Security Market Watch

Navigating Startup Maturity and Security with CISO Mark Dorsi, Netlify

September 19, 2023 Josh Bruyning

We're thrilled to welcome Mark Dorsi, CISO at Netlify, to our show for a deep dive into the complexities of startup maturity and the vital role of security practice. Mark spills the secrets on transitioning startups from early stages to full maturity, and the different types of exits that companies can pursue. He offers his invaluable perspective on understanding your customer's value and how to convey this value in a snap.

We'll be exploring the often underappreciated role of a CISO and their pivotal position in the sales process. Discover why vendors need to keep this in mind when conceptualizing their products, and how varying degrees of maturity play into different market segments. Learn about the virtue of patience, the necessity for repeatable processes, and more. Mark's expertise and practical advice make for an episode you'll be replaying time and again.

Host: Josh Bruyning


Speaker 1:

Welcome to this episode of Security Market Watch. I'm your host, Josh Bruyning, and I'm here today with Mark Dorsi, who is the CISO at Netlify. Mark, we had a chance to catch up and chat a little bit before the show. You describe yourself, or describe what you do, in terms of helping startups mature, right, to go from various levels of maturity all the way to what you would call, you know, what we might call full maturity, whatever that means. You know, at Trustmap we deal with maturity assessments and maturity models and, you know, their philosophies around that. Are you ever truly mature? So I'd really like to dig into that. Pick your brain and you're in the startup space. I'm in the startup space.

Speaker 1:

There are lots of people listening to this show and they're in the startup space. We have CEOs of varying degrees of maturity, not personal maturity, that's a different show, but in terms of growing revenue, going to market, the strategy, to basically get to a point where you're living life, you're doing okay, you know, you're happy with your staff, you're happy with your business. So I probably, as I always do, butchered and simplified what it is that you do, so in your words, could you please give us a little bit of a rundown about your world, what it is that you do and what insights you can provide us today at Security Market Watch?

Speaker 2:

Yeah for sure. Well, I appreciate the amazing intro there. So what I do is I really am trying to make the world a better place one conversation about security at a time, and I do that in lots of different ways, and one of those is really helping the world from a startup perspective. I spend a lot of time. I spend and I allocate five hours a week just to chat with different startups, kind of do it a half hour at a time and we walk through any really position that they might have in place.

Speaker 2:

I've been in the game a long time. At this point, folks can reference my LinkedIn if they so choose, in order to see what it is. But I've been all the way from, you know, from an assistant administrator all the way up to, of course, the CISO that I work as today, and in that time I've seen a lot of different companies. I've seen a lot of different sort of folks in the game, and I can really provide the perspective from each one of those different levels, and I'm really focused on, you know, what is it that that particular startup needs to do in order to achieve whatever their goals might be? You mentioned exits and where folks want to be.

Speaker 2:

There's all the different types of exits that folks can pursue, from going public to being acquired, to really just go in for broke and seeing where they end up as an individual company, and my goal, though, is to really help them find what that thing is, that's driving them just driving the overall value to their customer, so that everyone can really be successful when it comes down to implementing a security practice from inside an organization all the way through to business strategy, and so I'm really happy to help folks in that way.

Speaker 1:

So are you working particularly with cybersecurity startups, or are you working with companies, you know, of any industry that may have a cybersecurity component? What's your focus?

Speaker 2:

Yeah, I work with all different types of companies at all different types of levels. So folks who give me a call and they're you know, they're coming at me with their you know sort of disposable domain account or whatever it might be right. So they're coming through and they're like hey, we have this idea, what do you think? All the way up to companies who are a bit more mature and really looking to exit, and that's really sort of my wheelhouse, which is helping those folks do those things that they want to achieve.

Speaker 1:

And how do you define? You mentioned, you know, companies that want to exit. Is that how you define maturity?

