Ep. #18, Secure Infrastructure with Elizabeth Zalman of strongDM
In episode 18 of EnterpriseReady, Grant is joined by Elizabeth Zalman, Founder & CEO of strongDM. They discuss enterprise software go-to-market, remote teams, product prioritization frameworks, and SOC 2 certification.
Elizabeth Zalman is the Co-Founder & CEO of strongDM. Previously she was Co-Founder and CEO of the cross-device profile company Media Armor. After its acquisition, she served as VP of Analytics at the acquirer, Nomi. With over 15 years of experience leading data-driven organizations, she is an expert in analytics, data privacy, and security.
Transcript
Grant Miller: To get things kicked off, it'd be great to hear a bit about your personal backstory and where strongDM came from.
Liz Zalman: Sure. Do you know what ICQ is? The precursor to instant messaging?
Grant: I remember it.
Liz: ICQ is an Israeli company, and there were a couple of founders, I think three or four. One of the founders of ICQ is this guy named Yair Goldfinger.
Grant: That's an amazing name.
Liz: It's an amazing name, yes. So ICQ got acquired by AOL for $400 million dollars or something in the late 90s, and after ICQ Yair went out and started a company called Dotomi.
In typical Israeli format, Dotomi stood for "direct one to one messaging over the internet."
Grant: That's amazing.
Liz: Yair essentially invented what today is called re-targeting or re-marketing, which is those banner ads that follow you around with a picture of the thing you last looked at on the Gap's website.
He started this company and I was employee number seven, maybe.
I joined them in Boston as their first account manager, and then I moved with them to Chicago and I stayed with them for four years.
They grew up to be this big behemoth. They actually ended up getting acquired by an ad network and then took over the ad network, and then got acquired by Alliance Data Systems, which owns Epsilon for over two billion dollars.
I left them well before that, four years in, and I was working with this guy named Eric. We saw the start of smartphones, and it was when HTML5 was just beginning.
The iPhone had just come out, so this is 2009 maybe? 2008-2009, and Eric turns to me and he's like "I have this idea. Why don't we do something with smartphones and mobile? Dotomi is not doing anything in mobile, it's all web."
And I said, "OK." So in typical entrepreneur fashion, we're like "We think we can do better." So we quit.
Grant: Mobile is a pretty good trend to quit off of.
I think it's a good one to be like, "We think there's something here. This mobile thing could be big."
Liz: "It could be big," that's right. And he was working for a mobile ad network at the time, so all he did was AdOps all day.
He said, "There's actually a problem in mobile in that agencies are spending a ton of money, and they have no visibility as to whether ads are rendering on the phones."
That's how early it was, verification services didn't exist in ad tech, on mobile specifically. DoubleClick existed, "Did an ad appear on a browser?"
But not on mobile. So we did that, I moved from Chicago to Boston. I slept on my co-founder's floor for a month on the air mattress, actually.
We started a company called Media Armor, which started as mobile ad verification, and four years later ended up essentially becoming a 360-degree consumer profile.
By the end of it, we knew who you were on any device that you owned, and we could track you to an in-store purchase and then update your messaging based upon your behavior.
I would integrate with brands on their websites, on their mobile sites, on conversion pages and within email blasts, so I would create essentially a graph, "Your device graph."
Then I could track you doing in-store purchases, and in-store purchases-- Like, how many times do you give your email at the register now? Often.
Grant: Not that much for me personally, but that's mainly because I don't shop anywhere but Amazon.
Liz: Maybe your wife?
Grant: They have my email address every time I buy something, but that's just Amazon.
Liz: Right. There you go. Amazon was not a customer, unfortunately.
So we raised $1.75, Greycroft and Inovia were our leads, and at that time a series A was $1.5 million, not $10 million dollars.
So we raised an A, and we realized that the best exit at that point was going to be an acquisition and that we needed help to grow bigger.
So we got acquired by another Greycroft, and actually a sell-back company called Nomi.
Nomi was Google Analytics for the physical world, so they would install Wi-Fi sensors and Bluetooth beacons in physical retail locations, then based upon your proximity of the phone to the sensor they would track your literal physical path to purchase.
So if you took this in-store footpath and you combined it with the Media Armor 360-degree digital profile, you had what I may or may not have affectionately called "The Death Star."
Grant: Nice. At least you acknowledged--
Liz: Totally acknowledged.
Grant: The dark side--
Liz: Do you know what a Fathead is?
Grant: The sticker you put on your wall?
Liz: Yeah, the giant wall-sized sticker. I may or may not have purchased a Death Star Fathead.
Grant: That's amazing.
Liz: So Nomi acquired us and we were working together for about a year, and they ended up getting acquired by another company called Brickstream, and Brickstream did hardware manufacturing for sensors.
They wanted to move into the modern age. In the middle of all of this, Nomi had a data breach, so they had--
Grant: Pesky security stuff?
Liz: Pesky security stuff. They used Mongo to essentially store just hundreds of millions of hits that were coming in from these sensors in all of these retail locations.
They had every major retailer in the US that you ever heard of, and other guys like restaurants and such.
Mongo is not the most secure when you set it up, and Mongo ended up leaking on port 27017.
A hacker got in and found all of the MAC addresses of every phone that Nomi had ever seen in any one of their locations, totally not encrypted at rest, and the FTC found out.
Grant: OK, so the challenge was that Nomi had a handful of different security issues.
The first being that they exposed the database on the internet publicly, like just over a port. Unauthenticated access to that database over that port, right?
Liz: There were a couple of things. The Nomi privacy policy stated that data was encrypted at rest, and it wasn't.
Grant: OK. So, even then--
Liz: There was a disconnect between business and IT.
Grant: So you're saying they attested to one bit of their data policy that just turned out it wasn't true?
Liz: There was a disconnect between teams, yes.
Then Mongo, I think there were controls put in place but nobody QA'd those controls.
Like, if you're going to spin up a database today, and you're going to tell us that you're going to put it behind a firewall, you need to get access through that firewall or onto the VPN in order to gain access to the database.
You're going to test that's the case, right? You're going to try to--
Grant: Yeah, we would probably even spin it up through some automation.
We probably wouldn't be-- We always called that process of doing it manually "Artisanally hand-crafted servers," and we're never a big fan of those.
