Ever wondered how cybersecurity and identity management intersect to create a safer digital environment for businesses? Paul Querna, an accomplished CTO and co-founder of the cybersecurity start-up ConductorOne, joined us on the CTO Show With Mehmet to share his insights and his journey in the realm of cybersecurity. He shared how his experience with security incidents at his previous job sparked a deep interest in understanding how to craft a secure digital environment. He emphasized the significance of identity management in organizations, its role in managing authorization, and how this enhances productivity.
Navigating the sprawling labyrinth of cloud applications can be a tough challenge. Paul shared how the lack of a protocol makes it tricky to manage permissions across all applications. He explained the pressing need for automation to tackle the problem of sprawl and the importance of APIs in building automation. We also explored the concept of zero trust and the focus areas for someone who is trying to build a zero trust model.
While starting a cybersecurity startup might seem daunting, Paul breaks down the key areas to focus on. Understanding both the product and the marketplace, and maintaining a customer-centric approach can help your business stand out. Finally, we discussed the challenges businesses face when software licenses change and its implications for the open source community. Paul stressed the importance of patience and trusting one's intuition when launching a startup. This captivating discussion with Paul provides a treasure trove of insights into the complex world of cybersecurity. Tune in for a riveting conversation.
0:00:01 - Mehmet
Hello and welcome back to a new episode of the CTO Show with Mehmet. Today I'm very pleased to have with me Paul, joining me from Portland, right?
0:00:10 - Paul
Yeah, Portland, Oregon, yep.
0:00:12 - Mehmet
Yes, so, Paul, thank you very much for being on the show. The way I like to do it is I keep it to the guests to introduce themselves, so tell us a little bit about yourself and what you do.
0:00:25 - Paul
Yeah, so I'm the CTO and one of the co-founders of ConductorOne, which at a simple high level is a cybersecurity startup, and we're really in the identity security space, where we're helping manage what people can do inside an organization, just the authorization part of who you are inside a business. And my background is like very infrastructure, all the stuff underneath the clouds, that kind of work.
And I kind of just found myself in security because I saw security incidents and I was pretty unhappy with the outcomes, and that led me to starting a company, which I think is, you talk to a lot of people who start companies, it's from kind of seeing personal pain. That's kind of how I got here.
0:01:16 - Mehmet
Yeah, that's wonderful, like actually you know. So, if you can like a little bit elaborate on the journey because I'm curious, my sense. So I was in the infrastructure space, I started configuring servers and virtualization stuff and then cloud. So you mentioned, like you saw, some incidents. So what was the trigger for you to shift to cybersecurity? Because, by the way, cybersecurity maybe you will agree or not, but it's not the funniest place to be in actually. So what brought you to cybersecurity space?
0:01:54 - Paul
Yeah, I mean yeah. So I was working on open source software for a large company and we were building kind of cloud infrastructure and I was running infrastructure teams there. And you know, we saw security incidents at our company and this was back near 2010, 2011. And the reaction of the company is what you're supposed to do at the time, which is you buy everything that's out there, you buy more VPNs, you put multi-factor everywhere, you put all kinds of agents and endpoints and all kinds of stuff to try to lock everything down. You know, the philosophy was like we'll just make it more secure by making it harder for anyone to do anything.
And it really had two outcomes that blew my mind. So first was the effectiveness. Unfortunately, like, security incidents still happened. It wasn't like we did all this work, we spent millions of dollars and there were no more security incidents. Like, so the outcomes weren't good. So I was like, that's weird. You know, like most of the time if you buy a solution, like, at least the outcomes work, right?
And the second one that really bothered me (so my background was very, I'd say, like I cared about like productivity and how to be successful and like those that was my ethos, even in the infrastructure space) was it destroyed my team's productivity. Like, we made it so hard to do work that like people didn't want to be on the corporate network in the office anymore. This is way before the pandemic. People were like I'd rather work from home on my home internet connection because I can get my work done better, and that, to me, was one of my trigger points. Really that led to me starting my first company. But you know it was like how can we spend all this money? And it like hurts productivity so much that people don't even want to come into the office anymore. Like that combination was what kind of shifted my career for now more than 10 years into kind of like well, someone has to work on the security thing and make it not so terrible that people don't want to come into the office anymore.
