Q&A: Haroon Meer

Haroon Meer, founder of Thinkst Applied Research, recently joined Dennis Fisher on the Decipher podcast to talk about recent changes in the security industry, the economic downturn, and how to get value out of conferences. This is an edited and condensed transcript of that conversation.

Dennis Fisher: I was reading this blog post by Mark Curphey from Crash Override talking about this coming security tools crash. And there's a lot of stuff in there about the pullback from VCs, people, companies and founders who, say two years ago, or two and a half years ago, didn't know how long the pandemic was going to last. So they maybe raised a whole bunch of money for the next couple years. And now those bills are coming due. Right. And as you said, the stock market is going down, the revenue might not be there. So people are going to start looking at all these things that they bought or may have wanted to buy and be like, well, we can't do all of this.

Haroon Meer: I think everybody's been talking about the market correction for security tools. And again, I think the same old curmudgeons who are waiting for the crypto collapse have also been waiting for this right sizing almost like the market has been frothy for too long. Like I've complained about it in the past and not because I have a problem with people getting money. A long time ago, I heard Moxie Marlinspike, he was on a review board for funding security projects. And at some point Moxie says hey, if I'm allocating other people's money out, I'll give money to everyone who wants to do a security project. I'm fine with it, like fund it all. And it's an interesting point, except I think security does have a problem when the markets are frothy, because there's a lot more noise in the system. And it's a lot harder for people, to quote your colleague, Wendy Nather’s line, for people who are on or just below the security poverty line, they can't easily tell the difference between what's just been funded and what actually adds value. And so hopefully, I'm happy with some of that froth getting cleaned up.

But it's hard to tell. Certainly when COVID hit, there were lots of people who were worried about whether security would take a beating. And I don't think it did. I think security was kind of immune to it, for the most part, like people did cuts. But we're scared to cut into security. And so I don't know how much this cut will affect security. I think security needs a little bit of justify your existence. I'm not convinced that it'll hurt. Security seems to be like a cockroach that just survives no matter what.

Dennis Fisher: I think that's true. It's proven to be true in the last 20 years, since cybersecurity really became its own thing, that it's been pretty resistant to most of the severe ups and downs. Part of that is due to just the fact that threats have expanded.

Haroon Meer: The threats went on, the dependency is more real. Like 20 years ago, if stuff went down, it wasn't political. And now stuff goes down. And people don't know what to do with their lives. So I think that's true. Look for us personally, speaking as a vendor, we were lucky, like, we didn't know how things would go during COVID. For us, we had a lot of feedback from people going, Hey, we'll do cuts, but like, we won't cut you guys and impact, like we fought hard. We've never increased our prices, like with Canaries from day one. And, it's the most logical thing to do, the market will tolerate an increase every year. And for us as a company we don't think we need to. I think lots of people will say, so you've got to consider the source. But we focus crazy hard on making sure. Like, we think we are adding fair value. And so even when things get tighter, it's a lot harder for people to go, oh, let's throw that out. Because that's a waste of money. Because mostly we have pretty good value. And we should be good. But what we did see the last time, like, the last time we braced, and it's shockingly small. But we monitored closely. We had about eight companies who pinged us to say listen, they think they're going out of business, or they're just about out of business. And our response to all of them was, hey, we'll carry you for a year. And from all of those, three of them went away, three of them shut their doors. And so that's one of those things that I think is a knock on and may happen this time. Also, anyone who sells ends up selling to a lot of other startups also. And if those startups get shuttered, then there's just a whole lot of money that drains out of the system.

Dennis Fisher: I think some of it in your case, and I can take a few other examples, has to do with just the simplicity of what you guys do. It's so easy to explain in 20 seconds. It's not like well, we have this machine learning model, and then we throw it through this AI algorithm. And then we come out with a network map.

Haroon Meer: There's two interesting things that happen. One is this human nature that says, if you've bought a product, and it's simple, the easiest thing to do is to just keep making it complex. Without it being part of anyone's grand plan, the industry forces you to do this. Like, if I did another podcast interview with you three years later, almost the logical question is, well, what's new in the product? What's the new stuff that you've done? And so people feel forced to show progress by saying, "Here's how we've made the simple thing more complex." And it's really hard to go, "No, we're going to spend a lot of effort making it even simpler." Because if we talk to someone, and they say, what's new, and you go, Oh, that thing that used to take three minutes now takes 30 seconds. It's like, people start asking questions like, no, what are you really doing with your time? And so there's lots of stuff like that, that pushes towards complexity, and we actively fight it as much as we can. And it's very easy to get it wrong.