Liz: Bespoke servers?
Grant: Yeah, bespoke servers. Everything for us is automation, but I understand years ago that was not the case.
Liz: Yeah. So, what year was that? That's like 2014.
Grant: They could have been using automation, but they didn't. It's fine.
Liz: But they didn't, right. People didn't QA that the steps that should have been taken to get that Mongo lockdown put in place.
Grant: And that was all the data, just tons of data.
Liz: That was all the data.
Grant: It's a huge Mongo list, it's tons of information. Interestingly for Nomi, it's their direct end customers who are consumers, who a bunch of data is now leaked out about. Right?
Liz: It's MAC addresses, which is considered PII in most countries. Certainly in the EU and America, I think Canada not.
But that being said, who knows what I can do with a MAC address, right?
You might need other information to triangulate who I am, but I think the black eye ended up being on the retailers.
Where if you look down this list, you can Google it and you'll find it, it was 7-Eleven, Abercrombie, Aerosols, you name it.
It was just a massive black eye for these guys.
Grant: I often talk about this from one perspective, which is that as an enterprise, really as any organization, security posture of your least secure vendor really becomes your security posture.
You can do what you want, but as soon as your vendors have access to this data and they are not truly secure, that's your security posture. It's the weakest link, right?
Liz: Yes. Any vendor that you are relying on for anything critical to your business is now-- Correct, that's right.
So there are things that-- There's certainly things you can do, I can think about the things that we as a provider of security are held to.
Things like SOC 2, things like pen testing, things like ongoing vulnerability scanning, things like contractual notifications of any breach within probably less than a 24 hour period, and so on and so forth.
But the number of companies that actually ask that of their vendors is very small, and I have conversations with people all day. I just sit there and I listen to their security posture, and there's no judgment, there's no good or bad. Because if I'm being honest, at the end of the day, everybody can get breached. That should be our default state.
You have to ask yourself, "It is scary to think we are all completely interconnected and interdependent, and we simply don't ask the right questions."
Grant: Let's dive into a little of that in a bit. I want to keep going into the story around strongDM.
So you were at Nomi, they acquired your company and you're all excited about working there, and then they get breached. Were you there during the breach?
Liz: Yes, I was. Nomi itself got acquired by this Brickstream company, and so I got out with a double trigger.
Grant: OK.
Liz: That was all happening at about the same time, and that happened, and the FTC got wind of it because the hacker went public.
Nomi ended up becoming subject to not one but two FTC consent decrees, and then the whole entity just went out of business.
Grant: Interesting.
Liz: That was exactly what happened.
Grant: So, you were nevertheless fairly close to this breach.
You knew what was happening, you were paying attention, you knew the team.
You were staying connected, you were still there. Maybe you were on your way out, but you had a pretty front row seat for what happened here.
Liz: I had a pretty front row seat, yeah. Now, thank God Media Armor was collecting the CRM data from companies, so that data was stored in a completely separate system and had never been integrated with Nomi.
Grant: One of the advantages of--
Liz: An acquisition--
Grant: Without great integration, "Yeah. We're going to integrate this all in." "We didn't integrate all the processes, but it turns out that saved our ass."
Liz: Yeah.
Grant: That's funny.
Liz: So all this was going down, it was actually the summer of 2014 and it's all happening at the same time.
I have two co-founders, one is my CTO Justin, who I went to high school with. I've known him for a million years and he taught me how to drive a stick, actually.
Then Skyler, my co-founder and CMO, he was the VP of marketing at Nomi.
That's how we met, and so we are in the trenches together while this is happening later that summer.
We are just fighting for our lives, with customers together, hand-in-hand combat. When it was all over, I was like "This guy's great. I trust him explicitly."
So the three of us started talking and batting around ideas of what we might want to do for a business, and that's how everything coalesced.
Grant: Tell us what strongDM does now?
Liz: strongDM manages and audits access to servers and to databases.
Grant: OK, so dive into a bit more about how you do that and why it's different.
Liz: Companies today have, what? Three, four or five different types of database management systems.
They're running one or probably two different types of operating systems on their servers, probably a bunch of Linux and some Windows, and if you are managing access to those systems for technical teams--
By "Technical team," you could be somebody in the BI team or you could be an actual engineer, you're doing it by hand.
Maybe there's a little bit of automation using Chef say, but you're creating users in the database and you're managing them manually.
When it comes to seeing who's doing what, maybe you've got agents installed on the databases. It's certainly not--
You don't have complete logs, they're not all in the same place, you certainly can't see what people are doing in RDP sessions or SSH.
We simplify that into a single control plane, it's a proxy, and then you can see who's doing what when you put everything through.
So, simplified access and full visibility.
Grant: Then who would your customers be today?
Like, not necessarily if you don't want to name specific customers, but just generally what types of businesses?
Liz: The product does a pretty good job of ranging all the way from super small teams all the way up to Fortune 100, so the cool sexy brands that we have that your avid listening base might know of.
Peloton, Yext, Hearst actually started as a customer and they liked it so much they asked to invest.
Grant: Cool.
Liz: It goes up and down market.
Grant: OK, so would you say this is a solution to the problem that you experienced at Nomi? It feels like it's not a direct solution, but it feels related.
Liz: It's related in the sense that-- If we speak in Amazon parlance for a second, if you're spinning up infrastructure today that stuff is going to be firewalled.
If something is particularly sensitive you're going to put it away into a subnet, into a DMZ that probably not many people are going to have access to.
So, let's say Strong existed four years ago and Nomi were a customer of Strong, I think what I probably would have recommended is that nobody would have been able to gain access to that Mongo instance unless it was coming from an IP of one of our relays.
In that way, the only way you could have gotten access to the relay is by having our software installed on your workstation.
Grant: Right. So you're telling me you would have had them not expose it on the public internet?
Liz: That's correct.
Grant: OK. That's a great idea. Sign me up.
Liz: You said it, not me.
Grant: OK, so how long have you guys been around for? Was it 2014, and you then started this? What was the--?
Liz: That's a good question. I think we closed our first round in early 2015, so we've been around since early 2015 and we've raised $5 million dollars.
True is our lead, Bloomberg Beta is in us, Data Collective is in us. The chairman and former CEO of Splunk, Godfrey Sullivan, is in us.
