A Unicorn Security Startup with Todd McKinnon, CEO, Okta

Security is one of the top priorities for every organization. On this episode, we speak with Todd McKinnon, the CEO and co-founder of Okta, an enterprise grade identity management service.

46:36

Sep 18, 2015

Okta's valuation just increased to $1.2 billion making this company the latest addition to the billion-dollar valuation club of unicorn startups. Our conversation explores security, cloud and mobile adoption trends, and technology startup valuations.

Transcript

Michael:

(00:04) Unicorns, startup, security. We hear about unicorns and of course security is always in the news. What happens when you cross a unicorn with a security, whatever that means? Well today on episode 133 of CXOTalk, I am speaking with Todd McKinnon, who is the CEO and cofounder of Okta, which is a unicorn startup and which is in the security business for the enterprise. Todd McKinnon, how are you?

Todd:

(00:42) Doing great. Thanks for having me Michael.

Michael:

(00:45) And a royal welcome to you Todd (Fanfare)

Todd:  

(00:49) Thank you very much, where’s my crown?

Michael:

(00:51) I think every CXOTalk guest deserves a royal welcome.

Todd:

(00:57) I appreciate it.

Michael:

(00:58) Okay, so Okta, tell us about Okta. Give us a sense of your professional career before you founded Okta. Give us context, give us background.

Todd:

(01:09) Yeah Okta is a foundation for secure connections between people and technology, and we do that by providing a service that connects companies, enterprises around the globe to their customers, their partners, and their employees letting those people use the best tools available to get their job done and we do that while making it very secure. So it’s not enough just to provide access, but you also have to make it very secure in these days with security being so important.

(01:39) We have about close to 25,000 customers globally and you know, with all the trends movement to cloud and all the innovation of cloud with mobile and then with security being in everyone’s mind it’s really powering a lot of our success.

Michael:

(01:54) So what does Okta actually do? What do you guys actually do?

Todd:

(02:01) The main thing we do is we really focus on making our customers successful adopting new technology. So if you’re a company and you want to roll out a new cloud application or you want to use mobile devices across your workforce more effectively, we make that really easy to do and really secure.

(02:20) And we do that by the category that we’re in it’s called Identity Management As a Service. So we really sit as a layer in the cloud that connects and integrates all of the directory services and all the security systems across all the phones and all the applications, and all the tablets and all the computers a company might have. So again ease of use and security are the benefits we bring as they roll out these new services.

Michael:

(02:41) Okay and tell us briefly about the history of Okta, how big you are. You just raised a lot of money and you now have a valuation of I think it’s $1.2 billion. So give us a sense of the company.

Todd:

(03:01) I started the company with my co-founder coming on seven years ago, so 2009, and before that my job was I ran engineering at salesforce.com and I had that job for about six years, and we can get into the history of Okta more and that’s an important point of the story. And then before that I was an engineer and later a development manager at a company called PeopleSoft. So this is my third job.

Michael:

(03:26) So you’re an enterprise guy and tell us about your target market? Who are you selling to?

Todd:

(03:34) It’s any company that any organization that is thinking about the best tools out there. So the best tools being cloud applications, smartphones, tablets, you know computers any company that wants to adopt technology can do it in a very easy and very secure way is a potential customer of Okta. So it’s really, I mean every organization in the world, every organization is trying to get more effective, trying to get more agile, really any industry trying to become a technology company themselves and we can help all of them.

(04:07) It even makes it challenging sometimes because you know, if you’re a company that’s going after one vertical, like you’re going after the Healthcare vertical or the financial services vertical it allows you to focus. But we have the blessing or the burden in some cases of really having to cover a very broad array of companies, but that’s the potential. That’s why it’s so exciting, that’s the massive potential we have.

Michael:

(04:27) So let’s talk about security…

Todd:

(04:33) …I didn’t answer your question about some of those basic stats about Okta. We have about 600 employees around the world, and you know, like I mentioned before over 2500 enterprise customers growing very quickly. We’re a private company so we don’t disclose revenue. But revenue is doubling year after year, you know last year, next year, and the next couple of years, so we’re growing very quickly and that’s because what we do we do very well and that’s make our customers very successful.

(05:08) Customers choose Okta and they get benefits. They get these applications rolled out. They get new services built quickly and they become more agile companies, you know they decrease costs and you know, it’s really resonating with them.

