Ashish Rajan does SO many things. He is the producer and host of Cloud Security Podcast, the Head of Security & Compliance at PageUp, a Course Instructor at SANS Institute, a Faculty at IANS, a trainer, an AWS builder, and the founder of the DevSECOps Melbourne meetup and Cybersecurity for Startups— and he even has time to have beef with Ryan Reynolds. We asked Ashish on the podcast to find out how he does it all in cybersecurity, as well as his thoughts on cyber marketing and the latest focus on PLG.
[00:00] Introducing the many roles of Ashish, including his meetups with Cloud Security and DevSecOps in London
[05:21] Missed cyber education opportunities with Ryan Reynolds’ 1Password commercial
[15:02] Vendor process for product purchasing, right from the mouth of a CISO
[25:07] Product lead growth (PLG) and how security product become eligible for PLG
[34:44] Ashish’s strategy for consistent multi platform social media marketing
Recently, you were in London for an event. Can you tell us a little bit about that?
Ashish takes his many roles in cyber and tech super seriously, managing to schedule a variety of professional meetups and live streams on his trip to London. Originally planning to travel for personal reasons, Ashish found himself working with DevSecOps, planning a meetup for Cloud Security, and working through a very different, yet very tech savvy live stream setup. Consistency is key from Ashish’s perspective— rain or shine, he’s been running this live stream for three years, which is a huge commitment but a worthwhile investment in his audience.
“The whole thing took exactly a week to plan, and I think it was really fascinating that we just announced a meetup with the DevSecOps London group over there. We had about 120 people turn up for that event. That was great.”
What was your opinion on Ryan Reynolds’ ad for 1Password?
Ashish had some choice words on a recent Ryan Reynolds’ commercial online, but we wanted to pick his brain even further. Does Ashish have beef with Ryan? It turns out, not really (although he is definitely open to working with him), but he does think Ryan and 1Password missed an opportunity to further cyber education. With that wide of a platform and that prominent of a figure, Ashish would have liked to see Ryan and his team break down the necessity of strong, secure passwords, as well as advocate for everyday people to consider the security threats they might encounter.
“I thought: Why not use that video as a way to educate and piggyback on the thing that Ryan Reynolds was trying to talk about? But give it a more cybersecurity value spin. So, the video that I made was more around what he was really trying to talk about.”
What are your opinions about marketing in the cyber vendor space?
As a CISO friend of the Cybersecurity Marketing Society, we know we can count on Ashish to notice and pay attention to solid marketing strategy in the cyber industry. A major pain point, not only for us, but for Ashish, has been a lack of creative freedom amongst marketing teams in the industry. Ashish has felt honestly disappointed by the tough constraints that certain cyber companies have placed on their marketing departments, including forcing them to color inside the lines of board and investor opinions on marketing strategies.
“I feel the true marketing is where you're just giving value. Someone buying the product is literally just a byproduct of this. You've given so much value, it doesn't make sense to the person to not buy the product.”
Can you expand on your thoughts around PLG?
PLG, or Product Lead Growth, just might be the future for developers in the cyber community. Developers have a voice, and Ashish has encountered a few companies ready to listen to those voices— even though their competitors still might not be. Using ease of adoption, or how fast someone can get used to your product, and time of value, or how fast a developer can see the results of your product, PLG is not only achievable, but profitable. PLG is already happening, according to Ashish, and it's only a matter of time before companies will have to start asking themselves: How do we convince the developers?
“Once you've got there, is it going to take 1 week for them to get the result? Or, is it going to be a few seconds? No developer is going to spend more than an hour waiting for this result.”
Follow Gianna on LinkedIn.
Catch up with Maria on LinkedIn.
The Candy Industry website has a candy-related podcast.
Welcome to the Breaking Through in Cybersecurity Marketing podcast.
Where we explore the hottest topics in cyber marketing.
And help you become a better cybersecurity marketer
Hello everyone, and welcome to another episode of Breaking Through in Cybersecurity Marketing. I'm one of your hosts, Maria, and with me today, my trusty co-host, Gianna Whitver. Today, we are so excited to be joined by Ashish Rajan, one of the original CISO friends of the Society. I think, probably one of our first 10 or so supporters, and we are so excited to have you. Thank you so much for joining us today.
Thank you for having me. I'm looking forward to the conversation.
I have no idea how to start introducing you because you do a shit ton of stuff, Ashish. How do you find time to do all of these things? You are producer and host of Cloud Security Podcast, you are Head of Security and Compliance at PageUp. You are Cloud Security Management Course Instructor at SANS Institute. You freelance at IANS as a Faculty, you are a trainer, you are part of the AWS community, you're one of the builders. You founded DevSECOps Melbourne meetup, and you are the founder at Cybersecurity for Startups. This is insane. Tell us why and how this all started.