0:04:08 - Mehmet
Yeah, makes sense, definitely. Now let's like a little bit dig more into you know this topic and talk about you know identity management. So, and you mentioned like basically it's about you know the way authentications happen and what should, what should you know who does what exactly? So, if we want you know to highlight why it's important for organizations to adapt, because, honestly speaking, you know I was reading a lot of articles previously and people like mix things sometimes, like you know, privileged access management with identity management, with you know all these things, yeah, if you can like I want to you know, of course, like high level, dissect these ones and highlight the importance of each one and why the organizations today, more than any time before, they should have all of them actually.
0:05:07 - Paul
Yeah, yeah, it is a little bit of alphabet soup. You know, kind of the Gartners of the world have chopped up the space into you know half dozen plus kind of alphabet soup of words. You know, I think just from like first principles you have to start with who someone is and you know it's normally called authentication with an N and you know that's who you are. But I think one of the important concepts there is many times that's, you know, coupled with the device you're on as well, right? So you know, in a physical analogy you're like, oh, you show someone your you know, state issued ID or whatever when you enter a building, that's your attestation of who you are. In a digital analogy, though, there might be a credential like a password or preferably WebAuthn, like a YubiKey, you know those are better credentials. But it's also you're always coupled to the device you're on, right, it's not just you as a human, there's like a piece of machinery in between you and the whatever you're authenticating to. So you kind of have this device that needs to play a role in a lot of zero trust philosophies. You know we only trust corporate managed laptops and your password that you know preferably is a good one and that's kind of the authentication part and it's who you are.
The next big bucket is kind of authorization, what you're allowed to do. You know, in the physical analogy it's you know, are you allowed to open every door in a building? Like, even if you are some you know person, you're not allowed to go in every door in a building, right? So it's the authorization of what you're allowed to do at any given time. And I think you know, historically a lot of organizations you know have been very loose with authorization many times, overprivileging what you're allowed any user to do. You know, should you know, should the you know CEO of a company have access to everything in a company? I mean kind of, except if you're a cyber attacker, you know, you're like, well, if we hack the CEO, we have access to everything, because, but the reality is most CEOs don't need access to everything in the company all the time, and so there's a concept in there called least privilege and kind of temporary privilege access. This kind of gets into one of those alphabet soup things of privileged access management, which is kind of how do you manage the most sensitive authorization? How do you dynamically change what you're allowed to access? So you know, today you're deploying something on a server, you need access to that server. But if you're not doing that work tomorrow or in your vacation for two weeks, you don't need that access and so there's an authorization part there and it's challenging to get right.
I think kind of the connective tissue on a lot of this is there's kind of a governance side. So if you hear the words IGA, identity governance, that's kind of managing the overall architecture. There are many different compliance regimes that different companies have to adhere to. So you know, in the US if you have HIPAA or SOC 2, you know there are. There's a global set of standards you need to hit for various companies and industries. But generally those compliance systems say you have to justify someone's access, you have to review their permissions every quarter or every year. You know there's different versions of this, but the basic idea is you don't kind of want scope creep. You know you want.
You know I used to work with a guy in an old company and he started in support, he moved to project management, he later moved to engineering, he later moved to a technical operations role. He had access to everything you know and like from a compliance point of view and a risk point of view, that's not great. You know, if his account is compromised you'd have access to everything in the company, and so that's usually. There's some sort of governance apparatus over this whole thing that kind of manages who has what. It makes you recertify who has what. As I say, those are the three big buckets you could splice them three or four big buckets.
You could splice them in many subcategories, but it's like who you are, what you have access to and then why you have access to things.
0:09:36 - Mehmet
Right. Now, because you talked a lot about cloud, Paul, and this is something you know, I'm sure we're seeing everywhere, by the way, and it isn't tied to any geography, but people tend to think that when I move to the cloud, part of these things are taken care of right, which is not the case. So I, like you, know when you are a CEO of a cyber security company. So people, please listen to Paul what he will tell us about you know why you should take care of these three concepts that Paul explained. So, Paul, what do you tell us about that?