Michael:

(05:19) So you said your revenue is doubling year over year. How do you manage that, and you’re the CEO of the company, so how do you manage a company that is growing to that extent?

Todd:

(05:34) Yeah, so it’s interesting so I mentioned more than 600 people now, and the job I had before I started Okta, I worked at salesforce.com and I joined that company, it was a little smaller than Okta is now. It had about 300 people when I joined. But over the 6 years I was there, my team got up to about you know, several hundred people.

(05:57) So in some sense the company Okta is finally getting to the size where I’m comfortable and have experience in managing it. I feel like I’ve done it before. So I think that’s a key point which is you have to have people in the company that have seen this kind of growth before.

(06:15) So it doesn’t have to be every person, you know we have a lot of people that are early in their career or maybe their first job. We have a lot of people with varied backgrounds, but you have to have at least a mix of people that have seen this kind of growth before because you learn invaluable lessons when you go through it before.

(06:31) When I was at salesforce.com and we were doubling year over year for a number of years, there’s things that happen and you can see them coming and you can see you know, whether it’s technical infrastructure or whether it’s how you’re going to staff, you have recruiting team, or how you’re going to do budgeting, things that worked in the past or haven’t worked in the past.

(06:50) So the first thing I would say is make sure you mix in people that have done it before. The second thing is, which is kind of hard given the first thing I just said which is you also have to have an open mind to how it might be different this time. Because if you have too many people that have done it before and they are too set in their ways, they won’t recognize how the current growth and the current situation is different, because they are always different. You are never going to be the next salesforce.com, you’re never going to be the next you know, company that’s done xyz that’s done it before, your situation’s going to be different. Your market’s going to be different, the macroeconomic environment is going to be different, the technology stack is going to be different. So you have to mix between experiences of having done it before, but also have an open mind and think ahead of how it’s different this time.

(07:38) Then you know the last thing I’ll throw in there before I let you ask a follow up is just it’s hard work. It takes dedication. I mean people come to work at Okta all the time and they say you know, I knew this was going to be hard work, but this is hard work. And that’s the kind of people we want. We want people that want to build something and building something’s hard work and you’ve got to come to work every day ready to take that on and you know, put in a good long day of hard work and build something great.

Michael:

(08:08) So you have to be hiring people then who have a sense of mission about what you’re doing because otherwise you know you need that to sustain it right? So how do you formulate that sense of mission, then how do you share it and cultivate it among the people working at the company, especially given the fact that when you’re growing so rapidly you’re bringing new people all the time.

Todd:

(08:35) Yeah, it’s a really interesting question and it’s one of the things that as a CEO is very different than my previous jobs. My previous jobs I was an engineer and then I was an architect and I was an engineering manager and was a VP of engineering. And those are definitely leadership positions and you have to make sure that the vision is laid out and but it’s different. It’s not like being the CEO. When you’re the CEO, you’re the keeper and the communicator of the vision primarily and you have to focus on that.

(09:12) And first you have got to figure out a good vision that’s compelling for people and when you figure that out I think sometimes people tend to chase the current and maybe attractive thing in industry, whether it’s you know, maybe 10 years ago you were doing something and you started calling yourself social right because social was hot.

(09:38) Then it went onto local, so then people’s visions kind of more often was something about local, right, social local or maybe it was big data. And the one thing I tell people is you’ve got to be authentic. And when you have a vision you have to stick with it and you have to double down on it and be consistent on it.

(09:58) You know, if you go back to what salesforce.com was so amazing at doing, it was very early on, they were the first really big company that said no software and it’s going to be SaaS and cloud and no software. And they rode that vision and they imparted that vision incessantly for years and years and years to great effect.

(10:21) So pick a vision, stick with it and then like when you’re the CEO you have to really really repeat it a lot, even to the point where sometimes you’re sick of hearing it yourself right. But as you mentioned, new people are joining the company and they haven’t heard your vision and the new people you meet in the company are people you haven’t seen in a while they want to hear you talk about it.

(10:40) So I’ve had to learn how to do that continuously and you know, whether it’s when we have our weekly all hands meeting, or every time, everything on the agenda in those meetings, whether it’s an engineering demo or whether it’s like a big sales deal we won I always try to bring it back and preface the comments or frame it around the vision of the company, which is what I said earlier, our vision is to be the foundation that connects people to technology. It’s very broad, very expansive and just keep repeating that and iterating that, and making sure you know people are onboard with it.

