SaaS Security Challenges

Evgeniy Kharam, host of the Cyber Inspiration podcast, interviews Valence Security CEO and Co-founder Yoni Shohet on the reasons he and his Co-founder Shlomi Matichin founded Valence and the overall challenges of SaaS security and the customer pain points that they sought to address.


Hello everyone, welcome to Cyber Inspiration Podcast. My name is Evgeniy. I've been around security for the last 20 years and have a lot of experience working with a variety of cybersecurity vendors. My main work is vendor consulting and cybersecurity advisory for companies. As part of my passion in technology and cybersecurity, I was intrigued to learn how companies start. I started the podcast to understand the thinking process and what motivated people to start their own companies. This podcast is also affiliated with Security Architecture Podcast.

I have the pleasure today to talk to Yoni from Valence and learn about their story. Yoni, can you please tell me about yourself and what you guys do?

Thanks again for having me. So, my name is Yoni. I'm one of the co-founders and the CEO of Valence. We're a startup focused on SaaS security. We help organizations secure their cloud-based applications by helping them discover and understand their risk surface. Whether it's third-party integrations, identity security, external data sharing, or misconfigurations, we provide automated remediation workflows that collaborate with business users to reduce risks. My personal background includes a second cybersecurity startup called Scadafence, focused on industrial IoT cybersecurity. I've been in cybersecurity for almost 10 years, starting from the Israel intelligence forces through different startups and eventually leading to me starting Valence less than two years ago.

You mentioned SaaS companies, and I was doing a presentation about security enterprise browsers a couple of weeks ago. I was wondering about the stats about SaaS. I didn't know that the SaaS industry is growing every year, and it started from 6 percent, 10 percent, 15 percent, and now 80 percent. So, every year it's growing more and more. I think last year we spent something like billions on SaaS, so it's definitely a very important topic to secure and manage. Your company is a relatively new company. I believe you guys started during the pandemic, and I'm wondering what was going on through your life that made you think, "I want to do this company."

I had a lot of different options. I knew I'm an entrepreneur, and I wanted to start another company. I was looking for the right opportunity. Doing startup ideation and co-founder searching during the pandemic is definitely not easy. But I think it's part of the determination you need to have in order to eventually build successful companies. So, a lot of the ideation and Shlomi, my co-founder, myself, had that over Zoom or sometimes without even meeting in person. But you also see the peaks while there were maybe lower points in terms of the pandemic itself. We were able to accelerate some of our collaboration and joint work. But I think also, referring to what you mentioned in terms of SaaS adoption, it also accelerated a lot of the security challenges that organizations have, and it also opened a lot of opportunities for innovation in new companies. I don't think the browser isolation companies or the enterprise browser category would even exist without the pandemic. Definitely for us as well since we're focused on SaaS security, the shift towards cloud really accelerated a lot of our thought process regarding the problem space and what we should solve. There are not always a lot of benefits for these types of pandemics, but as entrepreneurs, you always need to find the one percent of things that help you succeed and double down on that. So, I think that's what we mostly focused on.

It's interesting. During the pandemic, using SaaS applications, you found that you wanted to solve a SaaS security problem. How did you know that people are going to buy the solution? What metrics, what market validation did you do to realize that people are going to build this great tool?

I always joke that security companies are like mushrooms after the rain, we like to say in Hebrew. Basically, when there's a major breach, you'll see a lot of companies that try to solve problems that the breach disclosed or showed to the industry. For us, the SolarWinds campaign almost two and a half or three years ago was a major breach that the entire industry was focused on. When we looked at the different elements related to the SolarWinds campaign, we realized that we're trusting third-party vendors one way or another. There are different issues related to our trust in these third-party vendors, whether it's SolarWinds itself or the techniques that attackers used during the campaign.

For example, one of the things they did is breach trusted vendors that have high privilege access through third-party integrations. Let's say, for example, through an email integration, which allows the third-party vendor to scan the entire email tenant or the emails within Microsoft and leverage that integration to steal sensitive data from trusting customers. We realized that when we spoke with customers about third-party risk management, nobody really liked how they were doing it. Nobody really trusted their vendors.

We realized that there are a lot of issues related to this general problem space of how we collaborate and work with third-party vendors and external vendors. It required a new type of approach. This led us to focus on what we looked at the beginning as a business application mesh or SaaS mesh in this network of trust between our third-party business applications. Eventually, this evolved into becoming more and more of a SaaS platform.

You mentioned the problem with customers during the pandemic. A lot of people say that sales are declining and it's hard to reach customers. Why would customers even talk to you? Why would they actually open Zoom or take phone calls and listen to your idea?

