Andrea Swaney (Cyral): Go-to-Market Leadership from Start to Scale

Kaitlyn Henry: Welcome to the OV Build Podcast, Building To Boss. I'm Kaitlyn Henry an investor here at OpenView. This month, we're releasing a special miniseries with female leaders across the enterprise SaaS industry, who all know that the path to leadership is challenging, but aren't willing to let that stop them from building something great. Today, we'll hear from Andrea Swaney, the Head of Go- To- Market at Cyral, a data cloud security company. Andrea's perspective has been shaped by years of experience across a variety of roles, from business development, strategic partnership, sales, product marketing, and everything in between. She's worked at companies from the earliest stages of development to the much later stages of hyper growth and scale. No matter where you are in your go- to- market journey, I can promise that Andrea has practical, insightful lessons for you that we're super excited to share. In today's episode, we'll unpack the ways B2B SaaS companies can use marketing messaging to differentiate themselves, the nuances of selling into a security audience, or a more technical audience, and why it's important to balance builders and managers while hiring and setting up processes at early stage companies. All of that and more in this episode of the Build Miniseries, Building To Boss, let's dive in with Andrea Swaney. Welcome back to Build, I'm joined here by the wonderful Andrea Swaney, Head of Go- To- Market at Cyral. Andrea, welcome to the podcast.

Andrea Swaney: Thanks. Great to be you Kaitlyn.

Kaitlyn Henry: So, you've had an interesting mix of experiences as a go- to- market leader, be that of the strategic partnership, sales, you name it. For those listeners who are meeting you for the first time, tell us a little bit more about your background and what sorts of problems you've been most excited about solving throughout your career.

Andrea Swaney: Yeah, definitely. So, as a lot of people end up in this space, I show into it. I spent a few years in my first job consulting, just learning about general business operations, working with sales and marketing teams across steel industry and tourism industry, it was wild first two years. And then 2008 happened, we were in a recession and I said," Let's try this startup thing on for size." I moved back to the Bay Area after graduating from Stanford and just reconnected with some folks there. So, I ended up with a really technical product in desktop virtualization, and it was a security play to help onboard contractors. So instead of sending contractors laptops, you just send them this local virtual machine and they had access to everything. So from there, I think the first bit of advice that was really helpful was talk to the engineers, learn what they do. Even though I had a policy and econ background, it would actually start to make sense in terms of what they were working on at least at a high level. And so at that company, I spent five years there, which is eons in startup land. I had worked on everything from account management, I started taking over sales and started closing deals and then I moved full- time to New York City to manage and direct our East Coast business there. So, I worked with BP and McKinsey and all kinds of fun enterprise accounts out there, AXA insurance as well. So, I got a feel for the enterprise thing and then I wanted to know what was beyond sales, what would get us leveraged? And I think that's where business development was piquing my interest, where we work with partners to really open up the flood gates in terms of getting access to more deals. So I found that whole deal structure interesting, I just wanted to gain experience there, and then that rounded out my five- year experience. And then I had a friend from Stanford say," Hey, we've got an early stage security company who've gotten interest from enterprises, help us do enterprise sales," they were the founding team at Signal Sciences, they came from Etsy, which is a yarn website, as they would say, I mean a knitting website, but actually was very tech forward and so they had spun out to create a security product and so I just jumped on board. It was the ability to work with someone I already respected and on a problem that was seemingly big from where I stood at least. And so from there really built out the go- to- market. So, everything from pricing and contracts and prospecting and building a sales team, building a sales engineering team, building a customer success organization. So, something that really drew me to it was just a strong vision and fitting into a clear market gap. And that's what has led me to where I am as well, now at Cyral.

Kaitlyn Henry: So, your two most recent roles have been in the larger security world. What do you see as some of the nuances of being a go- to- market leader in security specifically? As opposed to say some of the other experiences you may have had in vertical software or just generally B2B SaaS. What challenges do you face that are unique to the security world?