Michael:

(11:13) Okay, so you said that as the CEO you have to keep and maintain and communicate that vision. Is that the primary goal of the CEO? What is your primary job as CEO? I know it’s very important maybe that’s the key thing.

Todd:

(11:35) Yeah, well I think the main thing is that you’re the keeper of the vision and the strategy. You don’t want to necessarily have to invent, you don’t have to make up the vision but you’re the keeper of it. Meaning you have to own it and you have to communicate it, reiterate it, and make sure it’s consistently communicated across the organization.

(12:02) So, that’s the first thing and then the second thing is it’s your responsibility as the CEO to make sure the strategy the company is employing is the right strategy. And that’s very important. You have to own that strategy.

(12:20) And then the last thing which is you know, equally important is, you have to be able to get the company to do what that strategy entails and executing on. So it’s not only having the vision and making sure the strategy’s right, but you have to be able to get the company to do the tactics and execute the tactics that will effectively implement that strategy.

(12:44) And that third thing is hard because that’s leadership right, and so you have these amazingly talented people at every company and you know if you’re running the company you have amazingly talented people and they have a lot of options to go to different places and they’re going to follow you, and why are they going to follow you. Well one of those things is get back to that vision right, and keep communicating it and have an interesting vision that they feel that they can really be a part of.

Michael:

(13:11) Okay so this is such an important topic. It’s so crucial both for a startup like yourself, equally as much for large organizations in terms of being able to get people on the same page, to believe that vision, to support that vision, to want to participate with that vision. And for any company it’s one of the most important and difficult challenges and you’re in the hot seat so to speak at Okta. How do you do it? How do you get people, how do you coalesce people so that they want to be part of that vision? How do you do it?

Todd:

(13:49) Part of it is – it’s interesting by the way you call us a startup. It kind of pains me to say this but I don’t really think of us as a startup anymore. I mean, 600 people, growing quickly, some of the biggest companies in the world are entrusting their infrastructure on us.

(14:07) I don’t know, sometimes I would love to be that startup, that five person people in a garage, scrappy, no brand. But you know, we’ve grown and we’re not a startup anymore. We’re on our way to being very important and independent long term technology player.

Michael:

(14:24) It’s a really good point and sometime in the conversation we should actually have a quick discussion of what a startup actually means. But anyway, but please tell us how you get people to coalesce and support that vision and dig in. How do you do that?

Todd:

(14:43) Yeah, well the first thing is it goes back to communicating it consistently but a little bit different importance in terms of when you hire new people, you’ve got to lay it out there early when you interview and when you talk to people so they can self-select, right. I mean if when we talk to people that we want to hire to join the company we try to lay it out there, like here’s what we’re trying to do. We’re trying to connect everyone with all of technology. We’re trying to be the foundation for that secure connection, and that’s very broad.

(15:20) And if you’re not excited about the future of technology, whether it’s mobile or cloud computing, and if you’re not excited about companies being more productive and more secure because of that new technology then you should go and work somewhere else.

(15:33) So lay it out there and tell them. It’s hard work. I mean building the future and implementing this service is not easy, and selling it is hard work, and you have to self-select in, and that builds like an esprit de corps. You know, like you know how and this is not the perfect analogy but to go through in the military you have to like go to boot camp right. And boot camp is they’re training people, but it’s also like a hurdle. If you pass that hurdle you’re aligned with the mission right and there’s a lesson to be learnt from that. Not that we have boot camps when you join Okta, but if you communicate the vision you have to make it really clear that when they join the company they’re going to be more aligned with that vision.

(16:20) And then now that once they have joined the company have a sense that they can affect your progress towards that vision. So in other words they have to feel that the vision is their own and feel that the company’s their own, and feel like that they’re a key part of it versus just joining something right.

(16:46) One thing I like to say, we’re not looking for people that want to get on a rocket and ride it. Like we want people that want to build a rocket, and there is a difference right. People that want to build a rocket, it’s more ownership and they feel it more deeply than people that are just maybe along for the ride. So again, it comes back to communicating the vision and helping people self-select into it and once they’re in giving them space to feel like what they can do really makes a difference.

Michael:

(17:16) So when you’re growing so rapidly, I totally get what you’re saying that you want people who are interested in building the rocket and not just riding the rocket. But when you’re growing so rapidly, how do you maintain consistency, how do you find all of these people who share this what is truly a unique attribute, this desire to build. How do you find these people, how do you ensure that you are getting the right people, it’s a really hard job.