Sure. I think, maybe the best way to start this is going all the way back. So, someone helped meget into cybersecurity once, and that was the power of the community for me. I've always been a huge believer of cybersecurity community to help others find the same kind of experience that I had. I think this is my way of repeating that for probably a future younger Ashish somewhere, male, female, doesn't really matter. But I think it's just helping the next generation come up. I think a lot of people say this. One of the ways that I found to do this was using community, having meetups, having these podcasts and conversation with people like yourself, Gianna and Maria. I think it's definitely one way. It's funny, I was reading a book called Sapiens, if anyone has heard of that book. They know about why we as homo sapiens survive, which is just because we could communicate. We could just flourish as a society by
building communities. So, that's at the core of what we are as humans, and I'm just trying to build that core for the cybersecurity community.
That's amazing, and that's super noble. I know that you do a great deal out there for advocating for more women in the space, and that's just so admirable. I love that. So, let's get into it. Let's dive right in. Recently, you were in London for an event. Tell us a little bit that. Mostly I want you to tell us about that setup that you had at that hotel, which was pretty kick ass.
Oh, awesome. Thank you. So, the London gig was basically— There were two things that were going on. The conversation started with, "We should surprise my parents on their 40th wedding anniversary." That was the original intent. And then, my co-producer said, "Actually, you should really take the podcast on the road while we're there anyways, considering we actually have a massive audience in London." The whole thing took exactly a week to plan, and I think it was really fascinating that we just announced a meetup with the DevSecOps London group over there. Yeah, we had about 120 people turn up for that event. That was great. So, I still had to do my live stream, considering I've committed myself for three years for doing a livestream around a certain time, I guess, for the audience that I have helped out all these years and the community that I'm helping out. So, yeah, that was kind of like, my hack way. Funny enough, that is not the whole setup. I had the whole lights and everything as well in the bag. And I'm like, "This is gonna be really intense. I don't know. How am I going to play in so many plugs to put all of those in?" It's very different when you have your home setup, and you have everything kind of done right. So, someone had told me once the best light is a window light. So, I found a window, got a good camera, got a mic, and seemed to work. I think I went back and looked at the recording as well. It seemed like, I mean, I think a lot of people felt that was from a minimal setup perspective, that was pretty good. As long as it's daytime and you have a window in front of you, I think you can do a really great setup. So, yes, the initial intent was to kind of surprise my parents for their 40th anniversary. 40th wedding anniversary, which I did. They were really happy with it. And then, I did the Cloud Security meetup as well as I guess taking podcast on the road. So, that was a live stream from London edition. That's what the virtual setup was for.
That's amazing. Happy anniversary, Mr. And Mrs. Rajan. I hope they're listening.
I'm sure they'll hear it. Now they finally understand what I do, I'm not IT anymore. They understand I do cybersecurity. So, I'm pretty sure they get this now, so love you, mom and dad.
My mom listens to our podcast. She listens to every episode and she sends her critics to me.
Oh, hello, Gianna's mom.
They're really good critiques, too. She's like, spot on. We're like, "Yeah, okay, got it, we're gonna definitely do that."
That is definitely the best kind of critique, because we are all looking for improving. What's our next step? I think from that perspective, it's like, "Thank you, mommy."
Alright, so, let's get into something that happened pretty recently, which was this interesting commercial with Ryan Reynolds in it for One Password. We know that you had an opinion on this, can you talk us through? And we'll of course link to this commercial in the show notes, everybody, so that you guys can watch it, too, but talk us through your opinion and the theory you had around this.