Grant: When you think about how you're going to market today, just generally it helps, would you think about yourselves as a bottom-up or more of a top-down?
Liz: We are definitely a top-down.
Grant: OK.
Liz: It's an excellent question, because I get asked all the time "Why don't you go to meetups and talk to developers?"
If I think about how Duo, like if you talk to anybody about Duo it's this product that that everybody loves.
When Duo first came out people were like, "This is the absolute right way to do things."
There was this evangelist swell of the doers who wanted this multi-factor solution, and I wish that were the case with a control point. But if I'm going to go and buy an access plan to manage all of the access that I have at a company, it's got to come from the top-down. Because why buy a control plane if you're not going to put in? It's all or nothing.
Grant: Sure, OK. So then you find yourselves, like your key advocate is going to be a CTO, or VP of engineering, something like that?
Liz: Yeah. Head of infrastructure.
Grant: Great.
Liz: IT, infosec, something like that.
Grant: So, they find out about you because you're connected? Call in, shoot them an email, what's the normal way that customers are finding you?
Liz: All sorts of things. From a marketing perspective, we put out a lot of content. Less-so sales stuff, more educational.
You can't sell to infrastructure guys, they have a very clear opinion and they know what they want or don't want.
Customers love us, so it's a lot of word of mouth. I think the typical software playbook at this point.
Grant: Great. And your team, how big or how many people right now?
Liz: We're distributed and I think we're just under 20 right now. We're all over the globe, which is awesome. We're on video all the time.
Grant: Funny.
Liz: Yeah, it's fun. People are like "How do you do it?" I'm just like, "We love video. We love video and we love Slack."
Grant: What's the furthest timezone from you? Is there anyone that's ten or twelve hours?
Liz: There is. We have Amsterdam, actually. But he works pacific hours, so when he goes to bed it's like-- What time is that in Amsterdam?
Grant: I don't know.
Liz: That's enough.
Grant: They should only be what, six hours or seven hours from New York?
Liz: Right, so it's 9 from San Francisco.
Grant: Yeah. But it's better for you, it's not too bad.
Liz: I'm great with it. I just don't know how he could be up, but that's how he's worked forever and ever and ever.
Grant: That's actually the funny thing about being distributed. When I was at Live Person and I was based in Los Angeles, we had a big office in Tel Aviv.
The 10 hour time difference was actually the thing I found to be the hardest, because I would be trying to take meetings at 7AM and it's their 5PM, and with Tel Aviv there's also that you only overlap with four days because they start working on--
Liz: They don't work on Fridays.
Grant: Yeah, so they start working on Sunday. Both parties felt inconvenienced by these meetings, and so it was hard to get that.
Even over video, you're there, you're seeing each other. But I'm not super stoked to be on a call at 7AM everyday, and they're not super stoked to be staying past 5 when they want to go see their kids.
So that's the biggest challenge I have with time zones, so it sounds like your employee that's in Amsterdam has figured out it's better just to stay on the same time zone as the rest of team as much as possible.
Liz: Or, maybe he's just a night owl.
Grant: Yeah, maybe.
Liz: No, but it's true. I had a demo today with somebody in Israel and it was 2PM Eastern, and you get on the phone and he's like, "It's 9PM," you can hear his kids screaming in the background.
Grant: Yeah, that's the biggest challenge. Because you want to be able to live a normal life and have family and things outside.
Liz: I don't think you can say that, you're an entrepreneur. You can't have a normal life.
Grant: Yeah, I have a somewhat normal life. I try to. Or at least, I try to make sure that everyone on my team has a fairly normal life.
Liz: Better.
Grant: That's important. That's really important.
OK so strongDM, you guys are helping secure infrastructure and you're doing top-down sales, so then who are your first customers?
How did they help you discover the problem and the solution? What does that product discovery part look like for you?
Liz: It's a great question. I'm going to give the banal answer of "We listen to our customers," except I'm going to caveat it and say that most people who say they listen to their customers are totally full of shit.
And-- Maybe that's not true. Do you listen to your customers, Grant?
Grant: We try.
Liz: So we actually had an idea of what we wanted to do.
We knew that this thing with Mongo shouldn't have happened, so we were like "We're going to do something with access.
There's got to be something with auditing." And Justin sat down and just started to code.
He's like, "I have an idea. I think I want to do something with a proxy on a workstation and an intermediary, and we're going to see where it goes."
He knew he wanted to write in Go, he wanted something pretty low-level, so he's off coding and Skyler and I had no idea what customers wanted.
This is pretty new, because if you were managing stuff to date you were doing it by hand. Things like Active Directory don't extend to servers, let's say.
Or even to modern databases, what was last time you could integrate Active Directory with Redshift? It just doesn't happen.
When was the last time those two words were used in the same sentence?
So Skyler and I went out and literally called everybody in our network, and we did these product development interviews, and both of us were on every single call.
So, it was one person who was administering the call and one person taking notes and IMing the other when they were like introducing bias into their line of questioning.
We would start with some provocative questions about data and access, and then we would just let the person talk.
Some of these were 15 minutes, some of these were an hour long and it was everybody's.
CEO, marketing people, we went to ad tech and we went to banks, we went everywhere.
After maybe 150 of these we stopped and we took down every single thing that people were complaining about as frustrating in their job as it relates to this subject area, and we aggregated it into different features or things that we may or may not need to build in order to sell it.
Then Justin finished an MVP, and Skyler and I started selling it. It was like hotcakes.
We started off with Postgres as our first protocol that we deconstructed; SQL Server was the next one.
It was very simple at the time, it was just "Can we manage access? Can we log queries?"
Then we started adding database protocols and going down the line of listening to our customers, and then people started asking for SSH.
So we were like, "Let's see." And we deconstructed that, and then people started asking for RDP so RDP came next.
By the way, surprise-surprise, even modern day startups-- Like the Peloton example, these guys still have Windows servers sitting around and everybody's got an AD server sitting in a closet somewhere, so that's how it expanded.
People asking and then us delivering. We actually-- I can't think of a single feature that we've built unless somebody has paid us for it.
Grant: So this is a bit of a-- Partially out of my personal experience, but you're building some features that customers are asking for or maybe paying for, are you doing a full go-to market with every one of those features?