Todd:

(17:50) Yeah, I mean there’s no magic. I mean we don’t always get it right, I mean not everyone we hire works out. You know, either they choose to leave or you know it doesn’t work out and we part ways. But you know just laying it out there and it’s the brand of the company. I mean just having this conversation with you and maybe people that watch this could be potential recruits for Okta, and they’re going to hear what I’m saying, and hear what we’re about and you know, that will help them opt in or opt out. And you know, people are smart and people are capable and people can do amazing things if you just lay out the high level parameters and let them flourish underneath that.

Michael:

(18:35) Okay, so we have a question picking up something that you said from Alan Bergson, who is from Freshdesk, and he’s a loyal listener of CXOTalk, and Alan we love you for that thank you.

Todd:

(18:48) Freshdesk, that’s awesome, an awesome company.

Michael:

(18:50) And so Alan asks, so when is a startup not a startup? When does a startup stop becoming a startup? Everybody talks of unicorn startups and all of this and the billion dollar valuations, and yet, you described yourself as an enterprise company with 600 people and a lot of customers. What makes a startup?

Todd:

(19:14) It’s interesting, it used to be when you went public. You were a startup then it went public and you were not a startup. But now you know, companies are waiting longer to go public, so you have companies that are – I mean companies that are big companies. I mean Facebook probably had 4000 people – well maybe not that big, but it’s probably like 2000 people before they went public, so that definition doesn’t really work anymore.

(19:39) I think there’s probably three stages. The first stage is you know, pre-product, pre-revenue. The second stage is you have a product but no revenue. And then the third stage is product and revenue, and I think once you get past product and revenue it’s different. It’s not really a startup. It’s more like growth and scale.

Michael:

(20:04) So once you get past product and revenue and yet the world still thinks of these companies. We hear about unicorn startups, we don’t hear about unicorn big companies.

Todd:

(20:15) Yeah, so the original TechCrunch article which kicked off the unicorn name it actually just didn’t distinguish between public and private. A lot of companies in that first article if you read it a few years ago was all about you know, it had to be founded in the last 10 years and had to have over a billion dollar valuation, and a bunch of companies on there that were public. And the whole concept of unicorn was that it’s very rare. You know, thousands and thousands of companies started every year and at the time only 30 or 25 companies had a billion dollars.

(20:52) So unicorns were actually nothing to do with being private or public it was just valuation. But I don’t think necessarily valuation is the right metric. I tend to look at those three things you know, do they have a product and revenue. If they don’t have product and revenue it’s really a startup, you don’t know what’s going to happen. If they have a product it’s less of a startup, but you know, once they get revenue and product then it’s probably called something else.

Michael:

(21:19) So Steve Blank I’m sure you know is a great entrepreneur and teaches at Stanford, and does a bunch of other things and he’s been a guest here on CXOTalk…

Todd:

(21:33) …Just ask you a question I was going to be flattered.

Michael:

(21:37) I wish. Steve if you’re out there we want to hear osmosis, hypnosis, however you do it, mental telepathy, we want questions from you.

Todd:

(21:45) My co-founder Freddie Kerrest and I started Okta, we read that book, The Four Steps to the Epiphany, it was kind of an inspiration to some of the early things we did.

Michael:

(21:54) Steve is amazing, he is truly amazing. So he makes the comment that he believes that a startup is a temporary organization in search of a business model, temporary meaning it’s changing, it’s evolving in search of a business model, and so can we add business model stability to that list of what actually defines a startup or not.

Todd:

(22:17) Yeah, you know it’s interesting and I think in my definition you notice I said product and then revenue right. I kind of glossed over the fact that there needs to be revenue and a sustainable business model and that shows maybe my perspective right, because in our business which is if you can get revenue from the largest companies in the world and you’ve built a cloud service that’s very scalable, you have a business model.

(22:43) So it’s almost like a client in my definition, but it is a good point, you know, you could have a product that is selling dollars for 85c and that’s not a business model. And there are some industries and companies that fall into that. That’s a more precise definition of what I said and I probably agree with Steven on that.

Michael:

(23:04) Okay, so we’re talking about these valuations and when you as the CEO and the co-founder of the company, decide to take that much money, that much invested money, there are implications. Please, share with us what those implications are and also your logic process. What are the pros and the cons that you weigh as you were thinking this through.