Andrea Swaney: Yeah, it's a great question. In general it just feels good first of all, to be working on making users and companies more secure. It's something I get excited every day to get out of bed and do. And I think it was forming relationships early on starting 10 years plus ago with folks and understanding challenges and what they were trying to do. So, I think security has just a great network, a great community and so it's been a joy to be a part of really. I think the specific things that are challenging are just the general crappiness of marketing messaging. If you had to have to call it something, it's really hard to stand out in the crowd, everyone's saying the same words, the same buzz words, and it's really challenging to how do you separate yourself? And so one of our mentors at Cyral told us the key to success at a startup is talk clearly, proclaim leadership, and grow fast. So, how do we talk clearly is something I always try to focus on how do you distill things down to soundbites that you remember that customers and prospects remember that you can put clearly on your website. So, I think that's a clear challenge in security, is just walk the virtual halls at RSA and see 700 new companies that are talking about cloud security and you have no idea what they do. So, I think that's the number one tricky thing. The second thing is building a team that sells to security engineers. Security engineers can be a tricky group to sell to. And at Signal Sciences, my first 10 reps were just total A players, a lot of that was luck, but I started to figure out how to find those types of folks, I had required reading around Gene Kim's Phoenix Project, to get in the head of buyers. My team came up with a good interview strategy to basically quiz someone on their technical acumen so we know that they could carry a conversation with a security engineer. So, I think that was at the beginning stages really crucial. You find a lot of people that are super eager, but the ones that really actually want to understand the product is really important early on. I think over time, I'm learning myself, I don't need to be as into the product as I am, but it is a passion of mine, I really like strong products. So I think that's another challenge. And I think the other thing is really defining, you face the challenge in identifying with the old way of doing things in your given market, and there can be really negative connotation. So, take an example at Signal Sciences, it took us a couple years to actually succumb to the fact that we were playing in the wharf market, we had just kind of identified ourself as like the anti- wharf, but solving a lot of the same challenges. At Cyral, it's challenging even more so because there isn't a comparison, it's not a DevOps wharf or something like that, we're combining IAM, identity and access management with data activity monitoring with data loss prevention and so you have to figure out which audience you're talking to and who needs to hear which words. And so starting to try it out, matrices of what messages to what people I think is really important, but also challenging. So, those are kind of the top three that come to mind.

Kaitlyn Henry: Definitely, I think that's one of the most exciting and perhaps the most challenging parts even from an investor standpoint about the larger security space. Like you said, precision in messaging and product is really everything and it's great to hear that that's something that you found true throughout different areas of your career as well.

Andrea Swaney: Mm- hmm(affirmative).

Kaitlyn Henry: So I know you were at Signal Sciences through a period of really intense growth period, a period that a lot of Build listeners might be going through right now. As a go- to- market leader, you've got to be getting pulled in a million different directions in these times of hypergrowth, I've got to believe. How do you hone in on what the most strategic things were for the company to focus on? And how did you decide what initiatives to leave behind?

Andrea Swaney: Yeah, that's a great question. It depends on the stage that you're at. I'm always thinking a few steps ahead, it's kind of a trait of an Enneagram three, which I don't know if listeners know that, but it's great, it's beyond Myers- Briggs, but it basically means I have to be cautious at solving problems that don't exist yet, right? I'm a problem solver at heart and so there's a lot of times where I have to pull back from," Well, what happens when we're at this scale and we need to do this, this and this?" And you have to collaborate with the team and realize what's the pressing problem versus what could be a problem later, and I think not over- engineer, overthink processes sometimes. I think in general, it's crucial to be customer- focused and understand as much as we can about the customers in every stage of growth, so we continue finding patterns, we want to make it as easy as possible to repeat the process. So at every stage, I think it's always important to be sales focused and unblock sales and that takes the form. In early days of, obviously, founders being on calls and later stages of having sales and customer success and product meetings to talk about sales blockers, and it's really taking a measurement based approach or metrics to make your decisions in terms of what we're working on in terms of product features and capabilities to unlock new sets of customers. I'm a big fan of putting a lot of things in Salesforce, just to be able to report on them later and starting that from the beginning so you can say," Yeah, these are all the platforms that we want to support in the future and now that we have the support, we can reach out to a hundred new customers because we've talked to them in the past," and so I think setting up basic processes like that is crucial. And I think hiring is always top of mind, I think at the early stages, it's really important to find the builders and the managers and it's a hard person to find, someone that can both get their hands in and build and manage and so it's worth the wait. I think trying to hire for folks that in critical roles to build out teams that haven't done it before, because they're eager, I think, can be challenging, ultimately you can hire and managers later as well, but that becomes challenging too. So, I think trying to get lock- in early folks that have done it before so that you can give away your Legos, so to speak, that article that came out, I don't know, six, eight years ago now, but in terms of management, I think it's really critical to make sure you're focusing on the key problems and others are focusing on things that you've solved.

Kaitlyn Henry: That last point is super interesting to me, around hiring someone who is able to both get their hands dirty and potentially be a leader. We see this with startups that we're investing in all the time, whether it's in sales, it might be in customer success, even finance, they're looking for someone who will be the first person on their team and therefore needs to be able to be both an individual contributor and a team builder at the same time. Any advice for someone making that key first hire in sales or other go- to- market functions who has to play both of those roles?

