Founders on Fire: Nathan Burke, CMO, Axonius Founders on Fire Podcasts Security Posted by Jon Howell | 24/04/2020 Today we have the chance to catch up with one of our runners-up in this year’s Security Trailblazers category. Nathan Burke, CMO at Axonius, talks to Chief Trailblazer Rose Ross about how awards, and the recognition they bring, can be vital for any startup that’s trying to stand out in the crowded security space. He also describes the honour (and pressure) of having to present at the RSA Innovation Sandbox contest at the last minute. Plus he introduces us to CybersecurityCares, a valuable resource for security professionals in these difficult times. Listen to the full podcast here: You can also listen to the podcast on YouTube and Anchor FM Interview transcript RR: Welcome everybody to the Founders on Fire podcast from the Tech Trailblazers. I’m Rose Ross, I’m the chief Trailblazer and founder of the Trailblazers, and I’m delighted to welcome yet again, Nathan Burke, the CMO of Axonius who were our runners-up in the Security Trailblazers this year. So, welcome Nathan! NB: Thank you for having me. RR: Again! NB: Again. RR: I think we will name this, ‘The New York so good they recorded it twice’ episode. NB: A very well-prepared episode. RR: Yes, well, a dress rehearsal and everything yesterday, so no excuses. NB: That’s right. RR: Well, welcome again. Obviously, there are a few things that I would like to run through with you, so if we can kick off with just a description about Axonius, what it’s all about, and where you fit in the cyber landscape. NB: Sure, happy to. We say that what we do is cybersecurity asset management, and I think we also qualify that by saying that asset management is the least sexy part of cybersecurity, and in fact we’ve called ourselves the Toyota Camry of cyber security. What we mean is there’s a lot of really cool, high tech sci-fi technologies out there in cyber security, and in fact when you think of the word ‘cybersecurity’ you’re probably thinking The Matrix and all those really cool technologies, and what we do is something very, very simple, and we’re trying to solve a problem that’s been around for 30 years, and that’s asset management. The idea is, even though it’s 2020 and we have these really cool tools, companies out there are still struggling with understanding what they have. So what kind of devices, what kind of cloud instances, and what users they have, much less how to secure that. So our whole idea is, you’ve already got all the information of all your devices, and your users, so why not just grab all that information from all the different sources, correlate it together to show you exactly what you have, so then you can tell whether or not everything is secure. So, we do something really, really simple, but it’s very foundational and I think it’s part of any security programme, if you’re going to secure something, you’d better know what you have. RR: Yes, absolutely. So, I think as you described it previously, the unsexy part of cybersecurity. NB: Yes. RR: Cool, so let’s look forward. Obviously, we know each other from your previous existences, and you had one of your previous companies Hexadite, which was acquired by Microsoft, that also found success with us. You’re a startup veteran, I think, now you were saying, your third cybersecurity startup now with Axonius. What would you say are key moments in your journey as a startup? And what have you found that’s particularly challenging, or that you’re particularly proud of? I’m sure actually you can answer both of those, which one has been challenging, and what you’re proud of. NB: Yeah sure. So, like you said, this is my third cybersecurity startup, and my fifth overall startup. So I’m a glutton for punishment I guess, and every time I do it again I start from scratch, and I’m saying, “Why did I do this?” But I love it and I think the easy one to say about what I’m particularly proud of, is winning the RSA Innovation Sandbox with Axonius last year, we’ve talked about this already. RR: Yes, behind coming second in the Tech Trailblazers, that kind of… NB: [Laughs] Right, right, yeah second place was good. So, I think the takeaway there is, and I think this is important, is that although it seems like it’s just a vanity thing, awards and recognition really, really matter. Just to go back to the Innovation Sandbox, I’ll tell a quick story of it. For those of you that don’t know, RSA Innovation Sandbox is the top award for startups in cybersecurity, they award the most innovative cybersecurity startup of the year. The RSA conference is like 40,000-50,000 people there, each year they pick 10 companies, those 10 companies have to go on stage and give their best three-minute pitch to a room full of a few thousand people, and a panel of experts as judges. So, you give a three-minute pitch, it can’t go over by a second. So 10 companies give their three-minute pitch, they pick two finalists, and then they pick a winner. So, to do this, as you can imagine there is a tremendous amount of preparation involved. Actually, I’m going to back-up, I tried to get into the Innovation Sandbox when I was at Hexadite, didn’t get in. I tried my first year at Axonius, didn’t get in. So, it took a few times to get in, and then in 2019 we’re named one of the 10 finalists. So, we go through all the preparation and building our best three-minute pitch, rehearsing it over and over and over again. I get to RSA a day early because I’ve got to set up the booth and make sure everything’s fine, then I get a call at midnight from our CEO who was the one that was supposed to give the pitch, saying, “We’ve just had a snowstorm in New York, and my flight’s cancelled. You’re