The Decibel Podcast: Founders Helping Founders

Oliver Friedrichs, Founder of Phantom Cyber: The Masterclass in M&A

Episode Summary

Oliver Friedrichs is the Founder and CEO of Phantom Cyber, a four-time successful entrepreneur who has exited companies to McAfee, Symantec, Sourcefire, and Splunk. On today’s episode, Jon Sakoda speaks with Oliver about the lessons he has learned along the way, including how to cultivate partnerships that lead to successful exits and avoiding valuation traps as a first-time founder.

Episode Notes

Oliver Friedrichs is the Founder and CEO of Phantom Cyber, a four-time successful entrepreneur who has exited companies to McAfee, Symantec, Sourcefire, and Splunk. On today’s episode, Jon Sakoda speaks with Oliver about the lessons he has learned along the way, including how to cultivate partnerships that lead to successful exits and avoiding valuation traps as a first-time founder.  

  1. Your Advantage Is Your Speed [17:47 - 18:39] - Many startups think they are smarter than big companies. Oftentimes their greatest advantage is their ability to execute and focus when a large company might be distracted by other priorities. Listen to hear why startups should not act like they are smarter than everyone else, but should act with speed and certainty when building their product.
  2. Don’t Overshoot Your Valuation [22:41 - 24:24] - If you have a high valuation, it may take years for your company to grow before your investors believe they can exit a company. Having the flexibility to exit is important and a high valuation can limit and restrict the M&A possibilities for your company. Listen to hear why Oliver believes optionality to exit at the right inflection point is a founder’s best friend.
  3. Build The Right Partnerships For A Successful Exit [24:47 - 26:19] - Oliver subscribes to the idea that companies are bought not sold, and has cultivated valuable relationships throughout all of his startup journeys. To create an exit strategy that makes sense, work with companies to integrate your products and increase customer engagement. Listen to learn how to leverage your existing partnerships into successful exits.

Follow Jon Sakoda https://twitter.com/jonsakoda

Follow Oliver Friedrichs https://twitter.com/autom8security

Follow Decibel https://twitter.com/DecibelVC

Episode Transcription

OLIVER FRIEDRICHS: To the point where at one point, the Royal Canadian Mounted Police came and talked to me and said, “Look”—I think I was maybe 19—they said, “Look, this can go one of two ways. If you keep doing this, you’re gonna get arrested, or you can go down the good path.”

JON SAKODA: Welcome to the Decibel Podcast. I’m excited to welcome my friend, Oliver Friedrichs, one of the few entrepreneurs to have successfully started and exited four cybersecurity companies. His most recent success was Phantom Cyber, a company that was recently acquired by Splunk. They created a new category in security orchestration and automation. He is now on his fifth startup, setting a record for the most companies founded by any of our prior guests.

Oliver, it is so great to have you. Please say hello to everyone, and welcome to the show.

OLIVER FRIEDRICHS: Thanks, Jon. Awesome to be here. Look forward to talking with you. And more importantly, I look forward to sharing some of the many mistakes that I’ve made over the course of the last few years.

JON SAKODA: I think every founder has a story about how they first discovered computers and what eventually led them to become an entrepreneur. If you don’t mind, could we start at the very beginning? Tell us about where you grew up and how you found your way into the cybersecurity industry.

OLIVER FRIEDRICHS: Yeah, yeah. This goes way back to the ‘70s and ‘80s. I grew up in a small town called Winnipeg, Manitoba, right about North Dakota. And it’s essentially in the middle of Canada, the prairies, right, where there’s not much there except farmland and farming. My dad was a stone mason. And he restored old historic buildings like churches and other buildings—you know, basically the exterior of those buildings. And my mother was a nurse, originally in Germany. And they met in Canada. And I was born in ‘74. And so, grew up really during the super early stages of computing, right, when personal computers really started to become a thing. 

And one thing that I think heavily influenced me in this direction was actually my mother passing away when I was about 12. And at the same time, the Apple II kind of emerged, and we had one in school. And that was one of the things that I could escape to, essentially, from reality, was, hey, there’s this amazing new platform, the Apple II. I could tinker with it, learn basic programming on it, and play games. And really, it was just amazing to learn the basics of how computers worked back in the mid-’80s or so.

