August 11, 2022

Tech Seo

seo service

Software security: Giving developers a leading role

In this episode of the McKinsey on Start-ups podcast, McKinsey executive editor Daniel Eisenberg speaks with Guy Podjarny, cofounder, president, and chairman of Snyk, a leading provider of developer-first security tools. An edited transcript of their conversation, which took place earlier this year, follows. To hear more episodes of McKinsey on Start-ups, subscribe on Apple, Audible, Google Podcasts, Spotify, or Stitcher.

Audio


Giving developers a leading role in cybersecurity

Daniel Eisenberg: Hello and welcome to McKinsey on Startups. The job of cybersecurity professionals has become so challenging and complex that the work of safeguarding assets and protecting against vulnerabilities increasingly needs to start when developers are first building software and applications. This move to developer-first security is an extension of the broader shift known as DevOps, now practically the industry standard, in which the once siloed worlds of development and operations work together to build and iterate at a much faster and productive pace.

Snyk, a leading platform provider of developer-first security tools, is one of the companies driving this approach, known as DevSecOps, and today we are excited to have Guy Podjarny, its cofounder, president, and chairman, joining us on the podcast. Guy cofounded Snyk back in 2015, along with Assaf Hefetz and Danny Grander. He previously served as the CTO of Akamai after it purchased his first startup, a web performance venture called Blaze.io. Earlier in Guy’s career, he built web application security products at startups as well as at IBM.

Guy stepped down from the CEO role in 2019, moving aside as veteran software executive (and Snyk board member and investor) Peter McKay took the day-to-day management reins. Snyk has been growing at a torrid clip of late, going from less than 100 employees a few years ago to just under 1000. Last year, it raised more than $800 million (including new and secondary funding), bringing its total raised to $1.4 billion, with its valuation jumping to $8.5 billion. In his spare time, Guy hosts his own podcast, The Secure Developer.

Guy, welcome to the podcast. Tell us what Snyk does and the problem you’re trying to solve?

Guy Podjarny: Snyk is a developer-first security company. Our thesis is that as the world becomes more digital and DevOps-minded, it relies on these independent teams that can move fast and wait for nobody so that you can speed up that iteration from writing a line of code to getting it to a customer to adapting what the customer did and going back.

As an industry, security has stayed pretty centralized for a variety of reasons. So, as organizations have embraced DevOps and modern development, it has quickly become the bottleneck.

We believe that the DevOps industry cannot continue with security going against the grain of the business. Fundamentally, to get security to work well in the fast-paced DevOps world, you need developers to embrace it.

We founded Snyk to tackle that, to create developer tools that tackle security, that feel natural and delightful for developers to use.

Daniel Eisenberg: You’ve talked in the past about Snyk being a developer tools, developer-first company, rather than a cybersecurity company. How important is that distinction?

Guy Podjarny: It’s the difference between night and day, to be honest. The notion of “shift left,” of having security run earlier in the process, is not a new concept. What I and others in the industry had been doing was taking auditor tools and trying to bolt them onto the development environment, run them in the build or run them in an integrated development environment (IDE). What we never really stopped to consider was the persona involved. Their worldview is different. Once you peel back that layer, you find many differences between developers and security.

Embracing the dev side led to an entirely different company, different go-to-market, different branding, and of course different product and UX, with key distinctions between how you would build it for a security person, for an auditor to run early in the process, versus how you would build it for a developer. The core example of this is that developers like depth while security people need breadth. So, if I develop in JavaScript, I couldn’t care less if you support PHP or not. If I code in JavaScript, it has no bearing on me whether the tool in question supports another language. And so, as a developer, I want depth, while security people need breadth. Security people are faced with a fragmented world of risk that already has a lot of different types of risks and is hard to wrangle. They can’t have every director of engineering use a different tool to secure their use of open source or find vulnerabilities in their code. They need a tool to support most of the stacks in their organization.

