May 1, 2018
Ep. #15, Enterprise Security with RedMonk’s James Governor
In episode 15 of The Secure Developer, Guy is joined by James Governor, Analyst and Co-founder of RedMonk, a developer-focused industry anal...
My name is Nick Gottlieb. I've been working in developer tools for about six years, specifically focused on helping companies and developers get products out the door quicker and for development teams to work more effectively and efficiently.
About six years ago I co-founded a company called Mobozi. We built APIs for developers building on the mobile web. The mobile web didn't turn out to be quite as big as we were hoping for.
I moved from there to CircleCI where, as Dana mentioned, I was the first business hire, focused on building out essentially all of our go-to-market motions and team there. Also launched our first enterprise product, CircleCI Enterprise.
I've now been the VP of Growth at Serverless for about two years and work on all things go-to-market at Serverless.
When talking about communities, and specifically communities for developer-focused companies, there's usually three types of communities we see the most often.
The first one is user communities. This is a community of end users of your product. This typically exists in SaaS companies when you have a free tier or a very cheap tier of your product. The users of that tend to be your user community which give your company a couple large values.
First of all, they spread the word about your product. Second of all, they let you validate what's hopefully a larger business model. But they typically don't represent that business model themselves. We'll talk a little bit more about that later.
The second type of community is open-source. That's what companies like Docker, HashiCorp, and us at Serverless are building. That's where you have a community of developers around your open-source project.
Advantages and values there, obviously you can move very quickly. You actually get engineering cycles from your community. And you have very low barrier to adoption with open source.
They don't need a signup. They don't need to give you any information. They don't need to go through any terms of service. They can just start using your product right away which helps dramatically with adoption.
The third type is a platform community, and that's where your community, your developers, are building on top of your product. You can think of things like AWS and other development platforms, Heroku in the past, is these type of communities.
Advantages are that you need large economies of scale, which is a challenge. But that you get, your developers are relying on you for their business so they have a vested interest in your success.
So these are the three type of communities that you see the most often. You can span multiple communities at once, and I'm sure there's other types that exist out there, but these catch most of these cases.
Why do we build communities? It's a lot of work. What do they actually give us as companies?
The first one is that they help us validate customer problems. When we go up to start a company we all have an idea of a problem we want to solve. A community lets us actually go out and validate that people care about that.
A second thing that they give us is an opportunity to identify champions, people who care more than the rest, who are really passionate about the problem you're trying to solve.
These people are typically how you're going to close your first couple large sales, and so these people are really important to identify. Without a community it's really difficult and typically expensive to identify these people, so a community lets you identify these people early.
Third one is brand recognition. Building a authentic brand is incredibly expensive and difficult.
But if you have a community of others who are willing to talk about your brand, tell others how great you are, that is by far the most efficient way to do branding, especially in the early stages.
A fourth is an ecosystem. And you can use Heroku again as an example here. They, in their early days, were able to expand functionality by letting partners plug into their platform. So it let them bootstrap their development.
They didn't have to build logging. They didn't have to to build testing, CI/CD. They were able to let partners plug in and they could actually offer a much more robust set of functionality via their community.
The fifth one, and honestly probably the most important, is time. As a startup timing is hugely important. I watched a talk by Bill Gross who's a serial entrepreneur in D.C.
He did this quantitative analysis of, I think there was five things: idea, team, technology, to see what the most important variable in a startup's success was. Timing was more important than any of those when you hit the market, if the market's ready for your product, if the problem that you're trying to solve is felt in a very real way in the market.
What communities allow you to do is raise money, provide value to your users before you're actually providing a commercial product, and bide your time until you are confident and ready in your go-to-market strategy and until your confident that the market is ready for what you're trying to deliver.
Again, time, as we'll talk about, you don't have infinite time but going to market at the right time is super important.
What do communities not give us? They don't give us commercial products. That's what we're all trying to build. We're trying to build a product that people are going to give us money for. And a lot of people, I think, get confused and equate their community with their commercial product, when that's almost never the case.