JON SAKODA: We might have been discovering computers around the same moment. I believe you were in Manitoba, and there really wasn’t a big cybersecurity industry yet. I’m curious, looking back, did you get any exposure to hacking or cybersecurity early on that ultimately led you to want to start a cybersecurity company later on in life?

OLIVER FRIEDRICHS: Yeah. So, I think a lot of it starts with just security in general. One of the things that I eventually bought was a Hayes 9600 modem, which was really the way to get onto a network at the time, right? This was when the internet didn’t exist. The only way to connect to any other computer was through a modem. And we used bulletin board systems, right? These were systems where, kind of like a message board forum today, where many people can access one, you literally had to dial up to a single computer that was hosted by an individual that was running a piece of software called the bulletin board system. And common versions of that were called Tag, Renegade, Waffle BBS. And you would connect. And basically, you would connect for maybe 20, 30 minutes, see what kinds of new messages there were, talk to other people, send a message, and then disconnect. And then someone else would dial in. And only one person could use it at a time. And it turned computing from what was more of an isolated activity to more of a social activity. 

And a big part of that was, there was a big hacker subculture that existed at the time on these bulletin board systems. There was definitely a dark side to it that some of these folks were leveraging stolen credit cards, just like they would today. There was viruses, computer viruses at the time, MS-DOS viruses that were available that people would upload and download to some of these bulletin board systems. So, that introduced this whole dimension of security. 

And, you know, I’ll be honest, right? A big part of my childhood and my late teenage years was, I would say, pseudo-hacking systems. And because of the fascination of being able to explore and learn more about these various operating systems and computers, to the point where at one point, the RCMP, which is the Royal Canadian Mounted Police, came and talked to me and said, “Look”—I think I was maybe 19, 18 or 19 at the time—they said, “Look, this can go one of two ways. Either we’re gonna come and track you down, because we already know who you are. If you keep doing this, you know what’s gonna happen, right? You’re gonna have a criminal record. You’re gonna get arrested. Or you can go down the good path.”

JON SAKODA: I have to ask, so these are the Mounties, right? Did they show up in their uniforms?

OLIVER FRIEDRICHS: They were well-dressed, walking at the time, no horses. But absolutely, same organization.

JON SAKODA: Perhaps not so surprising to you, a lot of guests on our show have had their own personal experiences with the police, the government, law enforcement. Many very successful cybersecurity founders were once incredibly successful hackers. So, no surprise there. Some would say, looking back, this was a turning point or an inflection point in their career. What happened to you next?

OLIVER FRIEDRICHS: After that RCMP, I’d say it’s an interview, or intervention, potentially, right, they actually hired me to help work in the Unix lab and help defend the network and learn more. There was a great gentleman, Bill Reid, who was running the lab. And he just saw the potential and took me under his wing as someone that he could kind of mentor and help to turn into a good guy. And the reason the opportunity came along is there was—long before Slack, there was Internet Relay Chat—

JON SAKODA: Of course. IRC.

OLIVER FRIEDRICHS: … which was just like Slack.

JON SAKODA: Yes.

OLIVER FRIEDRICHS: Just like Slack, but text-based. Definitely not as user-friendly. But it was full of tens of thousands of people chatting in real time at all times. And there was channel called #Hack. And if you go back and you actually look at the number of cybersecurity companies that came from individuals that were on the channel back in the late ‘90s, you’re literally talking dozens that have now been formed, going all the way back to Internet Security Systems that Chris Klaus started, I think, in 1994 now. 

So, what happened is, a great friend of mine who I’m sure you know as well, Jon, Al Huger—

JON SAKODA: Of course.

OLIVER FRIEDRICHS: … called me, because we were on IRC together. We were chatting all the time. We were talking about security and hacking. And he had this idea. Let’s go start a company that will produce a commercial tool to penetration test networks. Before that, there was a tool called SATAN that I think stood for Security Administrator Tool for Analyzing Networks. And it was written by two guys named Dan Farmer and Wietse Venema. And it was the first open source tool that would scan a network, so basically an IPv4 range, and look for a set of security vulnerabilities in common Unix operating systems like, again, SunOS at the time, and others. But it wasn’t very complete. It was not supported. There wasn’t a commercial offering. And in fact, I think it was so controversial at the time that the DOJ actually tried to shut it down, because heaven forbid you try to find security vulnerabilities on your network.