going to have to do it”. RR: Oh oh, no pressure there for Nathan. NB: No pressure! No pressure. Luckily, I was the one that put the deck together and rehearsed the pitch for them, so I just had to change it a little bit to make it more my own. But then we gave the pitch, we were named the finalists, and it was between us and a company that does homomorphic encryption. So, think about that, the unsexy startup versus someone doing something that is right out of a sci-fi movie. They picked us as the winner, and man, you could see at that moment, you can watch my knees buckle when they named Axonius the winner. That really changed everything for us, because from that moment on we went from someone that no-one had ever heard of, to getting calls from Fortune 500 companies saying, “I need you to meet with us right now and give us a demo, drop everything”, and I in fact kicked out our advisory board from our meeting room, and said we’ve got to go meet with this customer. Then for the first time, and probably the only time in my career I had our sales leader say, “I can’t keep up with the volume of leads, you’ve got to stop this”, I actually marked that on my calendar. So, that was by far the moment I was most proud of, just watching that all come together, all the preparation, then seeing the customers coming to us. Overwhelming a sales team is the goal of any marketer right! RR: Because they never say there’s too many leads, they never say that. NB: They never ever say that. RR: Never say that, that is definitely a red letter day. So, I hope you phone them up a year later and go, “Remember this time last year?” NB: Yes, exactly, exactly. So, I think that’s a high point, and then the other side of that, the challenges, yeah there’s been a lot of them. I think one of the things that was a big challenge in my last two cybersecurity startups is that we were way ahead of the market. So, my first one was a company called CloudLock that Cisco bought, we were one of the first CASB solutions, before CASB was a category. I remember standing in a Gartner booth at the Security & Risk Symposium, explaining what we were doing, protecting data in the cloud. I very vividly remember people walking up and saying, “Wait a minute, put my data in the cloud, are you kidding me? I’ll never ever do that”. So, it was just way ahead and it felt like pushing a rock up hill. And then my last one, Hexadite, we were a source solution before that was a category, and only the more sophisticated companies out there want to automate their incident response and trying to get through alerts. So, that was the same thing, we were way ahead of it, so it was a lot of evangelising and a lot of really trying to get people to buy the fact that this was a problem that was worth solving. And so that one was hard, and this one’s very different. I think in every case there are big challenges. In this one right now at Axonius, it’s kind of nice because everyone identifies with the problem, the challenge here is letting them know and making them believe that there is a real solution, since they’ve been sold potential solutions for 20 years. So, in every one of those cases there are unique challenges, nothing is easy. RR: Well, it’s good to have a challenge I find. NB: Oh of course. RR: You just have rise to it. So, what words of encouragement would you give to a company weighing up whether to enter the Tech Trailblazers? NB: Again, I think awards and recognition is really important. The reason why, let’s just take it from the most basic level, there are thousands of companies out there… RR: Something like 15,000 cybersecurity, if you look at something like that. NB: Yes, let’s just take it from the cybersecurity perspective, forget about the broader audience. I did the maths one year, and I wish I had done it today, but I looked at it in a number of companies exhibiting at something like an RSA. It’s physically impossible for every person there to go visit each booth even for a minute, there’s just not enough time to do it. RR: But even in the startup zone there’s over 100, I think. NB: Yes, and that’s the idea is that all of these, there’s just so many of them, and if you just walk through the booths it’s all competing messages. Everyone says they prevent everything, then they detect everything, and they remediate everything, which by the way you can’t do all three things, they’re kind of at odds, right. But with a crowded market, with a lot of noise, just imagine being on the other end and being someone that’s looking for a solution, you just don’t know where to turn. You can’t figure out who to believe. So it’s also the fact that any marketer can say anything about what they do, without any proximity of the truth. One of the ways that you have some filter criteria as an end user looking for solutions, is that idea of social proof. It’s things like customer testimonials, someone that’s willing to put their name behind a product. Then there’s also things like industry awards, and I think it’s really, really important because everyone is just trying to filter out some number of solutions that they’re not going to look at. There’s just not enough time in the day to look at everything. So you look at things like all the awards and the recognition that a company has, it’s really important and especially when you’re just coming out of that – not even stealth mode, but just no-one knows about you yet. So, awards, recognition, customers, anyone that’s talking about you that isn’t you is incredibly important, and we’ve done a lot of awards and it’s been really valuable to us. RR: Do you think that is going to change? We feel that cybersecurity or otherwise are going to be facing a very difficult six