Ross Haleliuk, Head of Product at LimaCharlie, joins us to talk about product-led growth (PLG) and its role in cybersecurity and cloud security. Ross leads us through exactly what PLG is and how SAAS companies can implement it into their product or service processes for customer acquisition, revenue growth, retention, and engagement. Whether you’re a small business or a big company, PLG can ensure your customers are happy with your products and fully engaged with your services— without even going through the traditional sales funnel. Timecoded Guide: [02:01] Defining product-led growth and how businesses can use it to acquire customers
[08:33] How PLG is different in cybersecurity and customer data
[20:06] Balancing a security risk with ease of installation and integration
[28:21] Understanding metrics, conversions, and the customer retention journey
[35:36] Best hiring practices for PLG companies interested in implementing PLG
What is PLG, and why is everyone talking about it? PLG stands for “product-led growth.” Product-led growth might just sound like another cybersecurity buzzword, but it’s actually a solid business strategy. PLG positions the product as the main drive for customer acquisition, revenue growth, and retainment. Instead of a sales person or team guiding the customer through their purchasing journey, the product itself is fostering engagement, building relationships with paying customers, and showing them its own value. “The part that is incredibly important is that a potential customer has the ability to try the product before they start paying for it, before they purchase.”
How does PLG play out in cybersecurity? Product-led growth can be tricky to implement in a cybersecurity space for a few reasons. The first is that product-led growth requires individual contributors to be empowered to make decisions, try different products, and make suggestions about solutions to problems. This can be difficult to implement in large companies without buy-in from leadership positions. Second, many products in cybersecurity fall under the umbrella of “keeping people safe.” This can be difficult to quantify the specific value of to customers, which is a vital aspect of successful PLG strategies. “The challenge with those kinds of products is: How do you say if it's working? How do you measure if it's working? If you haven't been breached, is it because nobody tried to do it, [or] is the product so good that it stopped it? Did you just get lucky? It's the value that becomes incredibly hard to measure.” How is PLG not just giving away a company’s products for free forever? Implementing a PLG strategy means giving customers a chance to discover the value of your product for themselves, without having to go through a paywall or talk to a sales rep. If customers can immediately see the value of your product, they’re likely to keep using it— and that’s when your sales and/or marketing teams can step in. At the end of the day, PLG doesn’t completely replace a sales team or funnel, but instead makes it easier for your sales team to focus on high-ticket items and customer success. “If a company has 500 people adopt the product, the freemium version in one of their departments, with only 5 people using it, it means that the sales team can now approach and have a conversation, potentially about expanding the 5 people deployment into the 500 people deployment. The sizing of the opportunities becomes easier.” How do you measure the value of a PLG strategy in a cyber company? It can be difficult to measure the value of PLG in a cybersecurity company, but it’s not impossible. What marketers and sales reps need to remember is that there has to be a key event that a customer experiences in order for them to realize the product does what it’s supposed to. For example, if you have an alert set up for someone clicking a link in an email that they’re not supposed to click, that’s a tangible event and alert you can see. That alert shows your customer that the product or software is doing what it’s supposed to do, and therefore illustrates the value of your PLG strategy.
“Building a PLG product requires an incredibly deep knowledge of the customer's needs, motivations, expectations, and everything else that drives the purchasing decisions.”
Grab your ticket to the Cyber Marketing Con 2022.
Follow Gianna on LinkedIn.
Catch up with Maria on LinkedIn.https://ventureinsecurity.substack.com/p/product-led-growth-in-cybersecurity https://ventureinsecurity.substack.com/p/h1-2022-cybersecurity-product-led https://ventureinsecurity.substack.com/p/plg-is-an-oasis-not-a-mirage-making https://ventureinsecurity.substack.com/p/to-bring-plg-to-cybersecurity-lets https://ventureinsecurity.substack.com/p/first-principles-thinking-and-how
Hey, before the show starts, we want to let you know that the Cybersecurity Marketing Society's annual conference, Cyber Marketing Con 2022, will be held this year, November 16th through the 18th in Arlington, Virginia, and yes, there will also be a virtual option.
You really don't want to miss it. We'll have two days jam packed with cybersecurity marketing
strategies, ideas, metrics, insights… it's going to be the place to be. Visit cybersecurity
marketing society.com and click on “conference” to grab your ticket. We'll see you there.
