Category Visionaries

Dan Lorenc, CEO & Founder of Chainguard: $250 Million Raised to Power the Future of Software Supply Chain Security

Welcome to another episode of Category Visionaries — the show that explores GTM stories from tech’s most innovative B2B founders. In today’s episode, we’re speaking with Dan Lorenc, CEO & Founder of Chainguard, a software supply chain security platform that has raised $250 Million in funding.

Here are the most interesting points from our conversation:

  • Focus on Open Source Security: Chainguard aims to provide a secure source for open source code, addressing the risks associated with the widespread use of open source software in modern applications.

  • Industry Recognition Post-SolarWinds: The importance of software supply chain security became mainstream after the SolarWinds breach in December 2020, highlighting vulnerabilities in the software development process.

  • Founding Story: Inspired by the increasing attention on software supply chain security, Dan and his co-founder Matt decided to leverage their experience at Google to address these challenges, officially launching Chainguard in October 2021.

  • Initial Funding and Market Timing: Chainguard was founded during a peak period for venture capital investment, enabling them to secure initial funding quickly and focus on exploring market needs.

  • Strategic Pivot: Early on, Chainguard experimented with multiple products before pivoting to focus on the one with the greatest demand, resulting in a successful transition and growth in revenue.

  • Marketing and Awareness: Chainguard invested heavily in brand awareness through social media, PR, and content creation, aiming to be recognized as a leader in the software supply chain security space.

//

Sponsors: Front Lines — We help B2B tech companies launch, manage, and grow podcasts that drive demand, awareness, and thought leadership. www.FrontLines.io

The Global Talent Co. — We help tech startups find, vet, hire, pay, and retain amazing marketing talent that costs 50-70% less than the US & Europe.  www.GlobalTalent.co

Duration:
20m
Broadcast on:
06 Aug 2024
Audio Format:
mp3


[MUSIC] >> Welcome to Category Visionaries, the show dedicated to exploring exciting visions for the future from the founders who are on the front lines building it. In each episode, we'll speak with a visionary founder who's building a new category or reimagining an existing one. We'll learn about the problem they solve, how their technology works, and unpack their vision for the future. I'm your host, Brett Stapper, CEO of Frontlines Media. Now, let's dive right into today's episode. [MUSIC]

>> Hey, everyone, and welcome back to Category Visionaries. Today, we're speaking with Dan Lorenc, CEO and founder of Chainguard, a software supply chain security platform that's raised 250 million in funding. Dan, welcome to the show.

>> Thanks for having me.

>> No problem, super exciting, and let's jump right in. Talk to us about what you're building today.

>> Sure. So software supply chain security is a really complicated area of both security and software because it kind of bridges that gap. It applies to securing the way you build your software, which includes everything from the way developers write their code, the way they push into production, all the way up to the security of all of the third party dependencies that they pull into their applications. And we're really focused there, especially on the open source angle. Anywhere from 90 to 98 percent of source code by lines of code in all the different studies I've seen running modern applications is open source. That means it's written by people typically not at your company. Open source is awesome because it's this huge shared library of really high quality software that you can just pull in and start building from for free in your applications. But from a security perspective, it's a little bit scary because it's written by pretty much anyone on the internet. If you spend any time on the internet, you realize how scary that can be when you look at it. Not everyone there is a nice person.
So that's the area we're focused on. We're trying to become a safe source for open source, which means we're providing a platform of open source code that's trusted, vetted, secured, patched, meets all the compliance requirements that your developers can use while still meeting them where they are and packaging it up in all the friendly ways that they want to consume it.

And I could have this wrong, but at least from what I saw, software supply chain really became a big thing that people were talking about after SolarWinds. Is that a correct way to view things or is that wrong?

Yeah, no, that's pretty much it. That's when it hit the mainstream media. That's when it hit the bigger landscape. Before starting this company, I was at Google for about a decade and Google started worrying about this pretty early on in the scheme of software supply chain security being a buzzword. I mean, Google cares about security a lot, right? You know, I got there in around 2012, which was right in kind of that time frame with Operation Aurora and the Snowden papers and that realization for big tech companies that there are attackers out there with larger budgets than even the largest companies in existence. Nation states, that kind of thing, they're incredibly well-funded and incredibly patient. And that led to a whole bunch of rethinking of the way security works inside of Google. When you start to apply that principle to all of the different components of your system, you really start to worry about everything, including your supply chain and the things not written inside of your company. It's pretty lucky to get to watch that transformation inside of Google. And then it's supposed to start working on this space really before it became a term and a buzzword and a category.