0:10:17 - Paul
Well, there is good news with the cloud, we do get rid of a lot of kind of legacy approaches and legacy protocols for how we authenticate, especially. So, kind of on the authentication side, there's SSO protocols like SAML and OIDC. These are great and they help a lot because they remove a lot of you know, having a different password for every app and, by and large, cloud applications are SSO enabled. Sometimes companies charge more for it, which is a different topic, the SSO tax, but by and large, the authentication part is becoming very commoditized and generally a protocol that most business apps support, and that is great because it does remove a significant problem.
The challenge is you know the reality is, with explosion of cloud, every part of a business has, you know, their 50 apps. You know if you go to a financial leader, you know they have NetSuite and 40 other cloud apps that runs the finance team, same with the marketing team. They have their you know, 20 different ways to target ads or whatever, and the sales team has their CRM tool and then their you know video recording tool and, like, every part of the business actually has an explosion of cloud applications and I don't think that's going backwards, by the way, I think it's one of the waves of kind of the next decade is everyone's going to have a lot of niche apps in their business? Yes, there's going to be the big ones. You know Microsoft cloud is going to be huge. But even if you go to someone's all in a Microsoft cloud, they still have hundreds of other apps at scale, and so that's sprawl.
There's a couple of things that happen because of that. One is the knowledge of who should have what is distributed. In a traditional kind of centralized IT model, you kind of think IT knows all the answers, and that's really hard when you have all these different apps. IT barely knows about the app. You know, it's going to be someone in the engineering department, you know, who knows what GitHub repositories an engineer should have. IT is very challenged to figure that out, especially when you multiply across all the apps, all the permissions different apps have. And so one of the challenges, I think is just the volume of apps, the volume of different permissions you can have in that, and the reality is, from just a risk point of view, your company's data is in those apps. That's what makes them valuable. So a breach in one of the data, breach on those apps can affect your business in a very material way.
Now I think there's some you know silly apps out there. I don't know, you know, a spell checker that's cloud based. I mean, does that really hurt your business if their spell checker has a data breach? Maybe not, but a lot of these apps have very sensitive data and so that sprawl is like the fundamental problem. And the reality is there's no protocol that helps you here, unlike the authentication space where there's kind of the OIDC, SAML protocols. In the authorization space there's not a lot of options to just manage who has what in your apps, because all the apps implement authorization their own way. That's really actually the conundrum that brought us to ConductorOne and starting the company was this sprawl is untenable. So that's how we started the company. It was like, well, that's a big problem.
0:13:43 - Mehmet
Yeah, it is a big problem indeed. So I understood, Paul, that you try also to automate part of this because, as you mentioned so I used to work in the IT department and even I was doing consultancy for big customers, but at the end of the day, as you said, the number of systems were limited. So we know there's a couple of databases, couple of applications, couple of web-facing servers here and there, but today you have a large scale, as you said. So how important is automating the security stack for such complex and hybrid environment?
0:14:23 - Paul
Yeah, that's right. I mean, I think it actually is a position that demands automation, which I think is a different level scale. To your point, not that long ago, I think, a lot of IT departments ran a few core systems, a few on-prem apps and maybe you had one or two cloud things. But the reality is, when you have all these different systems, you have to use automation. But seriously, reality, most IT departments, the number of apps has doubled or tripled or gone up even more. Your headcount of the IT department is not. Like, relative to the app growth, most IT departments aren't doubling their headcount, and so I think that's one reality in the IT space is you are resource constrained. You're actually human time constrained, and so to hey, we're onboarding someone, tomorrow we have a new hire starting, you need to go to 50 different apps and invite them to the app. That takes a lot of time, a lot of time.
And the other reality is, luckily, actually in this decade, most apps have APIs, which I think is a big delta from 10, 15 years ago.
APIs were hard, APIs were rare, like we were still learning what it means to be a product with an API, and I think that's the other big thing that actually enables us automation, right when 10 or 15 years ago, even if you wanted to build automation, it was hard, like some apps had APIs.
Maybe you could put together a PowerShell, the script, something together, but it was really hard. But now a lot more apps have APIs, and so I think that's the other kind of enabler in this is, yes, there's an explosion of applications, but kind of as a reference architecture, you can go to any cloud app and say, hey, what's your API for adding a user or changing someone's permissions? And the reality is most apps have that already, and so that's the one enabler that. I think it is the good. The goodness out of this is that, yes, there's an insatiable demand for more applications. The good news is we kind of said hey, apps are expected to have APIs, and one of those APIs is user management and therefore you can do a lot of automation. That just wasn't possible.