Welcome to the Breaking Through in Cybersecurity Marketing podcast.
Where we explore the hottest topics in cyber marketing, interview experts and help you become a better cybersecurity marketer.
Hello, and welcome to another amazing, spectacular, stupendous, fulfilling, life-affirming episode of Breaking Through in Cybersecurity Marketing. I'm one of your hosts, Gianna.
And I’m Maria.
And today we have an esteemed guest. We have Ross Haleliuk, he's the Director of Product at
Lima Charlie, and he has a bunch of other accolades, which he said we don't have to list, but I'm gonna mention a few. He's an advisor at Loyola, VC. He's a VC fellow and included VC. He's a writer for TechCrunch. And he does a lot of other stuff, too. You'll have to check out his LinkedIn after the show. Ross, we're so excited to have you here.
Yeah, excited to be here. Just a standing correction. I'm a guest writer at TechCrunch. So I'm
not a staff member. I'm just asking them to publish some stuff that I think is cool. So…
Nobody send him any fundraising news, press releases, or any of that. Not gonna happen.
Good clarification. All right. So, Ross, you're here to talk about PLG, about product, to illuminate us or elucidate us, I don't know what the word is. But for the uninformed here, what is PLG, what
the heck is that, that everyone's talking about?
Yeah, I mean, PLG, I guess there are two ways to explain it. One is to say that PLG is this new
cool thing which is going to change your life, it's going to revolutionize the way you do business, and blah, blah, blah, like all the buzzwords that you can hear in the industry. But on a more serious note, PLG is a business strategy, which really positions the product as the main driver for customer acquisition, for revenue growth, for retention, engagement, and so on. So when you think about tech startups, traditionally, marketing will drive the leads on the top of the funnel. And then the sales team was the main driver of the revenue, just taking those leads, and guiding them through the whole sales process. And then later on wants to deal with closing the sales and customer support with being in charge of the retention and making sure that the customers are happy. So while all of those functions are super, super, super important, at the PLG company, the key is that at product lead companies, product becomes the driver of the revenue and retention. So it's product that fosters engagement with customers. It's product that builds the relationship, it’s product that allows people to make it super easy to experience value, to start paying and so on.
So the acronym there is “product lead growth.” And Ross, would you say that product in a
PLG-focus company is kind of taking on the role of sales and customer success? The product
actually is doing that or you think there's more nuance in that?
Oh, there is definitely much more nuance than that. So one thing that is definitely valuable and
super critical to say is that product lead growth requires all the digital-facing teams within the
company, whether it's marketing, design, product, customer success, and others, to kind of rally around the customer journey so that the business can provide an innovative and really
personalized product experience. So sales are incredibly important. Marketing is incredibly
important. Product does not replace them, it just changes, in a way, the raw, it shapes the focus of the sales and marketing a bit differently. But those two teams, they're there. They're incredibly valuable, and they're definitely not being replaced.
Awesome. Another quick question about, like, what is PLG? I have heard that PLG means that
you essentially have an “always on” version of your product that people can access for free. So think of Asana which you can use forever for free up to a certain amount of users and you get hooked and then because you love Asana, I love asana and Asana, please marry me, please give us money, please do something with our podcast. And then eventually there's also like the paid version of it right? Would you say that a function appealed to you to be a true PLG-focused company, you have to have that free version?
Not necessarily. The way I see it, PLG is more of a mindset than it is a specific feature of the
product or a specific way to sell the product. So because it is more of a mindset, it's not always easy to say, looking from the outside in what company is pursuing PLG; however, it's super easy to say which companies are not. So whenever you see that the company is hiding their pricing, whenever you see the company requires people to attend a mandatory demo before they can experience the product, whenever you see that there is no way for the potential customer to try before they buy, you can be super confident wherever they're doing is not PLG. Having said that, the freemium model is not a necessity. The part that is incredibly important is that a potential customer has the ability to try the product before they start paying for it, before they purchase. And so a vital form of doing it could be offering a limited free trial, it is a different approach. Having said that, that people are still able to experience the product before they put in their credit card and sign up long term. So yes, having a way to experience it on the freemium such as what Asana does, and by the way, I'm also a fanboy of Asana, I love the product, I'm using it myself, not just because it is PLG. It's just an awesome product. And I'm actually using a free version, too.