Like, rolling it out to the rest of your customers and making sure that it's not just the company that asked for it, but everybody else knows about it. It's launched.
Liz: There are two phases. There is what I'll quote as a "Design discovery phase," where we sit down and we get what our customers are asking for.
We're going to go and build V1 of that, it's not going to be the most user-friendly design. It's going to be a little kludgy and we're going to get it into four or five people's hands.
We're going to watch how they use it, and then we're going to go and revisit it and refine it to make it generally available.
Grant: I say that because we build a lot of stuff at Replicated. I'm sure you do too, and especially when your team is very engineering-oriented, it takes a lot of effort to make sure that you're writing all the docs and all the examples, and you're writing the blog post to announce it, and you're integrating into your dashboards so people can discover it.
I think that one of the points I try to help everyone see is one, writing code is not-- You're not nearly done. That's just a step, that's like 5% of it.
Then you've got to get it all the way automated and into production, and then it's like "We've got to get people to use it."
You have to enable the rest of the team, talk about it and scale it, and so there's so much more that has to happen other than just writing one of these features. It's a lot of work as a startup.
Liz: So, let me ask you a question. In your case, does this new feature make you more money or does it make you stickier?
Grant: Yeah, I love this. So I mentioned that you were attracted to it.
We always have this framework we talk about when we look at potential things to build, and we think about it in terms of acquisition, conversion and retention.
We'll score lists of features that we think we might want to have on those different metrics.
Really, what our measures are in. OK, "How do we think this will help us acquire new users, convert folks that are trying it out, or retain existing?"
So, it depends. For us, we don't have a retention problem much anymore.
Probably because we've built too many retention-oriented features in the beginning.
Liz: Congratulations.
Grant: Yeah, exactly. So now it's like, "OK. Where's the pain?"
It's like now we're focusing more on conversion, so we think about trying to make as many features as we can that will just help people convert faster.
That's been a big focus for us, but that depends on what that feature is. How do you think of it?
Liz: I think similarly. So for example, if you're running Netezza and I don't support Netezza, I'm not going to even get you into a trial.
That's a very clear line. Now there are things that you can build support for after a conversion, so let's say somebody wants to buy in Strong to Okta. Of course, we support Okta, but let's say we didn't.
That might be something I could build as a condition of the conversion.
Grant: Sure.
Liz: Wait, what were the other two? You said "Acquisition," and then "Retention," and--?
Grant: Conversion.
Liz: "Conversion," OK. For us, the bulk of features fits into the retention and stickiness category.
"How can I make sure that Strong is more and more and more useful to you?"
Adding SSH means that I now not only proxy access to databases, but I've got your whole engineering team from a server perspective, and dev ops people.
If I have an integration, if you can take our logs and you can pipe them directly to S3 or send them directly to Splunk without writing a single line of code, that's just made me stickier because you now rely on my logs within your system.
Grant: Sure.
Liz: And then honestly, we actually have a third category. I'd say things that demo really sexily.
Grant: I love that.
Liz: So, time boxed access is an amazing demo feature. I can grant myself access and I can fire myself on a demo, and people are like "Whoa."
Grant: That's actually so funny. When I built my first company, we had this feature that was basically live customer support screen sharing, but the end customer--
The consumer was on a mobile phone. So you could be in the hotel tonight app, and I can request to view your screen, and then as a support agent I could see your screen and click into it and show you what to do. Super cool, right?
Liz: Super cool.
Grant: This is like 2012, and it was the coolest demo you could ever see.
No one's seen something like it, and then no one ever used it in production.
It worked, it was there in production, but it turns out what people wanted when they were trying to book hotel room was to ask a question about the room.
They didn't need to be shown what to click next. The demo had super sexy demo value, but not much product value.
Liz: Not much product value, but that's interesting, because you would get on or you would show it to them-- Or you even get on demos now, I bet you.
People go through their series of questions that they're going to ask you, and I bet you haven't heard a new question in two years.
Grant: Sure.
Liz: You know your sale cold, so there's also something to be said for simply having the answers.
Or if somebody calls you and says, "Do you support X?" "Of course we do. Here's the doc for that."
Grant: But I actually love that idea. Because sometimes it helps to build some things that have a super sexy demo value, because it's what makes people talk about it, and the same is actually true for fundraising.
You need to find a thing that will boil down your product into a common reason for someone to be able to say it at the water cooler.
Or they're grabbing lunch, and like "Did you see that product? It does this one cool thing." Whatever it might be, so I love that as a category.
Liz: Props to Skyler, he asked for it for months. He's like, "Guys. This would be so sexy. Please, can we build it?"
And then finally, Justin and I were like, "OK." And he was very right. Skyler, if you're listening, you were very right.
Grant: It's so important too, because from a purely technical perspective I'm sure you're like, "This is not that useful."
There's a bunch of different reasons why it's not something you're going to use all the time, but from the demo perspective, if you're like "That is really neat."
It ties together a few things that you're doing behind the scenes. Like, "That is really cool."
Liz: Right. It gets your brain moving, and you're just like "Oh, my God. How could I implement that?"
Although I'll tell you, we finally had somebody decide to use it in the most amazing way.
It's a company that has data centers, and so for managed services they need to go and access customer's infrastructure, and they need to do it in a way that's audited, not immutable.
So they signed with Strong and there's no least privilege at this customer. There's zero privilege.
100% of access is temporarily granted through workflow and automated. We were like, "Yes. Exactly."
Grant: That makes total sense. So this is this interesting thing where you've built this company and you came out of this--
Like, Nomi's trouble with security and you discovering this problem, and the other thing we were talking about before this, which I want to touch on a little bit, is the martech ad tech.
These other industries that are not infrastructure software, they're not data tools and they're not security tools.
The security posture that they have, and the way that they think seems to be-- They don't seem to really get it always, and that's a challenge.
I've experienced it and I know you've experienced it, I was the problem at some point at my last company.
I was the guy who was like, "Why are we using these VPNs? These are terrible." I didn't really get it.
It feels like there's something in that industry that people just don't really get, and the problem around data security and around process that needs to be done in a way that isn't going to result in this issue.
Liz: I think it's all companies, but I certainly do agree with you in ad tech having come from it.
I will admit we have not a single ad tech customer. We have data customers, but we have no ad tech customers. You want to hear a story?
Grant: Yeah.