0:16:46 - Mehmet
Now, you mentioned at the beginning, Paul, about the concept of zero trust, and zero trust is something mainstream. Now Some people they say it's buzzword, right, but it's not. We know it's not and sometimes, unfortunately, it's misused by vendor. But, for example, for someone like what you do, it's completely different. So now, if I am a CISO today, right, and I'm evaluating or, let's say, I'm trying to build a zero trust what are the things that I should be focusing on? From the experience that, because you're talking to a lot of customers I think customers I know that for a fact.
0:17:24 - Paul
Yeah, well, my history with zero trust is a long one. My company started in 2015, was doing zero trust before anyone knew what zero trust was and no one would listen to us. We're like, hey, there's this crazy idea out here, we're calling it zero trust. You know, I think in the modern context we've kind of settled in a couple categories. So you know, there's a zero trust network access space, which you know, I think if you really simplify it down, it's a better VPN, you know, and as silly as that sounds, that's helpful, right, like having a better VPN, a software controlled, a software defined VPN. That's a great building block and that's good and there are advantages to those products. I think the next kind of bucket is you know, the root of zero trust was like we had these, you know, basically network-based firewalls with IP addresses for identity. That's bad. IP addresses are not a good proxy for identity, so we have zero trust network access. The next is kind of, in my opinion, is the proliferation of SSO and using SSO to drive access, and so there's products that kind of you know, let you use Okta or Azure AD to log into a database. Those are helpful because then you're out of the space of managing a password to access database and that's great. And then I think the other spectrum of Zero Trust is kind of the last thing that is less figured out.
I think it's actually kind of the least privileged story and if you go back to a lot of early Zero Trust writings, you know some of the stuff from Google about BeyondCorp and some of the original writings about Zero Trust. There's this embedded idea of least privilege that you know any given person in your workforce shouldn't have access to everything in the company all the time, and that sounds really simple. But the tension there is productivity right, if you lock everything down so no one can access anything, no one can do their job, right. So there's the unique tension. There is productivity, and I think that's one of the ones that's the hardest actually for a lot of businesses to figure out is how do I restrict access to data in such a way that people are still productive but my risk is diminished? And look, there's simple ones. Like you know, everyone in the company doesn't need access to all your financials all the time Like, okay, let's go implement that. But it's harder as soon as you get to like customer data or customer contracts or support dashboards.
You know these are real hard challenges for business to figure out who should have access to what, and so I think in my mind, that's the most under delivered part of Zero Trust so far is figuring out how to, at scale, do least privilege. And I'll throw another buzzword in there AI, I think, is actually somewhat helpful here, right, like it's good at understanding large dimensionality data and things with mixed cardinality, which, whatever I mean by that is. You think about a company with 10s of thousands employees. They have 10s of thousands of groups and those groups are assigned access to resources and figuring out what groups are even need you know, or, or who should be in what groups or who should have access to what.
It's not a human scale problem, right, and so I think that is one space where we will see more innovation in the next couple years is can you leverage a lot of AI technology to help with this authorization problem? But again, the tension still productivity. So no CSO, this is a challenge. No CSO wants to get in trouble because, like you know, they revoked access to things you know and support team could do their job for a day. That's like not okay, and so there's a lot of kind of deployment hurdles there to make it successful.
0:21:32 - Mehmet
Yeah. Now Paul, how we are seeing you know the adoption of you know, because you know it started to be, you know I remember like when, when I started my career, you know everything was, you know, getting centralized, getting the things. Now we are seeing a trend of actually relying on you know third parties to do even our SOC analysis, right. Now, and coming back to your point about access, so what are you seeing? You know big enterprise and even like small medium businesses, what are they doing to make this balance between you know you're giving your soul to someone actually to defend you from one side, but the same side you're faced with, you know, overwhelming. You know issues you know security related or not security related, plus lack of, you know, of skilled workers, I would say, in the field of cybersecurity. So what are you seeing? You know like big enterprises and clients you talk to doing in this space?