And actually, you bring up a good point about the unlimited free trial. And I think most
cybersecurity companies, at least the ones that are probably thinking PLG would be more
comfortable doing that versus anything else, that's like completely freemium.
I see what you mean, I would probably rephrase it a tiny bit. In my mind, it's not so much a
matter of comfort as it is a matter of understanding the customer. You see, when you're offering a free version of the product, before you go there, before you start offering the free version of the product, you truly need to understand, what does the customer need? What are their pain points? And what are they willing to pay for? Because if you don't do it the right way, there is a potential for you to just give out the free product and realize that while all of those extra features, which we deemed to be a paid tiere, are not actually that useful. And people can totally get by by just using the free version of the product. So it's a bit more nuanced. It's just like before getting into this free meal model, you truly want to make sure that you understand like, what are those points that are going to trigger the customer to upgrade, otherwise, you might just end up with a free product, which is not the goal.
You might end up with Zoom, which is right now, July 2022 right now, and they've ratcheted
down on the free meetings and the free unlimited minutes. And now even a meeting between
two people has a time cap to it. And when several months ago, it was like only meetings of three or more have a time cap on it, so you might have to do some ratcheting down otherwise, like you said, you do have a free product.
Exactly. And it's interesting, like the psychology of those changes is incredibly interesting
because people respond much better to being given something than to have something taken
away from them. So if Zoom did not give those abilities to begin with, you would feel less bad
than you feel now when you look at Zoom and it's like, “Oh, now they're really trying to force me to pay like they're really making it hard for me to get the product for free.” That's interesting.
As humans, if you take something away, it's like, “Oof, I feel that a lot more than if you gave me
a gift.” So, PLG, we just gave two examples, Zoom, Asana, both are just regular B2B tech,
which is not what this podcast is about, because we're in cybersecurity and cybersecurity is
different. So how is PLG different in cyber, Ross? And you've written a lot about PLG inside
Verbal, we’ll link to your articles in the show notes. Tell us a little bit more about PLG and cyber, what are you seeing, how is it different?
Yeah, that is an interesting question. I think there are a couple of factors that come into play.
One is cybersecurity is fairly new as a discipline. Historically, security has always been a part of IT, and therefore did not really have a seat at the table. The reason this is important to
understand is because the product lead growth requires that individual contributors are
empowered to make the purchasing decisions. They're empowered to try different products.
They're empowered to try different solutions to the problems they're experiencing. They're
empowered to bring their own ideas to the table and suggest what could be a good fit for their
specific use cases. The problem is, it's pretty hard to do when security does not have a strong
champion in a form of let’s just say Cisco or a director or a VP of security. When you don't have
a strong presence at the leadership level, it's hard to empower the security professionals, like
the individual contributors, to come forward with those ideas and to even do the research and
suggest some solutions on their own. Secondly, there is definitely a challenge of sharing data. You mentioned Asana. When you wanted to try Asana, how did you do it? Well, what I did, I went in, I created an account, I added a couple of tasks, and off to the races, like now I'm using Asana. It's simple, right? With a cybersecurity tool, well, you have to install it on your company's network, or you have to install it on the cloud, or you have to install it somewhere else. Of course, the technical professional can get something set up in their home lab. But at the end of the day, after they've tested the tool, after they confirm that, yes, it does what it says it does, we can give it a shot, you now need to go through the more traditional purchasing process, because it's your company's data that is getting into that tool. In fact, it's the most sensitive data that is going to get into that tool. So traditionally, in many other fields, let's take productivity apps, since we're talking about Asana, there is this idea of landing and expanding. Like two people in marketing adopted Asana and one person in accounting, and then Assana’s sales team can start approaching those people and saying, “Hey, you know what, how about we get your whole company on board?” It doesn't always work the same way with cybersecurity, because the dynamics are very different. You can't have one security engineer adopt a tool that is going to collect the company's data, and then spread it around. The way the purchasing decisions are made is different. And lastly, there is also the process of understanding value. So in order for a PLG product to be adopted, the customer needs to understand what is the value of the product offers? When I think about cybersecurity and the concept of time to value and the concept of product value and cybersecurity, I think about two categories of products: there are products that solve a very specific, narrowly defined problem for a security professional. Let's just say I want to store passwords, there is one password, or I want to automate workflows, there is simplify, there are times there are a bunch of other products. So when you're solving this specific problem in security, you can quantify the value, you can measure the value. However, many products in the industry fall under the very broad category of “making somebody safe.” So I'm going to install this tool, and it's going to keep my company safe. For those specific products, it's incredibly hard to measure value.