And then what happened in your world in October 2021? You founded the company. What happened at that time to say this is it, this is the time?

Yeah, so it all kind of blew up in that SolarWinds breach, right?
Which was December 2020, something like that, you know, right during the pandemic. And everybody started looking around and saying, hey, why is nobody even working on this? Why does nobody care about this problem? How did we get caught by surprise here? And so the space sort of blew up and heated up overnight. That spring, there was an executive order from the Biden administration around this area. A whole bunch of tailwinds picked up and a whole bunch of people started paying attention to this area. My co-founder, Matt, he's spent a long time with me at Google, working on a lot of these same problems. He left and just took some time off during the pandemic. He was just doing barbecue, you know, bought one of those Big Green Egg barbecue things and just kept really neat for a while. And I kept trying to talk him into coming back to Google, because we're just paying attention when the space is getting really interesting. One day he finally texted me and said, all right, I'm ready to start working again, but how about instead of me coming back, we leave and start a company? That was pretty much all it took for me when I bought the laptop the next day and started figuring out how to get a startup going.

So what did the first three to six months look like? Take us back to those early days.

Yeah, yeah. So it turns out that summer and fall of 2021 was basically the easiest time to raise venture capital in the history of venture capital. If you look back at it, you know, that was like peak zero interest rate phenomenon bubble. So it was pretty easy to get the company going, line up funding, that kind of thing. It was a perfect storm just in terms of the category being really interesting and investors being more willing to invest than they ever had been in history. So we got our first round of funding done right around then and started trying to figure out what problems we were going to solve.
Not normally the order you would do things in the market, but that's what it was like back then. The space was really messy, right? And it still is messy, too. The software supply chain applies to pretty much everything from developer lifecycle to vulnerability management to all sorts of new tools to try to help sign stuff and verify signatures and things that people weren't really thinking of before this. So we tried to just basically throw spaghetti at the wall and see what would stick. I think we understand the space pretty well, but in an early space, you want to make sure that you're targeting the things that people are actually willing to take action on. So that's what we spent the first three, six months doing.

That leads you right up until the beginning of 2022 when the market really corrects itself. How long from when you founded the company until you had money start coming in? What was that time period?

Yeah, early on, we were trying a bunch of different things, talking to potential customers, talking to large organizations. So one of the benefits of being in a space like this, even when it's early, is that it's really, really easy to get conversations with people because the market was really in an awareness mode. And that was sort of fine for a while until we realized that it wasn't just going to be possible to keep raising money on nothing when the market really corrected itself. So we shifted pretty quickly after that to actual product development and sales. I think we ended up closing our first deals nine or 10 months after we started the company. Could have done it earlier, we're just more focused on discovery and awareness first.

And how did you get those first couple of deals across the line? I know getting those first thing customers is never easy. What did you do and how did you pull it off?

Yeah, founder-led sales really. There's no easy answer to it, especially when you're developing a security product.
It's selling the vision as much as it is selling the same product. We started with a couple products at the same time, just to really maximize the chances of something taking off. Our first product that we actually landed those first deals on was the wrong one it turned out. So we got pulled the wrong way a little bit that way, which set us back a little bit. But we kept going on both of them because we thought it was important. And eventually made a hard pivot the year after that over to the other product. We ended up churning somewhere on a million in revenue as we made that transition. It was definitely the right move.

This show is brought to you by Frontlines Media, a podcast production studio that helps B2B founders launch, manage and grow their own podcast. Now, if you're a founder, you may be thinking, I don't have time to host a podcast. I've got a company to build. Well, that's exactly what we built our service to do. You show up and host and we handle literally everything else. To set up a call to discuss launching your own podcast, visit frontlines.io/podcast. Now back to today's episode.

What was it like making that pivot? Everyone always talks about pivots, but they're hard, they're painful. What was it like for you and what did you learn from that process?