JON SAKODA: This is such a great story. I had forgotten about this chapter of the book. Sounds like it was one of the precursors to Nmap, Nessus, Metasploit, now even companies like Rumble. There were some really great cybersecurity companies started or inspired by the desire to find exploits on networks.

OLIVER FRIEDRICHS: Yeah. It goes so far back. And that’s where Chris Klaus originally had the idea to start Internet Security Systems. And so, we knew Chris from the same IRC channel. And we were basically thinking, hey, if Chris can do this, we can do it. Not that we’re better, but because we’re probably just as good, and we have the same skill set. A couple years later, so Al contacted me. I was living in Winnipeg. He was in Calgary. I wasn’t quite done my college degree. And he said, “Hey, come join me. I want to build this company together. I need someone to actually write the code.” And literally two weeks later, after I met him in Calgary, I was in a U-Haul with very limited belongings, like a bed, a chair, maybe a mattress, a couple other things, on a 13-hour drive to Calgary.

And so, we worked together for a good year-and-a-half building a product that was, at the time, very disruptive, I would say, that would scan your network. We wrote about 700 different checks for vulnerabilities at the time. CVE didn’t exist. CVE came maybe five years later. So, we really had to research and find vulnerabilities ourselves. Today, there’s tens of thousands of vulnerabilities, right? And I think it’d be impossible to start a company like this today. Today, you have Qualys, Rapid7, Tenable, and others, right, that have been in this space for decades. But at the time, there was very few. So, our company was called Secure Networks. We built a product called Ballista. We spent about a year-and-a-half building it. 

And then McAfee came along in 1998—we started in ‘96—and said, “Hey, we’re really building the next great large security company, and we’re consolidating some of these products. And we want you to be part of our company.” So, they came and bought our company, this group of 12 Canadians at the time, many of whom we actually recruited from the #Hack channel on IRC to be our engineers, and moved us down to California. So, that’s kind of the first company. And what a great experience. We never did this to try to make money. In fact, that was the last thing we were thinking of. We just loved what we were doing, taking that hacker mentality, productizing it, and then ultimately creating a great product that people wanted to use.

JON SAKODA: You mentioned you grew up in rural Canada, and that this first company was very likely your first real job. And perhaps this job was not like anything else that your family had ever seen before. I’m curious, what did your parents think about all this? Were they supportive of you taking a path that was unknown and probably seemed really risky?

OLIVER FRIEDRICHS: Yeah. I think at the time, I was 22, so honestly, not a lot of experience in any of this. But my dad quite honestly didn’t understand anything that was going on relative to what we were doing. In fact, at one point, he asked my computer science teacher, you know, “Oliver’s just spending so much time on his computer. Is this okay? Is there something wrong here? Should I be worried?” But he supported me. He knew I wasn’t going to pursue his path, his career path, and take over his company. And he respected that, and I think really wished me well. And he was so surprised when we became part of McAfee. He just couldn’t really understand how this could even happen so fast.

JON SAKODA: So, this was the first of four successful startups. You then went to start three more companies. Your most recent exit was perhaps the most famous. You started Phantom, which was eventually acquired by Splunk. It was known as an early market leader in security orchestration. This was a very successful exist. I’m curious, first, what inspires you to start numerous companies? Is there something that you’re trying to prove or something that inspires you every time to start from scratch? And what ultimately was the inspiration for Phantom?

OLIVER FRIEDRICHS: Yeah. This is a good question. Sometimes I don’t know what goes in your head to actually want to do another company. But look, I think when you’re young still, you’re in your 40s, you still have a lot of runway left, right? I mean, what’s the alternative, to sit back and relax and retire? I just don’t see that as an option. Nothing good ever happens when people do that, you know? It’s either health becomes an issue, or you start doing things that just are not a good idea. Plus, when you really love doing this—I love building product and designing product, being part of the early phase. I’d say my biggest strength is the super early stage, right? 

In this case, with Phantom, what I think happened in this case was just super timely and very unique, in that the day after I left Cisco, I had the chance to attend a conference in the Bay Area, where I had a 15-minute meeting with one of the intelligence agencies. And they were a big researcher in this kind of new space that they were looking at. And they called it—and this was the NSA, right? This is all public information. They called it Integrated Adaptive Cyber Defense. And the idea was, okay, we have billions of alerts that we’re receiving. We would need 20,000 or more analysts to even triage all of these alerts. How can we enhance human performance when it comes to security monitoring, right?