Sure. First of all, I think it was a good ad for Ryan Reynolds. Probably, I don't think people thought what he was trying to say apart from nighttime moisturizer, as well as him being involved with a company in cybersecurity. I think that was the two kind of big takeaways. When I watched that ad, I was like, "Oh, my God, Ryan Reynolds is involved in cybersecurity. So cool." And I was kind of expecting him to talk more about, I guess, when you're trying to educate at such a massive level, you would think he would give some more value instead of just making it very high touch from a cybersecurity perspective. I mean, the whole video is titled cybersecurity, but the only thing cybersecurity was him asking questions around, "Have you used one password? If you haven't, aw, that sucks." If I didn't use it either, I guess that would be good enough. So, I thought, at least for everyone else who, kind of like me, has been
trying to convince their parents to use better passwords. It is really hard to convince parents to use, I guess, a strong password, and it's funny how openly they call out the password as well. I think I remember I was in a bank somewhere with my dad, and he was just like, "Yeah, my password is blah," and kind of like me, he has loud voice. So, I'm like, "Oh, my God, now we're gonna change it." 'Why do we need to change it? It is such a great password." Like, "But you do realize you're talking in a bank, and I don't know how many people listening to this." "But no one's listening to us. No one cares." Like, no, no, you just don't know people who care, but anyway, it was a whole thing. So, I thought why not use that video as a way to educate, maybe piggyback on the thing that Ryan Reynolds was trying to talk about, but give it a more cybersecurity value spin. So, the video that I made was more around what he was really trying to talk about, in terms of why should people care about username and password, especially people who are in, I guess, the social media world and use that for making money. Most of us use social media to connect with family, but the funniest thing is when you're on a highway
somewhere on the road, there are speed limits. They're like, "Oh, Sharpton approaching, do this, do that." There's a lot of warning signs that you see on the road, but there are no warning signs on the internet. Like, we have my nieces, nephews, my parents, people just go online, and they can literally do anything that they want, irrespective of what kind of material it is, there is no saying, "Hey, this is probably malicious." Some browsers are starting to do this, but there is no general information for, "You should be careful about these." So, this is my attempt at potentially informing people for why it's important to have the right kind of username, password, maybe different ones, if possible. That's where having a password manager maybe helps make sense. So, hopefully, the message came across. At least the messages from the community that I got, everyone seemed to think that this was definitely more valuable than the Ryan Reynolds ad. I've been trying to get in touch with the Ryan Reynolds media team. If they actually will hear this and they want to work with me, I will be more than happy to work with them.
We'll definitely tag him on LinkedIn when we tease the episode.
I'm sure he'll be delighted to hear that you think that his commercial could be improved.
I think it'd be fine because the funny thing is, because he hates— Well, I don't think he hates Hugh Jackman, but the only other Aussie he knows is Hugh Jackman and I kind of had this bit in the end where I hope he doesn't start hating me after this, like the other Aussies that I know. So, it'd be really fun if he started hating me because of this and I get banned from social media.
We'll definitely link to your video as well. It was a reply video, we'll link it in the podcast notes here. Before we move on to what your actual job is, which is being the Head of Security at PageUp, I guess what was so interesting about that commercial and how you're explaining it, Ashish, too, it's like, for us that are in the field or adjacent to the field as marketers slash in the field as marketers, it's like, "Where was all the details?" Right? This was so high level.
For him to market the fact that he's an investor in One Password and the SOC company, all of his friends. Apparently turns out the whole Avengers team from Marvel, they're all investors in One Password.
Oh, wow. Man, we missed that call.
Why didn't I know that? One Password, huh.
Including Pharrell Williams, as well, is an investor.
Oh, I bet he's happy.
Yeah, I bet he is very happy he's got a password manager.
Maria, we can't do that, we're gonna get a takedown request on our podcast for copyright infringement.
What are you talking about? Our listeners love my mom jokes.
Okay, Ashish. So, let's switch gears fully to your CISO, Head of Security role. One thing that us
marketers always want to know about is the buying process at firms at different sizes and different industries and different teams and different accounts. They all have different processes, and it's all different. And depending on who you talk to, it was different for someone who's buying from an IT perspective versus a compliance perspective. Can you talk us through how you usually vet vendors and how the process is for you, as someone who buys cybersecurity products?
It all starts with a problem. I can tell you this right now, every CISO does deal with most of the problems that people talk about in the industry. And even though we have 25 plus problems to deal with on a given day to day basis, we only get budget for one or two a day in reality. So, we would love to do a lot of things. So, a lot of the conversations in terms of thought process that we go through in our mind, with the team that we work with, is more around, "Okay, what is the priority for this particular year?"
I think any salespeople listening to this will totally understand because this is technically part of the script as well. What's the priority for you folks? What are you working towards this year? Because they all know this, they'll know that, "Yes, I would like to buy the latest cloud tool, I would like to buy the latest possible tool for anything else." I would definitely love to do it, but there's only so much budget and so much problems one team can deal with in a given day, or even a given financial year. So, the first thing that we normally come around is I guess, one, is the problem that we're going to solve this year. The second one being: When are we going to get the budget approval for it? Am I in the middle of my cycle, when I realized what the problem is? End of the financial year is usually a great time to kind of start planning for, "What do I need?" which is great, but I'm one of those people who kind of try and identify problems and make a note of it.
I think it sounds like I'm a very planned person, but I think I normally am the person who towards the end of the finish line, I'm like, "Oh my god, I had to do this." I've got this list, but I'll still go, "Which one was important again?" So, it's great to build that list, but towards the end of the financial year, when you get there, you're like, "Oh my god, I should have just started this conversation back then." And then, I'm left in this frenzy of reaching out to people and saying, "Hey, how much would you quote me for this? How would you quote me for that?" But I guess the experience is very similar for a lot of other CISOs as well, because in the day to day, you're fighting so many fires, you're trying to understand it all. I wish buying products were the only thing that we were doing, then it would be so much more easier, but as you kind of go through the journey— So, you've identified the problem, which one do you want to solve? Now you've potentially have a quote as well. And then, you kind of go through this battle with either the board or your CTO, CIO, for how much something is worth spending for the company as well. The easier part is when they say, "Yes, this makes total sense," but I have to convince a CTO, and then once you've done that, then you're convincing the board potentially for spending money on this as well.