0:22:38 - Paul
Yeah, so there is a definitely decentralization. I prefer the word democratization. Maybe it's hard, you know, but it's in my mindset. It's really about enablement. So, as the central IT or even central security departments or central compliance departments, you know you want to create a golden path for your business units to be successful on right. If you color within these lines, you will be successful. And so, from my point of view, a lot of times it is, you know.
Look, here's our authentication solution. It's cloud based, it has all the protocols, it plugs into every app. Here's our authorization management strategy where, hey, if it has customer data in it, whatever this app is, we need to look at who has access to that every quarter. You know, we're going to do that for a compliance point of view. If it doesn't have customer data in it, or if it you know, I don't know is some silly tool like, we'll look at it once a year.
So you can kind of, from my point of view, it's about setting the policies and kind of the control regime over these systems, but not actually having to own the systems themselves, which is a you know, you're there to enable the team to adopt something and then say hey, to adopt it in the best way. Here's the few things you need to do and make it a checklist that a business unit can achieve, and that's why I see most both large and small businesses are kind of moving towards. It is a service orientation of helping your business be successful. And there's a thing look, here's the important things we need to control is who people are, what they have access to and how we make sure that's the actual state of things.
0:24:24 - Mehmet
Yeah, makes sense, and I like the word you know, the democratization of that instead of decentralization. Yeah, 100% agree with you on this. Now, maybe a little bit. You know we're not related directly to cybersecurity in the sense of this technology, but from a CTO perspective, Paul, what do you think is the difference between being a CTO for anything and start up and being a CTO for a cybersecurity company?
0:24:58 - Paul
Sure, yeah, I mean there's a couple categories. I mean, I think within B2B software security is a couple other attributes. So well, first of all, I guess actually yeah to your point I am dual-hatted. I'm effectively a CISO at the very least and a CTO, and so every part of our business you know, I think it's cultural the other day is like how you build secure infrastructure, how you build secure software, that is on me as a leader to help our team be successful. So it's culturally as a team we care about security a lot. And how we build our software, how we deploy our infrastructure, you know, so that's embedded within.
This is like you're kind of a double hat. You know, at all times, I do think the security space, you know, in some of our businesses it feels like we're kind of like a data company. You know we have a lot of data ingestion, which I think is different than you know certain other SaaSes, where you're kind of you know you have your SaaS, people click buttons, everything's okay. So I think we're, you know we're coming to data ingestion company, which architecturally is different than I think some of the simpler SaaSes. But I think the primary thing is, yeah, we're just everything is security oriented right and it's expected of our customers. Especially when you're selling to a security team or IT team, they don't skip the security questionnaire. You know it would be great if they did, but they don't and they honestly, just you know they're trusting you with their reputation, and so there's a lot of trust building between us and our customers and I think, in the CTO role especially, I'm there to help communicate to our customers how important their data is to us, how important them trust in us is and how you know. Here's all the thousand things we do to show evidence that you know we're doing the things we talk about.
You know I try to show instead of tell, and I think that's different than you know if you're making a CTO for an app, making for designers or something. It's like you know there, you know you just have different priorities, and so for me, yeah, it is security embedded in everything. At the same time. We're still a, you know, startup venture backed. We got to move really fast. It's one of those tensions. It's a tension to both be growth oriented and how you know, can we, what's the fastest we can go as a team. At the same time, a security incident can ruin our company. So you know, I try to think of architecture as well, as like what's the? How do we limit the blast radius, how do we isolate systems? So there's a lot of kind of architectural stuff that I think goes into that to. Even if there ever is an incident, it's very limited impact, which I think is different than if you're just going as fast as you possibly can. You know you'll just put everything in the MongoDB and see how it goes.
0:28:01 - Mehmet
Yeah, true, now, because you mentioned this now, Paul, the question just popped up in my head Now cybersecurity. I'll let you know where I'm going trying to go with this. Cybersecurity is, from one side, a very hot, you know, for venture capitalists or any investor out there. But from the other side as well, and you need to move fast. As you said, from the other side it's a crowded market, so it's like a business, but plus tech makes question.