Your community can help you realize your commercial product, but they're typically not giving you enough money to sustain yourself as a business.
Second one is just a business model. If you're asked what your business model is and your answer is, "It's my community," look, they're so great, that's not going to get you to where you want to get, which most of us are a part of a venture-backed startup.
We want, our end-goal is, "Let's get to at least a $100 million in revenue, let's get acquired, let's IPO." You're going to need a business model that's scalable and defensible for that, and your community is not going to give you that alone. It can help you get there.
So, why does all this matter? Why does it matter if your community's not going to get you that business model, that commercial product? Well, because you're not going to survive.
This is one of my favorite books, that, "on a long enough timeline, the survival rate for everyone drops to zero." And if you want your company and your community to survive, you have to establish a business model.
Providing community value is great. We all want to do that and we all can benefit from having a thriving community. But every thriving community,
just about every thriving community, especially in developer tools space has a successful company behind it, driving it and sustaining it.
This is a framework, a model, that I've found very valuable for starting to think about this process of moving from community to commercial. On the left side is community funnel, is what most early-stage founders, especially if they come from an engineering/product background, they're comfortable and they're familiar with this.
They know about building awareness around their product. Getting developers to consider it and try it. Getting developers even loyal to that product and advocate for it.
But the commercial funnel is often, that's the sales and marketing guys, that's a different world, one that we're not quite as comfortable with, not quite as versed in. But then scaling that middle ground of how do we take a great community funnel and now move to a commercial funnel, that's typically the hardest part.
That middle ground of how do we make that transition, how do we make that movement, that's what we're going to talk about in the rest of this presentation. To just illustrate real quickly how this community works, I'm going to use HashiCorp, which I think is a company that does a great job of spanning this community funnel and this commercial funnel, and just take an example user and walk through what it looks like for them, a user.
I'm a user of HashiCorp. I heard about HashiCorp's Terraform project after Googling around for an easier way to engage and manage my cloud infrastructure. After seeing all the different providers Terraform supports and the community that exists around it, I decided I want to try it out.
So I'm in the consideration phase. I use the "getting started" guide. I deployed some resources to AWS. Super easy, I loved it. My infrastructure is represented in it's code. I'm getting value from it. I'm now moving into the loyalty phase.
I'm using Terraform to manage my infrastructure. It was way easier than I anticipated. So now I'm beginning to look at different ways I can use it. Using it on different providers, different use cases.
Finally, advocacy. I write a blog post about it. I give a presentation to other members of my team. This is all great and for a lot of companies I think it ends here.
This is where the celebration is made. And you should celebrate this, this is difficult. If you get to this point, you're doing great but this isn't going to build our business. We want to span than gap. We want to cross that chasm. We want to get over to the commercial funnel and there's a few things that we need to address.
There's a few things to think about that aid in making that transition. I think the big four things you need to think about from moving from what we just saw there and, rather than just feeding that advocacy back into awareness and having that feed more community growth, actually having it feed commercial growth, you're going to need four things that often change in a company.
First is packaging and messaging. You're going to need to start talking to a different type of audience, going to need to make some changes on your team in order to successfully cross this chasm and get into commercial funnel.
Implement new tooling. You're going to have to change your company culture, which is often the most uncomfortable part for early stage startups.
So let's talk abut each of these real quick. Again, using HashiCorp as an example. This is, on the left side you'll see their Terraform.org page, this is where they're talking to developers. They're talking to their community. They're talking about their open-source project, which is what developers are typically most interested in. They talk about the features. They show you how to get started right away. That's their primary call to action.
On the right side you have the Terraform.com which is pitching their enterprise products. The first thing they say is request an enterprise trial. They talk about higher-level business values. They're talking to the decision maker or the purchaser. They're not talking to their community member, the developer. These people aren't necessarily two different people.
The person in that funnel, who you just saw go try the open-source, get comfortable with it, in a lot of organizations, that might be the same person who now moves over and wants to request an enterprise trial, wants to being engaging in that sales process but they have a different hat at that point. They're thinking in a different mindset and it's important that you message to that.