months. Obviously some of those will fall by the wayside, but there is a natural fallout from that environment. But I would say that cybersecurity is going to be the healthier of the areas in enterprise technology. I think there are going to be some great winners in consumer tech, and a lot of losers in consumer tech from a startup perspective. Do you see your strategy changing around entering awards, or do you think this is the better time now where you’re facing even more challenges potentially? NB: I don’t see it changing, I think we’ll still do them. One thing I didn’t mention which I think I should is, even if you don’t win, I think it’s a great forcing function to sharpen your message, because a lot of these have requirements that are like you can only do a three-minute pitch, or you only have this many characters in your description. I think it’s a great exercise anyway because it’s really easy as a marketer to just throw the kitchen sink at anything, and say, “Here’s all of the things we do”, but it forces you to really figure out what’s important and what makes you different, and even if you’re never going to win anything, and you come away with a way of talking about yourself, the idea of the elevator pitch, or just something that’s really succinct, that’s valuable in itself, and I would say do it anyway. That’s the other thing, we are all so busy all the time anyway, you never get to that. You’ll never say stop everything on the lead generation front, and let’s revise our message and try to get it more succinct and concise. No-one is going to do that, but if you’re trying to submit for something, now you have a reason to do it, and that’s the trigger for spending the time and effort there. So, even if you never win anything it is absolutely valuable to go through that exercise. RR: Well certainly we’ve been looking at ways we can sharpen things and be more supportive, because we’ve always said it isn’t just about getting an accolade per se. It’s about getting your name in front of CSOs, CIOs, analysts, journalists, people who would not see you otherwise, who are influencers, so people like Stephen Foskett. We’ve got Carrie and Dave who are both CSOs here in Europe, Stephen O’Donnell who is also a CIO over here. So to have been shortlisted you have had to have captured their imagination, and impressed the people who are looking at your entry. Moving forward, also looking at how we can engage with the public more, as in the enterprise technology professionals outside of Axonius’s friendship circle, so that we can say, “Look, these are interesting companies, and we’d love you to have a closer look and vote, and hopefully then also engage with you if they think that what you’re doing is of interest and of value to them”, which hopefully it will be, right? So, are there any tips you would give? You’ve talked about looking at honing your message. What other tips would you give companies who are entering the Tech Trailblazers, or any other awards? NB: It’s a really good question, and I’ve thought a lot about this. I think one of the biggest hiccups, and the biggest things that we do as marketers, and I mentioned that a little bit before, is we’re living our product, we’re living this day-to-day. I feel like almost everyone thinks, “If I just had 10 minutes with everyone in the world, and told them everything this thing has, every feature, how awesome this is, then we’d have every customer in the world. Because of that we end up just blurting out every feature and function of our product, and we don’t think about the problem that it’s solving, we don’t think about how it’s different from anything out there. We don’t think about the people that are living the problem that we’re trying to solve and how they think about it. When you’re coming up with any award submissions, or really anything that’s aimed at someone that has never heard of you, and may not be thinking about it in your terms, I think it’s one of those things where you have to think about your audience. So, when you’re submitting for an award, you’ve got to think that the person who is reviewing that may not have any idea what incident response is, or what asset management really means, or any of these things. So, you really need to figure out how to say it in a way that makes it the trailer to the movie, and that’s the way I think about it, is you’re not going to convince someone, and you’re not going to educate them enough so that they can actually do a demo of your product in an award submission. So, what you want to do is just come up with something that tells the story about why there’s a problem, what is different about the way that you’re approaching it, and how it stands out from the thousands of other startups out there, or other companies out there that are saying the same thing. So, one of the things that we did, and I mentioned it earlier when we were doing the Innovation Sandbox, was talking about the least sexy problem in cybersecurity, the Toyota Camry of cybersecurity. These were conscious decisions not just to be cute, but you need to have something that sticks in someone’s mind. After we won the Innovation SandBox I had people walking by saying, “Oh yeah, you guys are the unsexy guys”. I was totally fine with that because other than that it would have meant no recognition whatsoever. So, I think having something that sticks out of your mind, making a claim that you can support, but at least being a little bit bold is really, really important. You have to do something that stands out, and I don’t mean do some kind of marketing gimmick, or something that is just out there for the sake of being out there. But I think it’s okay to make a bold claim if you can support