Yeah, it sort of looks like a pivot. It didn't really feel like one at the time, right? Because we were doing both things in parallel. You know, we had two different engineering teams working on two different products, talking to two different sets of customers. And it was more of a doubling down on one thing and making our decision to shut off the other one rather than like a hard pivot, depending on how you looked at it. It was sort of just obvious over time, right? You know, we had earlier revenue on one product, but looking out into the future pipeline, demand, interest, awareness, all that was really building up on the second one. And, you know, the market had corrected.
We couldn't really go out and hire more. And, you know, we really had to double down on the one that was working, which required our moving resources off over to that one. So it was a pretty obvious decision at the time, just given all of the circumstances.

Now, if we look at the company from a go-to-market perspective, what does the go-to-market strategy look like right now?

Yeah, it's top-down sales, right? It's sales reps. I'm a huge fan of Ed Sim and his blog and all the stuff he writes and talks about. A hundred bulls start. Staked in as is the term he just talked about this type of sales. It's really our go-to-market strategy. In terms of the marketing motion, it's a lot of inbound still today. And I think that's probably because of some of the decisions we made early on. And that first year when the market was really in awareness mode and budgets had gotten slashed as the market kind of reset, we knew nobody was really going to be buying anything. Nobody was really going to be spending money that year and no one had any budgets. So instead of doing traditional demand-gen style marketing, our strategy was basically to emerge from that year as the most well known, the leaders, the most trusted folks in this space. So we did a lot of really, really far out top of funnel work. The traditional brand marketing, awareness, PR style stuff. So our goal was at the end of that year, if you ask any CISO who the best supply chain security company is, we want them to say us, even if they don't know what we're doing or what our products are. And that's hard and that's expensive. It takes a while to really see results from it, but we're still seeing dividends paying themselves back today.

Did you have any moments during that phase where you thought, shit, maybe that was a mistake, maybe we're spending too much money on this and maybe it's not going to convert? Or did you just have the belief and did you just know that it was going to work?

Well, you can't really do demand-gen when you don't have a product yet. So let's just get out there. We know it's really hard to get people to pay attention to you as a small company. And there's ways to do it cheaply. You can take advantage of being a small startup. You know, one of the things we did a lot of was commenting for news stories, commenting for articles, getting our name out there that way, working with reporters. You know, I'd been at Google and done some of that work, but if a breach happens at a big company, it takes weeks or months to get approval to make a comment on that, especially when it has nothing to do with your business inside of large companies. At a startup, you don't have any of those hurdles. You can just get out there, start tweeting, start posting on LinkedIn, building up relationships with those folks. So they come to you the very next time. And then your name starts showing up in higher and higher level publications and it gets easier over time. So it doesn't actually cost that much money if you're right.

Did you hire a PR firm to facilitate that? Or did you go direct and just engage the journalists directly on Twitter?

We did a little bit of both. We had a PR firm and we still use them. We still work with them. They're great. But you know, at some point, they just start picking up your social media. They start picking up your feeds. It's always funny when I'll just write something on LinkedIn and the very next day I get a Google alert saying somebody quoted me in a newspaper article.

What have you learned about generating media awareness and getting in the media? What have you learned from that whole process?

It's really just got to be genuine and authentic, right? You can't do product pitches. You can't do sales pitches that way. But reporters, they have a job too. They've got to write articles. They've got to put out content.
But as long as you're putting out good, useful content that people are going to be interested in seeing, even if it's not directly related to your product, it's easier than it sounds like it's going to be at first.

What else have you done to raise awareness or in that phase of the company? What else were you doing to really raise awareness and build up the brand?

Social media has been great, right? Twitter kind of died out. We don't get as much engagement on there as we used to. TikTok vid goes for a while. LinkedIn has been the best though. The LinkedIn platform is awesome for this type of content. If you're publishing useful stuff to professionals, the algorithm, all of it works a little bit differently, but it's so much easier to get engagement there, especially if you're putting out interesting stuff.

And who are you trying to speak to on social and via the media? Are you trying to speak to the CISO? Are you trying to speak to the head of product security? Or maybe if there's heads of software supply chain security? Who are you really trying to speak to?

All of it, it's a mix. It takes everything, right? We have a product that CISOs love. It helps them do their job. They really like it. But at the end of the day, developers are sort of in charge of implementing a lot of this. And that's what makes the supply chain security space a little bit tricky and different from other areas in security. Developers are traditionally hard to sell to. They hate spending money. One of the ways I looked at it was developers have the brake pedal on a deal. If they don't want to use your product, nobody's going to spend money on it. There's no one likes buying shelfware. But they're really easy to engage with in other ways. And so if you kind of mix up the content, we do a lot of memes. We do funny stuff. We keep it lighthearted. You connect with both audiences. And it works really well when you get both of them working together.

