Informal security chat with Beyond Identity's CTO Jasson Casey, Founding Engineer Nelson Melo, and our host Marketing Empress Reece Guida on how devs don't want to talk to sales.

Transcription

Reece

Hello, everybody. And we are here for the "Cybersecurity Hot Takes Podcast," featuring me, the Empress of Marketing, and Jasson, the CTO, who is casually sipping from coffee I hope, and Nelson, who is by the Empire State Building. He is our founding engineer and our global sales engineer. So, welcome, guys. I hope you've had a good week, and today I'm gonna just throw out a hot take, and you guys are gonna either say yes, agree, no, disagree. Let's get into it, have a good debate, have your facts ready, let's go. Today's hot take is cybersecurity companies cannot do PLG. When have you ever seen a company like CrowdStrike do PLG? Go.

Nelson

Jasson, I feel like you have a take on that.

Jasson

So, yeah. I think a couple things. Number one, it's not in the historical sales motion of a lot of companies to allow their product to be discovered without the carefully curated experience by a sales team. So, to back up a little bit, PLG, product-led growth, is a fancy way of basically saying prospective customers should be able to learn about your product, sign up for your product, try your product out, not spend any money, and not have to suffer through receiving any sort of calls by someone who's not technical, really anyone, until they understand, number one, what is it you're doing? How are you doing it? And is it even interesting to them, right? And I know I'm certainly guilty of that. When my phone rings from a number that I don't know, I no longer answer it.

If they actually know me, they're gonna leave a voicemail or text and I'll call them back. Most of the time, it's people trying to sell us stuff. And it's not that I don't like learning new things. I mean, clearly, I do. But I'd rather kind of learn a little bit on my own before I really engage with anyone, because we're all busy. We all have stuff to do. And so, yeah, PLG is a set of products that there is a way to release a product to allow that sort of experience. The counter argument to PLG is, well, it, really, the engineers aren't necessarily the key decision maker, they're folks that would use the product. We could do that, but that involves cost and it doesn't necessarily buy us anything. We focus on the CISO, blah, blah, blah. And that's kind of the historical motion.

Personally, I think CISOs, CIOs, CTOs, for the most part, are largely former engineers. I shouldn't say former. And the engineers that you're allowing to try your product today are tomorrow's CISOs, CTOs, and CIOs. So, PLG is not a silver bullet, but I think not having a self-signup and being able to outreach to those folks, it can be limiting, and yeah, there's no reason why you cannot have such a sales motion on a cybersecurity product.

Reece

Yeah. It's by developers, for developers.

Nelson

On the flip side, identity companies seem to have almost no problem letting people try stuff. Okta, OneLogin, more the SaaS ones, but on-prem, you can even find a wild copy of Ping or Forgerock and install them and try it locally. Wonder why...

Jasson

I'm sorry. Go ahead.

Nelson

Why is that?

Jasson

I'm kind of curious, and I don't actually know the answer here, but was that a true statement before Okta?

Nelson

That's a good question.

Jasson

Right? Like, Okta... So, you can look at a lot of the identity companies. When they were founded, how long their products had been around. And I think it's easy to see Okta as probably one of the youngest, right? They were founded in what, the early teens, 20 teens, or late 20, or 20 aughts. And last I checked, they were what, $30 billion, $40 billion in market cap. And their primary sales motion has always been about trying things. Well actually, I don't know. Has it always been about trying things? I certainly know my experience with them over the last three to four years has been it's easy to create an account, not unlike Auth0, but although technically they're the same company now.

But you can try a thing, you can see how it works, and then you can decide on whether you want to use it or not. I'm kind of curious how much pressure Okta put on the market to enable that sort of sales motion, right? Because Okta started up about the same time a couple other companies, but with a different sales motion, and one of them has a 30X to 20X multiple over the other company.

Nelson

Gotta be something to that.

Jasson

Well, I mean, it's clearly growth. But then the second level question is how did they achieve that growth, and how much of it was bottom-up? I don't think it's also that clear, right? Like, when you talk about identity stack, you have a complex set of users, right? You have IT engineers, who are going to assess the system and do the work. You have end users that are gonna feel the impact of that sort of choice. You have a CISO, who's gonna have some sort of play in it. You have a CIO who's gonna have some sort of play in it. And PLG motions, I don't know how successful they are in their own, in a product that has such a complex set of stakeholders. So I don't think the Okta story is as simple as PLG helped them achieve that growth rate, but it's hard to believe it wasn't a key factor in that growth rate.

Reece

So, do you think that cybersecurity companies are scared to do PLG because there's a lot of stakeholders and there's the assumption that rolling out cybersecurity products is complex?

Jasson

I don't know if they're scared, but there's definitely a mindset amongst having a self-signup product, along the lines of... So, the argument goes like this. It's basically, no matter what you do in your product, you are going to incur an operational cost, right? So, with PLG, it would be like, all right, if we put something out there, we need to have documentation. We need to make sure that there's a good experience for anyone that lands in there. We need to make sure that we can service anyone who lands in that experience, with questions and support and whatnot. So it's not a free activity, and it's not a one-time expense from a development and support perspective. You will be doing things that are constant.

So then, the flip side, so then the second argument is, so, I have that baseline expense. And then the second thing is, what do I get for it? And traditionally, cybersecurity products are kind of sold to CISOs. And some CISOs will try out products, but all of them won't, and a lot of traditional sales motions are more focused on building a relationship with the CISO, or with the security architect, or some key set of decision makers, and then engineering a POC or a POV to try out their product, and only then and then will they engage.