Andrea Swaney: How to find them, you mean? What's the tips on finding them or bringing them on?

Kaitlyn Henry: Yeah. Tips on finding them, and if there's any particular criteria that you've used to assess them or things you've learned along the way that are like," No, definitely don't go for someone with this experience, but go for someone with this experience."

Andrea Swaney: Yeah. It starts with making sure you understand what you want. I think, sometimes it's great we get referrals all day long of great people and then we talk to them and we are like," Oh yeah, I think you can fit into this and do this," but if you don't have an idea... actually, like I said, back to the earlier question, what are you focusing on right now? Not what are the problems down the line, but what do we use to solve immediately? And how would you solve this problem? But how have you solved this problem? Right? It's never asking hypothetical questions in interviews because everyone can paint a lovely picture, but it's more about, what have you done? How have you been in the situation and making sure they have that experience. And once you have an idea of the different components that you need to build, making sure that there's relevant experience across those, I think, is the best way I'd go about it. And then of course, network and referrals, it's always better to hire people they are like," Yeah, I know this person they've done it before," so, that's always, of course the first place to start.

Kaitlyn Henry: One thing that's always stood out to me as an expansion stage investor, is that there is absolutely no magic bullet when it comes to building a successible, repeatable, scalable, go- to- market strategy. Everyone seems to run into bumps in the road or has something that they read in a business book turn into a total disaster when they try to implement in their real life. What are some of the most interesting or unexpected or challenging lessons that you've learned as a go- to- market leader in your career this far?

Andrea Swaney: Great question, I think you're totally right. Books have great ideas and they're great places to start and failing fast is the way to treadmill. I think one of the things that was really interesting, I've seen a couple places now is you can actually have two business models in a way. So, a lot of companies start developer up and then others are totally top- down enterprise play and I think that's changing. What I've seen in a couple of companies now is that there's a repeatable forecastable, mid- market play and then the enterprise is lumpy for the first couple of years, right? And so actually being able to build out those two and not pick one or the other actually was a really good decision in a couple of my experiences. On the hiring front, I learned this the hard way by not doing it immediately, but hire two people like at one time, because then you have a really good baseline to... both just create a good rapport and a good team, but also compare. And so it seems like an investment, but it's a worthy one because otherwise you just have one variable, which is this person, so this person is at the market, I think, especially in terms of sales. I think hiring two people or two BDRs or SDRs is really crucial. And lastly, I would say, I think the challenging lessons, what I would put into that bucket is hire people that want to learn and be someone that always is learning yourself and challenge your own way of thinking. And I think it's a battle, a fight of" Hey, well, I have this experience now and I think though, every time I lay that down, I end up learning more and becoming a smarter team player that can continue to grow." So, those are probably the top of mind.

Kaitlyn Henry: Let's shift focus a little bit to Cyral, the company that you're at now. For listeners who don't yet know the company, can you tell us a little bit more about what Cyral does?

Andrea Swaney: Absolutely, yes. So, I've spent some time, first company, first startup in endpoint security, and then I went into AppSec, so it really only made sense to go up to data security, to jump up the ladder there. It was really crazy to learn that there aren't the same levels of monitoring or access control and security around the places where everyone's data is stored right in these like modern cloud databases, pipelines, warehouses like BigQuery and Mongo and Snowflake and Redshift and all these, and as companies have rapidly shifted to cloud... it's like CI/CD and the development innovations really created the need for application performance monitoring and other tools. We're pushing out code so fast, how do we know how it's doing and how do we fix it? In the same way, infrastructure as code has pushed out all these great cloud data services, but it's created this gaping hole of like," Who has access to my data? What are they doing with it? What microservice is connected to it? Is it pulling more data than it should?" And so really, Cyral has come in to solve that challenge in a couple of interesting ways. I think identity has never been a part of database access, turns out they don't support the same protocols that things like Okta and JSuite and Active Directory speak, so you can't have users authenticate, monitoring hasn't worked so you can't log a database without killing performance. And so without those, you have no access control where arguably you need it most because that's the end of the attack chain, is the database. So, Cyral really solved these by actually being an inline stateless proxy to basically see all traffic from users and applications and into any type of data endpoint and control, monitor, and protect the data that's stored there.