Liz: OK. This actually happened through our product development interviews. I discovered this a few years ago.
So, there is a very large marketing services provider. It's a holding company, and they own a subsidiary in every part of the martech stack.
Like, social display, search affiliate, they own a data co-op, video, whatever. You name it-- They have an e-com, they even have an e-com site.
We were talking to a CTO and he said, "I am certain that there is sharing of passwords going on between my subsidiaries."
He gave me an example of how one of the subsidiaries, one day an engineer noticed a spike in IO on one of the databases and logged in, and they actually had a good enough audit trail.
They found that somebody had downloaded the entire CRM file of somebody in the IR top 100, internet retailer top 100.
But they couldn't attribute it to a particular person, because credentials were generalized at one subsidiary and they were being shared.
I actually believe it was between the display and affiliate people, and so I'm just going to invent retailer names here.
If you've got the Walmart rep on one side, and the K-Mart rep on the other side, they're sitting there and they're like "How can I trade this information in order to get more money out of my particular business?"
That was what was going on.
Grant: Interesting. You're like, "We know someone did it. We just don't know who."
Liz: Every data breach that you see in the news to date, it's like facts on the ground. It's just a fact of doing business.
I spoke to the head of sales-- There's a pre-IPO company, HR company here in New York City, and I was talking to the head of security there.
He started the meeting with "I have to assume I'm going to be breached," like his default posture is "I'm going to be breached. Now, what are all of the things that I need to do in order to prevent the breach?"
Now let's assume there's a breach, "What's everything that I need to have in place in order to detect it? Alarm on it, triage it and act?"
So he's sitting there from both a proactive security standpoint and a reactive security standpoint, and that posture is incredibly freeing because this guy is sitting there and saying, "I have no ego about my decisions.
I just want to do what's right for the company," and it's amazing. I remember sitting down with him and he was so open and honest when he was talking about his stock, and I had this baffled look on my face.
It's rare that people throw me for a loop, but he was like "What's this look on your face?"
I said, "Dude. I've got to tell you, you're being so nice to me, and I'm a vendor."
And he was like, "My job is to talk to people who have interesting technology because all I care about is trading up and doing better."
That statement-- Can I name this person? Is that OK?
Grant: Yeah, of course. I love that.
Liz: Yeah, OK. Anyways, Daniel Leslie at Namely. He's amazing.
That posture and that positioning is so rare. I don't know why, but it just is. People either don't want to admit that they have a problem, don't know that they have a problem.
I've spoken with tons of heads of security who can talk a really good game but they're so far removed from the facts on the ground that they'll say "I have logs for that."
They say, "I've got some privileged access management provider."
"No, you don't. You have no idea what you're talking about. When was the last time they touched a command line? Twenty five years ago?"
It's a shame. And I think in the security space, look at the average tenure of a CISO. It's what, a year and a half?
Grant: Not very long.
Liz: So from a continuity standpoint, it's hard.
Grant: The interesting thing about that perspective, that "I want to do everything that I can to prevent it, but I assume that we're going to be."
That person had the right take away from it. Like, "What can I do to constantly get better?"
I see a different response that people have to that same perspective, which is like, "What's the point?"
People are like, "If we all say 'Assume it's not if you get hacked, it's when,' or 'You've already been hacked,' or whatever else it is."
Then people were just like, "Then I'll just give up. What's the point of being secure? Because we're already hacked anyway."
People will be like, "Your data is everywhere anyway, like who cares?" There's this dangerous thing, I'm like--
I always point out, I'm like, "Look. When people say there's no such thing as a company that hasn't been hacked or a perfectly secure company," I'm like, "I disagree."
And I'll say, "I disagree because maybe that's true five or 10 years ago, but like now I can prove that there are some companies that haven't been hacked."
It turns out they're crypto companies, and the reason I know they haven't been hacked--
You know the ones that have been because your bitcoin is gone, because someone took your digitally unique asset and moved it somewhere else.
You know all those ones get hacked, so any cryptocurrency where you can check with your private key and validate that your balance is still there, they haven't been hacked yet.
Doesn't mean that they aren't going to be hacked in a minute, but they haven't been hacked yet and you haven't lost your cryptographically unique thing.
So to me, the idea of like "You can't do security well enough that matters," is the most asinine perspective in the world.
Have you ever-- Do you run into that at all? Like, is that something you see?
Liz: I have not encountered that. What I've encountered is arrogance and ego. "What I'm doing is good enough."
"I've already built this in-house." "You're too expensive. I don't need to pay this." Never--
Grant: How about on the consumer side? You've seen people be like, "I assume my data is everywhere anyway," so they'll just give away their data constantly.
That's not a perspective you've ever seen?
Liz: I haven't seen that perspective, and I think that's because most people aren't educated.
My stepsister shops all the time, I'm sure she's signed up for 8,000 newsletters and enters this and that. She's just simply not educated on any of this stuff.
Grant: Browser plugins that just monitor every website you're on and tell you what discounts you can get.
Liz: You want to hear a story? I'll tell you a story. I'm going to tell you a story, I like stories.
My stepmother will never listen to this, so I'm going to tell a story.
Grant: My mother won't even listen to this.
Liz: Yeah, right. I'll even send her this and she'll be like, "Good job." So I have internet, but I don't have cable television.
As you know, sometimes when you go home cable is the most amazing thing. You can just sit there and watch FX for 12 hours straight and it's wonderful.
I don't have Netflix, so I borrow passwords from people.
Sometimes I just want to watch four 8,000 times on FX on the weekends, or I just want to watch reruns of Law & Order, or something.
So I go home to my stepmother's house in Nashua and they have Comcast. I'm like, "Can I borrow the password to Comcast?"
And her husband Les is like, "No." I was like, "Come on Les." And he's like, "Absolutely not."
And I'm like, "Fine." Les goes out to play his poker game, I go downstairs to his unsecured laptop and I open up the browser.
I go into the cookies which are being stored in the browser itself which is linked across all of his devices, I grab his username and password out from his Comcast, log in, and I am now happily watching cable television with Les' account.
Grant: Naturally.
Liz: Naturally. So basic 101 security, use a password manager.
Grant: Of course.
Liz: So like, the uneducated-ness about security and just the most basic things you can do to shore up your own personal information.