If I can interrupt here for a second. For all of us listening who work at cybersecurity companies, both product companies and services companies, I mean, we are all charged with when we sell our product, you know, our product is theoretically going to keep people safe, in that high arching level, or keep companies safe or keep data safe or something, because that's the end sort of reason why they will buy our products unless they're trying to reduce work or whatever. So what are some companies you think that are in that more, broader, keep people safe, as opposed to like, The Times is of the world?
That's a good question. Like, frankly, there are tons. I will name two companies that are falling
under the PLG bracket. Again, they're fairly young, they're cybersecurity startups, super active, great product line companies. So there was a company I was looking at the other day called Blue Mira, and —
Oh we know Blue Mira!
Yea, we know them.
Yeah. So either Blue Mira or companies like Malwarebytes, any EDR kind of product, the
endpoint detection and response kind of product, essentially says like, “Hey, install us, and we
will do the work for you.” The challenge with those kinds of products is that, how do you say if it's working? How do you measure if it's working? If you haven't been breached, is it because nobody tried to do it, is it because the product is so good that it stopped it, did you just get lucky? So it's the value that becomes incredibly hard to measure. To be clear, hard does not mean impossible. Still companies are very smart and product people and marketing people at those companies are incredibly smart people, they are making an effort to surface the metrics related to what the specific product is doing in Sivan. Having said that, it's still not always easy to answer a question: If you really need this product, would we be better off not having it at all? Would we be at the same place? Like it's hard because the problem of security and keeping somebody secure, is so generic and so broad. And for that reason, the time to value is a much harder metric to track. Having said that, I do also want to call out that yes, there are some factors that make it harder for cybersecurity startups to adopt the PLG model. Having said that, there are also so many reasons to actually do it. Like for example, we have been seeing that the traditional sales channels in the industry are incredibly expensive, and they're getting more expensive every single day, like companies who have been selling — exactly —
Our listeners can't see but I'm doing the money dance.
Yeah, like companies in the industry who have been selling to CSIS are finding it harder and
harder to get the meeting, to get like an invite-only event going, to get the conference, to get
some sort of a dinner organized. It's becoming much more expensive. Then there is the vendor overload issue, when the security leadership, every company is being pitched five to 700 security products every single year. So getting through that shield is becoming much harder. Investors are understanding that and they're also looking for new ideas. I was talking to a friend the other day who works at the venture firm, and I'm hearing that one of
the main reasons they turn down cybersecurity startups is their go-to-market strategy. If a
startup comes in and says, “Oh, we've got this cool product, we're just given to get the CISO
into a demo and sell it” it's often an automatic “no,” because it's hard, like, it's generally hard to
get somebody's attention. We are seeing that individual contributors in the industry are
becoming more able and more encouraged to recommend different solutions. And lastly, the marketing budgets in the industry are super high. And that's where I would actually love to hear from you. What are you seeing from the marketing standpoint, that could potentially be a factor encouraging the adoption of the PLG?
I mean, the ever-so-growing sales cycle, I think that's like immediately what I could think of, and there's a lot of like, really weird dynamics happening with this new mixed funnel and the dark social and all of these things, and it's getting even more and more confusing. In terms of, “Okay, this is going to be our growth strategy is going to work” because there's so many, “it depends” that adding a little bit of PLG sprinkle into that funnel could actually help you while you figure out okay, is this more inbound? Or is this more outbound? Or I think, in my opinion, yeah, why not? You can consider it an experiment, right? If it's not going to cost you too much on the dev or product side, and if your leadership team is open to it, yeah, why not?
I'd add in that it's about the buyer experience, too. So the frictionless buyer experience, like you said, Ross, and like you mentioned, Maria, breaking through that noise is so difficult now. Even with this market downturn, which is also another reason I think PLG could be a good thing, because we're all, not all of us, but some of us, will have less budget to work with to pay for these very expensive traditional channels. I think that the buyer experience can be better using a PLG focus because nobody has talked to sales, basically. And one thing would be if you really believe your product is super cool and you have all the metrics and everything set up right to track it and like you said, Ross, if it can prove that it solves a problem, or it does solve a problem, then that is a reason to explore it. I mean, Botero is going to be thinking about this, it's in the roadmap. I don't know how much I could say about it, but it's in the roadmap.