That’s a key distinction between dev and security. In turn, it drives a whole bunch of differences between what dev tooling companies look like and what security ones look like. For instance, practically all dev tooling companies that are successful are product-led and self-serve because the decision is at the resolution of a team. They work on a specific stack, and the successful ones are bottom-up. They build that way while practically no enterprise security company is product-led because the decisions tend to be broad. They tend to require a mandate that covers more of the organization. And those are bigger decisions.

There are a million other differences. And so, with Snyk, I think the achievement that we’ve had is being able to provide the security capabilities, but build them similarly to how dev tools work, focusing primarily on getting dev adoption.

Daniel Eisenberg: What sparked the idea?

Guy Podjarny: I had spent about a decade in the world of AppSec building application security products that find vulnerabilities in code. I was also a part of the programming committee of Velocity, which is one of the key conferences that played a leadership role in getting DevOps off the ground. So, I was very close to the disruption that DevOps created in the world of operations and performance, and I learned a lot from it.

The idea of Snyk was the culmination of those journeys. It was taking what I’ve learned in this era of DevOps, that you have to think about developers and software teams first, about this brand-new way of developing software. We have a playbook now for how to build great DevOps tools and bring them to security.

Daniel Eisenberg: Before you went into the private sector, you spent a few years doing military intelligence in the Israel Defense Forces. Was there anything from your experience there that contributed to your vision for Snyk?

Guy Podjarny: There are two lenses to it. I spent about five years in the Israeli army, sort of an extended version of the mandatory service there. During that time, the primary thing I took beyond some technological skills was this approach of, “everything is possible.”

There’s a strong mentality of, “What do you mean you can’t do it? Figure out a way”. That’s a very healthy sentiment to have when you’re an entrepreneur, to figure out what needs to happen and then find out how to make it happen, versus starting from what is possible.

There was also the talent network. I founded Snyk while I was living in the U.K., with cofounders in Israel. From the beginning, we were very clear not to create an us-versusthem mentality in the company between the offices. Yet we were also keen to take advantage of each market’s assets, to tap into the great network of security professionals and deep technologists that we had coming out of the Israeli army as well as this great network of product discipline, UX mindfulness, and developer thought leadership in the UK.

So, we decided that no team would be co-located. Although we started by building out the company in both London and Tel Aviv, there wasn’t a Tel Aviv team or a London team. There were two teams, both split with some people here and some people there. That has helped us scale the organization and hire people who work remotely, which was helpful in the pandemic days.

It merged this tendency for an “everything is possible,” fearless, and security-minded skill set from Israel with a product discipline and focus on the user that is much harder to find in the Israeli start-up ecosystem and more prevalent in London.

Daniel Eisenberg: You talked about the bottom-up approach of DevOps, and in some ways, that’s been the business, model, right? Offering the product to developers initially for free and then having a freemium model that builds up to the paid version. How did you decide when to introduce that paid option? Were you confident it would work?

Guy Podjarny: If you think about freemium, sometimes people think about features and capabilities. I find that to be the wrong way to approach it. You want to think about use cases. You want to say, “who could benefit from the free tier, and for what purposes?”, and then figure out the features that they need to succeed.

Alongside that, which use cases would require a premium version? And then you can use the same methodology to figure out your different tiers.

In the beginning, we said that individual developers or small teams that are using Snyk for open-source projects should be able to use it for free. Within the free tier, we did everything in our power to make them successful without paying.

If you want to use Snyk for a business, or governance, for a larger team or volume of activity, all those things required moving up to paying tiers.

When we launched, it was free for beta. We got tens of thousands of developers using the product. Then we launched a paid tier that was 50-100 bucks a month to get going. We turned that on, and we expected the floodgates to open, but instead, barely a trickle came through. Nobody bought. It was around that time that we realized the depth and breadth that I mentioned before. We’d built a product that was good enough for individual developers to use but we didn’t appreciate what it would take to get a security person to govern successfully with our product.