And I think either a year before that or months before that, Target was hit because there weren’t enough analysts in India watching the alerts that were coming in, and someone just wasn’t looking. So, that was a prime indicator of, wow, this is a big problem. We don’t have enough people monitoring. We have too many security products. We have too many alerts. The volume and velocity of alerts is increasing. What can we do? We’ve applied automation in almost every other category, whether it’s marketing, or Salesforce, or IT, for a long, long time, but security hadn’t seen it, right? So, what the NSA—and the gentleman’s name was Phil Quade—great, super smart individual. He’s now a CISO at a security company after he departed the agency after a long career. 

But his idea was really, how do we tie together all of these security products that all of these companies have bought over time into a platform where they can work together? If we used APIs and connected these products together, we could create essentially a platform where we could turn each of these products into an actuator. We could ask them to do things. We could pull data from them and create more of a combined system. And that’s really where that name Integrated Adaptive Cyber Defense came from. 

So, when I heard that idea, and this was literally a 15-minute meeting, I immediately thought, wow, this could be really big. And at the time, SOAR wasn’t even coined by Gartner. This wasn’t even something that people had thought of or existed. And it was really, really new. So, we spent a year, and I recruited an awesome co-founder, Sourabh Satish, who was a distinguished engineer at Semantic. And we raised a really small round. I think it was, at the time—it’s small now, $2.5 million, in 2014 from a handful of seed investors. Brought on a total team, including us, of five people, and spent a year in a really small office in Palo Alto kind of putting this platform idea together of how do you use APIs to interconnect all of these products, and then how do you create an automation engine that is scriptable, either with programming, with Python, or with a visual WYSIWYG interface, where you can drag and drop blocks to be able to create these automation playbooks? 

And that’s what Phantom became. We were really the first purpose-built platform to do this, probably a year ahead of the other automation vendors that came along. We had the unique opportunity to win the RSA Innovation Sandbox in 2016, which really propelled the company as well. And then finally, Gartner started to take note and eventually coined SOAR, security orchestration, automation and response, as a category in the industry.

JON SAKODA: After many years of rapid growth, Phantom was eventually acquired by Splunk. And looking back on many successful startups in your past, I’m wondering if you can try and demystify the process of creating a startup from scratch. Is there a formula for starting a company?

OLIVER FRIEDRICHS: I think the early days are a little bit of like the Wild West. You could take all the product management discipline and formula, and try to apply it, and it could still not work out well, right? But I think ultimately, a lot of that is legitimate. You want to identify a big problem that either hasn’t been solved, and determine, are you the right team or person to solve it? And some of that becomes—typically right after your last experience, right? If you have a job somewhere and you’re seeing the problem, due to the fact that you’re part of a security team or the IT organization, that gives you visibility into what’s happening next or what the next opportunity is. 

Another one is, compute changes all the time. We went from just basic internet security back in the ‘90s to server security, to endpoint security, to network security, to now cloud security, to IoT security. And it just keeps going, right, to serverless computing. Every time you have a compute change, there’s almost always an opportunity to provide security for that platform or whatever that new technology, right? And, as we’ve seen over the last few decades, there’s always a rush by companies to fill that gap. Sometimes the tam isn’t big enough because they’re just a feature, right? For example, is serverless really an area that requires a dedicated company? Probably not, right? That’s probably an area that fits into existing cloud security products and so on. 

But that’s a big one, right, is how you stay with compute, because all of the existing security vendors are not going to keep up. They’re focused on what they’re doing today. They’re stuck with their existing platforms that they’re focused on. Some of them will try. But if you start from scratch, you’re inevitably able to move faster, only because you can make decisions faster. And I always see this. I used to think that the smartest people went to startups. And I really don’t think that’s the case. I think the reason why startups succeed is because you can move super fast, and you have a small group of people making decisions really rapidly, versus in a larger company, you’ve got a lot of people that need to be consensus-driven before you can even decide something, right?

So, I think those are some of the things that I’ve seen. Definitely the product management-based approach isn’t a bad one, right? If you can go out and survey 50 people and see what are their biggest problems… But look, if you’re not in some way deeply connected to the industry and the technology and the customer all combined, I think it’s going to be a lot harder.

JON SAKODA: I think many founders ask the question, how do I find product market fit? Do you think this comes from the vision of the founding team? How much of this comes from feedback from early adopters? Have you found that there’s some recipe for finding product market fit in your prior startups?