It's almost like, a two-month process, even after you know what you want. Two, three months process, depending on the organization. Some organizations, I've seen, one organization before, it used to take a lot longer, because they would only have a board meeting once a quarter, and if you don't get the slot, because I don't know, the person before you went longer, then you didn't get the slot. Now, you just have to wait for the next quarter. So, they did that with everything as well. It almost sounds like, from the outside that, "Oh, this person is taking way too long," but the reality of it is that you can't get in front of the person who can give you the money, or even get an audience with the people who you need to convince to give the money for it as well. And in the past, that has been one of the reasons why I've always gone and I've told people like, "Hey, man, I'm really interested, I would love to do this, but you just need to hold on with me." And no matter how much I tell them, when it comes to end of
financial year, every salesperson is also on the end at their end as well. They're like, "Oh, I want to close this financial year." I'm like, "I would love to. I would love to, but this is my dilemma at my end. I haven't been able to talk to the board to get the money for this."
Anyway, this is kind of like the rough process. Once you get the board approval, it's often smooth sailing after that. Hopefully, you don't have to do some kind of procurement process, which has its own thing, depending on the kind of product you're going for. It's funny, I used to think when I was a graduate just coming out of university or college, that people would just buy cybersecurity products and they'd just have it tomorrow. It doesn't happen. It's like, almost an eight or nine month process. And no matter how many times you've watched a YouTube video on how suddenly all your problems are solved because you use the tool, the reality is, it's an eight nine-month process to get to that point. So, that's kind of what my experience has been in the past, I don't know, 15 years of just doing this, but yeah, hopefully that helps someone else as well.
Definitely, I mean, me and Maria buy products, too. Not cybersecurity products, but we buy stuff too, and it's always a slog and a process, once it's over a certain amount then you have to make a case, and you have to have the vendor help you make the case. What can vendors do, Ashish, when they're helping you create a business case? Do you ask for things like that, from vendors that you're trying to get in front of your CTO or the board in order to convince them to let you buy this product?
Yeah, I definitely feel it's a good collaborative effort, especially if I've landed on a product that I think would really be valuable for the organization. I think a few things that normally helps is if it's a new organization, if they have any references for people that they've gone for. And depending on the kind of data that's being ingested by the company, having some kind of security certification definitely helps. I mean, I'm convinced with the idea, but after being Head of Security or CISO, you kind of realize that, "Oh, it's not just about me," because the processes that I started for everyone else to vet their vendors with, I have to go through that same process as well. Then, I have to go through the process of security review, depending on the kind of data they're sucking in, say, if they are taking sensitive information, like first name, last name, email address, maybe even home address, and you're like, "Okay, this is gonna go through a lot more scrutiny than something which was just using a password, and doesn't use
anything else." It's just me getting some analytics. And that definitely is something that I've worked with vendors on, where they have been kind enough to show references.
Some of the specific use cases we talked about, I think that's been really helpful. Some of the vendors that I've worked with, they had worked with me on building up three to four use cases that explain exactly the problem that I'm trying to solve, and whether they can solve it. This does two things, at least for me personally, it validates that the product can work, and also validates that I can show it to someone else and say, "Hey, this is how we can use this and this is how we can solve the problem." And there is a whole conversation around how quickly we can do this as well, which is usually quite helpful in terms of, most conversations that I have these days, nd I'm really happy with this as well, where the demo does not take more than a couple of hours, or an hour to set up. Within an hour, you have things synced up and you're like, "Wow." Compared to where it used to be earlier where I had to assign a person, someone is basically working on this for, I don't know, weeks before a proof of concept can be done. From that perspective, I feel definitely working with a vendor definitely helps for building a use case, which you cannot just present to your team, but also to the CIO, the board, in case they ever want detail on the board. But the second one being the time to value. That is definitely a great thing that I've seen recently. Most of the vendors that I've worked with have been really effective in that space. So, I just love the fact that people are able to do this is these days.
When you look at these vendors, are you looking at a lot of SAAS vendors?