In the Spring of last year this notion of a dev team being able to use the product, not just a security person, but a large dev team wanting to apply continuous security to it. And now, it’s amazingly successful.

It’s the same functionality that we had at the beginning. But what happened was the ecosystem evolved. When we launched Snyk, the market was not ready for dev teams to decide to purchase even a smaller-scope security tool to use, while, five years later the notion of continuous security has strengthened. And now dev teams are much more willing to own their security tool and license Snyk to secure their code or their open-source usage. And when it comes to the need to govern across the business, it goes back again to that governance capability and sales touch that security sometimes needs.

Daniel Eisenberg: You’ve talked previously about governance being the key to unlocking that commercial aspect for the security teams. Does that suggest, in any way, a different role going forward for security teams versus the more traditional model now that the continuous security ecosystem’s becoming more of a standard?

Guy Podjarny: All in all, if you’re in the security industry, the future is rosy for you. Your job security is high. I don’t think that’s going to change. What I believe will happen is that the security practitioners, especially in the application security space, need to undergo a similar change to what has happened to DevOps, in which system admins have become DevOps engineers. And their role in the organization, their perceived value to the business, is so much higher. Their job is so much more interesting. Instead of repeatedly doing grunt work, they’re building systems, building platforms.

Similarly, many security teams need to go from reviewing all the vulnerabilities to building platforms, tools, and capabilities that help developers build securely from the get-go. They need to become experts for escalation points when an interesting problem comes along, when there’s a more complicated conversation to be had.

That’s a very positive change, but not everybody is well suited to make that transition. It means that the skills which might have been required in the old world, or present world depending on where you are, might not cut it.

Daniel Eisenberg: You’ve spoken previously about product builds or market success not happening as fast as you had originally anticipated. What have been the biggest challenges that you’ve had to overcome along the journey?

Guy Podjarny: Snyk’s journey has been amazing and constantly challenging. I’ll give you three different key challenges as examples.

The initial challenge we had was around breaking through from developer adoption to monetization. We were two years into the company. We had tens of thousands of developers using the product, with $100,000 in annual recurring revenue, but nobody was buying the product. It felt like it had the potential of the classic pitfall of developer tools, which developers are keen to use but organizations are often not keen to pay for.

The primary lesson that came out of that was the need to constantly assess what was holding us back, and the importance of not losing conviction. There was a constant question, “Can you build a developer-focused company that tackles security? Can you do a bottom-up enterprise security company?” We were adamant that we would rather crash and burn than not be successful. I think that helped. That conviction and the support from investors like Boldstart helped maintain it. The fact that we stayed true to that conviction is what fueled subsequent growth.

The second challenge was the decision to go from a single product to a platform. We had a single product that helped secure the use of open-source components. It would tell you if they were vulnerable or not. Relatively early on, we decided to add a second product around container security. There was a lot of debate about that because the playbook says, if you keep a single product, make it amazing, and really own it, because the opportunity’s always greater than you think.

But Snyk was never created to be an opensource security company. It was created to be a developer security company. So, we held onto the belief that by launching container security products, more people would want to use the platform, and would find more value in our open-source product.

The main thing that came out of that was a practice that we’ve since evolved around isolating add-on products as much as we can. That means forming a team and having them build a secondary product with minimal distraction to the breadth of the company. Because we’re dev first, we build depth first. The products don’t have the breadth necessary to stand on their own two feet right away, so they’re sold as add-ons. Customers must have bought the original product to buy this product as well. We then expand them over time until they’re big enough.

The third challenge that is happening right now is scaling. It’s great that Snyk is growing but we’ve been roughly doubling, and at times tripling the size of the company every year. We’ve gone from 80 people to 240 people, to 450 people, to over 900 people in annual increments.

Every time, it becomes a different company. You have to constantly invest in maintaining culture and agility. You have to figure out how much you centralize for consistency or stay decentralized for agility. You have to always assess leadership across all levels of the organization to see if the best person that you had for a 250-person company is also the right person to lead that part of the company for a 500-person company or a 1,000-person company. So, scaling is a massive challenge. It’s a good challenge, but it’s not one to be underestimated. If you do, then the company would collapse.