Another example here is MuleSoft, who I also think does a pretty good job. On the one side you'll see their developer portal. Again, it's talking about getting started. They're clearly trying to push this person on the left through that community funnel.
They want them to trial the product. They want them to understand how to use it and consider it as a solution. On the right, everything is centered around business values, webinars, analyst reports. They're clearly talking to a different audience here and it's obvious.
You can see they have calls to action between both, if you land on the development page and you're wanting to get back, it's easy to find your place and people kind of self-sort into the information they're trying to find. But you need to be talking to those two different audiences in your packaging, in your messaging, on your marketing website.
Another huge part of packaging is pricing. And this is another company I'm a big fan of, CockroachDB. They make it super simply in their pricing.
They say either you're going through the community funnel, and that's our core open-source product, go try it, it's free, these are all the things you get. Or you're going to engage with our commercial funnel because you want, I think they have geo-partitioning, they have a couple specific enterprise products you get.
If you want that, fill out form, get the enterprise trial, start working your way through the commercial funnel. And again, oftentimes I think a developer will start in one side and now say, "I want these richer features. I've proofed out my POC. I want to move to the other side.
The team make up is another big thing that has to change in order to make this transition. These are generalized numbers, but in series A most companies are about 25% go-to-market and about 75% engineering and product. As you get to series B, that's about half and at IPO most companies are 75% go-to-market.
I know for a lot of early stage founders, early stage companies, this is scary cause it's a totally different type of company once 75% of your company is sales and marketing. But it's a transition that if you're lucky enough to have you're going to have to deal with, you need to start thinking about how you're going to build out that team.
This is the way I like to think about building this and the way we think about it at Severless, is thinking about those two funnels and we actually categorize each go-to-market initiative we undertake on whether it's community funnel focused or whether it's commercial funnel focused.
We also think about roles within the team of who's going to focus on different parts of the funnel. So types of roles that really focus on community funnel: community managers, developer evangelists, event coordinators. These are people who are spreading awareness to developers and then trying to get them through that funnel to trying and advocating for your products.
You then some roles that span that middle ground, span both funnels and are working it out of moving people from community to commercial. That's people like, you got your content managers, growth engineers, growth designer, marketing manager. They span that middle ground, working on crossing than chasm.
And then you have people who are purely engaging in that sale cycle, in that commercial funnel. And these are people like your product marketing manager, performance marketer, sales engineer and then your account executives.
And then the third part is tools. The tools you use as an early-stage, developer-focused company that's mostly engineers are going to be very different than the tools that the go-to-market hires you bring on are going to be used to using, are going to know how to use and are going to want to use to get their job done.
At an early stage company that's mostly developers, when you're building out your CRM, oftentimes you're just querying your database. You might not do anything. You might have spreadsheet. You're going to do everything you can to avoid Salesforce for the most part but as soon as you start bringing in account executives that's what they know, that's how they get their job done. It's going to be a transition that has to be made.
Same thing with email. Oftentimes you might be, your development team might be more comfortable with APIs like Mailgun. You might use Mailchimp for your newsletter, which is great. But once you start moving to that commercial funnel you're going to want things like marketing automation. You're going to want smart email campaigns, and tools like Marketo and HubSpot are what most go-to-market people are going to be comfortable with for that.
And then same thing, data visualization. You could come up with a lot more categories of tooling but in general you have to think about what is a salesperson, what is a marketing person, going to want to use and be proficient in using to get their job done.
And then culture. If you've ever been part of an early stage company that makes that first marketing hire, as soon as that happens the culture's changed and then it's changed even more once you start bringing in sales hires. This is something that you hope you face and there's a few things you can do to make that transition as seamless and as frictionless as possible.
make your company KPIs reflect your go-to-market objectives.
If it's centered around sales, if it's centered around opportunities, whatever it is, make those company-wide KPIs and make engineering, make product aware of those and let it be known how they can contribute to those as well.
