Umaimah Khan
Podcast Appearances
We are a security company, first and foremost. From day one, we have to build a lot of trust, and that has to show through in our features.
It's a balance. And I would say from day one, there was this notion of scale in mind. And at the same time, like recognizing when you're making one way decisions versus two way decisions. There are things you do early on, especially on the engineering side that like could be construed as tech debt. But you have to make those calls so that you can get to the next milestone.
There is like a small bucket of decisions, I think, architecturally that matter a lot, and it's very important to get them right from day one. So in our case, if you look at how Access products have been built in the past, none of them have really been built for hyperscale or complexity. They're not really built to have flexible data models.
This idea of context or being able to be flexible between role-based access control or attribute-based access control, it's quite difficult. And then the other thing is there's latency on all these things, whether it's requesting access or knowing who has access in real time. There's just not been systems that have been built from the ground up.
And some of that is just as a result of the fact that some of these companies and products are from a different era. But this idea of being built for scale was always like very top of mind and being able to be flexible enough on the data model. And that's where it's worth like putting in the investment. That's how we think about it, like from day one. And so that's where we didn't compromise.
On the rest of the stuff, it's very case by case. Sometimes it's better to have something done than have something perfect. And you make that call by, again, understanding what your core strengths are as a product. Our core strengths are reliability, accuracy, speed, and data. So that's where we wouldn't compromise architecturally and continue to make the investment to improve.
I would say the team, first and foremost, like I wake up every day and I'm just like, I can't believe that these people chose to like come here and work this hard with me, basically. That's first and foremost. I think the second thing is a lot of the things we've talked about as a product, and I don't say this as like a diss on us, but
They are just how you think about good system building to scale across many things. We've seen the entire DevOps space, like CI/CD, mature as an industry in the last 10 years. And a lot of that just came from this idea of good engineers thinking very carefully about what reliability and infrastructure look like there.
And I think that we're starting to get to a point where people understand this is necessary in identity and access as well. Right.
And I'm really proud of the fact that as a market, there has been enough maturity over the last couple of years that people are starting to stand up and take notice of that and are now thinking about this problem from this perspective, as opposed to, oh, I'm building a ticketing platform that's going to allow me to have this one workflow for everything.
On the product and edge side, there have definitely been things I look back and I say, I shouldn't have prioritized that. For example, there's this class of ill-fated UX redesigns, which are incredibly painful and very resource intensive that I think back to and I'm like, man, it just feels like the team was on a merry goose chase for three months.
In terms of how you respond to it, my perspective on things like this is honesty is the best policy. You own up, you explain why you made the decision you made, you explain how we got to this point, why it's and just open the space for feedback and how as a team, we won't find ourselves in similar positions. How can we learn from these things? The reality is you make a lot of mistakes.
The question is, do you make the same mistakes over and over again or are they learning opportunities?
Up to this point, from a product standpoint, we've talked about data ingestion and workflows and things like that. What really gets me excited about this space is this idea of really building this intelligent layer to calibrate access. We now have pretty good self-driving technology, right? And it's wild if you stop and think about it.
We have cars that drive themselves and they're able to navigate these incredibly complex environments and respond in real time to them. And a huge amount of that is a result of the fact that LIDAR technology allowed us to capture a ton of information and actually start to figure out how to model all kinds of heterogeneous environments.
I think there's something similar that happens in access and identity, that if you can really nail the ability to create a ton of context and data, then you can actually start to build out the automation layer for real, basically. I think that's like a very unique opportunity. It's something like I feel like technologically is where the industry is headed to.
If you follow like anything that's happening in the big AI companies, there's a lot of discourse around security and specifically access management and how you calibrate that and how that grows flexibly and how you feel like you actually understand what's going on. I'm excited to see this industry take that leap in that direction.
It's just it's been so primitive right now from a technical perspective that there's just a ton of foundation you have to lay down.
My first team, like the leadership team, does influence a lot of the way that I work. I really enjoy working with whether it's my sales leader, marketing leader, engineering leader, and then really seeing how they bring their own leadership styles and manage their teams.
I also, I think, look up to certain like industry founders that I think were willing to do like the hard work, like really roll up their sleeves and figure things out. I'm a big fan of Databricks as an organization. I think they had like kind of an interesting early journey. And there's a lot of similarities. They had a very technical team and then they had to figure out how to build a business.
And I think they did. And a huge part of that story, it does feel like it's just like being willing to recognize what you don't know and embrace it and just learn things. I would say that I'm fortunate to have a lot of role models and people to look up to in various aspects. And I try to be self-aware.
