Ian Yip is the founder and CEO of Avertro, a venture-backed startup that creates software to help teams manage and measure their cybersecurity performance. In this episode Cole Cornford spoke with Ian about how being a salesperson is a valuable skill for any security professional, the common fallacy in software of "if you build it, they will come", the similarities between starting a company and having kids, and plenty more.
Hi. I'm Cole Cornford, and this is Secured, the podcast that dives deep into the world of application security. Ian Yip is the founder and CEO of Avertro, a venture-backed startup that helps teams manage and measure their cybersecurity performance.
Ian Yip: Security people sometimes think we know best, and by sometimes, I mean all the time. We always sit there lamenting the fact people aren't listening to us, and why is it so hard to get people to care, et cetera, et cetera. But if you leave your ego at the door, then you're more willing to listen to what's going to move the needle.
Cole Cornford: I really enjoyed this conversation. We spoke about how being a salesperson is a valuable skill for any security professional; the common fallacy in software of, if you build it, they will come; the similarities between starting a company and having kids, and plenty more. Whether you're an industry veteran or just entering the world of AppSec, I'm sure this episode will have something valuable for you. Let's jump right in.
Cole Cornford: Welcome, Ian. How are you going, mate?
Ian Yip: I'm all right. Thanks for having me.
Cole Cornford: Yeah, no worries. Just to get started, I usually ask all my guests, what kind of bird are you and why?
Ian Yip: Yeah. The first thing that comes to mind... My little one's currently reading Harry Potter for the first time, so I guess an owl is a good one. They're known for being wise; I don't know if that's factual, but that's the stereotype. At the same time, they're a bird of prey and they're also quite predatory, in a good way, right? I think they're strong and they can make decisions and they're wise, so I like those qualities. Maybe not the predatory part, but the positive side of it.
Cole Cornford: I was going to say, you probably don't want to be jumping on a podcast, saying, "Yeah, man, I'm a bit predatory." I think the history of the owl is in a lot of... Because it's basically... It's a nocturnal animal, and with a lot of, I guess, ancient mythologies, so both Norse and Greek, it was always associated with wisdom. So I think that that's just permeated through history, and nowadays we're always assuming that owls are associated with wisdom because they were back then.
Ian Yip: And actually you do bring up a good point. I think back from when I was in uni, I used to stay up late doing assignments and things, and that probably hasn't changed. I'm still sometimes up at... Not that I'm encouraging everyone to be up at midnight doing work, but that does still happen sometimes. So I am nocturnal, and then sometimes I do my most efficient work at midnight as a force of habit.
Cole Cornford: That's probably a good thing is... I have kids, and so I find that the best situation for me is either really early in the morning or really late at night because my baby's going to be asleep and my daughter's going to be just basically crashing around eight or nine o'clock, and then I've got a few hours to smash stuff out, or I get up early in the morning. The problem is it's too bloody cold in the morning.
Ian Yip: Yeah, now winter it is. It is. But yeah, you've got to work your life into there as well, and if that's the way you got to work it, that's the way you got to work it.
Cole Cornford: So whereabouts are you located?
Ian Yip: I'm usually in Sydney, Australia, but this year I've been around the place. I've been in the US a little bit. I've got a trip to Singapore coming up. I'll be in the US again at least two more times this year. That's usually the way I've answered the question. I'm supposed to be in Sydney, but doesn't mean I'm always here.
Cole Cornford: So you're traveling around a fair bit. Is that because of your company, then?
Ian Yip: Yes, it's work-related. I think in one of my prior roles... I've had corporate roles in the past, and the more recent ones were fairly regional, meaning I wasn't flying lots. Obviously we had the pandemic in 2020 that stopped all travel, so I didn't travel at all, obviously, like most people in 2020. Not really in 2021. But as the world has got back to the new normal, not the old normal, I think we've been able to travel a little bit more. And for what we do, I think it's helpful, especially if we're talking about expansion and business-related reasons. You kind of need to be at different places. I've made it a point, or we made it a point to expand our wings, so to speak, like an owl, this year. So, yeah, I've been traveling a lot more in 2023.
Cole Cornford: I've been seeing I have a lot of founders I know locally, at least Laura and Peter, if you know both of those, and even Susie. They all go traveling a fair bit for work as well. That's probably a good segue, actually, is maybe you could tell us a bit about your background and how you came to becoming a company founder yourself.