it, and you have to have something that sticks in their mind, or else you’ll be forgotten just like everyone else. RR: Yes, stand out from the crowd, and it’s a pretty crowded place with 15,000 startups, aside from what the bigger vendors are doing. So yeah, good stuff. Now obviously we’re in a very, as the Chinese say, “interesting time” at the moment, perhaps more challenging than any of us have ever experienced in our work lives; what advice in general would you give to startups who are looking to not just survive but thrive, in this economic climate? NB: I’m going to give an answer, and then I’m going to give a reason why. I want to have a little caveat out there. So, my answer is, experiment; so what better time than right now to try new things? When I was thinking about it, every marketer out there, because there are no events right now, and because there are no face-to-face meetings, everyone is just saying double down on digital, do more ads, do more webinars, do more of those things. That’s fine, and you should, but that’s what everybody else is doing too, and if you look at your inbox you’ll get tons of invites to webinars, there’s more LinkedIn ads than ever before, so everyone’s doing the same thing, so how do you stand out and how are you different? I kind of reverse engineered something and had an idea that I wanted to try. My thought was everyone is doing all these campaigns that requires end users, or viewers, or whatever you want to call them, to sign up for something, to register, to give their information in exchange for viewing content. My thought was, what if we did exactly the opposite of that? So, just giving the example through Axonius, we have a lot of people that go to our webinar, sign up for our content, download stuff, but they’re not necessarily ready to say “I want a demo”. To me, “I want a demo” means, I’m willing to get on the call with the salesperson, get a ton of emails from people like me, and hounding me all day long. So, the bar is pretty high there, I had better be pretty ready to buy before I’m ready to do that. All of these other people have indicated some interest in Axonius, but they’re probably not ready yet, they haven’t seen the value enough to say, “Alright, get me on a call with a salesperson, I want to see the product”. So, I came up with this idea of, what if we did what I was calling an invisible webinar, and it’s important that I call it that, I’ll get back to it… RR: Unfortunately, I know the punchline here, so I’m laughing already. NB: You can probably see where this is going. So, the idea was instead of having anyone register, we just promoted this webinar that was going to be a live broadcast, just the same thing we would do on a sales demo except I’m just doing the full-on demo, anybody can see it without having to register. They just go to a page on our site, we embed the live webinar, anyone can see it, anyone can chat with us anonymously, we don’t know who is on the other end, and the call to action is if I’ve convinced you that there’s enough value here, sign up for a real demo. So, went through it, it’s a little bit complicated because you have to do a Zoom webinar, which then broadcasts to YouTube Live, and then YouTube Live is embedded on your site, so a little bit complicated. But we ran through it, practiced it, even recorded it, I swear I did this at least 15 times no joke, and I was prepared as I could possibly be. On the day of the webinar I signed in early, I do the same process I’ve done 15 times, and for whatever reason right then and there when we were about to go live, it just didn’t work. I got all these errors from YouTube, and these were errors that were like, “Your screen resolution is wrong”, and I’m arguing with YouTube saying, “No it’s not, there’s nothing different! It’s exactly the same”. But that argument didn’t really do anything because nothing worked. So, I had to scramble, I had 200, or something like that, people on the live thing just waiting for it to start, and then I started getting the emails saying, “Well I guess this webinar is extra invisible”. So, we scrambled and, since I had the recording, I dumped the recording on that page and sent an email to everyone saying, “Hey, I’m sorry it didn’t work out, here’s the recording. Serves me right for calling it the Invisible Webinar”. So that didn’t work out. Then I just shot a quick video on LinkedIn admitting my errors! But then the result of it was unbelievable, I started getting emails from people, from companies that would have never emailed me or wanted to talk, saying, “Hey I understand, this happens, it’s technology. I’ll checkout the recording”, or some people even saying, “I looked at the recording, I want a demo”. So, although it was a miserable failure operationally, it actually worked out, and in the end I think people empathised, everyone’s had technology problems. But it’s just an example of something where we want to be willing to try new things, and even if they don’t work out, I’d still do it again. Call me nuts, but I’m going to do it again. So, that’s a long way in giving an example of the idea of just try new things right now, because you’ll never be able to do this again. In an environment where all marketers are doing the same thing, the people that stand out are the ones that are going to get some kind of exponential returns. RR: So, this is a chance to do the survival of the fittest. NB: Yeah, and don’t be afraid of it. I think a lot of companies out there, or marketing departments say, “We embrace failure” or “We want to try new things”, but it’s one thing to say that, it’s another to do it. RR: Yes, those are brave words said by people who aren’t anticipating it’s going to