I think it can be hard sometimes when you're in the zone, but I don't know, I feel like I'm still learning.
It's a weird job. Like nothing preps you for it. There's nothing you could read. There's no one you could talk to. And you can feel very self-conscious about all the mistakes you're going to make and all the things you do. And I think the thing that helped me the most and the advice I got was just being reminded of that. You don't have to know how... everything works.
You're not going to be able to know how everything is supposed to be. I remember when I was earlier in my career, I would think to myself, oh, I have to become like a C-level somewhere to be able to start a company. And the reality is, even if I had done that, I would still not be prepared for it, the level of like ambiguity and the questions and open-ended questions and mistakes I would make.
And so just being really comfortable with the fact that you're just constantly going to be learning and, and not lose that enthusiasm or excitement, I think is like the most important thing.
Thank you. Thanks for having me.
So Opal Security is at the highest level. I like to think of it as an identity security platform. And what we really do is basically build the data layer and the workflows and then threat detection and response to actually understand who has access to what in your organization and how to calibrate that and eventually fully automate that in a way that actually scales with your work.
I did more academic security in a past life. I studied some cryptography and I did a bunch of math and found myself repeatedly drawn to real world problems at the same time. I enjoyed the technical challenge, but then would have this desire to fix things that I saw happening in the real world. And one of those things was access management was this incredibly messy, fragmented issue at every scale.
Tiny 10-person startups to open source to big government labs. And it just felt like a strange thing. It's clear that this matters. It's important. It's almost ignored until it's too late. And I think a huge part of that is because people aren't willing to look under the surface and ask themselves, how did we get here? A huge part of that is the reality of how businesses grow and how they scale.
Another example of this is like building in our back end, our product itself, which is something that you will often see in like B2C or product-led companies gets left until way too late. I'm Umaimah Khan, also known as UK, the co-founder and CEO of Opal Security.
Security sometimes ends up being an afterthought, especially in product-led organizations, when it hinders the business. You just get to a point where you got this like insane wild west of like authentication and authorization and you don't really know what's going on in your org and you're a little bit scared to pull the trigger anywhere because of what could happen down the line.
I found myself like just fascinated, like both from an organizational and technical perspective that like this kept happening and eventually got so frustrated that I was like, you know what, I'm going to go figure out why this is the case and possibly build it. I was confused.
It just seemed like there would be these big legacy players that were just built to check boxes from a compliance standpoint so that you could say, oh yeah, we definitely do this internally, but not actually solving the problem at some deep technical or product level. And I at some point just said, you know what? Screw it. I'm just going to build internally and try to build a good system here.
And what I found was that I wasn't the only one who had gone through this. There were many companies, especially in the Bay Area, who had a similar realization. And then they would hit this point where they're like, I can't scale this internally anymore. I can't justify this internally anymore. And it was like such an intense conviction.
This was like the right place to start that I took sabbatical from that job and just worked on it full time. I thought about it from many different angles. And it was funny. Two and a half years ago, I would meet people and they would just be like, isn't this a solved problem? I don't get it. It doesn't like so and so like company already do this.
And I would just constantly just be like pushing back and saying, no, have you actually looked at the guts of what gets deployed and like what happens? No, people are just buying things and nothing is actually like solving the problem.
So the MVP was born from this, what is like a really obvious, like tactical problem or pain point to solve and how do you get there? And so like in our space, if you think about all of the context and the data necessary to even begin to like build scalable access, it's overwhelming, right?
And so then you scale back and you say, what is a way we can solve the problem knowing everything and having all the context would in a faster time to value? And that's this concept of just-in-time access. How do you just patch through access that's very time-based, that's very role-specific for a period of time that's tied to very specific events?
And in our case, that was building for syncing with on-call schedules. This is like... huge pain point for a lot of engineering teams. You're on call, all of a sudden some production system goes down that you may or may not have been granted access to at some given point in time. And now you're on the hook to figure out how am I getting access to this? Am I making a ticket? Am I paying my manager?
And all of that got distilled into a very simple entry point. And when we would show it, people would be like, oh my God, I get it. You know what I mean?
Oftentimes when people think like you're a product first organization, I think that means like you're just building stuff and it's just as important what you don't build early as what you do. When I think about where our products and vision really shines, it's in organizations that are incredibly large and complex and really basically need this firewall for like access, right?
They need to be able to understand the complexity with which different entities are moving around and what they have access to. And that can get very complicated very quickly on the edge cases and how you implement least privilege for those things, right? We had to make some decisions on, one, who can we sell to in the early days, even though we know that this is where we're headed?