Todd:

(23:34) So it changes over the years and over the stage of the company and the realms of investment so it’s hard to answer in abstract because it kind of depends on the stage. But one thing I will say and we can maybe get a follow up question for more specifics if it will be helpful.

(23:53) One thing I will say though is when my co-founder and I started off, one of the things we did very very early was to have a talk about personally and professionally what are our objectives, what are we trying to do. And we were very clear from the beginning that our goal was to build an important independent technology company that would be around a long time.

(24:19) And in tech it usually means the companies are big right, because in technology the companies get big, so big and independent technology company, so along the way with that being our goal that makes the funding decisions much easier. So for example, if you’re not sure you want to be independent it really makes a different context for funding decisions, especially early on. You don’t want a certain high valuation early on if you think you might want to sell the company, because you’ll basically price out the time it acquires, right.

(24:56) So you see a lot of entrepreneurs struggle with that and it’s like, if we do this round and the valuation is going to go up and it takes a bunch of acquirers off the playing field and things like that. Also our early alignment on that also informs a lot of other decisions like for example, every time you raise a round of financing, you’re selling part of the company right. So the employees and the founders own less of the company, but they have more money. But if you’re thinking about, this might be an acquisition, or this might not be a big company someday, you’re hesitant to sell shares because you don’t want your percentage to go down.

(25:36) For Okta, since we had this vision of being an independent company long term, it was easier for us to say, hey we would rather make this pie much larger, we might own a smaller percentage of it but we’re aligned and we want to be a long term independent highly valuable company. We’re okay taking investment and maybe our own percentage goes down a little bit. And you see a lot of entrepreneurs get hung up on that. They don’t want to get to have dilution and they don’t want to own a small percentage so they get hung up on that.

(26:05) The last thing is you know, you look at the competitive market and environment and you say, how are we doing, how can we invest more to extend our lead, what are the competitors doing, what would our budget look like if we increase the budget with more money, and every time we’ve done that at Okta we’ve you know, it’s made a lot of sense that our rely on more money in the company has been very good, so that’s a short description of kind of how we got here.

Michael:

(26:32) So Alan asks a follow-up question and he says when you started Okta there were other players in this space, so how did you get traction initially. I think this is a key question that every entrepreneur wants to know, how do you get traction?

Todd:

(26:49) I was just talking about this to a friend of mine the other day. The first thing a lot of people have is they want to do something different. Their company or their idea, and what they want to do it’s got to be something that no one has ever done before and it’s totally different and you know, that will make them successful.

(27:08) And ironically I think that’s the wrong way to do it, because when you take that approach, you end up coming up with an idea that’s so narrow and such a niche that it’s not big. No one wants it. Or only a small group of people want it. So you can dominate like the people that want a video on demand for like cat videos right so very small.

(27:29) Ironically what you really want to do is you want to take the biggest most obvious market and that’s what you want to attack. And you get bonus points if it’s a big obvious market and it’s very hard to see that it’s a big obvious market. You know the great companies you know like Facebook. There were a lot of social networks around but they were able to see that they weren’t scared of doing that. They were able to do it in a better way and started with colleges and so forth.

(28:01) Like Google, there are a lot of search engines around but they did it better and you know, the huge mass of market that was everything went on the web and all needed search right.

(28:11) And so with Okta, was the first thing we did was web, single sign on for cloud applications, and there were a bunch of companies that were doing that. So the first thing for some people it’s like yeah, there’s a bunch of people doing that, it’s a commodity, it’s not that interesting. And our belief was always that web single sign on had a couple of very interesting elements of it.

(28:37) The first one’s that it’s yeah, there are a lot of solutions that did it but no one did it really well. And it was a problem that every company had or soon every company would have. And yeah, it might be theoretically easy to build or a commodity, but it was a commodity that everyone used, right. It’s like sugar. It’s good to be in the sugar business but it’s a commodity but it’s good to be in the sugar business.

(28:59) Also the other important thing about web single sign on is that if you build a platform that could do very easy web single sign on for web applications, what you would really be building on the back end was a universal directory service that could be the foundation for much more. Very strategic. It could be this foundation for securely connecting people with technology. So it had an entry point that was needed by everyone and relatively easy to adopt and then long term could be very fundamental platform for all these companies.

Michael:

(29:32) So we were just talking about getting traction in an environment where there are competitors. How about now, how much time and effort do you spend thinking about your competition, because I know sometimes some people obsess about their competitors, other people say no, we’re focused on our thing and let them do what they want. So where do you fit on that.