Daniel Eisenberg: I know that values and culture have been important at Snyk. Could you talk about how you’ve approached that area and made it an important part of the company?

Guy Podjarny: I think values are a powerful tool when you truly ensure that they represent the company, and they are a little bit aspirational. At Snyk, we have four values that represent us well.

The first is “one team.” We’re very keen to say, you succeed because you work with others, not at the expense of others. We don’t have a compete to win-type value. An engineer will get on a call at midnight with a salesperson to close a deal because we’re one team that works together. That’s true across regions, across departments, and has been very important. To maintain that we had to do things like say no team would be co-located.

“Care deeply” is the second value. It represents caring for one another, caring for our customers, and caring about our mission. Snyk is not a great place for a nice 9-to-5 job because it’s a highintensity, high-caring, and high-satisfaction type of place. But caring is key.

And then the third is “ship it.” It’s this notion that we don’t know better than the world. We have a big vision, but we are taking small steps. We know where we’re headed, but we increment our way towards it. We work with customers hand in hand, and we ship it. We don’t get paralyzed by analysis. And that guides the speed of the company.

Last but not least is “think bigger.” That’s the most aspirational value that we have. As the company grows at such a rapid pace, the opportunity and the magnitude of the problem are always bigger than we thought. And so, when you grow that fast, you don’t want to build solutions that last for six months, that you will outgrow.

I do think codifying values is very valuable. Those are ours. And then you want to live by them. Let go of people that don’t represent the values. You want to truly filter for those in the day-to-day and you want to always look for ways in which the company can help scaffold that behavior through all sorts of mechanisms like all-hands meetings, celebrations of shipping, and repetition in events. So, it needs to be true to how you behave, not just how you say you behave.

Daniel Eisenberg: And I assume there are even greater challenges when you are active in M&A as you guys have been, particularly over the past year or two, with several acquisitions, like CloudSkiff, Manifold, and DeepCode.

Guy Podjarny: Absolutely. As far as M&A goes, we invest in keeping the company as decentralized and as modular as we can, especially on the R&D side. It’s a constant exercise. Nothing is ever truly decoupled, but this modularity supports the activity that we’ve had on the M&A front, in which we mostly acquire to accelerate.

We knew we wanted to launch a static application security testing product. We had a thesis about what would make it dev first and how great it would be. And we found this great company called DeepCode. We acquired them to build the product and be the heart of it. We immediately added people to them from other offices. We swarmed them with caring and integrated it very quickly and then iterated on it.

Every company that we’ve acquired has evolved our culture and we are always looking for a culture fit, a values fit, but also something that we are inspired by, something that we can learn from.

Daniel Eisenberg: On a personal note, you’re now the president and chairman of Snyk. Can you talk briefly about your decision to transition away from the founding CEO role, and how you knew that it was the right time to make that change?

Guy Podjarny: The starting point is the understanding that just because something works doesn’t mean it can’t be better. So, there is a bit of a perception that if you’re replacing the CEO or if you’re replacing yourself as the CEO, it’s because you think something is failing. That wasn’t the case. At the time, we were probably about 150 people. We were doing very well. We were very much at the hyper-growth stage. And I think I was doing a pretty good job as CEO.

But there were two or three factors that drove me to make this move. The first was the realization that I’m very good at seeing where the market is headed, around maintaining and growing the product vision, and driving strategy. I was not using that skill at all. My time was almost entirely consumed by scaling the company. And I couldn’t bring this talent that I had, and that the company needed, to the forefront.

That gets me to the second point. It’s not that I don’t want to be a big company CEO. I want to build a big company, but there’s nothing specific in my desire to be CEO.

And then the last bit was the realization that if I find the right person, then the total can be greater than what we have today. That realization happened when Peter McKay was made available. He had an unfair advantage because I’ve known him for 15 years and he was on the board.