Now I'm an insider threat, that was not fair because I had an unfair advantage. But that's your typical layman, right?
Grant: Yeah. I just--
Liz: I swear I'm not a bad person.
Grant: No, you are. But it's fine. I'm glad that you haven't seen people just give up on security.
Maybe they don't tell you, but I think many people actually have.
That's a thing in the world, people have given up on privacy and they've given up on security.
It's just part of what we're fighting in order to help create a more secure world.
So, let's move on to some things that we think that if you're out there and you're building a software company and you're going to be selling enterprises and you're going to be processing data, what should you be doing to be more secure?
There's obviously security hygiene, like password managers, all those standard things that we should be doing from a corporate perspective.
But what are the things that you think about from demonstrating it?
I think you guys open sourced a bunch of stuff around SOC-2 compliance. Like, what's SOC-2 all about?
Who should be thinking about it and what's the process like?
Liz: So, SOC-2 is a very popular compliance certification, that is popular with enterprise B2B startups specifically.
We're trying to win business up market, at least that's where I see it.
I would say its popularity has surged in the past two years, the European version is ISO 27001 which is more rigorous.
It goes much more deep on the corporate level, but SOC-2 is super popular in the states.
So it takes a lot of time and a lot of effort to do. There is SOC-2 type 1 and then SOC-2 type 2, and I will note that SOC-2 is different than SOX compliance, which is a requirement for going public.
Grant: Sarbanes-Oxley.
Liz: Sarbanes-Oxley, thank you.
So SOC-2 type 1 is you saying "I've got a whole bunch of policies and a whole bunch of rules that I've put in place in my organization, and here they are."
Then type 2 is an auditor coming back at some point in the future, how quickly they come back depends upon your tolerance for pain, and then verifying that those policies have indeed stood the test of time.
So the threshold for Strong internally, we went as far as we could for as long as we could and said, "We're very secure. We uphold all these principles," and the threshold for us was losing business.
So somebody in the Fortune 500 said, "That's great child. But go get the certification."
Grant: Sure.
Liz: So we said, "OK." That was the trigger, and we did our type 1 about a year ago, and our type 2 actually starts in two weeks.
As we were going through it, my CTO Justin was like, "I'm never doing this again by hand. This is horrible."
And so Justin, as a developer, said "I'm going to code it. I'm going to code as much of this as possible.
I'm not manually tracking an Excel sheet who has delivered what evidence, I want ticketing integration with Jira.
I am not going to manually edit PDFs, I'm going to edit markdown and I'm going to have a pipeline to PDF so I can make one change and instantly propagate across all of my stuff."
So he built this tool and at the same time Strong started seeing an uptick in people who were calling us to help them speed through the SOC-2 process from an access control and evidence collection perspective, and so we decided to open source it.
We're like, "Let's help all these startups out because it's frickin' painful."
So we put that out and there's coursework to bring people together and educate them. It's good stuff.
Grant: The interesting thing about a lot of these certifications, you mentioned it, it's this somewhat point in time snapshot of your security posture in what you're doing.
So, what are the attestations you were making in your type 1? What are those, some of the categories?
Liz: It's things like, if there's filesystem encryption on laptops, whether you need to be on a VPN in order to gain access to things.
Basic onboarding policies and procedures, it touches things as simple as org charts and goes all the way down to the exact vendors that you rely on in order to deliver your product.
You can make SOC-2 as a company, you can make the decision to make it as robust or not, because it's your call what you want to attest to.
We chose to go all the way with it because we are a security company, and I knew that as part of the process for people looking at us, we have to fill out these very long security RFIs.
People want to look at this report, they want to look at our pen test, they want to read the policies themselves.
To us, it didn't make sense to invest the time unless we were going to do it right.
Grant: This is because as a hosted service, StrongDM is-- Like, you're a proxy into these databases, right?
Liz: Yeah.
Grant: So, pretty important position to be out there.
Liz: We are the middleware that is your access between your humans and your infrastructure.
Grant: So even though everything's encrypted and secure, it's like there's data that's like being transmitted back and forth that's going through your servers?
Liz: No customer's data is going through our servers. We can--
Grant: Just authentication?
Liz: Authentication and authorization, you can log with us.
We've put as much of the product on premise as possible to reduce as much of the threat surface area on us, and to make customers feel more secure.
Quite frankly, they will be more secure. There's no reason why we need to see anybody's data.
Grant: So, you deploy an agent or something into their environment, into their VPC or whatever they're going to do.
That's where most of the actual logic happens, and then access to-- You're basically controlling that from your hosted control point.
Liz: That's exactly right.
Grant: Great, and then part of that process is that you saw some demand for this SOC-2 type 2 from customers, and said "Look. You seem to have it."
It's funny, the certifications I find really interesting, because people will be like "Are you HIPAA compliant?"
There's not a process for HIPAA compliance, you self-certify as HIPAA compliant. Or, "Are you PCI compliant?"
We don't really actually have any payment data, nor do we ever see anyone's payment data, so it doesn't make sense.
Even for SOC-2 stuff, we actually don't have any data really, because everything lives on prem for us. That's our whole thing.
But people still look for these certifications as signals, and so you give people asking--
Have you ever had anyone ask you about PCI? Is that a thing that somebody has asked before?
Liz: Not PCI, but HIPAA, and the answer is "I'll sign a BAA," but there's no-- Yeah.
Grant: I've had people mention or say something like, "They wanted us to be PCI compliant."
I'm like, "Do you actually handle payment card information? Because that's when you would actually want that, that's the thing. But I think that they're signaling you get."
Liz: So going back to your question about the thing you said a little bit ago about security and people not caring.
I think two things with respect to compliance, and this could be ISO or SOC-2 or HIPAA or PCI.
Number one for startups today who want to move into the large enterprise, it's table stakes.
You simply just need that seal of approval. On the flip side, if I'm at the large enterprise you have to ask the question, "Are they simply just asking the question? Do you have the gold medallion on your website? Is that enough?"
I would argue I get less scrutiny now because I am able to say, "Here's my 40-page SOC-2 report." It's possible that people have almost--
They're almost trusting that if you have that certification, if the auditors have come in, that's enough. That they actually don't need to look at it themselves.
So, maybe that's where a lot of companies are also falling down today.