I would say you know how, how you see, you know, like the position in the market and the right messaging and the right product and you know the right, I would say, team plays a role in taking. You know your offering and you know, in my opinion, all cybersecurity products are important. Like there's no nothing you can say, oh, like this is good to have All of them. Actually they fill some hole in the in the castle that we're trying to protect. But how do you, you know, balance this? Because from one side you have competition, from one side you have other people trying to take your pie actually over there. So how do you manage all this pressure from market, from investors, when you are in a cybersecurity startup?
0:29:32 - Paul
Yeah, so I think you know a word that gets thrown around a lot is product market fit and I think specifically though you know I think people sometimes gloss over it, you know, but I think it's really important to both have product fit and market fit so you can have an amazing product, but if it's, you know, if you can't communicate to the right buyer, the market has to be there for it to be an effective fit. You know like you could build an amazing product, but if, if you have to convince 10,000 people in a company that it's cool before they can buy it, it's actually not a great market. And so I think that's one of the issues sometimes in security is, you can build an amazing technology, but you have to be able to find, preferably, one person in the company of any business that can say, yes, I want to buy that thing and yes, it's critical to my job that I buy that thing tomorrow. So you have to have that urgency. And I think sometimes, especially with CTOs like me, like technical founders, we go after the problem and we're like we're going to make a product that solves that problem, but if you don't figure out who you're selling it to, you're going to have a hard time, and you're going to have a hard time as you get bigger. You might have some great initial demos, but until you figure out who you're selling to and how, that one person can have urgency and say I want to buy that thing tomorrow. That's really the critical part of my mind for especially for cybersecurity.
I think the other side of this is, at least for ConductorOne, how we go about it is we are extremely customer centric. I would say we listen to our customers obsessively. It's a cultural element to our company that we take their feedback. We're passionate about making them successful. I think the thing I'm really proud of is we don't have shelfware customers.
Everyone gets deployed successfully and that is critical to our company and it's not just something that the customer success team cares about the entire engineering org. We devote significant resources to customer X, whether it's a bug or they're missing a feature. They deployed something on prem. They have a weird use case. We're still going to go out of our way to make them successful and I think that kind of customer obsession is one of our ways that we kind of differentiate in the market. There's a lot of shelfware in cybersecurity, where people buy out of fear and a good demo and going around. There's a lot of cool products out there that can show you all the things wrong in your company, but if you can't deploy it, it's just going to get ripped out in two years and so for us that's like. Our passion is just customer focused and whatever Amazon says, that too, they're customer obsessed. But I do think in cybersecurity it's a differentiator to just say we're going to do whatever we can to make our customers successful.
0:32:19 - Mehmet
100%, and I like always this approach from any company, whether in cybersecurity space or not, because you're solving a problem to them and I believe I was checking the list of your customers. It's really decent. You have some public reference of big companies and I'm sure these guys. They have seen the add on value. And this brings me to because usually people when they take decisions, they like to see tangible results and in cybersecurity it's not always easy to measure it in dollar value maybe, but you can measure it in something else. So how do you approach this?
0:33:16 - Paul
So we approach actually honestly in our sales process. We walk our prospects, potential customers, through what we call a business value. It sounds silly even for a startup to do that, maybe something you expect from Microsoft or something, but it's really important to us to communicate the value and, honestly, the way we communicate most of our value is yes, there's an awareness thing of insurance policy stuff. That's really ambiguous. What hard numbers, though, come down to automation, where, hey, previously, every time you hired someone or you fired someone, or to do an access review, it took thousands of hours across your organization. When you ask every manager in the company to justify their employees' access, you can measure how long that takes as a business, the amount of kind of spent time on things, and then, when it turns out, you need to revoke 200 groups. Who's doing that work? How long does it take them?
So to the point earlier kind of about discussing automation. That's actually where we anchor a lot of our business value is hey, this is a third of someone's job, or multiple people's jobs. You want them doing higher value stuff in IT? Don't have them wasting time on this. We can give you a product for a reasonable price that saves you weeks or months of someone's time, and that's really where we anchor business value. It's just fundamentally actually the automation part of this, the workflows on top of visibility.