I’d encourage any founder, especially technical founders, to think, “Are you on this path just because you’re unwilling to let go, or is it truly the path that you want?”

To make it successful, 90 percent of it is trust and then 10 percent of it is communication. So, for me, the key thing was to spend a lot of time with the incoming CEO and take the time to talk through things and surface things. You also need to trust that they can do the job.

Daniel Eisenberg: You’ve talked about people focusing too much on product and tech as opposed to the real use cases and personas, as well as the difference between building a product in technology versus building a company. What one or two pieces of advice you would offer from your own experience to budding entrepreneurs.

Guy Podjarny: One thing, maybe for later when you succeed, is around giving back. Fundamentally we, as people working in the technology industry, are highly privileged. This is the profession of the future. It is highly paid. It has great opportunities for value creation. And many people are not necessarily in that situation.

I think that it is very important for leaders of companies and specifically for founders— especially as they think about the type of company that they are creating—to include in their values the support for the communities around them and see how they can help those organizations.

At Snyk, we’ve created the Snyk Impact program that follows the Salesforce-created Pledge 1% model. It pledges one percent of employee time, equity, and product. That’s one way to do it as you scale, focusing on giving a bunch of time and equity for good, for social impact. We focus on diversity and inclusion in the DevSecOps community and then on mobilizing that community to help nonprofits do good, as well as support around climate change, which our organization, our employees, are passionate about.

Whatever your causes are and whatever the format is, it’s important to remember that even when you’re facing all sorts of challenges and risks, at the end of the day, we’re in the privileged slice of society, and we should not forget those that aren’t.

Daniel Eisenberg: Lastly, when you look at the secure DevOps space, how do you see that evolving over the next decade? And how do you see Snyk evolving over the next decade within that?

Guy Podjarny: I think the security industry needs to take the DevOps path, becoming platform builders and enablers that succeed by helping developers secure what they build as they build it.

Another change that will happen to the whole world of technology, I believe, would be this growth of the notion that software is eating the world, such that software security will eat the security world.

More and more security needs and security risks will be addressed through software security solutions, whether it’s cloud, data, or third-party relationships. Today those are increasingly written as code. From Snyk’s perspective, we’re here to be that software security solution that spans those different communities of developers, whether it’s low-code/no-code developers, mobile developers, back-end developers, crypto developers, or types of developers that we don’t know to name yet. I think all of those would need software security solutions.

But, more importantly, this is a vast problem, and I don’t think we can solve it alone. I’m especially excited as Snyk evolves to become a platform. We have recently launched our Snyk apps platform. I am keen to see Snyk grow into the platform that helps solve that depth versus breadth problem that security tools and developer tools hold today. I want Snyk to be a place that helps other startups build their piece of the puzzle to help another group of developers or another type of risk, whether it’s small scale or large scale. That, to me, is the most exciting part of the journey.

Daniel Eisenberg: Is there anything in particular that keeps you up at night or concerns you about the future?

Guy Podjarny: The market opportunity that Snyk has, and our position in the market right now, are great. So, what I lose sleep over, what I focus my attention on, is almost entirely internal execution. It’s to ensure that we keep hiring the right people, that we keep staying aligned, and that we keep scaling and evolving our culture as we grow it. If we have the right people and we work well together in this great market opportunity, good things will happen.

Daniel Eisenberg: Well, that does it for the pod. Thanks so much to Guy Podjarny for joining us and talking in such depth and breadth about all these aspects of Snyk’s journey. A big thanks, also, to our McKinsey on Start-ups production team: Molly Karlan, Polly Noah, Sid Ramtri, Myron Shurgan, and Katie Znameroski. And finally, thank you for listening. We hope you’ll join us again for McKinsey on Start-ups.


Comments and opinions expressed by interviewees are their own and do not represent or reflect the opinions, policies, or positions of McKinsey & Company or have its endorsement.