Grant: Yeah. I have a problem with a lot of these certifications because I feel like they are just this point in time.
It's like every vendor security assessment questionnaire, I'm sure that Nomi filled out a bunch of vendor security assessment questionnaires that attested to the quality of their data security.
It turns out that policy wasn't implemented and it wasn't true, so you make these assertions but there's very little validation that those assertions are actually true.
Liz: Or, are true on an ongoing basis.
Grant: Or on an ongoing basis, right.
Liz: Correct.
Grant: I always say that when people fill out those forms, it's like rose colored glasses.
Like, "We have some data that we encrypt at rest," but that doesn't mean that it all is.
Or, I just find our preferences just to limit the amount of data that you actually get control over.
That's why we ship stuff on prem, and that's why you ship some stuff there.
It's like, then you never see it you can't store it and you can't-- No one on your team can access it, right?
Liz: Yeah.
Grant: But I feel like the world doesn't yet realize that. There's a lot of people that still just want to put the--
Look for the logo, look for the stamps on your website to make sure you have it. They're willing to trust you then.
Liz: But that's also the gift of enterprise software to sales, and especially as you are around for longer, because four years ago when somebody asked you who your biggest customer was you babbled something incoherent.
Now you say very pithily, "I have 40% of the Fortune 100," was that what you said to me earlier today? That's baller, and people are like "End of my questions to Grant."
Grant: That's signaling as well, though. Like, it's all signaling.
So it's interesting the value of signaling, and this is also just a comment generally that the idea--
Maybe someone out there is doing some better continuous security attestation where they can validate that you actually do have all of your laptops encrypted, and everyone has 1Password being used everywhere, and 1Password has a different password for every site you use.
You have second factor for everything. There's so many of these things that you should be doing that are better if you're doing it that way, but it's very hard to prove that on a continuous basis.
Liz: And if your company starts-- So we were lucky, honestly. I'll call it.
We were lucky that our line in the sand was somebody said they wouldn't do business with us, because it forced us to do SOC-2 when we were like five people, or something crazy small like that.
One of our customers actually, Troops did it when they were sub 10, and so if you do it really early on then it's just part of the culture, it's part of the fabric and it's just how you do things.
As opposed to having to retrofit when you're 200 or 300 or 1,000 people.
Oh, my God. I can't even imagine how much manpower or womanpower you would need on that problem in order to get that integrated.
Grant: Yeah. You have to take security seriously from day one, and we do and you do, but we're also infrastructure security nerds and we're not building ad tech anymore or marketing tech anymore.
Liz: That's true.
Grant: That's why they get to pay us money and work with us, so that we can help them be more successful and more secure.
Liz: Is that why they pay us money?
Grant: Yeah, exactly. Tell me, what else do you recommend for a founder or a product manager or VP of engineering out there who, maybe they're not in infrastructure or maybe they're not in enterprise software as we know it today, they do something in a martech company or an ad tech company.
What do you think they can do to help their organization get more secure and be more security-minded?
Liz: I'm a big fan of asking questions. So, let's say you're managing-- I don't know, the analysts who present-- Let's take ad tech, so let's say I work for a re-marketing company.
Pretend I work at Dotomi, so I'm back in analytics and I'm directing my analytics team, so they have access to a SQL Server database and they also have access to Greenplum.
As a manager, I should be asking questions. "What are you doing with this information? What access do you have? Let me see the queries you're running."
Just basic facts on the ground, get your hands dirty, "What is my team doing?"
That's where everything starts, because then once you have the information you can sit there and say, "OK. Sally doesn't really need access to customer DB. She only needs access to revenue DB."
And you can start making the decision for your team, you essentially have your own little set of internal security practices, and then maybe you go to the management.
Meaning you're like, "Guys. Guess what I found? My team touches the most sensitive data. We touch CRM data. We grew up, we became a $100 million company overnight, I think it's time to revisit some stuff and I've already revisited it on behalf of my team."
Grant: Yeah, I love that idea of asking questions, and I think you do that just asking the other teams "What do we do for this? How do we train our team to be more secure from a password perspective, from an access perspective, from a confidentiality perspective?"
There's so many areas here where I think training is a huge part of it.
Liz: Even like-- I don't know about you, but something that terrifies me as somebody who's in charge of the P&L is how much money am I spending on just software in general, like SaaS sprawl?
The crazy SaaS sprawl where your licenses just start to build up, and so we have a review and I review with every single one of the team leaders, and we go through the SaaS sprawl of team members and we cut off access where it's not needed anymore.
Just basic administration stuff, that's something that can be added to it. "Tell me who's got access to what in Google Docs right now."
Grant: One funny thing I'll ask people about, "How do they monitor their SaaS sprawl for all these things?"
They'll be like "Yeah, our CFO looked over it and what we are spending, and all this stuff."
And I'm like, "That's how we take control, make sure that we don't have to be sending data out everywhere else."
And my question is, I'm always like "What do you do about the free tools?" And they're like, "What do you mean?"
I'm like, "Yeah. Like a browser plug-in is free, or something else is freemium. Like, no one's paying for it yet but it's connected to your G-Suite or your Salesforce instance. What do you do to monitor those?"
They're like, "We should." It's interesting that billing concept is-- Realistically I would say that-- What do they say, "If it's free, you're the product."
I think that's very true in the enterprise space as well, it's not just a consumer thing, it's not just Facebook that's making money off of you as an individual user.
It's all these other organizations are providing these free tools and getting access to corporate data that they can then monetize as well.
I think I'm probably hyper aware, but I've talked about this in the podcast in the past.
I'm always concerned about the third party App Store apps that get added to everything.
You added something into Slack and it knows, and it can monitor all the conversations.
I just think that this is likely very pervasive in many companies.
Liz: Do you know what's crazy? Slack is literally a repository for how many privileged conversations across how many companies?
Grant: Exactly. So many. Everyone.
Liz: So many. You know what I used to think in ad tech? It actually didn't occur to me until after I left.
If you are integrated on the conversion pages of your customer's websites, or even the site visit pages and you've been working with that customer for even a year.
Or, it doesn't even matter even a year.
You can just look at their earnings statements from the prior year in real time, how that retailer is indexing against last year, and you can probably predict whether or not they're going to have an up or down quarter.
That's privileged information, and that's just from pixel calls.