Speaker 2:

I don't know that that's how I necessarily define maturity, because folks may or may not want to exit. What they may want to do is they may want to really mature for their moment in time. So if you think about a company, they may start in product-driven growth, right? So product-led growth, PLG-type motion, all the way through an enterprise-type swing, and those swings require different levels of maturity from an organization perspective. When you're talking about product-led growth, you're really out there trying to get any sort of person that may consume your product to use it and use it with regularity as part of maybe a starter plan or something of that effect, whereas if you make it all the way through SMB and then mid-market-type swings and those sorts of things, now you're really changing the balance from, okay, we have inbound to outbound, and those are very different motions, as folks realize, and that takes different types of maturity with an organization and really different levels of what I would consider to be patience.

Speaker 2:

So how patient can you be and how patient can the business be? Right, if you're really going after that enterprise swing, that could be a six to nine month swing, depending on what you're doing and who you're marketing to and what you consider to be an enterprise, which is the most entertaining thing. Now folks have an enterprise plan and their enterprise plan could be anywhere from, well, I don't know. What do you think an enterprise is? That's always an entertaining conversation, because it, whoa, no, our enterprise plan just means that you need to use, if you want to use SSO, then you need to sign up to be an enterprise, but that could be a 10-person company trying to do that. But until folks really figure out what their focus is, what customers they're heading after and what the pitch needs to be in order to resonate, they can have a really long road out.

Speaker 1:

So repeatable is what I'm hearing. At least you can get to a point where you're up and running and you've got some repeatable processes. You're able to. You might not have everything well defined, but maybe you can. Your marketing campaigns are consistent, your sales channels are established. We don't know if we're enterprise or what that means yet, but at least am I hearing that right, that at the end of the day, we want to get to a point where the processes are repeatable. Yeah.

Speaker 2:

And I think that that really becomes something. So I see it early on and I love that you use that word repeatable. By the way, I see that startups all the time come through and they really haven't thought out, you know, into the future and so what? I'm speaking with VCs and those sorts of things. There were, you know, folks who want to, the venture capitalists of the world, those folks who want to invest. They really want to understand where you are in your overall process and you may not really know, but that's why they're looking for the overall maturity of the team that's involved. A few years ago, we saw a ton of speculation in the security space. Now, not so much. They really want to understand what the pedigree of the overall team is and whether or not it's going to be repeatable. Now there's plenty of statistics you can look out there about overall repeatability and those sorts of things, and most of the time what you'll find is that folks have caught maybe the proverbial lightning in a bottle so they're able to take something and go with it. Other founders are really good at it. They find a repeatable strategy. You can feel it right away when you discuss it with it and it really starts with that first pitch deck.

Speaker 2:

What I work with folks on is really that overall, repeatable strategy. What I want to hear from folks is, really want to hear: tell me what you're going to tell me, tell me, tell me what you told me. There's no need to go through a long story or build out or something to that effect and you're going to surprise me with some new, novel concept. We probably already thought about it in some way or some other location in life, and so I don't need a huge build up.

Speaker 2:

What I need to understand is this is the team, this is the type of investment that you're looking for and this is what your product is.

Speaker 2:

Then go through what your product is and how the world it used to be before your product and how the world will be when your product reaches full maturity, and then show me the phases along the way that you intend to get after, and then, at the end, tell me again what you just told me and so that way it's like, and we're looking for this amount of.

Speaker 2:

In that way it's very clear, a very precise type of phrasing, and what you'll find is that those founders who have done this before really have that nailed down because they understand that the audience needs to be quick and needs to be able to take not necessarily a quick decision, but they need to be educated at speed because they have a lot of things going on in their life, and so I really encourage folks, if you can't pitch in about two minutes, then your pitch deck is probably meandering. Really need to be concise. Get that message down so that it's repeatable and then you can sort of massage that message over time as you work with different folks, the different types of customers you might have, so that one day, when you hire that salesperson, that first person who's gonna go out and sell, you've already got a repeatable mechanism in place. So love that word capability.

Speaker 1:

Yeah, yeah, and a part of that is the messaging I'm thinking of. When you hire the first salesperson, they want to know what your message is, instead of you go out into the world and preach about the gospel of what we don't know. You know, and I see a lot of companies struggle with that, you know, it's very difficult to craft a good message, but I like the way that you framed it in terms of if you can't do it in under two minutes, then, you know, that's, it's just not gonna work. So two minutes, that's like how many slides do you think? Is that that's like five slides?