happen. That’s cool. So, anyway, we chatted before recording the podcast about some stuff that we might… I wouldn’t say it’s collaboration, but shall we say we’re going to recycle something that you’ve been working on, and broaden out. So, could you tell everybody a little bit about Cybersecurity Cares, which has come up over the last couple of weeks, and was an initiative that you came up with, which was quite an interesting story in itself, where this eureka moment happened. NB: I think this is another example of experimenting on something, and just trying new things right. So, a few weeks ago when all of this stuff started, and I won’t name it by name… RR: It’s the Voldemort thing. NB: That’s right, exactly. I woke up really early, like 4am, on a Saturday and I just wrote a blog post. I think I called it, “Things are going to be weird in cybersecurity for a while” and all I did is I brought together a bunch of resources. I’m thinking now that everyone is working from home, why not grab a bunch of things, like charities worth donating to, free tools that again in my world of cybersecurity, that cybersecurity professionals can use to help secure their newly remote workforce, and finding free offers from vendors that have commercial products, but are offering it free during this time with certain limitations. Now that we have people that are at home with their kids at home, and we’re now all home school teachers, where can you find resources on how to teach your kids, and where to find resources, even webinars, and all of these things. So, I just grabbed these all together and put it in a blog post, and I didn’t really think much of it. I posted it on LinkedIn, and it just blew-up. There was I think over 10,000 views of it on a weekend! I couldn’t believe that. And then on that Monday during my team meeting, I said to my team, “What can we do to make this bigger and better, and not just about Axonius? I think having something that’s not just on the Axonius site is going to be an awful lot better”, and so we came up with this idea of cybersecuritycares.org. We built a site in about a week and a half that does just that; that grabs all of these resources that can help cybersecurity professionals that are now at home trying to secure their remote workforce, that are now ad hoc home school teachers, and people just looking to learn. So, we put all these resources together and once we launched it, we allowed anyone that shows up to the site to either submit things like news stories, any offers that their company has for people during this time, free tools, any online events, anything like that, and we’re just putting it together in a site. The idea is it’s just to be helpful and valuable, and nothing other than that. You have to hunt around to find any mention of Axonius whatsoever. And the idea is we just want to put together something that’s useful. We got some pretty good response out of it, and a lot of people are submitting resources there too, and so the idea is to try to bring that to a larger audience through what you’re doing as well. RR: Cool. Well, you’ve inspired us to kind of broaden that somewhat to the wider Tech Trailblazing community, and look at what your alumni are offering other startups, and also bigger players, because we don’t want to make them feel that they can’t play with the startups as well. The Tech Trailblazers resources will be hopefully going live very soon, if not, hopefully depending on when people are listening, it will already be live. So, yeah it’s a tough time, but I think we all need to be resourceful and think about the community element of it, which I’ve always felt cybersecurity has been a very open community in many ways, which I’ve always found very interesting to begin with, that all of these very high-profile cybersecurity individuals were on Twitter, chatting about all sorts of interesting stuff! You go, “Well, this is not what I would expect”. So, obviously we’ll be looping back round with that. Is there anything else that you’d like to share Nathan, because obviously we did do a kind of dress rehearsal yesterday of this, and I think we covered a lot of what you’ve shared today, but I’m just thinking is there anything else come to mind that I haven’t asked you about, but you’d like to share? NB: No, I think we’ve covered it all and I just want to end on what you said there about the cybersecurity community. It’s funny, because when you think about it you think of people in cyber security being kind of gruff and thorny, and instead they’re willing to share, because when you think about what cyber security actually is. It’s not something that’s done on an individual company basis, it’s people that are trying to protect the same kind of information, regardless of what company they’re at, or what organisation, or even what role, so collaboration is such a huge part of what they do. I think you have to be collaborative by nature. If you look at anything in cyber security, there’s a lot of value in understanding what’s worked for other people, and what doesn’t work, and so they’re an incredibly close community of people that share a lot of information. I just love being a part of it, and after three of these and talking to hundreds if not thousands of security practitioners, there’s nowhere I’d rather be, and I’m going to stay in this for the rest of my career, for sure. RR: Fantastic, it sounds great. Well thank you very much for joining us today Nathan, it’s been an absolute pleasure. Nathan has been here on the Founders on Fire podcast from the Tech Trailblazers, and yeah, we hopefully will be welcoming you back at some stage in the future, to talk about how things have progressed. Thank you very much, cheers.