Yeah, it is. It's a very good point. And you mentioned two parts that I would definitely like to
expand on. So you mentioned the economic downturn. And that one is incredibly interesting,
because one of the things that PLG does really, really well is driving the cost of revenue as
close to zero as possible, because the access to product is not gated, because the person can get started without having to talk to anybody. It forces the company to ensure that the cost of infrastructure is low, that the cost of providing that free service is low, and it also means that you're essentially saving money on sales. And it doesn't mean that sales is taken out of the picture, but what it does mean is sales in the PLG model is focusing on the parts, on the kind of customers that are more likely to yield positive returns. If a company that has 500 people adopted the product, like the freemium version of the product, in one of their departments, with only five people using it, it means that the sales team can now approach them and have a conversation potentially about expanding the five-people deployment into the 500-people deployment. The sizing of the opportunities becomes easier. It's not about PLG replacing and taking cells out of the equation. It's about PLG making it easier for the sales team to focus on the high ticket items as opposed to just everything and anything under the sun.
And now we'd like to take a moment to thank our sponsors and producers, Hacker Valley Media. Chris Cochran and Ron Eddings run an amazing studio here, which produces not only the Breaking Through and Cybersecurity Marketing podcast, but a bunch of other shows that you're going to want to listen to as well. So all these shows plus more and then on top of that probably even more coming soon are available to look at, listen to, and sponsor at hackervalley.com. Make sure you go over there and say, “Hey, Gianna, and Maria said I should come check out your website, to listen to your shows, and sponsor a podcast or two.”
Ross, I have one more question because earlier you said that a lot of security products deal with interoperability of data, right? You're plugging in a security tool, it's going to connect into your email, it's going to connect into the web browsers of your employees, it's going to connect them to your cloud environment… I'm curious about your opinion on this — because also we'll link to this in the show notes — there was just an article that TechTarget did a survey and they were saying that ease of install and ease of integration is really important to security professionals. So I have this thought in my head, this conundrum: you want to make your product PLG, but in order for it to work, it has to connect to things in your customers' environments. How do you get over that hump? Because I assume, or I think, not having that PLG myself yet, that maybe there's pushback from the security folks, because they're like, “We don't want to connect. We don't know you. This is the analyst who wants to install this thing but we don't know that. And that's a security risk.” How do you get around that from a PLG perspective?
That is a great question, and frankly, I don't think there is an easy catch-all answer to that
question. Having said that, there are definitely some things that can work and that do work. An example would be giving people access to the test data. Whenever they create their account, you're getting started with a new security tool, you don't necessarily want to get your production data funneled into that tool. Maybe there is some dummy data that can be pre-loaded into the product itself that you can start exploring to understand how it works. That's probably one of the easier things to try. On the other hand, making it easier for people to trust, getting them over that initial hump. So client testimonials, things like SOC2 reports, and similar, making it all easy to access. I was looking at Cloudflare the other day, and guess what? In their UI, you can go to the compliance section, and actually download all of their compliance documents, including their SOC2 report. I know the majority of the companies make you request their SOC2 report, Cloudflare does not do it. You get it all in the UI, like they're 100% transparent about their security posture and their compliance when it comes to that.So taking steps to show that yes, you're open. Yes, you are honest about your security posture, you're honest about the degree of care with which you handle the customer's data. And you are there, other people and other companies already trust you. Yeah, and just reducing the barriers to somebody else to even get their data in, like this is totally outside of the PLG per se, but so many security companies make it incredibly hard to get the data out of their tool. Like the vendor lock-in, in this industry, is real. Like so many companies are trying to make sure that “Oh, only vendors who are a part of our ecosystem can send us the data, can receive the data from us.” That is not where I personally believe the future of this industry is going to lie. And yes, there are no shortcuts, there is a need to change, there is a strong need to change, like the vendor lock-in should not be a thing. We all benefit, not just from the PLG standpoint, but we all as an industry benefit when companies have full control over what tools they can try, what tools they can install, what data they can send and where, and so on.