This show is brought to you by the Global Talent Co., a marketing leader's best friend in these times of budget cuts and efficient growth. We help marketing leaders find, hire, vet, and manage amazing marketing talent for 50 to 70 percent less than their US and European counterparts. To book a free consultation, visit globaltalent.co.

What's been your best meme so far?

Oh, probably wasn't even a meme. Like one of the best posts I ever had that was I just took a picture of my desk and posted it. My desk is a complete, absolute mess. There's papers all over it, books. I don't organize it at all. Empty cans of drinks, that kind of thing. I posted that one and it just blew up. I don't use a second monitor. It's just my laptop. And you know, people are horrified at the state of my desk, how poorly organized it is. But I think that one just blew up. And that's probably the one I've gotten the most views on.

That's funny. Now makes sense. The spare Celsius can that you had earlier.

The Celsius, if you want to sponsor me, let's talk.

Yeah, it seems to come up in almost every episode. So I hope someday they'll sponsor this little B2B podcast. What about positioning? How have you approached positioning yourself in the market?

Positioning is a tricky one, especially when you're in a new category like this one. You know, we get compared to a lot of incumbents that do nothing compared to what we do at all. We're kind of in this space where nobody's really offering a product close to ours. And so it's a lot more education than it is traditional positioning. I kind of hate the term category creation. But you just want people to come in with a good understanding of what you do. Because people hate clicking that contact sales form at the bottom of the web page.

And from a category creation perspective, do you view it as the category software supply chain security? Is that going to be the category or do you think it's going to be something else?

I don't know. It's a tricky one.
You can look up the Gartner charts and all the analyst reports and all of that thing. And you know, they had software supply chain security category reports like six months in when nobody really had anything in this space. I think we're sort of stuck with it for better or worse. But I think the market's going to understand how all these things fit together rather than how they can keep those in the next couple of years in a much better way.

What about analyst relations? I know you mentioned it there. How important is analyst relations to your current go-to market strategy?

We don't do a ton of it. We don't focus on it a lot. They're out there. You know, we don't ignore them. We work with them trying to make their jobs easier. But it's not a huge strive for force today.

Who's the company in cybersecurity that you think is doing really good from a marketing perspective?

I love Wiz. Obviously Wiz is just crushing it at all aspects of cybersecurity. But I love the way they keep it light-hearted. People like the brand. They love the product. That's the more important part here. But yeah, their branding, their messaging, their marketing. They do both everything from really serious cybersecurity research and vulnerability discovery out to just fun games and the way they talk about their brand in the company.

I was at RSA this year and you're just walking around. Everyone looks the same. And they have, was it like Wizmart or something like that? So damn clever. I just wish I could be that creative. It was crazy.

Yeah, I've got a couple pairs of their socks. A lot of say.

Amazing. I love it. Now let's talk a little bit about funding. So I know a couple of weeks ago you announced a big round of funding. Talk to us about what you've learned about fundraising throughout this whole process since founding the company.

Yeah, you know, I went into this knowing absolutely nothing about fundraising. There's reading books on it and stuff. You know, all this started.
There's a lot of different approaches you take to it. You know, probably one kind of unique thing for us is we've never made a pitch deck. We've never made a VC pitch deck. I think energy you're spending there is energy that's probably better spent on your product and your business and everything. It's sort of how I look at it. It's important, right? You obviously need to fundraise when you're trying to grow this fast and scale a business. But I see a lot of these things flying by about, you know, tips for your pitch deck and services that will review pitch decks and everything. And I always just kind of shrug my shoulders at that. If you focus on the business and you're building a great business and the numbers speak for themselves, that's really where you should be spending your time and your energy. And that's what we do. I do like building relationships with investors, though. I think that's incredibly important. People talk about that a lot. Like, you know, when you get someone on your board, it's longer term and harder to get out of than a marriage in most cases. And you really do want to know the folks that you're going to be working with and build up that relationship ahead of time because that's one of the most important ones in a company.

What type of growth are you seeing today? Are there any numbers or metrics that you can share?