Todd:

(29:57) I just realized I didn’t answer Alan’s question or your question before. I got too excited about what I was saying. Alan hinted at and you asked the question about how do we get customers and how did we get started. And one thing I’ll say is that one thing we did very early at Okta was we were sales people very early. Even before we had a product, we were out there with a drawing of the product, with a mock-up of the product, you know, talking to customers, getting feedback, pouring that into the product design.

(30:34) And that really helped us get a couple of early wins and a couple of customers, that even though there were other choices out there, they knew us and they liked us. But more importantly it made that customer feedback loop strong in the company. And those kind of cultural things pile on and really become a key part of the culture as the company grows. Because everyone knows that we listen to customers. Everyone knows that the product strategy is formed by customers. We’re not in some lab dreaming up something that no one will want. We’re going to test the market and see what customers need. And that’s how we did it.

(31:06) It was like a lot of leg work and a lot of you know, on the road, on the ground talking to customers and building what they wanted.

(31:14) Now your question about competition, it’s super interesting. So in the early days of the company you are, you know, it’s a little bit daunting. You pick a space that you think is big so that there’s probably going to be some competitors, and there are a lot of competitors. And you kind of get worried about every release that they do and you know, you get a little bit lucky and you have some good execution and you get some key wins and you start pulling ahead of all these little competitors.

(31:39) And then at least in Okta’s case it was, oh this is interesting, but it’ll never be big enough. This is just single sign on for cloud applications, it’s not big enough. Aren’t there enough cloud applications, I’ve heard that. Do people really need this, you know, oh it’s a commodity; you know it’s not a big enough opportunity.

(31:36) And then you have a bunch of more success, a couple more years go by and you get thousands of customers, your revenue gets really material. And then, which is at the stage where we are now, now all of the biggest software companies in the world want to do what we’re doing.

(32:12) Microsoft wants to do what we’re doing, salesforce.com wants to do what we’re doing. You know and people always ask me like, oh you have all these big competitors, is it scary? And yes, it’s kind of scary whenever you have a competitor, but it wasn’t as scary as four years ago, five years ago when everyone told me like there’s no market for this. You don’t have a company here, it’s like, it’s not as scary as that. So it’s a different world, but it’s a much better world to be in.

Michael:

(32:38) So we have a follow-up question on this traction issue from Constance D Woodson, and Constance thank you for your question, who asks, is it safe to say traction is not something that no one else does, but do the obvious things better?

Todd:

(32:58) Yeah, I mean it has to be obvious in the sense that if you’re working at a company or a startup that you can’t explain to people in like a minute, you need to think about that, because you should be able to explain it in a minute.

(33:15) I mean think of all the great companies it was you know Microsoft, you know makes your PC work. Google, we search, Facebook, social media, Uber, car on demand. These companies are you know, you have to be able to simply explain what they do. For Okta it was like, cloud apps, web single sign on, one user ID one user password.

(33:38) And another thing about it is like, if it’s so obvious and there’s got to be a little bit of luck involved right. Like for Google, they were the best search engine and by the way everything in the world went online. Then all of a sudden you couldn’t have a directory like Yahoo had, you had to have a search engine.

(33:37) You know, for Facebook it was you know this massive thing that college students adopted and once they had, you know, tens of millions of college students it spread from there. So it has to be obvious and there has to be some luck and some fortunate timing. You know for us, it’s really kind of yeah, everyone wants web single sign on, but with this massive move to cloud and mobile having the infrastructure of what you had to build, if you have web single sign on is a very powerful platform to extend from.

(34:27) So it’s like it’s tricky right. It’s obvious, plus you have to have some luck or some advantage that it won’t be too crowded and big companies won’t just come, you know, eat your lunch too soon.

Michael:

(34:39) Okay, let’s take another question from Twitter. I love you guys asking questions on Twitter. This is all about connecting the audience to great thinkers and practitioners like Todd McKinnon, who is our guest who’s the CEO of Okta. So Arsalan Khan asks, do you think there will be one ID system for the internet like the social security numbers of the future?

Todd:

(35:12) I do not think there will be. I think it’s very hard. My view of the world is that it will get better at integrating the various systems out there. I think the grand unified theory of one ID for the whole internet is probably not practical. I mean the reason that – and this is me speculating, but I think the reason why that the people who built the internet and built the protocols didn’t build in a protocol for universal identity was because it would be too centralized and hard to manage. They did some, centralized things like the DNS services is centralized and logically centralized than physically distributed but everything else was very decentralized. You know, everything from how TCP/IP works to you know http and all these things were very decentralized.