Ian Yip: My background... So about 20 years in security. I was a graduate at IBM straight out of university. I have a computer science degree, or software engineering degree, so I've been technical from way back. I obviously did learn a little bit of security, but back then it wasn't called cybersecurity. It wasn't even called information security. It was just called networking security or IT security or whatever you want to call it, right? It was IT. And like a lot of people who have been in security for a little while, I kind of fell into it by accident. I was doing the grad rotation thing at IBM, and various things were interesting, various things were not.
Ian Yip: I think IBM in their foresight back then saw that security was going to be an up and coming thing. They started a security consulting practice and they were obviously looking for a lot of people to join that given the work that was coming up. I heard about it, I put my hand up. I think this was one of the lessons I learned very early on; if you don't put your hand up and you don't actively go seek something, it probably ain't going to happen. So I went to look for the hiring manager and said, "Hey, I'm a grad. I'm interested. I hear you're looking for people. Security seems interesting. Can I join the team?" So they went, "Yeah, you seem like a smart enough guy. You're proactive. Sure. Come join the team." And next thing you know, I'm in the security consulting practice, IBM. That's how I fell into it, and that's how I got my start in security properly.
Cole Cornford: Yeah, so it's kind of funny because I had a similar situation myself. Because I graduated from my university in 2011-12-ish. I can't remember the exact date. And then I just did freelance software engineering for a few years until I got into a grad program at the ATO. I did like three rotations. First rotation was in an agile software development world where I learned things like stand-ups, where people would turn up and then move punch cards on the wall around randomly. And then they realized there was a thing called Jira a few years later. And then eventually I moved into a contact center rotation, which was, funnily enough, one of the reasons I actually know my taxation stuff fairly well at this point is they made everybody do a month of sitting there on the phones taking calls from people around tax time. I think it's a bit ingenious, honestly, that you get graduates as a way to get extra labor during the period when it's really stressful and there's a lot more demand on the tax system, and then the graduates finish up when that disappears just around August. And then I moved into cyber. I got into an AppSec team. So it's kind of funny that when I joined that team, almost everybody left.
Ian Yip: Wow. Not through your doing, obviously, right?
Cole Cornford: I joined and I was like, "Hey, guys, I'm here," and they're like, "Yep, we're going. See you." No, they went to go create a SOC, so they just picked up that whole team and pushed it somewhere else. They said, "Oh, we still need an AppSec function so, Cole, you can lead it." I'm just like, "Okay, sure. I guess I'll figure out what AppSec is." It's funny, the deep end is really good. It's a good place to be. You learn a lot. But yeah, man, those grad programs, I really encourage people all the time to go give them a go. Even being able to understand a lot of different parts of an organization, instead of just saying, "I'm the cyber guy. I work in cyber," and then not understanding how the development team works or the risk team or the policy and governance teams, or even accounts payable/receivable or HR, just being able to move around an organization and meet different people really does matter, I think. That's what grad programs did for me.
Ian Yip: Yeah. I think that's one of the good things about a bigger company. Obviously we now run smaller companies, but I think we have to be quite realistic about things. A bigger company like the ATO or IBM, they do give you that ability to probably get your fingers in a lot of the stuff that maybe you wouldn't get otherwise. So depending on your stage of life, yeah, I think it's served both of us well. That's something we have to be grateful for.
Cole Cornford: You did say something interesting now, which is that you have to always put your hand up. I've always felt that that's the case as well. I actively seek and say, "Hey, I like this person. I want to go talk to them and just say hello," and not necessarily anything will come out of it, but I figured that if you don't do that kind of stuff, then you're not going to really... There's this common trope I see with software engineers called, if you build it, they will come. We're going to focus on building the best product available, and then that's it. It's the best. But I know that that doesn't work.
Ian Yip: No, it absolutely doesn't work. If you talk about entrepreneurial journeys, people will ask, "Is this the first company you've ever started?" I kind of dipped my toe, so to speak, in the waters 10 years ago, and I think that naivety when you're a little bit younger does play a part from a technical background. I did think as well, if you build it, they will come, but if you don't realize that you've got to actually sell things and there's a go-to-market in there, you've got to market things, you've got to know how to do all that, both from a business standpoint and a personal standpoint... More recently, we hired a grad into our team earlier in the year. We weren't actually hiring for the grad. And to the point we're making around, you could have put your hand up, he just sent me a cold message out of nowhere, saying, "This is why I'm great for the company. I know this about a company. I heard about you. I like to do A, B, C. I'm going to align with your values. Please have a chat to me." And now he works in our team, and that wasn't a headcount we had, because he put his hand up. I was smart enough to realize that he had all the qualities we want, and he's somebody we want to bring on board.