So many of us in marketing are either working in this traditional one-funnel model, right, of “Let's get the leads in, let's nurture them, and get them to sales.” How does that change with PLG and how do you even do attribution, in terms of whether it was a marketing source or a sales source? If they're coming in, converting on the website, creating an account, and then the sales team is expanding them, what is the attribution there?
That is a very interesting question. One thing that the PLG definitely makes easier is to get
people to experience the value quicker. And once they can get to this “aha” moment, it becomes much much easier for them to get down the purchasing journey, and actually adopt the product. When it comes to the attribution, tell me more, what do you think having an open product would make harder? And I guess, what are the challenges about it? So in my mind, ultimately, what we're all trying to accomplish is to get more people to use the product, start paying for using the product, and so on and so forth. It matters less if it's a result that can easily be attributed to marketing versus the results that can easily be attributed to sales, in my mind, at least.
I mean, I'm with you there, 100% the mindset is aligned. However, you'd be surprised how many companies, how many sales teams, how many leadership teams, actually don't understand that this is the healthier way of looking at it, and are very much in this super tunnel vision of silos of inbound and outbound, that they don't actually give the chance for an amazing idea, for PLG, to actually take place and be born. I don't know, I don't know if it's an ownership thing, I have no idea what would be the issue in not thinking this way? But I always wonder, with PLG, for those that are so adamant to know what's what and who brought in what, how would it even work?
I think it comes back to the conversation to where we've started, essentially, what PLUG is, is a mindset, is a business mindset, is an organizational mindset. And PLG being an organizational mindset means that it is a mindset that has to be shared across the company. We cannot talk about product lead growth, and changing the way products are bought and sold in the industry where, if you look at the company, you have a sales team that works in a silo, you have a marketing team that has its own metrics. And those metrics are created and tracked, without the consideration for kind of a bigger picture. You cannot have a product team that goes entirely in a different direction and it's totally misaligned, you have to have it all brought together. And so that's where the question of leadership, that's where the question of alignment comes in. What does not work — and I have seen it at some companies — what definitely doesn't work is hiring a bunch of product managers with a background building PLG products and just saying, “Okay, our company is not going to PLG.” It does not work that way. If you don't have buy-in from the highest levels of leadership, if you don't have the buy-in from the sales team, if they feel threatened, if people in marketing feel threatened, you will never be able to accomplish anything, especially if you're talking about the larger organization. It's easier in a smaller startup, because you've got a couple of people you can bring all together,
have a quick and transparent conversation. It does not work at a large enterprise, because for
them, it is a monumental change to the way they've done their business for years and often
decades. It is not an overnight change and it's not a change that can happen by just saying,
“Okay, starting tomorrow, we will be looking at different metrics, and we are going PLG.” There
is a lot of internal alignment, there are many hard conversations that have to happen. And also, realistically speaking, it has to make sense from the business standpoint, like PLG is not a cure all, it is not this magic thing, is not one of those buzzwords — I mean, it is a buzzword at this point — it's like zero trust in security, you go to any conference and everybody's talking
about zero trust. You go to any conference about product and marketing, and everybody's
talking about PLG, but not enough people understand what product lead growth is.
What if you do hire those product managers that have experience with PLG and alongside you
hire a hypnotist to take care of the skeptical leadership, and the threatened sales team, and the threatened marketing team, and there, boom, you have a successful PLG strategy?
Maybe! You see, I'm a skeptic by nature, and I like to take an empirical approach, so I believe it
when I see it.
I’m going to add a line item for a magician. No, I'm gonna add a line item for a hypnotist on my
budget for [unintelligible].
I mean, yeah, that's a very critical hire when you make a new pivot to PLG. So Ross, yes, of
course, it's a change in mindset and all of that, but I imagine there is a change in the set of metrics, too, that you're going to have to start looking at. Walk us through how those metrics
actually are either different, or they're similar ones, to the traditional marketing funnel.
Yeah, when I think about metrics, I like to think about the fundamentals and thinking about the
customer journey, how it all breaks down from the first principles into the specific items that we can measure. So talking about the metrics, I think about the fundamental questions that we need to answer, whether we are implementing PLG or not: Are people signing up for our
product? Let's talk about the conversion. And see, maybe there's some challenges that we need to dig into there. Maybe there is a question around positioning, maybe people don't understand what the value proposition is, maybe they don't understand what the pricing is.