Yeah, I think we definitely are because we are primarily building cloud. I'd imagine most companies that I would work in the future also would be cloud vendors, considering I run the Cloud Security podcasts, and that's my expertise. I definitely feel most of my future companies would still be hosted in cloud. So, SAAS model would definitely make sense. However, what I would call out is if I were to go to a product company, which is a, I don't know, some kind of a bank, or FinTech, or one of those ones, then I think my stance might change because over there, you probably want something which is very much in your domain, hosted by you. So, outside of that, there's a lot more people open to the idea of using a SAAS as an offering because the time to value is really quick. From an implementation perspective, it doesn't really take a long time for you to show value.
Awesome. Yeah, it'd be a bummer if you moved somewhere and then you had to change your podcast name to like, the On-Prem Security Podcast.
Oh, yeah, honestly, or the FinTech podcast. Or, maybe if they give me a lot of money, maybe I'll go change it.
The private cloud podcast, okay.
What do you want to call me? Email me the details and make the payment and I'll change the podcast name tomorrow.
Yeah, everyone has their price.
Actually, it was funny, even though I joke about this, but everyone thought that Twitter doesn't have a price as well. Twitter holds values above everything else. Did you say 6.3 billion? Oh, okay. Like, you know, I didn't have my checkbook ready, I don't even know why we're discussing this. We should just sign it and we'll walk away from this. You know, I haven't reached my number yet, but it'd be really interesting to see what the number for that for my podcast. I technically called my little baby, so it would be really interesting if I have a number for my baby.
Well, you could have a second baby, too. Oh, you could always have another podcast, right?
What are you thinking? Is that an offer coming in? Because that was what it sounded like.
We're thinking of acquiring you.
I'll actually just make all my podcasts with Gianna and Maria. It's gonna be really interesting and it will be all fun.
We'll just talk about Ryan Reynolds.
We'll talk about Ryan Reynolds and his nighttime moisturizer routine.
Doesn't he also have an alcohol company?
Yeah, actually he sold it for like, a bazillion dollars or something. He's smart. I think he's definitely a great marketing person. I did not know this, but when I was researching for that video, in terms of where else he's invested, I found that he's sold his alcohol company and the marketing company, or the media and creative agency that he runs is a branch that was taken out of his production company, which he was using for that tool, whatever. So, he basically took it out, sold it, and became an active member in it. So, he's the creative head for it, but he's also the owner for it. He still made money by selling it, he's an employee. If you go to the LinkedIn page of the company, it just basically says that this is where Ryan Reynolds makes things for fun. I mean, at this point, he doesn't really care, he's just making stuff that he likes. That's why he gives it his face, and he said, "Oh, people are gonna connect to it," and people do connect to it. A lot of people do love it. I mean, if you look at the number of views on that thing, it's like over 1.2 million views on that, but I really wish he actually spoke about more than
nighttime moisturizer as to why people should care about One Password, even if it was an ad for One Password, saying, "This is why you care about it." That never came across, that was more Ryan Reynolds putting a spin on his way of. "Hey, so this is pretty funny," instead of, "This is why I won't be able to use my product," but I'm sure he'll come around when he hears this podcast.
I know he will. We'll have him on with you on the next episode.
And now, we'd like to take a moment to thank our sponsors and producers, Hacker Valley Media. Chris Cochran and Ron Eddings run an amazing studio here, which produces not only the Breaking Through in Cybersecurity Marketing podcast, but a bunch of other shows that you're going to want to listen to as well. So, all these shows, plus more and then, on top of that, probably even more coming soon are available to look at, listen to, and sponsor at HackerValley.com. Make sure you go over there and say, "Hey, Gianna, and Maria said I should come check out your website, listen to your shows, and sponsor
a podcast or two."
That will be awesome.
Aside from Ryan Reynolds, who else does good marketing in the cyber vendor space, in your opinion?
Who. What other companies are doing good marketing?
I would probably say, I think folks who are— I definitely would count the Cybersecurity Marketing Society in there, because I definitely feel you folks are doing, and I'm being genuinely honest, right? Because I think the fact that before this call started, we were talking about video audio. So, you guys have already thought about that, we did the whole teaser thing as well. I don't know how many people are giving that kind of freedom to their own cybersecurity. I think this is probably the highlight for, hey, if you actually allow the marketing team to have more freedom. I don't know how this works, me looking at this from the outside, I feel like there's a lot more potential in the space for people to do a lot more than what they are being allowed to do, if that makes sense. And it's more on the fact that, like, oh, you could have a teaser, because this is technically, what we have spoken about so far, is still value for people, right? And if they decide to sign up for and subscribe to the podcast that you have running, or they might just leave a review or rating, which I would definitely encourage them to do for this, because I think definitely means a lot for every podcast person out there. I would definitely encourage them to, while they're listening, they could just start it on Spotify or just drop a review or rating as well. I'm sure it means a lot for both of you, spending hours on this outside of your work. I feel the true marketing is where you're just giving value. Someone buying the product is literally just a byproduct of this because you've given so much value, it doesn't make sense to the person to not buy the product. I think that's what you folks are trying to do over here. So, I think marketing like that, and people allowing us to do more of this, is kind of where the secret sauce would be.