Speaker 2:

About five slides is all I need to see.

Speaker 2:

Yeah, what I tell folks in order to find that message is, and I've written an article about it because I reference it all the time when I'm speaking with startups, you can imagine. What is it called, so that people can find it? One of them is called The Value Strikes Back, and The Value Strikes Back is the one where I really go into what I call the mad lib, and this mad lib is something where the folks can really work on communicating the overall value that they're going to present to the customer. And that mad lib we work on for a little bit so that it really resonates, and then I ask them to use that and attach it to every single meeting invite that they have and those meeting invites really. Then that way, when you go and take the meeting, you understand what that company does at a foundational level and how they're gonna deliver value, and it just says this is our company, this is what we do and this is how the world is going to be different, and it's phrased with impact, and so I've got a couple different examples that are out there. But what it helps companies really understand is what type of a play are they? I find that the companies really only are in a couple of areas, especially when it comes to security space, and those are really, one is gonna be cost reduction, all right. So think about the famous triad, which is good, fast and cheap. Not the security triad, but the business triad's a good, fast and cheap, and so if you're going to put together a company that is going to return money to me, then ensure that you're tracking that as business.

Speaker 2:

The first screen that you go into in the morning should show how much money you've returned to each one of your customers and whether or not they had to roll back on those changes. All right, so you want to figure out like total dollar. The next one that I typically see, and this is most security companies, all it was all around productivity. There's a million. They call your product a million different things, and that's fantastic, but with all of those things, you're probably just returning some amount of time to my team. Right, time is money, but you can then really come in every single morning as a CEO and see how much time you return to the business across your entire product line and figure out, maybe, where you're lagging.

Speaker 2:

And then, of course, with all of that is time to value. So my question with companies is, great, I'm gonna implement your service theoretically. Okay, time to value is gonna be how long? And they're gonna tell me two weeks. Great, then let's work to figure out how that's gonna be two days, and then how is it gonna be, you know, two hours, and then how is it gonna be 20 minutes. So then in a single 30-minute call you can return.

Speaker 2:

You know, value to a customer right away. Implementation all the way through. Now they can see the value of the product and then they'll be able to take that forward. But it really starts with that mad lib and figuring out what type of company are you. That way you can figure out that you're gonna be really good, you're gonna be really fast, but maybe your product isn't all that cheap, right, and so that you know that and that's really what you're looking for, right? We're in the business of doing business, so we should get down to business, right, and it's fantastic to make the world a better place, but a lot of times it does take capital in order to make that happen.

Speaker 1:

Yeah, I can let cheap go. That's fine. You know, I love when prospects love to talk about price, and I think it was Zig Ziglar who's got a whole spiel on this and he says, you know, I'd rather, I'd love to have that conversation about price all day, because then it allows me to talk about value, and so let's dive. I know this is a little bit of a segue, but I want to linger there on time to value, right? When does the clock start? So we know when it ends, basically when we know the value part, when they're using the tool and they're able to, you know, do all the things. But when does it start? In that two weeks, if we're seeing time to value's two weeks, when does the two weeks start?

Speaker 2:

Yeah, I can give a really good example just using Netlify. So the first time we jump on with a customer, depending on the customer and their size and what type of website it is, we actually go through and, just depending on the case of course, we just scrape the existing website, we throw it up on Netlify and we just show how performant it is right out of the gate, within minutes of the first couple of conversations. In that way, and that of course depends on the play, who knows what they're in for and what they're looking for, right? But in that moment you're at moment zero and that's the overall goal, right, is to show value as soon as possible, and those are tools that we built out and used for many years. But in that way you can show a potential customer that their performance, right, because we're a productivity play at our core. That's what Netlify does. We make things go faster than ever before. Why? Because we take away the need for companies to really tilt up their own DevOps pipeline and in which case they can focus on content. That's true productivity, right? How much can we take off of their plate, put on our plate and then deliver it to them as fast as humanly possible, and in that way we show the customer right away, at moment zero, right, at conversation zero. Whenever we feel that conversation moment is correct, we can show them value right now. And that's what I like to see out of every potential vendor.