So, I'll use CrowdStrike as an example, right? So, counter to Okta, right, CrowdStrike, for the longest time, had no real self-signup motion. And in fact, I remember actually calling on a CrowdStrike rep when we first got started here about getting some EDR going, and I was kind of unceremoniously told that we weren't qualified to be a customer of theirs.

And I understand how that probably happened from their perspective, right? Their sales function is this machine that they're focused on getting a certain market segment, a certain revenue segment. We're probably outside of the ideal customer profile of that subset of machine. So they're like, yeah, you're...some salesperson saw my call and was like, yeah, I can't make my quota by selling to 10 of you, so, nope.

And CrowdStrike's another example of a company with a fantastic market cap. They've been...no one, I think it'd be hard to argue CrowdStrike has not been a successful company, and they haven't had a motion like this. So, there's no silver bullet. Personally, I think it's a useful tool, back to that argument of if you're investing for the long term, tomorrow's CIOs, CISOs, CTOs are today's engineers. And if you're building a reputation with them as a serious security player who's trying to help them not just solve problems, but prevent problems, it's helpful to you, it's helpful to the company, and it's helpful to everyone.

Reece

Nelson, you're reading a book about PLG. You told me that earlier today. Do any of those insights apply to this conversation, or are framing the way that you're thinking about PLG as a developer?

Nelson

Yeah. So, I'm reading "Product-Led Growth," by Wes Bush. And I only just started it, so I don't really have much to say yet. But I think the key takeaway for me right now is the, you have to be very purposeful about why you're trying to do PLG. Especially if you're started with a sales-led motion, because you have established momentum there, and you have to make sure your sales force and the folks that are doing X now understand that there will be other users that are going to start coming into the platform, and you have outreach from them, and there's gotta be a process to deal with those.

So it's sort of interesting, because before, I worked at Beyond Identity. I've never worked in a company that didn't have a PLG motion. To be fair, I've worked in a lot of startups, which tend to start that way. And more than that, developer tools that tend to really be focused on folks trying it out, giving feedback, have great documentation. But I gotta...when we started Beyond Identity, I was very bewildered by the decision not to do PLG from the beginning, but when Jasson explained the reasons behind that, I think I pretty quickly understood it's as valid as anything else that other companies do.

Jasson

Yeah, there really is no silver bullet. And it just depends on, like, how do you actually sell your product? You have a finite amount of energy in how you build and support your product, and how you sell your product in your first couple of years, versus your mid years, versus your later years, can be different. And again, I think Duo and CrowdStrike are perfect dueling examples of having a PLG motion. Maybe Auth0 is a better example than Okta even, but of having a PLG motion versus not having a PLG motion, and still being successful. There's also some really interesting insights in when you make a sale of an Auth0-style product versus a CrowdStrike product, the sales motion is a bit different. The lead cycles are a bit different. The number of people that you have to convince and how you convince them are different.

So, like, you really...yeah, this sounds trivial to say. There are no silver bullets. There are no magic buttons. But yeah, who are you selling to? How are you getting them over the hump? Just because you convinced someone to use your product doesn't mean that company will actually use your product, right? Like, do they actually have the ability to put things in play? All of these come into the factor of, should you, and how do you offer a PLG on-ramp?

With that said, I know there are a bunch of security personalities on Twitter that lament this day in and day out, and their primary complaint is I don't want to take a sales call from some person I don't know. I don't want to hear another marketing pitch that honestly sounds like every other marketing pitch. Let me just sign into your product, see what it's about on my own, and you don't call me, I'll call you if it's interesting. And I can appreciate that.

Reece

And with authentication, I think doing PLG takes on even more importance, because authentication sets the tone for experience in a lot of ways. And PLG is all about experience. So, there's a lot at stake with PLG, but if it's done right, the payoff can be huge for both sides of the equation.

Jasson

Yeah. The developer use place, I think it's very obvious in how it helps. Companies always start small. Companies don't start big. They might grow to be big. Companies generally are started by technical people, or by engineers, right? They have this passion, this idea, and they usually get the company to the point to see if the company can be viable. And then they seek partnership to figure out how to grow the business as a business, not just a product disruptor. And, you know, when that group of wide-eyed founders is waking up every day in their first 18 months, what do you think their first thought is when they stick their feet outta bed? It's probably not, "I can't wait to work on my IAM stack." Right?

It's probably the point of the spear, whatever the point of their business actually is, which is, I don't know, have people exercise in a fun way, a la Peloton. Or be able to help people find local dog walkers, a la Wag. I think they're gonna IPO here soon. They all have an authentication problem, but it's not necessarily the point of their business. So, if they get it wrong, it hurts them. If they get it right, well then everyone claps and says, "Congratulations for putting on pants and a shirt. We all have to do it." So, it's not really their primary thing. So, they're getting started. They don't necessarily want to build it themselves. They know they need it. So having a service that they can do a self-signup, try it out, and immediately just start running, and save themself the headache of dealing with, like, complex security issues, implementing things correctly, choosing multi factors that actually aren't trivially phishable. Like, why take the chance of getting all of that wrong.

Reece

Yeah, why put on your pants backwards? You know, some people do it, but why?

Jasson

So, with a PLG motion, like, do a sign up, pull down a library, implement three functions, and away you go.

Reece

Yeah. And that puts a nice bow on it. Thanks for talking about PLG, guys. I'll see you next week for the Hot Take.