You really nailed it. I think that is probably one of the biggest pain points for cyber marketers is just not having the ability to branch out and be themselves and be creative.
I mean, that should be why people hire marketing teams as well, because they want them to be creative, because they can't be creative themselves. They hire great people, but put shackles on them. You wanted me to be creative, but at the same time, you want me to do what again?
You want me to do what the investor said is good marketing, or what the board members said is a good strategy?
That's exactly right. I think, I mean, I definitely feel that's why I had my massive support of you folks from the beginning because I definitely feel there's a lot more talent here than we are otherwise allowed to see. So, I'm looking forward to seeing what this actually becomes in the next six or seven years, as well.
So, Ashish, in terms of kind of like— Well, selfishly going back into you as a security practitioner and essentially, as someone who's a budget holder, at the end of the day, when you go into a new job, how likely are you to bring your favorite tools over? What does that process look like?
I probably would say the right tool for the right job, because of what I have found. I started this current role two years ago and unfortunately, I don't think I've brought any of the previous tools into this company, because this was a completely new stack of things that I was working on, that the older products could not work on. So, I definitely find it's always easier if you have the same problem in an organization. You can always bring back the same tool because you know exactly what it is. You don't have to reach out on the website saying, "Hey, can someone give me a call?" It's more like just call the person you have dealt with directly, and that kind of happens. So, I definitely feel if anyone has had a good experience from the product, and I mean experience not just in the context of how smoothly the salesman, but the customer success that would happen after that as well. Were there regular touch points? I think there are only a handful of people, no matter how big they are, who are doing a great job in the whole customer success aspect of it. I don't directly get to work with a product these days, but I get to hear the experience that my team is having with the products. When they talk about frustration, and I'm looking going, "Oh, I brought this product in," and now they're frustrated by it, it sounded like it would do the job, and it is going to do the job, but when you need support, suddenly no one is there.
So, things like that are definitely crucial, because I have had to not accept renewal of a product because I never heard back from anyone from that company for a whole year. And this is not us spending $100 or something, right? When you spend thousands of dollars with a company, and it could be the fact that it was a small company to begin with, maybe they're tried to focus on growth and you may try and be a bit more patient. But beyond a certain point, you're like, "Okay, I definitely pay a lot more money for this just $100, $200, that I don't expect anything back." So, the reality of it is, no matter how great the product is, if you don't complete the loop of ongoingly looking after people who are signed up, who believed in you, I definitely feel that is one place that I will not go back to them. Unfortunately, that's the reality of it and I'm pretty sure most everyone would agree with that. I mean, we do this in general life as well. If you buy, I don't know, a mic or whatever, right? And they don't give you any kind of support, you will not go back to them, no matter how amazing it is. That's just human
Absolutely. That's horrendous. I think we heard something similar about how satisfying your team or
how boring your team is, will influence you signing that check at the end of the day. That was in our recent Ask a CISO Your Marketing Questions, I don't know if you saw that.
Actually, that is one of the reasons I don't buy the product. So, I definitely recommend people should check it out, but I definitely find the extension of a team and the other party that's getting a lot more voice is the developer community in the organization. They're also getting a lot more voice in— I'm sure you would have heard about the whole PLG side, the product lead growth side. That is definitely getting— I think most of the companies that I'm talking to, they're all talking about the fact that the VCs are not finding them anymore if they don't have PLG. Like, they're always asking: What's your PLG strategy? It's already happening. So, it's only a matter of time before companies have to up their game for, "Hey, how do we convince the developers of this?" Because ultimately, security may be responding to a threat, but to resolve that problem, you need to talk to someone on the other side of the business. And having them on board is quite crucial, so it'll be really interesting as to if people have already
started recognizing that PLG is happening, and people want to know more about how you increase the adoption of your product, it will definitely make things like this standout even more.
That is so interesting, it's interesting that you bring up PLG. Let's expand on that just a little bit. We have a few minutes. What is the checklist of what makes a security product eligible for a PLG growth strategy?
Yeah, I think, I mean, I'm not an expert, I'll probably share what I've seen in the industry and what I have heard from other people. So, one of the examples that keep coming up in front of me is a company called SNYK. Those guys are probably looked at as the first ones to make a mark in the whole PLG space. Honestly, it's funny, I spoke to one of the co-founders as well. They spoke about the fact that, even before they went for a cybersecurity conference, they started going for developer conferences. They were doing developer conferences for years before they went to security conference, but if you ask any cybersecurity company today, they all went to cybersecurity conferences first. They never went for a developer conference. The developer conference comes much later, once you've established yourself. These folks took a gamble and when straight for the opposite direction first. Maybe that's one of the reasons why SNYK saw huge success. But I definitely find the ease of adoption and time to value are two things that make it really crucial for a big success. I think I'm going to use a
SNYK example here. They have a massive developer adoption, like in my organization, at the moment, we use SNYK. And we had people who were just able to use it straight away, because it was already in their workflow. It was not something that, "Hey, there is this amazing dashboard that you can go on, and then, you will be able to see all these amazing things."