Speaker 2:

How long to value will it be? If you come into, let's say, a startup like myself and you're gonna sell a product and you're gonna come back to me and you're gonna say, hey, Mark, this is gonna take three weeks to get value from. Probably less interest. We don't have three weeks' worth of cycle time. We've got a small security team. We need to do as much as we can in as short a period of time as humanly possible, and the overall message really says a lot to me. If you're gonna come to me and say, Mark, this is gonna take months to implement, it's probably for a much larger organization. Might not be anything wrong with that. Maybe that's what it's gonna take. But if you haven't come to me and thinking about the size of business that I have and how it's gonna play, that's gonna be really tough, right? We're gonna have hard conversations and I think that that's really where vendors typically will fall down. They haven't thought about the value, the outcome that the customer needs out of a particular product, and that's really important piece. What's my outcome?

Speaker 1:

Yeah, you really truly have to put yourself in the shoes of the buyer to do that. And what we found at Trustmap is that we've always been focused on who our ideal client profile is, right? Typically CISOs, security directors, anybody of that level. But what we've had to do in recent years is really think about who is the customer of our customer, who is the ultimate audience? So you take a maturity assessment, you go through this performance management thing. At the end of it, it spits out a report. Who is reading that report? And then you can get even more meta, because that's in the company. But we can even go outside of the company, the CISO's reporting to the board, right, and other stakeholders, but the board is ultimately accountable to their customers.

Speaker 1:

So what is the value of a maturity assessment to that company's customer? Typically it's if I'm compliant and I can use that as a badge of honor. But if I'm mature in security, then I can use that to beat my competitors. We can now compete on who's the most secure, who's got the most due diligence. So whenever there's a breach we can say, well, X, Y and Z company got breached and you don't have to worry about that happening with us because we're compliant and HIPAA or GDPR, whatever it is. That's very insightful and profound, but it took us a long time to figure it out, yeah.

Speaker 2:

And the companies that I chat with a lot. They've spent a ton of time thinking about what the CISO's team and what the CISO needs to consume. What they haven't thought of is that the CISO is really a salesperson. They sell internally, they sell externally, and we really need that lens put onto every single product. What I find is that companies go out and they'll say well, we've spoken to 100 CISOs and I know right away that the product is going to be focused on outcomes that I will understand in seconds. Fantastic, yes, I understand the outcome. Perfect. Then I will spend two weeks converting those outcomes into something that the rest of my executive team can digest. Right, it really isn't two weeks.

Speaker 2:

But the point being is that the vendor really hasn't thought through the sales motion that the CISO needs to go through, because we're actually selling something. We're selling to engineering managers that we need to make particular changes within the environment and we're going to need them to spend a week's worth of engineering time to fix it. Maybe it's two weeks, maybe it's four, whatever that is, but it's the CISO, the salesman, right, the CISO, the salesperson. That's really what we've become and that's what we've always been. It's just folks never really realized it. And so when companies take a moment to think about that outcome, like you mentioned, and say, look, this is actually the end person that's going to consume this. Fantastic.

Speaker 2:

Now you can go through and stat not just CISOs as a part of the overall product roadmap, but you can go out and stat engineering managers and say, if I presented this to you, would you buy? And then you can chat with the CISO and say, who bought? Who bought this report, why or why not? What could we do, customer, so that you're able to sell internally? And that's really the most important piece when it comes down to a product. Great. Thank you for telling me that I have a million vulnerabilities. Fantastic. How will I sell that internally? And that's really where.

Speaker 2:

I need to be, because a lot of tools will tell me I've got vulnerabilities, perfect, and that's why what you haven't told me is how I'm going to be able to sell those things internally.

Speaker 1:

All right, we've got only a few minutes left and I want to wrap up with this sort of case study. Right, we're sold. Let's pretend that we're in college and we've got a case study. There's a real world problem. They always say real world problem, but this actually is a real world problem. Real world problem: what would you say to a company, a founder, you know? Let's say the company's got three people, you have the CEO founder, who has an excellent backstory, there is founder market fit. You have a COO and a chief revenue officer, right, very small staff, and you've got a really good product. I mean, this thing just blows everything in the category out of the water. But we're going from virtually zero sales into a round of investment rounds. So I mean, you could even say pre-seed investment rounds, right? If you were working with that kind of customer or that sort of company, what are the top, let's say, three things that they should do to go from having virtually zero sales, having a great product, having the beginning of a team, to pre-seed funding?