Make financials and data as accessible as possible. Let people know why revenue is important and then always link revenue back to specific initiatives. When a sale is made it's not just the sales team who should be celebrated. The product, the designer, the product managers who delivered that product, they need to be invested and feel part of that success, part of that win as well.
Again, for most of us in the room we're part of a venture backed startup, subsequent rounds of funding are important and often those have benchmarks around revenue, around go-to-market milestones. Make those known to your team. Make it known that, hey in order to get this next round of funding we need to go achieve these go-to-market objectives.
And then lastly, just avoid silos. Try to let marketing, sales, product, engineering, let them work together whenever possible and at all costs avoid having them be like completely siloed and have completely different views of reality within the company. Which I think is natural, it happens a lot.
So, after addressing those things hopefully it will be easier to move across that chasm, into the commercial side. I want to take a look really quick, still using the same HashiCorp for example, what will it look like with this person moving through the commercial funnel after getting to that point where they proofed out of POC, they're advocating, for Terraform in this instance.
I begin to search for more resources on learning Terraform. I see that there's an enterprise guide available. I provide my email and download it. Now I'm in the process of being educated on this enterprise solution.
The guide helped me understand more complex use cases. Some problems that Terraform enterprise could help me solve that the open-source could not. At this point, maybe I'm bringing in. So now I want to evaluate this solution. I fill out a form on the website, set up a meeting with the solutions architect. I might bring my boss in, bring my manager in.
But now I'm getting help from the sales team to understand the capabilities and how I can use this product to solve the problems that I defined in my POC. And now I'm moving to the purchase phase and this is where you're actually working on closing deals.
After I decide that this was something that would be valuable to my team, I introduce the account rep to my boss. My boss has some questions, they go back and forth, but the POC clearly shows the value at this point, hopefully.
It's less a conversation around the value and more a conversation around pricing, legal, and the logistic side of it, which again, is what account reps are trained and professional in handling.
Hopefully you sign a purchase contract here. And then expansion. Maybe my sales reps help me get internal recognition for the innovation that we've accomplished with Terraform. I've introduced him to other team members that are interested in buying and are beginning to entertain vault enterprise, which is another product offered by HashiCorp.
This having your community funnel feed into the commercial funnel; that's the ideal state. Again, it's about timing. Until you get to that point where you're ready to commercialize, you want to feed advocacy back into awareness. But eventually you're going to have to get into a motion that looks something like this.
In thinking about how you want to achieve and go about that commercial funnel, here are some examples of what has worked for some of the larger developer tools IPOs in the last couple of years. Focus on the enterprise, and if you haven't thought about focusing on the enterprise and focusing on customers who have large bankrolls, large problems, and large budgets, I think you should really consider that.
Almost all these companies get a majority of their revenue from the enterprise. I don't think it's impossible to not do that, but there's certainly a lot more successful examples of companies that have.
And then especially early on being specific and selective in who you sell to. Don't try to create a product for everyone, for every variable, for every market. You can get there eventually, possibly, but start specific and ideally start with companies that have a large budget and a large problem.
So, key takeaways: community is valuable, but it's important that the limits of its values are understood and recognized.
Community is not a business model or a product. Specific and separate activities must be taken to build those.
We talked about some of those earlier. And that it's much easier to build a successful company with a thriving community but a lasting community will not exist without a sustainable business model. So you need to continue to think about that and eventually decide when you're going to move from that community-building to that commercial-value building.
It's impossible to make sure they land in right place at first. The best you can do is think about it kind of like a data architecture problem. Make it clear where the different pieces of your site are positioned and make it easy to find that. That's one thing you can do.
Once you get more advanced marketing strategies and you have different ads, different programs going on, you're pointing people at different places, you can make sure that this program is really targeting developers and the end goal of this program is to get people into that community funnel. And get developers aware and hopefully to try the product, then you want to push them towards the page that's optimized for that.
And vise versa. If you're looking at people who you're assuming have some knowledge of your product, their problem is relevant to your problem space, then you want to be pushing them towards the page that's more about engaging in a sales process. So I don't know that there's any way you can ensure they land in the right place. But you can take steps to optimize the traffic to each of those.