And where can we provide value in a more direct fashion? So what that ended up looking like was saying no to certain integrations or very complicated workflows.
And coming back to this concept of JIT, this concept of here's actionable least privilege, here's like actual reporting we can show you on like mission critical systems you have today, even though you may have like thousands of applications you want to cover.
And then really tying that back to looking at our like cohort of early customers and making sure it resonated with all of our other customers who are in the same direction and looking for the same sort of like product vision.
To me, like the way I think about this philosophically is it comes back to positioning. So access touches a lot of different stakeholders in an organization and a lot of different departments and economic buyers. Like you can think that if you just think about it, right, like access is about it's a workforce issue, right? It's not just like directly security or engineering issue.
It's also a security issue. It's also a compliance issue. When we think about our positioning and what's unique about us at Opal Security is that we are a security company first and foremost. And that means that like from day one, we have to build a lot of trust and that has to show through in our features.
So we made very specific choices on what we would prioritize from that perspective, such as being able to work in hybrid environments, because we knew that even as a small company, if we wanted to be the backbone of people's access management and least privilege infrastructure, that they needed to feel like they could manage us entirely and work in these complex environments.
Another example of this is like building in our back in our product itself, which is something that you will often see in like B2C or product-led companies gets left until way too late.
There's like these things that I think got prioritized very early on the integration side, just like doubling down and like the cloud security space and building like really first class native integrations into the hyperscalers because we knew that while folks wanted to figure out what was happening in like their lower priority SaaS
applications today, they had no visibility or ability to remediate in these mission-critical production systems. There's no vendor serving that. It was flowing directly from that positioning again. What does it mean to be a security and infrastructure company solving access? And then once you've got that, you can start to engage and think about what do the other stakeholders need?
The user experience is really important if you want to have that data and that coverage. And so talking to our customers, understanding how important it was with them, working with them and making these parts of the roadmaps possible. A partnership helped us sequence. I will say that in the early days, as much as you want data, like sometimes it's just not there.
And also as you're figuring out who you're selling to and who your power users are, you're going to get a wide variance of feedback until you tighten that up. So there is like an element of like art versus science to it as well. You just have to spend some time using your own product. We dog food our product here internally and just talking to people and like really digging in.
Even if somebody says I need X feature, like trying to get behind that and say, what are you actually trying to solve for? And let's be creative about it.
It's very much being self-aware enough about who you are and building a team that's complementary to your own blind spots, as well as folks who amplify you. In my case, I would consider myself a fairly spiky individual. And so I knew that I would naturally gravitate towards other folks who spiked in certain areas, right?
Who were just like incredibly good at whether it was because I'm a technical leader, engineering, or sometimes like on the sales side and building a team that like when you have a lot of personalities, you also need to like make sure you're building the infrastructure for like good communication, for good understandings.
Early stage companies are largely built by sort of bad students, good test takers on across every department. And you need to like be very comfortable with that, maybe be a little bit like that yourself to let people run around the field and do their thing and like basically figure it out with you and experiment, and be very comfortable not waiting for like marching orders.
The other thing, and this kind of touches into how we're talking about roadmap, is obviously we built very critical infrastructure. Building a team that had the experience to know what they were building was also very important, because this is a product that requires a lot of trust and understanding.
So having a balance of those two things keeps the pace of execution going, but also the experience of having seen things before.
We are a security company, first and foremost. From day one, we have to build a lot of trust, and that has to show through in our features.
It's a balance. And I would say from day one, there was this notion of scale in mind. And at the same time, like recognizing when you're making one way decisions versus two way decisions. There are things you do early on, especially on the engineering side that like could be construed as tech debt. But you have to make those calls so that you can get to the next milestone.
There is like a small bucket of decisions, I think, architecturally that matter a lot, and it's very important to get them right from day one. So in our case, if you look at how Access products have been built in the past, none of them have really been built for hyperscale or complexity. They're not really built to have flexible data models.
This idea of context or being able to be flexible between role-based access control or attribute-based access control, it's quite difficult. And then the other thing is there's latency on all these things, whether it's requesting access or knowing who has access in real time. There's just not been systems that have been built from the ground up.
And some of that is just as a result of the fact that some of these companies and products are from a different era. But this idea of being built for scale was always like very top of mind and being able to be flexible enough on the data model. And that's where it's worth like putting in the investment. That's how we think about it, like from day one. And so that's where we didn't compromise.