We don't really publish metrics on revenue growth or anything like that. But it's going really quick for us. We got really far behind on sales hiring that first year because we were doing founder-led sales and didn't quite know how all of that stuff worked. But catching up there has been huge for us. And one of the biggest mistakes I think we made was not hiring sales reps early enough. You read a lot of the advice and it says, "Founders have to close the first 10, 15, 20 deals, something like that." And I agree with that, right? You can't get yourself out of the sales cycle.
But selling, especially in top-down to CSOs with really high ACVs, that is a skill in and of itself. And when we first brought on our sales reps, we really learned everything we were missing in that space, and I wish we did it probably three to six months earlier. I completely understand the advice VCs give when they say, "You've got to do it. Don't hire reps," all that kind of thing. They're probably pattern-matching on that meme of technical founder that thinks, "If we build it and then hire a bunch of fancy sales reps in suits, they'll be able to sell it." That's not it, right? Don't do that. Don't do that. But there's a big difference in value-selling and getting people to believe in their product. And then actually knowing how to navigate procurement at a massive enterprise and get to a signed contract at the end. But if you don't have that skill, if you've never done that before, then hiring really good sales reps is indispensable, and it's only going to speed you up.

What did you learn from the process of building out that sales team and transitioning away from founder-led sales?

Hiring the right reps is the most important thing, right? There's a whole bunch of different strategies on this, but a great sales rep is make or break. It's hard to do. It takes some luck, especially if you've never done it before. But selling into a company, selling into a large enterprise, it's project management on both sides at the end of the day, especially in a small company when the product is still evolving as you're selling. Sales is one of the hardest jobs out there, and finding great sales reps and making sure that you're compensating them well is incredibly important.

Now that you've transitioned out of founder-led sales, what's a typical day look like for you? Where are you spending your time?

It's the spectrum, right? I don't know that you ever really transition out of it, especially at a startup selling to big companies. I still spend a lot of time with prospects.
I spend a lot of time with existing customers, keeping them happy, understanding where their needs are, relationship building. We're 150 people today, something like that. If you're selling to some of the largest companies in the world, they expect these idea alignment. They expect leadership to show up into these rooms, and I think that's still a great use of time. So I do still spend a lot of time in those meetings, building those relationships at those conferences, at those dinners. And seeing that, hearing feedback directly from customers is always great. But yeah, it's a lot of that. I'm an engineer by background. That's what I did for 10 years before starting this company. I do still love to get involved in our product. I probably write more code than I should be doing still. But just bouncing around between all those areas, and especially at a growing company, there are always fires to be putting out, and there's no such thing, really, as a typical day.

If you were speaking to early stage founders, let's say seed stage founders, building cybersecurity technology, based on everything you've learned from a go-to-market perspective so far, what's the number one piece of advice that you'd give them?

Planning ahead is hard, especially with so much uncertainty. But when you're scaling an enterprise business, even thinking a year out isn't far enough, you've really got to be thinking 18 months out. All plans are made to be broken, but you still have to have a plan. But typical ramp time for an enterprise rep is six months. It takes months to hire somebody. And when they start picking up quotas, you don't really see that impact for a year out. If you get behind there, it's really hard to recover from. And planning a little bit farther out, even when you know it's all made up, and it's all going to change every quarter, is really, really, really important.

Final question for you. Let's zoom out three to five years into the future.
What's the big picture vision that you're building here?

Yeah, it's on our website. I think we finally landed on a mission that we like, and we all understand. But a safe source for open source is really what we're trying to build. Our product today is a set of hardened container images, but that's one way that people consume open source. We're really trying to provide a safe platform for people to use any of the open source code they need, any of the open source code they want. And that's a moving landscape. And it's going to take us at least three to five years to get there.

Amazing, I love it. All right, Dan, we're up on time, so we'll have to wrap up here. Before we do, if there's any founders that are listening in and they want to follow along with your journey, where should they go?

My LinkedIn is probably the best place. That's where I write the most content these days. It's obviously our website, chainguard.dev, or my LinkedIn, which is just my name, Dan, L-O-R-E-N-C.

Amazing. Dan, thanks so much for taking the time.

Thanks for having me.

This episode of Category Visionaries is brought to you by Frontlines Media, Silicon Valley's leading podcast production studio. If you're a B2B founder looking for help launching and growing your own podcast, visit frontlines.io/podcast. And for the latest episodes, search for Category Visionaries on your podcast platform of choice. Thanks for listening, and we'll catch you on the next episode. [Music]