Kaitlyn Henry: I definitely resonate with a lot of that. I was speaking with a founder in the data quality space the other day, who I actually think painted the picture of this moment in time that you're describing quite well. He basically said everyone went straight from building data infrastructure to building ways to consume that data analytics, machine learning, et cetera, just right on top of it, without this ops layer in between to do things like monitoring, and security, and access all these things that today are just a no brainer part of the software infrastructure stack that hasn't quite translated over into the data world. I guess, from your vantage point, how have you been seeing the data infrastructure and data security landscape change in recent years? And why is something like Cyral more important now than ever?

Andrea Swaney: Yeah. Kaitlyn I think you just hit the nail on the head. To me, I remember it, data was the last thing to move to cloud. So I just remember it was some infrastructure to start, some non- critical, non- business critical or mission critical applications, and then data came along, right? And so I think that's why we hadn't seen this problem until the last five or six years. I remember walking in and seeing Snowflake on a conference floor and having no idea what they did. Right now they're how many billions of dollars in valuation? But I think because now every microservice can have a database attached to it... I was talking to a friend who works in analytics at a big financial services company, he's like," Yeah, every time we just spin up whatever database, we load some data into it and model out what we need to because the business is looking for us to provide analytics and IT and security have no idea." And as you said, I think it's just table stakes, it has to be table stakes because in terms of application and infrastructure, you exactly what's going on. And in data, one of our customers in the health care space, who's a VP of engineering, basically said any engineering team its master needs to know which apps and users are accessing data, it's just part of the whole picture. And we face this in the application security space, you talk to a customer sometimes and it's," Why lock down access to my applications?" I know exactly who's accessing my application, and when you realize it's a user interface, it's a website, you can't lock down access to that, it's being used, it's out there in the open. It's is the same for data, so sure you can lock down access, only these applications and only these users can access your database, but you still have no way of knowing if those are normal user or application or malicious one. So, without monitoring, you really just don't have the intent there. I've seen it change really where we've just gone from everything has a database and there's really no understanding of where it is and that's why I think there's a big push now to understand and put the monitoring in place there. And it's just been a challenging problem, like I said before, just logging database activity has always hampered performance, so you can't really use it, so you just get some basic error logs. And so that's why, thankfully there's a lot of smart people working on this problem to figure out ways to actually get the real time data.

Kaitlyn Henry: One thing that I seem to hear more and more often, as well as it relates to infrastructure and data infrastructure is folks talking about the relationship between developers and security teams. There seems to be this trope that developers don't care about security, which I don't find to be true at all. And particularly folks who are building data- driven apps, it seems that is even more top of mind for those people. Why historically, do you think it's been challenging to get security teams and developers to work together? And how is that dynamic changing?

Andrea Swaney: So, coming from Signal Sciences, I think this was Zane Lackey, he's beat the drum on this pretty hard like," As a security person, you have to be approachable, otherwise your company's going to lose out in the long run. You can't be the department of no anymore." And so, I think it used to be where you'd have security team, either work on a pen test or have some outsource pen test company and provide a 300 page report of all the bugs to fix and give them to the developers, that doesn't work anymore in terms of preventing applications from going out. So, I think it's changed from being able to honestly go back to data, right? So, self service data, can you give engineers... instead of just noisy... most engineers just didn't have access to security products before or the data from them, so they just had no idea. They were saying," Look, I don't have to worry about secure coding practices because we have a security team for that. They're bolting on all of these products to make sure that whatever we build can't be attacked." And I think now we know that's not true, right? You can't completely isolate, but actually having alerts, log details, SIM dashboards, things that are consumed by developers actually gets them way more interested, right? So, in the application security world, it's," Hey, show me my part of the app that I developed, how it's being attacked," and you could see that, everyone had a view only log in to see logs and data and things like that. And same thing with what we're doing at Cyral is providing full logs and details of," Hey, which service is causing this database slowdown?" And that was just never possible before. And so they get excited that... and also even just who is the user behind service account? All of these things that were hidden before, they're like," Oh, that makes my job easier. I can go and troubleshoot more quickly," it doesn't even have to be a security incident, it's just a performance issue that they want to address. So, I think it's all around self- service data.

Kaitlyn Henry: You guys are obviously on the forefront of data security at Cyral. If you were able to wave a magic wand and make every enterprise just have a best- in- class data security strategy, what would that look like? What does a best- in- class data security strategy look like in 2021?