0:34:52 - Mehmet
That's great to hear, Paul. Also, I figured out that you are a fan of open source as well. So where do you see, in general, as a CTO and with all this experience, what's the future of open source? Because there's a huge debate sometimes about this topic and some people they see it as not fair, some people they see no, it allows like and I am a fan of open source, honestly, and there are a lot of companies that manage to monetize that model also as well. So where do you see the open source heading with all this noise around us?
0:35:39 - Paul
Yeah, I think what's hard. So in my context there, there's a generation of startups and businesses that started with one premise that we're going to license software under a very liberal license and then a decade later, in some cases or around that time, they're extremely popular and then they, for various reasons, which is totally fine, they've chosen to change their license. That to me is really challenging, because one of the pillars of open source in my mind is community and having people outside your business interested in your software. It's part of being in that community, and when you change the license like that, it's actually a betrayal of why people contributed to that community, and so that to me, is very challenging.
I think, going forward, I think I hope if you're a startup today starting a new company and you there are other licenses out there that aren't necessarily true open source, but they are source available. If you start from day zero without license and you're clear with your community, this is how we're gonna make our source code available, I have no problem with that at all and that to me makes total sense. I just think it's really challenging when you've been telling people something for 10 years and you kind of walk away from it is like hard on communities and you know the Terraform case is a pony at one right now. There's an OpenTF foundation that are you know it's gonna try to take it to the CNCF, I think that's you know. One of the outcomes is you're gonna have forks of some of these soft, the software to stay and kind of an open source license, you know. But at the end of the day it is you know whoever owns the software is their choice.
You know it's the same way. It's the same way. The license allows you me to build a competitor right, like it's okay for someone to choose to kind of make a more stricter license. I just I struggle with the community part of it. You know it's like the people I had dinner with, you know at OSCON, like they're no longer really open source and that to me is just kind of weird. It's like you're leaving that community and that's kind of a bummer at some level. I wish there was a better, I'll say, business model or way they can continue to scale their businesses and still be part of like an open source community. But I just don't see it happening right now. And it doesn't mean it's not bad for open source, by the way.
Open this is like the craziest thing about open source. I've been in it. You know 20 plus years is like it's just really really big. You know like 20 years ago there were like a couple thousand people in open source. You know like people talk about like GitHub, how fast GitHub has grown or something. It's like the pyramid of like number of people in open source is just exponentially bigger than it was 20 years ago, and I actually think that's really amazing. You know, you think about like as humanity we invented a way to share knowledge and one of those ways. This is an open source thing and it's bigger than it's ever been and that's great. And so I think at some level, I'm like concerned about how businesses interact with this. But at another level, like if you're a young kid today, you can actually see how systems work and it's all open, it's all in GitHub, like that's amazing.
Like when I was a kid, like yes, there was Linux. You know, like 90% of the software out there, even cool hip software, was not open source. You had no idea what's going on. And so I don't know, is it the technologist, the kid? And means like we're still in a great spot as a society. There's a lot of open source, a lot of open things. So it's okay. You know, just remember the pyramid's really big. You know, it's not like there's only like three software projects in the world.
0:39:31 - Mehmet
Yeah, that's, you know like it resonates with me, because from one side, I think, even if someone fork and build their own products, that's fine with me, because still, you know there's a community as long there's a community that still taking care of that project, and you know I can understand that people need also to generate some source of income, you know, by doing totally right. So I don't. But you know the only thing that would piss me off if someone goes and shut down a project and to make it completely. You know open source and you know one of the best thing that I ever saw. You know companies who managed to have both models simultaneously somehow.
Yeah, like having a community edition which is kind of an open source one, and having you know another edition which is, you know it has the licenses right, it has, and I think it worked well for them and they proved themselves. You know, on the long run, um, shifting again, Paul, to startups, and you know you mentioned about the product market fit and then the buyer fit as well. Right, so, with all the experience, because you started many companies and this is for fellow startup founders who are listening to us, whether they are in cybersecurity or anything else. You know what piece of advice you would give them.
0:40:59 - Paul
I would say look, patience, persistence, um, and you know a little bit, stick to your intuition. There's a balance there, like, I think, being very customer centric, but still stick to your intuition a little bit, and it takes time. You know any startup you see out there that's making headlines and you know having their IPO parties or what. There's no IPOs right now, but yeah, whatever you know at least these big, high-flying, successful startups. Go read about when they started, and they all started 10, 15 years ago.