OLIVER FRIEDRICHS: So, I think the initial version, or if you want to call it an MVP or prototype or alpha, usually comes from the founding team having some insight into product design, and really putting themselves in the shoes of the end customer, right? How well can you impersonate the customer to the degree that you know what they want, or you think you know what they want, and then build that, right? And I think that’s what I always like to do, is okay, if I was a user of this, what would I want? And some of that comes from just experience, like using a lot of software products over a long period of time, or even just looking across what’s available today and figuring out, okay, does that experience work for me?

And so, version one usually comes from that. But then, as soon as you have users or even design partners, which are always a great idea, like signing up five, 10, 20 people that you trust that you may know in the industry that are customers, that can advise you on that early design is also always mandatory, right? You want to do that before you start introducing a product into the market. Now, when you have a product in the market, then it’s really about how rapidly can you iterate based on customer feedback? And that’s where traditional product management starts kicking in. And typically, the founders are those people, right? You’re not always hiring a product manager on day one. You as the CEO or you as the CTO or technical founder, you’re the PM. And you’re interviewing and surveying those customers regularly, right? 

And often cases, they’re personal relationships that you build, because you’ve got some advocate at a global 2000 or even a mid, small enterprise company that’s your ideal customer, and you become friends. You build a relationship. They want to help you. Phantom was a great example, where Uber was our first design partner. And the team there had seen this before. They came from Facebook before they went to Uber. And they needed automation. And they had built it at Facebook. They weren’t going to build it again. They partnered with us. And they gave us feedback every day. Super valuable feedback that helped us build a better product.

JON SAKODA: Now, after you find product market fit, you obviously need to try to scale a company. Talk us through some of the things that go right and wrong in this part of the journey. Are there lessons learned that you can share?

OLIVER FRIEDRICHS: I think oftentimes, it’s trying to go too fast when you don’t have the right fit. So, for example, investing too much in sales. I heard of one company that will remain nameless that was spending $5 for every $1 of revenue. And at that point, hey, you’re simply not seeing the productivity and efficiency that you should be. The approach that I would take is when you have one or two of your lead salespeople—like in the US, if you have an enterprise product, you probably have someone on the East Coast and someone on the West Coast—on the West Coast, targeting high tech; on the East coast, targeting financials and the larger enterprise. And when those folks start becoming productive and attaining their targets, maybe not all the way, but when you have visibility that they will, the pipeline’s strong, the conversation and commitments are there, I think that’s really when you want to start scaling, right? The worst case is you start scaling into the unknown when you don’t have that repeatable sales go to market process built. That’s when things start becoming really tricky and risky. And that’s, I think, when companies get into trouble.

JON SAKODA: You have had a number of successful exists. And the topic of M&A is always a mystery for first-time managers. Curious when you think founders should think about an exit, and what’s the right way to go about the process?

OLIVER FRIEDRICHS: So, I think there’s a few things. The most obvious one would be just the financial dimensions of the company. So, for example, if you have an offer on the table, like let’s say—I don’t know, let’s say it’s $100 million, and someone wants to buy your company, and you raised, let’s say, a Series A, and you raised $10 million on $25 or $20 million, which puts you at $30 or $35 million post. And you’ve got an offer for $100 million. And you take a look at, okay, where are you in the market, and how many years away are you from actually hitting a $100 million valuation? And these days, look, the valuations are so high that $100 million isn’t even that much anymore. But for the sake of this story, how long will it take you to grow into that valuation? Can I do it with the current cash that I have? Can I get to $100 million? Do I have to raise another round and then take another 20 to 30% dilution hit as a founder from the valuation? And if that’s the case, can I get to that valuation with the next round?

So, you’re kind of playing this optionality game. I always like to be in this position, where you could sell the company at any given point in time for a reasonable number and not overshoot your skis in valuation, because you just don’t know what’s going to happen, right? And you’ve got a lot of people that work for you that have joined you for the mission that trust you to make good decisions. And so, maintaining this optionality is just a really powerful thing, and trying to be in control and be ahead of your valuation at all times. And these days, the companies raising money rarely ever do that at these high valuations.

JON SAKODA: I hear you. And really, in any normalized valuation environment, M&A can be a very attractive exit. I’m curious about how you would coach founders about when they are trying to develop relationships with their acquirers. There’s this old saying that companies are bought and not sold. How have you built relationships with your large prospective buyers?