Cole Cornford: Yeah, I really encourage people, just go out there... Don't be obnoxious and message everyone on LinkedIn constantly, but if there is something that you are willing to give it a go... People are generally relatively friendly in cybersecurity. I know there's the occasional bad egg, but what's the worst case is they reject you, so you just move on with your life.
Ian Yip: Yeah. That's right.
Cole Cornford: But yeah, going back to your entrepreneurial journey, I've made a lot of mistakes myself running a consultancy business. Initially, let's just say that I've never done consulting prior to starting my consultancy business, so that's been a really good learning curve. I imagine that for yourself, moving into a product company from cyber consultant would've been interesting too, right?
Ian Yip: Yeah. I've worked for a product company in the past, obviously. I've done various kinds of roles. I was at EY, I was at McAfee for a little while. Obviously McAfee is more of a product company. EY is pure consulting. So I've run the gamut of different things. I always like to say every role I've ever done is a training course to do what I currently do. You were talking earlier about being at the ATO and learning about accounting and all those kinds of things that have nothing to do with security. Not that I worked at the ATO, but I think there were various bits of different roles that I had to pick up skills that maybe weren't naturally about technology or security. There's a lot of leadership management things that you pick up along the way. But talking about starting a company, I think those things served me in good stead. I know how to do various things, not that I know all the answers, but there are various things I just naturally know how to do that I didn't realize would be useful in terms of running a startup, particularly one that is focused on delivering a piece of software to the industry.
Cole Cornford: So what kind of skills have you been able to pick up in your career that have helped you with Avertro?
Ian Yip: I think the most important one is how to sell. People always realize a little bit too late that selling is an art form. It's not as easy as everybody thinks. If you can't sell it, well, you can't keep a company going. Whether you're doing professional services or you're selling a physical product or a piece of software, learning to sell is one of the most useful skills anyone can learn. Early on in my career, I didn't think I wanted to be a salesperson, but as I got into trying to grow my own skillset, I realized I wanted to round them out a little bit more than what I was learning early on. And I think you used the word you seek different things. Well, I like to say I like being comfortably uncomfortable. You're always looking for something that you don't really know how to do, but you realize along the way that you will need it; it will serve you in good stead moving forward. Sales is one of those skills.
Ian Yip: Leadership obviously is something that is really important when you're starting a company. You're leading the company. You're leading yourself. You need to self-motivate. No one's telling you what to do. If you don't do it, it doesn't happen. If you don't motivate yourself, it doesn't happen. If you don't manage yourself, it doesn't happen. If you extend it to learning to lead a team, I think that's one of the things you learn along the way. That's probably a little bit harder to do if you try to start a company straight out of university, for example. People obviously do do it and they learn along the way, but then you end up making more mistakes, and you need the buffer to make the mistake, so ideally you want to make fewer mistakes once you start a company than other things.
Ian Yip: And then I think the third most important thing is just patience. Things always take longer than you think they're going to take. And even after you account for the fact they'll take longer, they will probably take longer still. It's one of the most, I think, useful skills in being an entrepreneur that... You realize that a lot of things you read are the exception, an extreme exception. You hear about companies selling within a year or getting to certain metrics within six months. That's not normal. If you optimize for what you read in the press, whether it comes to entrepreneurialism or business or security, you're setting yourself up for a lot of disappointment.
Cole Cornford: Lots to unpack there. I think that sales is something I've had to pick up. I'm naturally a good salesman. And I've never really thought of myself that way, but I seem to be able to walk into a room and then come out of it with a statement of work, a purchase order, and an invoice. I guess that's from being pretty good at my craft, but also being able to listen to what people want and knowing what's the right opportunity and when to walk away from things. And I don't know where I learned this skill. I really don't, because I've pretty much always worked back-of-house kind of roles. I'd say that the only way I could have really picked it up is having to sell application security to engineering teams. There's the whole, "Oh, yeah, let's just shift left and then you save money," and stuff, so I guess over time I would've developed that kind of skill. But I know early on I used to think, again, that I would be able to just make lots of sales really quickly with just my existing network and everyone would buy because awesome, and that's not at all the case. It's a very humbling experience getting rejected by people who are close friends, and then suddenly you realize, wait a second, there's a difference when you become a vendor as opposed to someone who's a professional colleague within your industry, right?