Speaker 2:

Yeah, so I see this a lot and typically what's missing is a focused message, so the product itself. I have a phrase which I use, that the product succeeds despite our better efforts, and I really mean that, and that happens in companies all the time, and you especially see that in product-led growth companies, where the product continues to succeed despite our better efforts. Couldn't be more valid. And really what I like to see is that folks have a really focused message and that message is able to be quickly tailored to the appropriate audience at that moment in time. That way we can bring in the logos, regardless of what level within companies we're speaking with. If you're talking about an inbound, then we want to ensure that our product is really quick to use. You want to ensure that you, as rock star API, whatever it might be, is really user friendly and you've got plenty of documentation in order to bring on those, you know, quote unquote logos, and they can be all bs, mbs, they could be individual developers, whatever that might be. If you're making a swing at the enterprise space, of course that you want to ensure that you understand who that ideal customer profile is and then take those swings, but the messages need to be focused. So that's number one. Number two, you want to ensure that you understand the value that you are returning to your customer so that you can monitor your progress against that value, and it really does come down to that good, fast or cheap, right? And so that way you're able to quickly measure what the value is that you're returning to your customer. And what I tell all the CEOs that I speak with is that if you could come in and see just a single dashboard every single morning to understand how your company is performing in the eyes of your customer, what would that be and what would that look like? So, really, you know, you're going from this having focus to understanding the value, that a measurable value that you're returning to your customer, right? So that's number two. And then number three, you really want to ensure that the overall team understands that value proposition and message.

Speaker 2:

So, regardless of your team size, ensure that you're aligned internally. And the very first thing I do when I go to speak to any company is I just ask them to articulate to me what it is they do as a business, and I'll do that to each one of the members, and I love to do it when I've already spoken to the CEO and now they have their CRO on the phone and then I just ask the CRO so tell me, what do y'all do as a business? And that really helps the CEO. And I've told the CEO ahead of time I'm going to ask this question and now we're going to find out whether or not your message, your dream, your vision, is resonating across your entire company. If you don't have a team that's aligned and we don't have this sort of one team mantra in the background, it's going to be really tough for us to be successful.

Speaker 2:

Otherwise, folks will press and pull you into different directions, and what I find is, unless the team is aligned really well, you'll have a lot of trouble saying no to things. You really only want to say yes to a handful of items. You should be saying no all the time. You should be exploring options. You should be saying no with frequency. That to me seems to be it, so hopefully that helps.

Speaker 1:

That helps a lot and I can hear them, but I can tell that there's somebody out there listening to this, watching this, who is just furiously taking notes. Based on everything you just said, that was a perfect summary and I really appreciate your time here, Mark. I really appreciate it. I've gotten to know you a little bit better over the last 25 minutes or so, and I hope this is the first of many conversations. I mean, this is the meat and potatoes of startups in cybersecurity, and the common thread that runs through all of these conversations really is just keep it simple, messaging, coherence. Those are the fundamentals that I keep hearing, and you've illustrated that in stark contrast. I love it. All right. Well, thank you so much, Mark. Thank you for listening and for watching this episode of Security Market Watch. Now, Mark, if people want to get ahold of you, how can they find you?

Speaker 2:

Just reach out straight up on LinkedIn. That's actually how you and I got to know each other. You can just look for Mark Dorsi, D-O-R-S-I, on LinkedIn and I'll be happy to connect.

Speaker 1:

I searched the best CISO ever. No, your name popped up.

Speaker 2:

Okay, Alan.

Speaker 1:

Alford. Shout out to Alan Alford. You didn't hear that part because Alan's my old boss and he was my old CISO. I could say best CISO ever to him as well.

Speaker 2:

All right.

Speaker 1:

Well, thanks, Mark. Thanks, everybody. Goodbye.