On the rest of the stuff, it's very case by case. Sometimes it's better to have something done than have something perfect. And you make that call by, again, understanding what your core strengths are as a product. Our core strengths are reliability, accuracy, speed, and data. So that's where we wouldn't compromise architecturally and continue to make the investment to improve.
I would say the team, first and foremost, like I wake up every day and I'm just like, I can't believe that these people chose to like come here and work this hard with me, basically. That's first and foremost. I think the second thing is a lot of the things we've talked about as a product, and I don't say this as like a diss on us, but they are just how you think about good system building to scale across many things. We've seen the entire DevOps space, like CI, CD, mature as an industry in the last 10 years. And a lot of that just came from this idea of good engineers thinking very carefully about what reliability and infrastructure look like there.
And I think that we're starting to get to a point where people understand this is necessary in identity and access as well. Right.
And I'm really proud of the fact that as a market, there has been enough maturity over the last couple of years that people are starting to stand up and take notice of that and are now thinking about this problem from this perspective, as opposed to, oh, I'm building a ticketing platform that's going to allow me to have this one workflow for everything.
On the product and edge side, there have definitely been things I look back and I say, I shouldn't have prioritized that. For example, there's this class of ill-fated UX redesigns, which are incredibly painful and very resource intensive that I think back to and I'm like, man, it just feels like the team was on a merry goose chase for three months.
In terms of how you respond to it, my perspective on things like this is honesty is the best policy. You own up, you explain why you made the decision you made, you explain how we got to this point, why it's and just open the space for feedback and how as a team, we won't find ourselves in similar positions. How can we learn from these things? The reality is you make a lot of mistakes.
The question is, do you make the same mistakes over and over again or are they learning opportunities?
Up to this point, from a product standpoint, we've talked about data ingestion and workflows and things like that. What really gets me excited about this space is this idea of really building this intelligent layer to calibrate access. We now have pretty good self-driving technology, right? And it's wild if you stop and think about it.
We have cars that drive themselves and they're able to navigate these incredibly complex environments and respond in real time to them. And a huge amount of that is a result of the fact that LIDAR technology allowed us to capture a ton of information and actually start to figure out how to model all kinds of heterogeneous environments.
I think there's something similar that happens in access and identity, that if you can really nail the ability to create a ton of context and data, then you can actually start to build out the automation layer for real, basically. I think that's like a very unique opportunity. It's something like I feel like technologically is where the industry is headed to.
If you follow like anything that's happening in the big AI companies, there's a lot of discourse around security and specifically access management and how you calibrate that and how that grows flexibly and how you feel like you actually understand what's going on. I'm excited to see this industry take that leap in that direction.
It's just it's been so primitive right now from a technical perspective that there's just a ton of foundation you have to lay down.
My first team, like the leadership team, does influence a lot of the way that I work. I really enjoy working with whether it's my sales leader, marketing leader, engineering leader, and then really seeing how they bring their own leadership styles and manage their teams.
I also, I think, look up to certain like industry founders that I think were willing to do like the hard work, like really roll up their sleeves and figure things out. I'm a big fan of Databricks as an organization. I think they had like kind of an interesting early journey. And there's a lot of similarities. They had a very technical team and then they had to figure out how to build a business.
And I think they did. And a huge part of that story, it does feel like it's just like being willing to recognize what you don't know and embrace it and just learn things. I would say that I'm fortunate to have a lot of role models and people to look up to in various aspects. And I try to be self-aware.
I think it can be hard sometimes when you're in the zone, but I don't know, I feel like I'm still learning.
It's a weird job. Like nothing preps you for it. There's nothing you could read. There's no one you could talk to. And you can feel very self-conscious about all the mistakes you're going to make and all the things you do. And I think the thing that helped me the most and the advice I got was just being reminded of that. You don't have to know how everything works.
You're not going to be able to know how everything is supposed to be. I remember when I was earlier in my career, I would think to myself, oh, I have to become like a C-level somewhere to be able to start a company. And the reality is, even if I had done that, I would still not be prepared for it, the level of like ambiguity and the questions and open-ended questions and mistakes I would make.
And so just being really comfortable with the fact that you're just constantly going to be learning and not lose that enthusiasm or excitement, I think is like the most important thing.
Thank you. Thanks for having me.
So Opal Security is at the highest level. I like to think of it as an identity security platform. And what we really do is basically build the data layer and the workflows and then threat detection and response to actually understand who has access to what in your organization and how to calibrate that and eventually fully automate that in a way that actually scales with your work.