(36:01) So I don’t think so. I do think that there will be much better tools to integrate and hand off the identities that we have. There have been some attempts at this like OpenID and other things and there’s been some collaboration, but I think we’ll get better at that. But I don’t think there will be a universal you know, Michael has his one internet ID and that’s used across everything.

Michael:

(36:23) Okay, so we have about 10 minutes left…

Todd:

(36:26) You can play that video back when I’m wrong in like 10 years and I’ll look like a fool.

Michael:

(36:29) Well we definitely plan to file that one away and check the prediction in 10 years and we’ll see.

Todd:

(36:34) I’ll link that video to Steve Bonner saying that the iPhone was an overpriced you know, crappy computer without a keyboard that didn’t work (drumroll)

Michael:

(36:45) So much for the iPhone on what did you just call it? Say that again.

Todd:

(36:49) There’s that video of I think Steve Bonner called it an overpriced computer without a keyboard that didn’t do email very well. (Wha-wha wha wha) Very nice.

Michael:

(37:01) Okay, so we have 10 minutes left and there’s actually a lot of topics we could talk about. I just have one last question on the unicorn and startup topic, it’s got to be fun having everyone saying, oh, Okta is the next, newest unicorn it has to be fun right, it has to be.

Todd:

(37:28) Define fun. So for me – listen, what’s exciting for me is that people are hearing our story, and people get excited about success and the press wants to write about success and talk about success. And we’ve had a little bit of success which is great, and if they want to give it a name and talk more about us, I’m all over that. Because I want people to understand about what we’re doing and I want them to understand that we can help make their companies more productive and more agile, and more secure. And we have a really really great product to help them do that. And if I have to get called an imaginary animal to get that word out, I’ll take it.

Michael:

(38:09) That is good, so if you have to be called an imaginary animal to help get the word out of what you do, then it works for you.

Todd:

(38:17) I’m all over that.

Michael:

(38:18) Alright, I love it. Okay, so before we go, I think we should spend a few minutes talking about security in the enterprise and maybe giving advice, so if you’re the CIO balancing with the needs of security on the one side versus giving open access and availability to resources and mobile devices and so forth to your employees and even your ecosystems in some cases. This is a very very hard job so,

Todd:

(38:54) Every company has a hard job.

Michael:

(38:55) Yeah, it’s really hard so what are your thoughts or advice that you can share to CIOs who are having to face this issue now on a daily basis.

Todd:

(39:05) Yeah, it is hard and I would not trivialize it by saying that any one or two pieces of advice could solve all the challenges they have. But I think the right place to start is, the CIOs that have been successful that I’ve talked to and I’ve met and I’ve learned from, they’ve been effective at dividing up the data and the assets they have and knowing which ones are very important and require a lot of security and which ones don’t. In other words you’re going to go wrong if you just look at everything you have in your portfolio, and all these portfolios of a company of any size are incredibly diverse and have a hybrid nature and they’re complex, and there’s different vendors, different data centers and different SaaS applications and cloud infrastructure. And you’re going to fail if you take a blanket look and say, we’re going to try and secure all of these at the same level. You’re going to lock it down too much. You’re not going to allow your users access and ease of use.

(40:12) But then you’re also going to fail if you go the other extreme and you’re totally open and say, hey we’re going to have low security posture on everything. So the ones that I’ve met that have been successful have had an effective way to classify different things, whether it’s this is a financial asset, this is R&D, this is properties we’re going to secure that differently.

(40:31) And then they’ve kind of built their framework around those different classification and they’ve done the right security policies based on those classifications. So if it’s stuff that’s very sensitive and they’re very open and allow all kinds of tools to collaborate on applications and data, if it’s the crown jewels it’s maybe not even on the internet right. The people I’ve seen have been effective to do that.

Michael:

(40:57) So basically you’re saying take a realistic and nuanced view of the acceptable level of risks associated with each type of data system department whatever it might be.

Todd:

(41:12) Yeah, you know and starting by classifying it which is the hard thing. Like come up with five classifications and say this is top secret, this is you know some risk and then work everything out of that, you know. I’ve seen some companies that if it’s the most sensitive kind of thing it’s not even on the network.