Grant: Super privileged information.
I was mentioning that I had a friend that worked at one of these big martech companies and they would get all the sales data from these other publicly traded companies in a week before they would actually release earnings, and the challenge there is if anyone that gets access--
Or, you're at the martech company or the ad tech company that has that information, if you index that and then you mention it in conversation and someone makes a stock transaction based on your information, that is securities fraud throughout the whole thing.
But no one-- I never got securities fraud training when I worked for --
I knew that I couldn't trade the publicly traded company I worked for, but the fact that our customers had data that I could see was never something that we talked about and it was never something that I had to file a report that I wanted to buy these shares beforehand.
I also found out recently, I was digging into it a little bit more because I think this is likely a pervasive problem.
When you look at how stocks perform, there's always this whisper.
The whisper is the earnings that people on the street expect, and generally it's fairly right and it tells you what direction the stock will trade when the earnings are released.
You can see weeks beforehand that before a company announces earnings, it starts trending in either direction. That's because people have access to information, and so the thing that I think is true is that information asymmetry is screwing over small investors who don't have that information.
That ends up being hedge funds, and other people who get access to this data trade on it massively, and then you screw over the mom and pop Main Street person.
So I would love to see more enforcement of how people actually are trained around that, how they handle that data, and the process by which the SEC actually investigates insider trading is the most archaic system in the world.
They basically give a list of people that made money on suspicious trades, they give that to the CFO of a publicly traded company and be like, "Do you know any of these people?"
Then they'll be like, "I don't think so," and they're like "Can you find out if your employees know any of these people?"
They'll maybe track "Yeah, that's our--" But it's manual. It's like, only if you ask them these questions.
There's got to be a social graph out there that can figure this all out.
We should know all the employees that work at all your vendors, we should know all this surface area that have all your data, and we should be able to just look at that and be like, "You traded on information that wasn't publicly available."
Liz: Dude, you have your next company.
Grant: I'm a maniac.
Liz: A vendor dependency company.
Grant: All right. So, any other last advice that you think you want to get out there for folks who are building enterprise software?
It could be thinking about security, it could be thinking about go-to market, whatever you think is really top of mind for you right now.
Liz: What's always top of mind is not having an ego.
Skyler and I have been talking about marketing initiatives recently, and there's always debate.
Everybody wants to touch marketing.
I said to him, "I don't care if you tell me we need to buy banners at SFO or billboards down 101, or I need to stand on the corner at 20th and Broadway with a placard on me that says 'Strong DM' and hand out free flyers."
Like, I don't care. We have a great product people love and we're going to build this into a successful company. Whatever it is.
Grant: Sure.
Liz: It doesn't matter at the end of the day, it just doesn't matter. Provided you're putting something out there that people love, who cares what it takes to get there?
You're not doing anything illegal, you're not going to do insider trading, you're not breaching data or whatever.
But it doesn't matter at the end of the day, and I think as founders everybody has very strong opinions.
If a founding team is a good team, probably everybody is approaching problems from a different perspective.
It's the unity of those opinions that makes the founding team something bigger than the two of you or the three of you, into something magical.
You have to remember at the end of the day you're just here to solve problems, because everybody wants the same outcome.
That's something that's always top of mind for me.
Grant: I love that. Touching more on the "No ego," how else do you think that comes through in your style or in the people you admire?
Liz: I'll tell you a story.
Grant: Great.
Liz: Last Thursday night, I was on a date. It was the fifth date and we are not seeing each other anymore. I actually think this date is the one that threw him.
Grant: You told the end of the story.
Liz: No, and he-- Kudos to him, he didn't ghost, he texted me and said he wasn't interested.
But no, so we go on this date and he goes "Have you ever been bouldering? Have you ever been to Brooklyn Boulders?"
I said, "No. I'd love to go." I lift and I'm strong and I'm in shape, so I was like "Teach me."
So I show up at Brooklyn Boulders and he's been climbing for 1.5-2 years, and he's good.
And he was like, "OK. So, climb." And I'm like, "Teach me. What do I do? Where are my hands placing? Start from the beginning. How do I put my foot down?"
I'm just badgering him with questions for like a half hour, 45 minutes.
And he goes, "Do you really want to know the answers to these questions?"
And I was like, "Dude. How else am I going to get to 15-20 feet up if you're not going to help me?"
And he's like, "I guess I just figured it out myself."
And I was like, "OK. But like, I want to learn the right way and I'm going to learn much more quickly if you actually tell me how to do it, as opposed to me figuring it out for myself." And he was incredulous.
Just tell me, show me the path. If you tell me to do A, B and C, I'm going to do A, B and C, because I'm going to get there.
I'm going to have opinions on whether A, B and C feel right, "My hands don't grip that thing enough, can I try it this way instead?"
But he was incredulous, and I think team members can also sometimes be incredulous as well.
Because particularly in early stage when you're so wrapped up in things, the usability in the field, and there are so few people touching something, but "So few people" is everybody touching it.
It's hard to see the forest for the trees.
Grant: The thing that I took from that is instead of saying, "I'll just go figure it out myself," you're like "No. If someone has some of the answers, I'd rather just get the answers from them, and then go try to implement that."
So if I can listen for 30 minutes while I try to get some of the fundamentals down and go in with some working knowledge, then instead of me failing and trying a bunch I'm going to get up there in two tries instead of 30.
Liz: Totally right. If I'm going to go and build out an SDR team, I am not going to go and try to figure out what an SDR is, how to train them, blah-blah-blah.
There are people who are far brighter than me who have done this for 20-30 years.
It's the reason why you go and hire a sales leader or a head of product or a head of customer success, or whatever it is, because this is what these people do for a living and you don't need to reinvent the wheel.
You listen to them, you're going to get there faster, you're going to have a bit of an opinion, but these are the experts.
Grant: I feel like you're talking specifically to me, as the person who literally tries to figure everything out before--
That's like, "I should do that. That sounds like a nice way of doing things." That's amazing.
Liz: I'm glad. This is good, I sound like I actually know what I'm talking about.
Grant: I'm like, "Have you been watching me recently?"
Liz: "What's up, Grant? Where's that head of sales?"
Grant: Exactly. Liz, thank you so much. It was a pleasure having you.
Liz: My pleasure.