Ian Yip: Yeah. Yeah, you actually do make a good point there. I think a lot of people think sales is a dirty word, but the most effective security people are actually really good salespeople, because even if you're trying to communicate or convince people internally... Because security, for the most part, is about change management. You have to change the way stuff is being done to be effective, and you've got to do a lot of internal selling. If you talk about internal comms within the security team, or even outside of the security team where you're trying to convince your dev team to write secure code or to value security, you're talking to a board and getting them to care, you are selling security as a function. If you're not a good salesperson internally, it's very hard to be an effective security person. The best security people are maybe not naturally good salespeople, but they've had to learn how to sell and market security internally, which I think may be where some of those skills just permeate into our skillset as we become more experienced and be more effective in our roles as we get older.
Cole Cornford: I guess I see a lot of people who do work in cybersecurity who are a little bit bitter and disappointed and really emotionally tied to the types of vulnerabilities that they encounter and in the fact that businesses choose not to do things about them. And ultimately, I do feel like it comes down to a communications and sales problem. Everyone's really willing to go out there and get your certifications, your qualifications, and at the end of the day, the person who actually signs off on these kind of things doesn't care if you have an OSCP or an OSCE or [inaudible 00:16:15], whatever. All he cares about, or they care about, is does this matter for my business? How expensive is this going to be? Am I really at risk? What's important? Tell me something that means something to me, right?
Ian Yip: Yeah.
Cole Cornford: I always take that into my consulting nowadays, is I say that context is everything. If I come across a hard-coded credential, the first question I'm going to say is, "Hey, developers, instead of raising a high-severity finding like a lot of people would do," I'd say, "What are you using this for?" And then they'll come back to me and say, "Well, it's a development because we're trying to test things really quickly, and it's hard for us to use the security provider tools like HashiCorp Vault," or whatever, "so we just can't put it into code so we can get it done quickly," in which case, yeah, it's not perfect, but at the end of the day, the context then says that this is for a test environment or a dev environment and they're using it because we provided a bad user experience for the engineering teams. So I feel like those kind of scenarios are why I have become and gravitated towards being a good salesperson over time, because I'm willing to listen to people about what their concerns are and then come back with a reasonable solution.
Ian Yip: Yeah, absolutely.
Cole Cornford: Yeah. I also heard a really good one there was about pushing to be uncomfortable. So what scenarios have you pushed yourself into to say, "Hey, this is my comfort zone. I'm going to really push myself out of"? Because I've got a lot of those myself.
Ian Yip: I think every role I've taken has been slightly uncomfortable, and it was done, I think, deliberately that way. I'm not saying I went and deliberately looked for new roles. I think sometimes roles will just come to you, as happens in security, particularly nowadays. But you have a decision to make there whether you want to go pursue it or go, "No, that's not for me." I tend to not try to do roles where it was the same as the role I was doing. We talked about early on in my career at IBM, it was mostly technical, but even within IBM I had three different roles. I did security consulting a little bit and I realized that my skillset for communication needed to be built out a little bit. So I actively went and sought a different role within IBM to move to the software sales side of the business. It was still in security, but then I thought, "Why don't I try out how to sell something?"
Ian Yip: And then I joined the IBM software group and sold the identity access management suite for IBM. Identity access management was kind of a comfort zone for me because that was a lot of what I was delivering, but the whole trying to sell it for IBM and dealing with a software of Tivoli and so on was a little bit outside my comfort zone. The selling part was absolutely outside of my comfort zone. So that's one example, moving into different areas.
Ian Yip: I think you talk about being much more external-facing. Probably the most uncomfortable thing for some people was public speaking. Having to do sales and being in that kind of evangelistic role is absolutely public speaking, and if you want to shy away from that, it's not something that's very comfortable. Most people say that they have a bigger fear of public speaking than a lot of other things. I really didn't like public speaking in high school, and it was something I had to force myself to do very publicly. And then the nth degree of that is to deal with media. So a little bit later in my career, I took roles where it was very much outward-facing kind of roles, on top of all the stuff I do internally. I had APAC-led roles both for IBM and at NetIQ, and I had to do things like speak with Sky News and CNBC and Bloomberg and the ABC News and Channel 7, et cetera, which is very scary from a person who had never done it before. Because the first time I had to do that, I was sitting there going, "Hang on a minute, this is national news and is in there for perpetuity. I better not screw it up."
Ian Yip: So those are just a handful of examples where I deliberately sought roles that would give me both a way to build out my skillset to be a little bit uncomfortable. At the same time, the payoff is very high if you do it well. Obviously the risk that you take is that you don't do it very well. But ultimately the biggest risk I think I've ever taken, maybe similar in terms of their pay packet and obviously the success and demise, hopefully which never happens to anyone who does all the right things, rests very much with the good decisions that you make and sometimes the bad decisions that you make. It's going to come down to, okay, what's your risk appetite for being able to do that versus sitting in corporate and having a very safe job that pays you a salary?