(41:34) If you look at some of the big high profile breaches it’s clear that they weren’t doing that because they had the same level of or lack of protection across everything, even though some of the things were incredibly sensitive that were revealed but some of them weren’t, so it’s that coarse grain approach doesn’t work.

Michael:

(41:58) And basically it’s impossible to eliminate every risk that’s out there. So therefore taking that nuanced view of classifying the risks will help you determine where to allocate your resources and your degree of stringency of your security policies.

Todd:

(42:16) Yeah it’s like life is risky right, it’s all about managing the risk. The other thing I’ll say is that a lot of it is the basics right. Sometimes people make security really esoteric and they get talking about sophisticated vulnerabilities and worms and cryptographic algorithms, but a lot of the issues are basic, like who is authorized to log into this system, is this basic port open to the internet, and it’s not getting caught up in all the complexity and the hype, but doing the basic things.

(42:58) And I think when you can do that, especially around the most sensitive things once you decide which ones are most sensitive. If you only know that some of your infrastructure is most sensitive, you’re much more likely to go around and make sure the basics are locked down, right. It’s the ports aren’t open to the internet and patches are applied to the machine and it has strong two factor authentication and the basics right. But it’s very daunting to go into this environment that is hybrid, complex, and expansive and say, I’ve got to make sure that all the ports are locked down, all the virus scanners are on and all the two factors across everything, all the patches are applied, that can be very daunting to do it for large scale infrastructure.

Michael:

(43:39) So we have just a couple of minutes left, so Todd before we go why don’t you give us the full on sales pitch of Okta.

Todd:

(43:53) I already did. It was so subtle you didn’t notice it! So Okta is, I said it upfront. If you’re any organization that needs to connect their people with their technology, in an easier and more secure way, that’s what we do and you should think about Okta. Whether it’s like I said, you know enabling employees, partners, or customers that use their own phone to access their mobile apps or whether it’s building a new web app to get better customer service. Or whether it’s just some simple thing like rolling out a new cloud application to all of your employees, we make that really easy to log into that, and to make it secure so you can do the right security policy across different types of environments and very easy. Really, it’s an unprecedented ease of use for an industry like identity management that kind of has some history of not being the most easiest and most productive of use.

Michael:

(44:48) So ease of use was a core design goal for you?

Todd:

(44:50) Yeah, we really started the whole thing when we started was we’re not going to build a toolkit, we’re going to build a solution. So it’s not going to be, here’s some protocols and here’s some codes bits that you could use to wire up. The single sign on it was, it’s going to be a pre-integrated directory server with direct implications, all the protocols hidden under the seat, packages. And even now, people look at Okta services and are blown away by how fast and easy it is. There have been people in data management industry forever and they are unfathomable in how fast and easy it is.

Michael:

(45:22) So today, when you’re designing the product I’m assuming that you’re always balancing functionality against ease of use.

Todd:

(45:31) Yeah, and you know we’ve a great design team that helps with that and the product team makes that tradeoff, but I would say, even beyond that, ease of use and functionality. I would say like what are customers going to use in these successful ways, getting back to that customer driven approach. You know, if there is something that is so hard to use, the customers are never going to be able to use it, then I don’t care if it checks some checkbox on some RFP, we’re not going to do it.

Michael:

(45:58) Make it easy for customers?

Todd:

(46:00) Yeah, sounds basic.

Michael:

(46:02) That’s a pretty good place to end. That’s a great message. So we have been talking to Todd McKinnon who is the CEO of Okta. Todd thank you so much for taking the time.

Todd:

(46:22) I really appreciated it, thank you Michael.

Michael:

(46:24) And I hope you’ll come back and do this again another time.

Todd:

(46:26) I will.

Michael:

(46:27) Alright everybody, thank you for watching and we will see you again very soon. Bye bye.

 

Companies mentioned in today’s show:

Facebook: www.facebook.com

Freshdesk: www.freshdesk.com

Google: www.google.com

Microsoft: www.microsoft.com

Okta: www.okta.com

PeopleSoft: www.oracle.com/us/products/applications/peoplesoft-enterprise/overview/index.html

Salesforce: www.salesforce.com

TechCrunch: www.techcrunch.com

Uber: www.uber.com

 

Book:

Steve Blank, The Four Steps to the Epiphany:

http://web.stanford.edu/group/e145/cgi-bin/winter/drupal/upload/handouts/Four_Steps.pdf

Published Date: Sep 18, 2015

Author: Michael Krigsman

Episode ID: 291