OLIVER FRIEDRICHS: Yeah, absolutely. I fully agree, companies are bought and not sold. Developing relationships with other companies, usually under the guise of a partnership, is really key, right? That’s what will ultimately have them knocking. And whether or not you want to sell is another question. You know, is the number right and so on, like we just talked about. But leveraging a business development relationship, at Phantom, we were working very closely with Splunk, for example. Most of our customers that we were selling to were also Splunk customers. We were tightly integrated with the platform. And that ultimately led to them coming because they had some of the big banks in New York ask them, “When are you going to buy Phantom?”—asking Doug, who was the CEO at Splunk at the time. 

And so, that’s something that they can’t ignore, because you’ve got joint customers. They want the products integrated. They think this is an obvious fit. And it’s a great next step for Splunk. Why would they not do this? And that’s what led to the acquisition there. So, a good partnership, started it. Haiyan Song ran the business at Splunk for security. And she and I developed a great relationship where we kind of triangulated all dimensions of that partnership. But we did it with other partners too at the time. And it could’ve been someone else that ultimately bought the company. So, you definitely want to apply some resources there. I wouldn’t say you want to overextend from a resource standpoint. But definitely, if there’s a legitimate business reason already for you to partner, absolutely, you should invest there.

JON SAKODA: Some founders are led to believe that you should really never think about exit. In some ways, they are coached to focus on building a standalone, mission-driven company. I think you’re giving slightly different advice. It seems almost more pragmatic and realistic advice. And that is to look at the optimal points for exit and to almost run it like a probabilistic equation. I’m wondering, are there two sides of the coin? Are you able to live in both worlds? Do you feel like certain founders just live in one? Or are there other times where you look back and say, “We never intended to sell Phantom”?

OLIVER FRIEDRICHS: Yeah. This is a good question. I think those are two divergent models, right? There’s kind of the lean startup approach where you’re going a little slowly, not raising as much money, growing with the market, maybe creating the market, but still growing relatively slowly. And that can produce a great outcome. It’s just going to take a heck of a long time. I’m invested in, personally, about 20 startups right now, a lot of them cybersecurity. And I see both. I see companies that are just five people after two years after raising a couple million. And they’re coasting along, doing their product market fit, building product, and so on. And then some have just grown very rapidly into $500 million valuations, at which point I’d like to get out, because that’s where a good marker is.

But look, there’s different ways to do it. And I don’t know if one is better than the other. I think time is a key factor. How much time do you have? If you’re in your 20s and you love doing this, and you can do this for 30 years, why go big fast and risk it exploding? I would say if I could go back in time, like our first company that Al and I and R. Wong started together, with Secure Networks, if we kept going, shoot, we could’ve been absolutely a substantial cybersecurity player. But at the same time, when you look at the market, there have been very few multi-billion-dollar market cap cybersecurity companies that have gone public. There’s a lot on paper right now, right, that are sitting there. And it’s unclear what’s going to happen to them because some of them have literally 100 to 200 multiples on their private company valuation that they raised their latest private round at. And they have to try to grow into that, which is going to be super hard.

But what I would say, and we’re doing a little bit of this now, is if you absolutely feel that you’ve got the idea that can scale, and it’s a no-brainer, and the time is right, you’ve got the right time, you can put the right team together, then you may want to move as fast as you can, right, if you really feel that you’re confident you can deliver on those milestones.

JON SAKODA: Yeah. Tell us a little about your latest journey. What are some of the new challenges you’re taking on, and what’s different this time?

OLIVER FRIEDRICHS: Yeah. So, this is exciting. We’re building a company called Pangea. And that’s no coincidence. Pangea was the super continent that existed for many years.

JON SAKODA: It’s a great name. It’s a great name.

OLIVER FRIEDRICHS: Thank you, yeah. So, we love the name. And it hadn’t been used in security, which was surprising, because names are hard to find these days. But what we’re solving is the challenge that developers have today—and we’ve built a lot of enterprise applications—is you’re building a new enterprise app or a cloud app. You’re a bank, you’re an insurance company, someone who really cares about security. Inevitably, you have to add security features to that product, right? The basic one is, you always have to add authentication. You always have to add authorization. Those are table stakes. But beyond that, there’s a lot of other things. There’s things like, hey, I’m a mortgage company and I want to take your W2 in. How do I store that securely? How do I accept that securely and store that? Again, if I’m an engineer, I need to build that into the app from scratch every single time.