Sales were declining, travel was declining, but CISOs had more time on their plate because they couldn't buy tools or travel. Speaking with innovative entrepreneurs who don't have a product to sell was a good getaway for many CISOs who were stuck at home. If you position what you want from these customers in the right way—meaning, you're not selling anything and you're just looking to build a better platform for the industry—and if you ask for 20 minutes of their time, most people will agree to these types of calls. They don't have to give much, but they have a lot to gain because they're speaking about innovation. It's probably the highlight of some people's day because it gets them out of their day-to-day work. Eventually, it's not something that is transactional. For some people, it's the beginning of a partnership. Some of these people who helped us early on became design partners, then got the product at a very healthy discount. Eventually, we were able to see a platform that has evolved to solve their actual pain points. So, there are a lot of benefits for people who are open to that type of early adoption, innovation, and especially for many, it's fun.

This is a very interesting point you bring up because the industry is screaming that we don't want to buy immature vendors, we don't want to be afraid they're going to go away and take our data. On the flip side, you're saying that if you jump on the train early enough, you may influence the product and the future, and you'll get a good discount as well. It's definitely an interesting point for CISOs that maybe potentially brings them to have a call with you in the beginning.

I think it's also something that we're very grateful for because in retrospect, we started by focusing on a very specific problem space. But what our customers helped us understand is that what we're doing is great, but there's so much more that we can do for them without much more work. They really guided us through the requests, sometimes not even realizing what they were saying. They just threw ideas up in the air. As entrepreneurs, as product-oriented and customer-obsessed entrepreneurs, we took everything they said and brought it in. We figured out the problems we could help them solve, which helped us build a better platform and solve more problems. It allowed us to provide a better solution for the industry.

If you're listening to the podcast right now and you want to start your own company, my recommendation is don't start anything, don't write anything. Instead, go find design partners and people who can help you shape the problems you need to solve. A good company solves important problems. They don't build products right away. You need to iterate and work with your customers because if you build something in a lab and wait a few months until it sees the first touchpoint with the market, it's probably too late. You could have improved significantly if you had worked with customers and they had given you immediate feedback.

You mentioned the mushroom analogy earlier. In the cybersecurity industry, companies are either the first or the fifth. It doesn't really matter because over time, the market converges. You need to continuously maintain a competitive advantage, and that comes from execution and attention to detail. The high-level ideas or problems you identify and discuss with customers won't give you a lasting advantage. It's about your execution and the small details that set you apart.

You have an idea, you have a team. What's next? Do you raise money or start building code?

It depends on the stage. Initially, we did a lot of things manually. We told customers, "Yes, we can do it," and we did it for them manually. We saw value in those actions, and then we built it. It was a more efficient way to experiment and decide what to focus on. Now, as a more mature company with a sales team, we need to be straightforward and honest with our customers. We can't promise everything. We need to ensure we can deliver what we promise within a reasonable timeframe.

Let's talk about hiring people. How do you let go and let others sell?

It's not easy. It's a challenge for entrepreneurs, including myself. In the early stages, most sales are founder-led, but over time, it's important for the maturity of the company to transition away from being founder-led. It happens gradually. You can start by not being present on certain calls, gradually letting others take over certain aspects of the sales process. It's about finding the right people and trusting them to manage those processes.

Now let's switch gears and talk about the dark side. Every company faces challenges and failures. One dark moment I experienced in a previous company was when I met with a plant factory manager who didn't believe they would experience a cyber attack in the next 10 years. It made me realize that it wasn't the ideal space for innovation. Lessons learned from such situations involve choosing the right industry to focus on.

Another dark moment can be related to company culture. Hiring the wrong people can lead to a toxic culture. It's important to recognize when someone isn't a good fit for the organization and be willing to separate from them. It's not easy, especially when you have personal relationships, but it's necessary to maintain a healthy work environment.

Lastly, we all have bad days and face problems. Personally, I disconnect from everything, go offline physically and mentally. I rely on my strong household, and my wife helps me overcome challenges. I know when I need to disengage, regroup, and take control of the situation. I disconnect to gain a fresh perspective and find solutions.

That's something that is always challenging for entrepreneurs in general, but I think also specifically for me. In terms of struggling or facing challenges, we all have problems. We all know that startups have their ups and downs. So how do I personally cope with problems? When I have a bad day or I'm not in the mood, what do I do to get myself back on track? I usually disconnect from everything. I stop communicating, go offline both physically and mentally. Luckily, I have a very strong household, and my wife is probably the best resolution for every problem I have. But usually, I just disconnect. I know to identify when I'm in that situation, and I know that I just need to disengage from everything. I need to regroup with myself, understand how to take control over the situation, and take over the situation. Usually, it happens more when it's items that are more dependent on me, where I could have done better in a certain situation. But sometimes, it's just not my fault. For example, let's take what happened with Silicon Valley Bank a few weeks ago. Everybody was panicking and wanted to know what's going on with their cash and everything else. But at some point, I realized that once the announcement was made, the bank is closed, and we did what we could have done beforehand, the rest was out of our hands. It's out of reach. There's nothing I can do. I don't have to feel bad about it. I'll make it work. I'll make it work like the entire industry. In other cases where it's internal things that are more dependent on me within the company, they usually hit me harder in terms of my mood and atmosphere.

I would say that's a good point to make. Thank you for sharing your thoughts and experiences.