If I were to use a marketing example, as well, if you go to Salesforce for lead, but then you kind of have to understand: How was this linked from the website? You kind of have to go to Google Analytics to understand, "Oh, is this lead because of this particular click. Which one?" It's kind of like that, where if it was already all on Google Analytics, it'd be amazing, or if it was already on Salesforce, it would be amazing. It's the same kind of thing with PLG space as well. It's about going to where your audience is and not having a plug for where these people are going to be hanging out, asking them to go around and say, "Hey, can you go to this separate thing?" And somehow correlate these two completely different things into this one thing. It'll be great, we'll have fixed security. But it doesn't work like that, because they're not being paid to be security people, we are. And we're expecting them to come to, "No, no, this is the product we use, you should come over to our site." And I think, to point, that kind of is too late on the point of the adoption curve, where you have to find: How do you get in line with the
existing workflow for developers? That would definitely be a massive plus for PLG strategy, in my mind. The second one being time to value. Once you've got there, is it going to take one week for them to get the result? Or, is it going to be a few seconds for them to get results? No developer is going to spend more than an hour waiting for this result to appear from, I don't know where, someone just wakes up on the other side of the world. So, yeah, those two are definitely major features that I feel would definitely call out the fact that, "Oh, this is a great PLG strategy."
Wow, some gold advice right there. Thank you, Ashish. And also, really nice to hear because the first conference that I decided to sponsor at for root was actually Developer Conference. So, it was actually good to hear that from you.
Yeah, I did not know this, but the more I talked to people, the more I realized. Actually, if that is the intended audience who's gonna fix or use it, they probably should be the first ones to critique it as well.
So true. Well, this has been an amazing conversation, Ashish. Gianna and I, at the end of each
episode, we play a game. Essentially, what we tried to do is guess what you would be doing for career if you weren't in cybersecurity today, or if you weren't a CISO today. We're not going to count podcast host and producer because he's already that. What other secret trades do you have that we shouldn't count in this game?
I don't think we should count teacher or professor because he's already a teacher and professor.
I actually really love fashion, travelling, food.
Wait, don't tell us.
No, no, I'm not giving you my profession. I'm just saying those are my some of my interests.
Oh, you're cheating on our behalf though. Like, we're going to win now.
No, I'm going to take that because you know what? This is gonna help me win because I never win this game. Gianna always wins, so thanks, Ashish, for slipping me that info.
You go first, Maria, because I can't copy what you say.
Okay, Ashish, you would be personal stylist to the elite IT security community globally.
That's actually— Funny enough, I did think of that one day. Well, I did. Like, if you would have spoken to me four years ago, that is exactly what I'm trying to think of. You're on the money, or close to money there. Not that you'd be wrong, Gianna, but just saying that was very, very close to work that I atually had in mind for myself.
Good. I mean, no offense, community, they do need a little fashion help.
But now I'm really curious about Gianna's as well. What's your thoughts?
So, I was gonna say a designer of clothes. I think it's too close to what Maria is saying. So, I'm going to instead say that you would work around some sort of luxury travel experience company. So, yachting, or really cool private jets, and you would— I don't know what the heck, you wouldn't be like, someone handing out drinks? You'd be the one receiving drinks. Is that a job?
Ah, so like a poster boy?
Yeah, you'd be the influencer, you'd be a travel influencer.
I appreciate that, and that is definitely some work in that space already being done. I mean, I'm pretty sure I should have mentioned that already, but outside of all of that, I create content for men's fashion, food, and travel, as well.
Oh, we didn't see that on your LinkedIn profile.
Because that's not related to LinkedIn. Marketing 101, the right screen for the right audience.
So, you are actually doing that on Instagram?
Yeah, so, I've got an Instagram account called the Peacock in the Room.
We're going to link to that in the show notes.
You can totally do that as well. I started this again, because I was on a different one, which I stopped using, because I like to challenge myself. I completely turned off my social media account and wanted see how much time it takes for me to start from scratch. So, my new account at the moment is Peacock
in the Room.
That's insane. Do you sell the old accounts? You know you can do that.