It is a long journey and you know the way I talk about even our team is. You know, let's make the whole company 1% better this week and do that again next week and every following week. You know it's a stacking wins. It's how I think you build a great company and so I think that's me. It's like persistence, persistent persistence. It's you're gonna have good weeks, you're gonna have bad weeks. You just got to stay in the game and if every week your company is just a little bit better and you stack those for a long time, you end up with a good company. And that's hard, like you know. People, this people burn out. It's hard, it's not trivial, but you know, take vacations too, and that's the other thing I think, as I've done more startups and everything else like I'm better about, I'm gonna take my two week off vacation and be in the forest and you know that helps me kind of reset every year and be ready to keep going.
0:42:51 - Mehmet
So it is a long game.
0:42:52 - Paul
Is that it's the real message.
0:42:55 - Mehmet
It's a long game indeed, and I think also they need to accept some time that they need to pivot, they need to try multiple things after they succeed right. So, oh, yeah, yeah. So it's a long journey and yeah, please go ahead.
0:43:09 - Paul
The pivot thing is, I think it's you try to. You got a center around learning. You know, like, even if you're working with a prospect or someone who might buy your thing, your current thing, you just got to learn as much as possible, like from them what are the problems they're facing and what you know. If they can you know, ask them if you could maybe wave a magic wand and fix anything in your business. What would it be? And, like, you probably want to build the thing in their first or second idea right there, right, like, if you're the 40th problem they want to solve, it's still gonna be hard, right, and so I think that's part of it is like, be persistent, always be learning, always be talking to people and you'll find your thing.
0:43:54 - Mehmet
Mm-hmm. Yeah, yeah, 100% about this. Yeah, it's like you know. I had another guest and said, like you know, also don't rush implementing features, because just one it was Joe like who I to expect? So, yeah, like you need to prioritize things and make this balance all over there. So, 100% on this. Paul, like where people can find, you know, of course I'll put all these things, I have them, but just you know for you to mention when they can find about you and about your company.
0:44:31 - Paul
Sure, so, uh, I mean, I have an X account, if anyone still uses that, P-corner, of course, but, yeah, yeah, but it's ConductorOne, conductorone.com.
Um, you know we're, uh, very visible in all the socials, ConductorOne, all those things on LinkedIn. We post things there pretty often. We do have a company like podcast to cross with that for a second, called All Aboard, uh, where we interview a lot of, uh, kind of cyber security leaders in various forms and function, um, talking a lot about these identity problems and what they're doing in their business to figure out how to address them, because they're just they're complex problems and they're not things you can always solve in a one-day deployment. So it's always a good time to talk to those people.
0:45:22 - Mehmet
Yeah, that's great, Paul. Anything you wished, anything I missed to ask you?
0:45:28 - Paul
No, this is great. Uh, you know, I think, uh, we hit a lot of different topics. Um, that's great.
0:45:35 - Mehmet
Yeah, so I asked this fine question just in case, maybe because we wanted to say something or my guests want to say something, so I asked this question. It's not a tricky one, guys. By the way, people think that I try to trick the guests, but no, it's just to open a window. No, in case to me myself, I missed something during the preparation. Well, Paul, thank you very much for being with me today. I think you enlightened a lot of seizures and even you know people interested in cyber security and fellow entrepreneurs today with your words. So thank you very much for being on the show.
And, as usual, uh, this is how I end my episodes. If you have any questions about this, you know episode or you know the show in general. If you have questions to Paul also, you can feel free to reach out to me. I will forward that to him as well. Um, you know, keep the feedbacks coming. I'm enjoying reading them. We are trying to make a, you know, mix of topics, so I'm not jumping. I'm trying to, as much as possible, to squeeze all the topics from cyber security. You know, deep tech and all the other functionalities of technology, plus, of course, startup slash entrepreneurship with everything related there. So, whether it's marketing, sales and all this stuff, um, thank you so much, Paul, for being here today again, and thank you for the audience for tuning in, and we'll meet again next episode. Thank you, bye, bye, thank you.
Bye.
Transcribed by https://podium.page