It's an interesting question.
I guess I have a particular perspective from my history with the companies I've been a part of, which have typically been engineering founders, very community-focused early.
And so the challenge I've faced much more is the one I just talked about. How do we move from this community momentum over to the commercial side? In going the other way around, I think you want to think about it the same way.
If you have a large community, how can you leverage that? And how can you use the momentum you have behind that to try to move into the commercial funnel? It's the same way if you're going the other way. How can you use the resources and the assets you have, in having a successful commercial strategy, to go the other way?
You probably have a lot of great use cases, hopefully white papers, customer stories, things that show that, hey look, we're solving for companies. We're solving this problem. Now we're looking to get back to the open-source community, or now we're looking to get back to the developers.
I haven't thought about that one as much but I think in general you want to think about what assets and advantages do you have with that commercial motion that you can use to leverage in moving the other way. But yeah, that's an interesting question.
So, the difference between Circle and Serverless in go-to-market. I think in talking about the different types of communities I mentioned earlier, Circle was very solidly a user community. We had a freemium model. Thousands of developers who use our SaaS service, most of which generated little to zero revenue.
And so our challenge at Circle was how can we work our way up the food chain, up the value chain, to larger deals? It took a little bit of discovery work but we eventually found out that the thing that's stopping us from getting larger deals, is that it's a hosted service and the larger customers want something they can employ under their own infrastructure.
Then it was all about, okay, we had a lot of labs teams, we had a lot of small skunkworks teams within these bigger enterprises who were trying out the .com product, the Saas products. What ended up happening is our community funnel was really made of people within enterprises using our SaaS product who wanted to be able to spread it throughout their organization.
But what that required was a formal sales process. It was a much bigger deal, and then it needed a product that could accommodate that, which ended up being CircleCI enterprise.
But Serverless, we're an open-source community, we have a very vibrant, large user base of our open-source software. The challenge for us now is how do we go about finding a commercial product that delivers value on top of the open source that our customers are willing to pay for? It's the same high level problem but the mechanics of it, due to the difference in the communities, are quite a bit different.
I think the one advantage you have with open source is that that barrier to adoption is so much lower.
At Circle we really spent a lot of time optimizing that SaaS funnel. How do we get people to land on out page? How do we get them to sign up? How do we get them to enter a credit card so they trial? And once they're using the free product, how do we transition them into that paid product?
Whereas with serverless framework and open-source project, they go to GitHub, they download it, they're going. And then we get users in a much, it's much lower barrier to adoption but the business model is less defined and more challenging.
Yeah, yeah absolutely. We work closely with them. Almost all of our customers are one of their customers, whether it's Google, Microsoft, Amazon. The key with getting cooperation from them is finding a niche that they're not currently addressing or not interested in addressing.
For a lot of them they, especially AWS, they offer a huge suite of tools. They're addressing a lot of things but they're not addressing everything. And as long as we can offer additional value to their community that they're not offering right now, they're super open to working with us on that.
Abdicating it to their users for us. It gets a little bit trickier and more challenging when those things overlap and when a service we're offering overlaps with one of theirs, they're often not quite as cooperative. But yeah, finding those gaps is what's been the most successful.
Our open-source framework, it's completely open source and does not require a signup.
We have a unique challenge in that a vast majority of our users, we don't know who they are.
They download the framework. We could see that they're using it with 20, 30 people inside the same IP, maybe we can figure out where that IP comes from, but there's no way to know who they are.
So we typically do things that let them come to us. We offer workshops, we offer information, we offer tutorials. We give them ways to come to us and ask for additional help and let them identify themselves.
Once they do that, we have some different metrics and benchmarks we think about, like what stage of the cloud adoption process are they in, what's their strategy as far as multi-cloud? We have some certain things we want to talk to them to see how good of a fit they're going to be.
But what we're more focused on, rather than scoring that lead, is identifying it. That's the bigger challenge for us.
Thanks a lot, guys.