I did more academic security in a past life. I studied some cryptography and I did a bunch of math and found myself repeatedly drawn to real world problems at the same time. I enjoyed the technical challenge, but then would have this desire to fix things that I saw happening in the real world. And one of those things was access management was this incredibly messy, fragmented issue at every scale, tiny 10-person startups to open source to big government labs.
And it just felt like a strange thing. It's clear that this matters. It's important. It's almost ignored until it's too late. And I think a huge part of that is because people aren't willing to look under the surface and ask themselves, how did we get here? A huge part of that is the reality of how businesses grow and how they scale.
Another example of this is like building in our back end, our product itself, which is something that you will often see in like B2C or product-led companies gets left until way too late. I'm Umaimah Khan, also known as UK, the co-founder and CEO of Opal Security.
Security sometimes ends up being an afterthought, especially in product-led organizations, when it hinders the business. You just get to a point where you got this like insane wild west of like authentication and authorization and you don't really know what's going on in your org and you're a little bit scared to pull the trigger anywhere because of what could happen down the line.
I found myself like just fascinated, like both from an organizational and technical perspective that like this kept happening and eventually got so frustrated that I was like, you know what, I'm going to go figure out why this is the case and possibly build it. I was confused.
It just seemed like there would be these big legacy players that were just built to check boxes from a compliance standpoint so that you could say, oh yeah, we definitely do this internally, but not actually solving the problem at some deep technical or product level. And I at some point just said, you know what? Screw it. I'm just going to build internally and try to build a good system here.
And what I found was that I wasn't the only one who had gone through this. There were many companies, especially in the Bay Area, who had a similar realization. And then they would hit this point where they're like, I can't scale this internally anymore. I can't justify this internally anymore.
And it was like such an intense conviction this was like the right place to start that I took sabbatical from that job and just worked on it full time. I thought about it from many different angles. And it was funny. Two and a half years ago, I would meet people and they would just be like, isn't this a solved problem? I don't get it. Doesn't like so and so like company already do this?
And I would just constantly just be like pushing back and saying, no, have you actually looked at the guts of what gets deployed and like what happens? No, people are just buying things and nothing is actually like solving the problem.
So the MVP was born from this, what is like a really obvious, like tactical problem or pain point to solve and how do you get there? And so like in our space, if you think about all of the context and the data necessary to even begin to like build scalable access, it's overwhelming, right?
And so then you scale back and you say, what is a way we can solve the problem knowing everything and having all the context would in a faster time to value? And that's this concept of just-in-time access. How do you just patch through access that's very time-based, that's very role-specific for a period of time that's tied to very specific events?
And in our case, that was building for syncing with on-call schedules. This is like... huge pain point for a lot of engineering teams. You're on call, all of a sudden some production system goes down that you may or may not have been granted access to at some given point in time. And now you're on the hook to figure out how am I getting access to this? Am I making a ticket? Am I paying my manager?
And all of that got distilled into a very simple entry point. And when we would show it, people would be like, oh my God, I get it. You know what I mean?
Oftentimes when people think like you're a product first organization, I think that means like you're just building stuff and it's just as important what you don't build early as what you do. When I think about where our products and vision really shines, it's in organizations that are incredibly large and complex and really basically need this firewall for like access, right?
They need to be able to understand the complexity with which different entities are moving around and what they have access to. And that can get very complicated very quickly on the edge cases and how you implement least privilege for those things, right? We had to make some decisions on, one, who can we sell to in the early days, even though we know that this is where we're headed?
And where can we provide value in a more direct fashion? So what that ended up looking like was saying no to certain integrations or very complicated workflows.
And coming back to this concept of JIT, this concept of here's actionable least privilege, here's like actual reporting we can show you on like mission critical systems you have today, even though you may have like thousands of applications you want to cover.
And then really tying that back to looking at our like cohort of early customers and making sure it resonated with all of our other customers who are in the same direction and looking for the same sort of like product vision.
To me, like the way I think about this philosophically is it comes back to positioning. So access touches a lot of different stakeholders in an organization and a lot of different departments and economic buyers. Like you can think that if you just think about it, right, like access is about it's a workforce issue, right? It's not just like directly security or engineering issue.
It's also a security issue. It's also a compliance issue. When we think about our positioning and what's unique about us at Opal Security is that we are a security company first and foremost. And that means that like from day one, we have to build a lot of trust and that has to show through in our features.
So we made very specific choices on what we would prioritize from that perspective, such as being able to work in hybrid environments, because we knew that even as a small company, if we wanted to be the backbone of people's access management and least privilege infrastructure, that they needed to feel like they could manage us entirely and work in these complex environments.