking that went into play.
- Final question for you. Let's zoom out three to five years into the future. What's the big picture vision here?
- Yeah, like I said, I think this is one of the last great enterprise frontiers.
And I also think it's like a very exciting time to be thinking about access and authorization because like the world is undergoing yet another technological shift, which means you kind of get to be at the forefront of deciding what that looks like. This is a little bit left field, but like, you know, I talk about this sometimes like a lot of AI regulation, for example, is largely around access because it's easy to prescribe and define. And so being able to sort of help carve out what the future of identity security looks like and build a great business sort of in service to that, I think is like, it's a big opportunity. I think this is a space where like, there's going to be a lot of competition. There's going to be a lot of folks who try, a lot of really smart teams who try. And there's only going to be a couple of big winners, but the winners who win will be big, basically.
- Amazing, I love the vision. All right, we are up on time. So we're going to have to wrap here. Before we do, if there's any founders that are listening in that want to follow along with your journey, where should they go?
- Well, you can follow us on LinkedIn and Opal Security. Reach out to us at any time. We'd love to talk, especially if you're interested in what the future of least privilege looks like.
- Amazing. UK, thanks so much.
- I hope I'll talk to you soon on our website. You can visit us at Opal.dev.
- Perfect. Thanks so much, Jake, and time really appreciate it.
- All right, thank you.
(upbeat music)
- This episode of Category Visionaries is brought to you by Frontlines Media, Silicon Valley's leading podcast production studio. If you're a B2B founder looking for help launching and growing your own podcast, visit frontlines.io/podcast. And for the latest episodes, search for Category Visionaries on your podcast platform of choice. Thanks for listening, and we'll catch you on the next episode.
(upbeat music)