And the list goes on and on. How do I securely share a file with you? So, with this evolution of API-first companies, we’ve seen Amazon, kind of of the leader, 200 microservices that are API-driven. We’ve seen Twilio, with communications APIs that make it super easy to plug in with one line of code. We’ve seen Stripe, with financial transactions. One line of code, and I can charge your credit card. Nobody’s done that for security. And this is like a huge gap if I’m building a new application. Amazon had 50,000 new startups join AWS last year, right? Where are these companies getting their security features from? Because Amazon isn’t giving them to them. Neither is GCP or Azure. And that’s really our goal, is to be that united place for builders to get their security functions so that they can function on their core business logic.

JON SAKODA: For you, what feels the same about this startup? What’s very familiar? And then what are some of the new challenges that you think you’re going to have to take on to build a company like this in this time?

OLIVER FRIEDRICHS: I would say the things that are the same are just the fundamental concepts of building a company. The fundraising, the concept, the vision, direction, the hiring, the design, product design, as well as finding design partners. What is very different is the customer. In this case, we see, look, the 1,000 to 2,000 or more security companies that are out there today are largely targeting the enterprise buyer and the CISO. We’re targeting the builder. These are the development teams at the global 2000 that are building the apps themselves. It’s not the security team. And getting to that customer is very, very different than it is on the security side.

The security team can absolutely introduce us and get us into the door, but they’re not going to be the buyer, right? It’s going to be the builders and the team and the managers of that team that are going to be our main customer.

JON SAKODA: Yeah. I think we’re seeing this across the board, right? The people with the power are the people that are building the applications. They’re making all the purchasing decisions for all infrastructure products.

Looking back across all of your successes, I wonder, what is the number one piece of advice you would give to a first-time founder? In some ways, there’s never been a better time to start a company, but in other ways, it has never been more competitive on the field than right now. Do you have words of wisdom for everyone out there today?

OLIVER FRIEDRICHS: Yeah. I think a lot of it is really more personal care than like, I would say, a cookbook for for building company. You have to make sure that you are in a good spot physically, mentally, and ready to do this; your family’s on board; that you don’t have unnecessary hardship that you’re going through. One thing is, you need to take this seriously, but not too seriously, right? It’s not the end of the world if it doesn’t work. Nobody’s going to die, hopefully, and everyone’s signing up knowing that there’s risk, right, and understanding those risks. So, don’t let your health diminish or anyone else’s health diminish. And, look, treat people well. Everyone around you deserves to be treated well, and make sure that you build an environment that people really want to be a part of with a mission, a culture, a fun environment, and that people will want to come and work for you and make this successful. And elevate those people, right?

As founders, it’s often easy to be the center of everything, because people always look to you, right? But the more humble you can be and the more deferential you can be, and let people even make decisions, important decisions, on their own—that’s why you’re bringing them on, after all. I think when you’re early on, you want to have all the control. You want to make all the decisions. You think that that’s how it works. But it’s really not. You want others that are part of the management team that you bring on that are just as skilled as you are, and that makes your life so much easier. 

And that’s very different from the first company we started, right, where it’s super-down. And we pretend we know everything, but we really don’t, right? And you learn over time that that’s absolutely not the case.

JON SAKODA: This is such great advice. And it does bring me to my last question. Do you have any words of wisdom for your younger self? Anything you wish you could say to the Oliver Friedrichs who is on his first, second, or even third company?

OLIVER FRIEDRICHS: If I was younger, I wouldn’t, again, react quickly to things, right? If we had kept going in the first company, who knows what could have happened? It’s a double-edged sword, though, right? I think we could’ve continued building many great security products and built a really substantial long-term company. And don’t have a short-term view, is what I would say. Look at the economics, look at your runway. Sometimes a deal in the hand that makes sense to take for everyone involved. But if you manage all of that correctly and you still have the option to keep going and you’re in your 20s, shoot, like why wouldn’t you keep doing this, right?

JON SAKODA: Oliver, you’ve been awesome. There has been so much wisdom shared with founders today, and I’m just so grateful to have you on the show.

OLIVER FRIEDRICHS: Thanks, Jon. Great to be here. Great speaking with you, and really hope this can help someone.