Dennis Fisher: Part of that is because investors expect a product roadmap that shows some sort of graph that's like, Oh, we're adding new features every quarter. Not every product needs new features, like Oreos don't need more flavors. Chocolate and vanilla. It just works.

Haroon Meer: You're right. And it's not just investors. We've got customers now, like, we've been around for a while, right? So we've got customers who liked the stuff, it's worked for them, like it's saved them on their pen tests, it saved them when it mattered. And still, if a new PM comes in, and or some new CEO comes in, it's quite common where they'll go, Okay, show us your roadmap. And you go, yeah, that's not why you use us. Here's the stuff we want to do, here's the direction we are moving in. But the industry is largely conditioned for some things, it will be interesting, because I suspect some of that's going to be changing through this downturn. Like, through this downturn, one of the most interesting things to see has been VC voices that have pivoted very quickly from growth at all costs to sustainability, revenue, reasonable growth. And so part of that thing becomes like, Okay, can you make your customers actually happy instead of dazzling them? Because now, that's the stuff that actually matters? And yeah, I suspect good value and sustainable businesses making a comeback.

Dennis Fisher: And I think simplicity too, right? Like, if you can do one or two or three things very, very well, that have a lot of value, and pare it down to the things that you're best at, you know, is, a lot of times what happens in downturns anyway. Companies look around, and they're like, well, we don't really need all these product lines, or we don't need all these services, or whatever the case may be. Here's the things that make us the most money and the things customers really come to us for. And let's do that. Let's focus on that.

Haroon Meer: Yeah, it'll be interesting to see, it's one of the interesting takes on the VC world is, like, there's a lot of talk about whether the last generation or the last few generations of tech founders have so grown up in a bullish economy that they don't know how to operate under conditions of hardship. And one of the genuine questions like when you look at security products, is, I'm not convinced that lots of people know how to do simple. Simple becomes one of those things that conceptually should be a lot easier. But it's surprisingly hard for people to pull off.

Dennis Fisher: I think there's a whole lot of truth to what you just said, because there is a generation, probably two generations now, of security founders and executives who have grown up in the business since the early 2000s when security took off, and it's kind of just been upward growth since then. If I just take the dumb example of RSA Conference, the first year I went in 2001, there's, I don't know, 1000 people there. Now there's 60,000 people there, right? And like 5000 vendors, and you're just like, What do all these people do? There aren't that many new problems to solve.

Haroon Meer: No. Honestly, it's been interesting for us. So I didn't visit RSA until I did by accident in 2018. And, and it's interesting, like, genuinely, I happen to be in SF at the same time. And I was like, okay, like, let me finally go see this thing. And, ah, it's mind blowing. But it actually did convince me to try it. And we've got this whole long blog post on how RSA has worked out for us. Because it's shockingly good. Like, like RSA as a vendor booth is amazing for us. But there's a few interesting things about it. The one is, like we do it unusually. So we take our developers there, the people who are on the booth floor, our engineers who build it or like, PM. I'm there. And it's always surprising, because customers come by, and we've got tons of customers that we've never met. And the new people come by, and the customers who are there end up saying nice things about us. And so then people buy our stuff. And we focus a lot on doing actual demos at the booth. So anytime you come there, people are demoing the product. And I'm amazed that people don't do this. You see these booths this year, like the past RSA. But there were two booths that had cars, one that had a DeLorean and one that had a race car. And I asked the lady with the race car, why is this here? Are you saying something about the product?

Dennis Fisher: Are you saying we are like a race car, very expensive and easy to break?

Haroon Meer: Yeah, she looked at me like I was the idiot. She was like, What do you mean? Like, here's a race car. And I was like, surely that can't be right. Surely, you've got to link the two, like, why did you do this? Um, no, there's no hint of it. If there's a young security company, and you are interested you should go check out our blog post on it. It surprises me and the young me hates that. It's true. But it's shockingly good for us.

Dennis Fisher: There's lots of things that our younger selves would hate us for.

Haroon Meer: Yes, yes.

Photo: Mohamed Nanahbay, CC by 2.0 license.