No, I don't sell the old accounts. No, I just leave them there. I think it just makes an interesting
experiment that I come across. So, in fact, if you search on LinkedIn, there's another profile of me. I just find that whole concept quite fascinating because social media drives so much of our day to day that we just don't realize, but having an understanding of it is something that I am fascinated by. It's like, asking a watchmaker, "How does the watch movement work?" It's like that kind of thing for me. So, I normally look at this as an experiment. Some of it clicks. Some of it doesn't click. My wife and I started a fitness one when we were in the middle of lockdown. We still work out, but we stopped posting there for a while. It was called When Not Traveling and Tasting, because my wife has an account called Travel and Taste, which is for our food blog, as well as for our travel vlogs, but yeah, I think we are a couple who are totally into the whole content space. Like, knee deep into it.
Oh, my gosh, we need another episode just to cover this part of your life.
Sure. I'd be happy to. I mean, we should totally have a meetup. everyone who's listening in, we can all form a circle or have a bonfire. I mean, I don't know if the middle of a hotel is safe for a bonfire, but somewhere that is safe for bonfires, and we'll talk about all of this.
Totally, you're gonna have to tell us about the algorithm, because you're like, probably the most knowledgeable person about this.
I'm the most knowledgeable? I'll probably say this. I think the funny thing is, it's kind of like the secret for getting abs. Everyone knows the secret to get abs, but no one has them. It's the same thing with algorithm. Everyone knows what it takes to become popular on social media, which is just to provide value and not expect anything back, and it happens. It takes two, three years, sometimes even longer, but people don't have the patience for it because life goes on. I don't know, I changed jobs, then I moved to another job. It's funny, I don't know who I was talking to, I think we're talking to a company with a podcast, and they were talking about sponsoring us. Somehow, the conversation went into the whole bigger space for long-term sponsorship, and it was really interesting. My wife and I listed out all the social media accounts I had, I think about 20 or 25 accounts, and it was insane. I thought like, "Wow, I didn't realize I had so many," because now I'm on this new thing called Hi Ho. Have you heard of it? No. So, Hi Ho is a video platform where you can ask questions. It's all driven by people asking
questions. So, I'm asking the question, I start a, quote unquote, thread, when I ask the question, and both of you can respond with, "Hey, this is what my answer would be," or any kind of a follow up question, I can respond to that. It literally a thread of videos with question and answer.
Is the security community on that? Because you know I'll be switching my ad strategy to that right now.
It's very new. It's literally new to the point that the founder himself is starting threads. I came across it like, six months ago, but it looks really interesting for what they're trying to create there. I mean, if you think from an ad perspective, as well, video is something that's more engaging for people. They're definitely trying to do something. Oh, what can this be? So, I'm just curious as to what this could be. So, there are accounts like that, that I had just hanging around in different places. There are things that I have shut down since then. I followed Gary Vee quite a bit, and he kind of would drop these things here and there, right? "Hey, I'm using this new social media." There's another one that I came across recently called True Social, which is another one. Like, there's so many social media accounts that are popular, but they have their own pockets. So, my hope is I can understand this space enough that I can tell other people about, "This is what works." I was using that as an example, but the simple truth that I've found so far is that if you provide value with no intent, and as you kind of keep improving slowly, as you go forward, what you realize is, every little critique that you get would help you improve that much more.
So, it took me six months on the podcast to kind of get to a point where people started asking, "Hey, can you do this topic? I would really love to hear about this. Can you get someone to talk about this idea?" So, it took six months, and I think that was still pretty quick, but sometimes, it takes a whole year to kind of have someone have the confidence to reach out. I know a lot of us consume content. Everyone consumes content, either on Instagram, LinkedIn, somewhere, but you aren't actively commenting on every little thing over there. It takes a lot for someone to comment on something. Being patient with that particular app, because once you have that, that is true engagement, someone is genuinely interested in what you're trying to do. So, that's my secret, but hopefully that helps. But unfortunately, it's not a hidden gem. Everyone knows about this. It just that a lot of us have a lot of changing priorities, because the jobs we do sometimes, that makes it really hard. That's the honest reality of it. I mean, I like real personal stuff, which is why I keep creating more of them. Because I'm like, "Oh, I'm bored with that, now I want to do something else."
I wish there was more hours in the day. Well, you know, at the end of every episode, also, we also ask our guests where can people find you if they want to reach out, but you know what? Everyone, find every social media platform out there, you will find Ashish there, just look for his name.
I feel grateful because I'm at that point where I can just tell people to Google me and I'll just come up. I don't really tell people which social media accounts anymore. I just tell people just Google me and I'll just come up, even though I'm sure Ashish is a very common Indian name, but I've taken over now.
The one and only Ashish, thank you so much for joining us today. This was such a good conversation. I can't wait for the episode to come out and for everyone to listen.
No problem. Thank you for having me. Thank you, Gianna. Thank you, Maria.
Thank you, Ashish.