Andrea Swaney: Yeah it's a great question. As privacy as well, dovetail into security too, which is," How do I go from policies that I need to be in compliance with to enforcing those in my technology, in my stack?" And that's really a huge disconnect and I think there's a lot of frameworks out there that talk about," Okay, start with classification and discovery," which is definitely important. I think what we would say at Cyral is actually monitoring is more important as a first step. The thing we saw all the time in the AppSec space was like," Oh, I bet the attackers are really after my payments application," so you deploy monitoring everywhere and you'd see actually they're not going after the payments app for some reason, they're going after this other corner of the app to try to make headway and break in, right? And I think that's the similar case with data which is just, there's so much out there, and there's not a clear view of what's going on. So, actually by getting coverage over every data request, you start to see patterns and you can actually then determine," We want to focus on this sensitive data here," I think monitoring is really the key to all of that and then you can kind of fit that in with classification and discovery tools and processes as well, but monitoring shows you just where you need to focus. As we think of all of the cloud native tools out there, you have to look at where the gaps are for your organization. I think what we see... What I got excited about in Cyral was that they're the biggest hole seem to be around, all of these cloud databases which are holding the business intelligence data, which are being accessed by all of the data scientists and data analysts across any company from a hundred people to 10,000. And so I think it's just got to be more about cross collaboration between departments in an organization of what is the most important in terms of what are the biggest gaps. So, sometimes it's just getting basic SIMS in place, basic identity and access management in place. And then understanding who has access to which servers and things like that, obviously that's table stakes, so when you've done that and you're looking at the data itself and who has access to data, that's where I think it all goes back to monitoring.

Kaitlyn Henry: Well, clearly the best is yet to come for you and for Cyral. If you and I were sitting down 10 years from now, what would make you look back and say," Wow, we, myself and the company, we really crushed it."

Andrea Swaney: It's a great opportunity to think about the future. I think, what I'm really excited about is that we've gotten out of the gates A free trial, just to really test out that bottoms- up and tops- down approach. We've seen a lot of companies go into the bottoms- up to start and work a lot on developing... Sneak has done this super well, right? Go from bottoms- up and then focus on how do we get the larger deals out of that, Datadog did that later on. I think it's interesting to see if we can actually crush both ends of that at the same time. And now, I think it's challenging to find a product that doesn't have to be customized so much for those two use cases, for the smaller... just a handful of developers versus the large enterprise. But I think this is another one that actually fits that and so being able to empower developers again, going back to data with real- time alerts and logs in terms of who's accessing data, and then obviously plug into the large zero trust for data or role- based access control, those larger strategic initiatives at the top and then drive that. So, I think we can do that, I think it really show that that's possible, yeah I think that would be a good indication.

Kaitlyn Henry: Yeah. Well, it's awesome to see folks like yourself, like Sneak leading the way in some of this product led growth who are security more broadly. I think it's an area that's traditionally found it pretty challenging to take the bottoms- up motion in the same way that perhaps infrastructure or developer tools have been able to, but it is really great to watch people like yourself, push the envelope just because, I think, especially as security individuals become increasingly strategic and important parts of an organization, building tools that really speak to the end user need is super important. And it's amazing that you guys are recognizing that. Andrea, thank you so much for sharing your time and your wisdom with us. I know I can certainly talk about this stuff all day and it's always great to connect with someone who feels the same. Before I let you go, we're wrapping up each episode this season with some fun, rapid, fire questions so that listeners can get to know our guests a little bit more. You ready to try them out?

Andrea Swaney: Let's do it.

Kaitlyn Henry: All right. Question one, what is the most important quality in a leader?

Andrea Swaney: Listening.

Kaitlyn Henry: Any advice for women beginning their careers?

Andrea Swaney: Ask a lot of questions and emulate the people who will answer them. And maybe I'll tack on a second, pick something you're passionate about that you can acquire specialized knowledge.

Kaitlyn Henry: What's your morning routine?

Andrea Swaney: I do pour over coffee from my friend, he ships me coffee from LA called Latigo every month. And then I walk the dog and try to throw in a 30 minute hit workout.

Kaitlyn Henry: Nice. What is one thing you can't live without?

Andrea Swaney: Wine.

Kaitlyn Henry: And favorite city?

Andrea Swaney: Paris.

Kaitlyn Henry: Oh, I've got to agree, Paris, absolutely, one of my favorite cities.

Andrea Swaney: Like everywhere.

Kaitlyn Henry: Amazing. Awesome, Andrea, thank you so much again for joining us at OV Build, it was awesome to have you on the podcast.

Andrea Swaney: Thanks so much, great to be here.

Kaitlyn Henry: Thanks for listening to this episode of OV Build Podcast, Building To Boss. We hope you learned as much as we did, we'd love to hear what you think about the show. Please leave us a review on Apple Podcasts and subscribe to stay up to date with all the new episodes. If you're looking for more OpenView content, feel free to follow me Kaitlyn Henry on LinkedIn. See you next time, here on OV Build.