The other fundamental question is: Are people able to experience the value quickly? So then,
one of the key metrics in a PLG product is the time to value, the amount of time it takes for the
customer to reach their “aha” moment, to reach this activation event when they realize, “Oh, this is what the value of the product is. I see it now. This is how it works. Yeah, this works for me.” And then there are definitely metrics around the product qualified leads, people who have completed the key action within the product that makes them realize the value and makes them realize that, “Yes, I've experienced this, I am now ready to start using the product.” This is the warmest lead you will ever get, a person who has tried the product, who looked at what it does and said, “Hell yeah, this works for me, this is what I'm here for.”
And the value is how do you measure that? Is it like the number of projects they created? Is it
the number of users that they invited? I mean, it's gonna depend of course on the product, but, let's say your product you have to create a project in order to do something, or a dashboard, or whatever. Is that how you would kind of measure the value?
The way I would measure the value is by looking at the key event that the person needs to do in order for them to realize that the product does what it claims to do. In some cybersecurity
companies, it would require them to install an agent or a sensor on the endpoint. And to see that first detection coming in, or, to see that first alert coming in, or to see that first Slack message coming in. So it's that point in time when you've configured the most basic flaw, which allows you to experience something within the product. And when you experience that something you're like, “Oh, this is how it is.” So if the product is promising, let's just say, a human readable alert in Slack, which pop up whenever a person clicks on the email they're not supposed to click, then the first time somebody gets that email, and they look at it, they understand what it does, they understand how it works, they click on it, then somebody on the product side is able to see it show up at the dashboard or somewhere else — it's that “aha” moment that they're like, “Oh, this is how it works.” It's going to vary from one product to another, and that's why you see, one of the challenges for PLG is the need for people to truly understand: what does the customer need? Building a PLG product requires an incredibly deep knowledge of the customer's needs, motivations, expectations, and everything else that drives the purchasing decisions. All of that is only possible when you have empowered product teams who are capable of having the conversations, who are capable of doing the customer research. All of that can only happen when product and marketing and sales all work together so that they're sharing the insights they're sharing their learnings. All of that can only happen when there is the mindset of continuous discovery, where we are not just making assumptions and running on those assumptions but instead, we are probing the assumptions, we asking powerful questions. We are talking to people, we are listening more than we talk. We understand the user needs. If you can anticipate the changes in the customer behavior and the consumer expectations. Only when we are doing the fundamentals that make good product managers, good product managers, good product marketers, only when we're doing those essential, fundamental things that make us good at what we do, can we talk about improving and can we talk about implementing the product lead growth in a company.
Talking about the metrics, are people increasing their usage? Are people paying for the
product? How much are they paying? Let's talk about the expansion revenue. Let's talk about
the revenue generated from the existing customers by upsells, cross sells, add ons, and so on.
Let's talk about the average revenue per customer, the customer lifetime value — an incredibly
important metric for the product lead growth company, how much revenue is your business
going to get from this single customer over the duration of the relationship as the company?
A number of other things, like are people coming back to the product? Let's look at the daily
active users, let's look at their monthly active users, let's look at retention. Are they leaving?
Let's look at churn, let's look at the reasons for the churn. So when we are talking about the
metrics, measuring the numbers is important, but what is also critical is understanding the
drivers for each of those numbers, digging deeper, having the conversations. If you're thinking about the sales cycle, doing that win-loss analysis in the end, to truly understand why did this customer not adopt the product? The general answers are, it's either the price that's not right, or the features that are missing. But digging deeper, obviously digging deeper, to understand underlying reasons. So metrics, honestly, when it comes to picking specific metrics and numbers to use, if you just go to Google and search, “PLG metrics,” you will find tons of articles highlighting the specific components that can be measured. I think what's more important than picking the metric is understanding the “why are we measuring this,” “what are we measuring?” It's easy to track the daily active users, but why is the daily active users metric significant for your specific business? Those are the kind of products where the customer is only going to be logging in once a month. So daily active users metric might not even be relevant for your specific product. So you have to understand your product, you have to understand your customer, and based on that, make the decision around what metrics to track.
And I imagine that you need more of an education internally on the “why” versus the “which”
Absolutely. Absolutely. As with anything in life, if you know what constraints are impacting your decision making, if you know what you're trying to optimize for, then making a specific decision is much, much easier. And it's much harder, on the other hand, when you have no idea when you're looking at the thing and you're saying, “Well, we have to increase our sales, where do we start?” Well, start by looking at the fundamentals: what is the product you're selling? How are you selling it? Who is your customer? What does their buying journey look like? Where do they draw? Let's then start looking at the metrics and optimizing it.
Well, I think we just took our grad course in PLG and now we can all go away with a few things
we could possibly hypnotize our sales team and leadership team and convince them to do PLG. What do you say, Giana?
I think we definitely did. This has been so fun. Ross, it's been so great to have you here. I think
we have one very last question before we get into our game, because our game, that's our real
final question, but do you think we have the right talent? There's a lot of demand for PLG and
PLG positions and PLG in cyber, but do we have the right talent to execute? I will say what I first think that yes, I think we do have the right talent, because anyone who listens to this podcast will have just completed their MS in PLG—
Yeah, it's a good question. My answer is definitely yes, we do have the right talent. The
fundamental problem is that security companies have to be willing to start hiring outside of their comfort zone. First, hire people outside of security. We do know that security products are less user-friendly than products in other industries. We know that most of the products in the industry are traditional or old fashioned. And the problem is the requirements for cybersecurity experience doesn't do any good for our industry. If you choose to only hire people with cybersecurity experience, you're essentially limiting your options to people who have worked in those huge old fashioned enterprises you're trying to disrupt. So do you think they will pivot into a small company and start innovating in your startup without having done it anywhere before? So hire people outside of cybersecurity, hire people outside of B2B Yes, the majority of the companies we are talking about are B2B enterprises. But B2B enterprises, as of today, are at least two to five years behind when it comes to customer expectations. Think about it from this perspective: let's think about the B2C experience. If it takes you 15 minutes from the moment you download an app on your phone, sign up for that app, place an order, and get your food delivered — All of that can be accomplished in 15 minutes. How can you then sit down and wait for three weeks before you can get access to the cybersecurity product?
Great, that's a good point. How can we make our products more like DoorDash, or Uber?
Exactly. Well, how do we do it? We hire people who come with different experiences, like they
hire people who come from B2C, who come from different fields, we change our hiring patterns. I'm seeing this change and I'm looking at the Marketing Society Slack channel and it's incredible to see people coming from so many different backgrounds. I can't imagine that even being the case five years ago. So the industry is changing and we need to do more of it in marketing, in product, hire people outside of the comfort zone, hire people outside of what you're used to.
Awesome. All right, Ross, thank you for the plug for the Cybersecurity Marketing Society, by the way, anyone who wants to be in the Cybersecurity Marketing Society, visit
cybersecuritymarketingsociety.com. And there is a “join” or “apply” link at the top of the page
and you can come hang out with me, Maria, Ross and a bunch of other people, and talk about
the fun, crazy world of cybersecurity marketing. So Ross, we're gonna jump into our game, and let's make it quick, because I'm just aware of the time here. Basically, we're both gonna guess what you would be if you weren't doing what you are doing today, which is venture capital and product and smart thinking. So, I think you would be a basketball coach, Maria?
Oh, I could see the personality there. I'm actually going another route. I see maybe like a radio
Okay, Ross, which of us was closer?
Definitely not the basketball coach. I think I will totally go for the radio piece. Maybe maybe a
podcast host who knows? Maybe after this conversation, I will rethink my plans! [laughter]
[laughter] Obviously, what you're doing today is your passion, it sounds like you're passionate
about it. But if you were not doing it today, what would you rather be doing?
I think I would still stay around tech. I would still stay around startups, maybe venture capital,
maybe operations? I don't know. Honestly, no idea. I feel like I fell in love with product so maybe I could totally be doing marketing! Who knows? But it would definitely be something around tech and startups and very likely cybersecurity.
Love it. Love how noble and loyal you are to your current passion.
Ross, where can people reach you if you're open to being contacted?
LinkedIn is definitely the place. I'm not active on Twitter, I've created an account before Elon
Musk was planning to buy it, but I never became active. But LinkedIn is definitely the place. Yes.
Awesome. Thanks so much for being on the podcast. We've loved having you here and
everyone who listened to all the things that we mentioned that will be linked to in the show notes will be in the show notes. And if you want to be on Breaking Through in Cybersecurity
Marketing, send an email to Podcasts@HackerValley.com.
Thank you so much. Thank you so much for inviting me.
Thanks for coming on!