Cole Cornford: I think that there's a lot to unpack there. So risks, I feel like actually starting a company is not as big a risk as people seem to think, because the worst case scenario generally is that you'll declare bankruptcy and then you'll go find a stable corporate job within a few weeks probably, right? Yeah, it might take you a bit of time to get on top of some of your director obligations if you, I don't know, screw up with your GST payments or something, but at the end of the day, I don't think it's too bad if you start off small. It's just if you grow too fast and then it becomes really unmanageable, then that's a big problem because you are affecting other people. But I encourage people to start businesses and actually learn what it's like, because if you want to be a better security professional, you need to be able to speak the language that basically business stakeholders use. If you understand terms like cashflow management and your total addressable market and what your go-to-market strategy is and so on, you can have far better conversations than if you turn up just throwing cross-site scriptings at people and then hoping that they understand what that means, right? I actually really hate cross-site scripting. It should just be called content injection, but whatever.
Cole Cornford: The public speaking thing really is something that I really understand quite personally too. When I was in high school, I remember getting up in front of I think a year nine or eight class, and it's a topic I really loved. It's, again, ancient history. It's funny you bring up the owl earlier. I'm really, really into Greek mythology at that point in time, and I just needed to just talk about a few things that happened then. It was like... I can't remember exactly what, but basically it felt like a Sisyphean task, if you've heard of that before.
Ian Yip: Yeah.
Cole Cornford: Pushing that rock up the hill indefinitely. I ended up getting up there and stuttering in front of everyone and just saying, "Ah, stuff this," and just walking out the room, upset with myself. I got a big fat zero for public speaking, and my parents are very angry with me about that.
Cole Cornford: So I guess over the years I just kind of recognized, why am I so bad at this? Why am I an awful public speaker? There's got to be a reason for it. And then I just pushed myself into positions that were increasingly baby steps, but getting better at practicing being in front of an audience and talking about things. It started off at university, taking the lead on group assignments, or going to... at the ATO, having regular sessions with development teams to say, "This is what cross-site scripting is," or whatever. I would do it badly and I would never like it because I just wasn't good at public speaking at that point in time. But then over time, you do build those skills up and you get to a point where... Actually, now I have no problem going to meet-ups or conferences and standing in front of hundreds of people and saying, "Hello, I'm a giant galah. Let's have fun."
Ian Yip: Yeah. I think you make a good point. A lot of times ultimately it's about the old adage, "Just one step at a time." It is a bit of a cliche, but it's true. If you have a task that's too big and daunting in front of you, you would just never do it; for the most part it's a mental block. If you think about breaking it up, you could actively decide to make that step one at a time to eventually get there. Same for business. You take one step at a time. You don't need to do big bang because, yeah, big bang like you alluded to sometimes can end in disaster from a business standpoint. Obviously not disaster in the truest sense.
Cole Cornford: I see a lot of security people who do want to start businesses, and they're thinking to themselves, "Oh, I need to..." They create themselves a task, a list of infinite tasks, to be able to actually start the business, right? Have you ever heard of yak shaving before?
Ian Yip: No, but I'm sure you can enlighten us on that.
Cole Cornford: So it's a software engineering story. I'm not going to be able to retell it very well. But basically a guy needs to change a light bulb or something, and then he realizes, "Oh, I need to get my ladder from my neighbors to go up to get my light bulb." And then you realize that to get that, you forgot to give a tool back to the neighbor, so then he needs to drive the car. But then you forgot that your other neighbor's car, you've made a mistake and you need to go help him out, so you go pick up some fuel. And then by the time you've done like 30 actions, you're going to go shave a yak so that you can get stuffing for the pillow so you can give it to the neighbor so you can take his car to go get a light bulb, right? Then the idea is that if you're making a list of tasks like this so that you can actually do the one thing that matters... Which honestly, if you're looking to change a light bulb, it could just be as simple as just going downstairs and getting a lamp or using a flashlight on your phone, which is more important if you need light in that room than doing 50 different things to actually avoid doing the task that you really need to be doing, right?
Ian Yip: Yeah.
Cole Cornford: I feel like as software engineers, we always go for perfection first. We just tend to actually yak-shave most problems. I guess with a business... Actually the probably easiest one to think about is a gym routine. My view is just go to the gym and pick things off randomly, and then that's better than sitting there, planning a routine, planning a diet meal, diets, and then thinking about checking your form for every single machine. I just think if you just go in there and just sit on a bike for 10 minutes, that's the best way to start, or if you do rowing for 20 minutes, do that. And with businesses, I see the same thing. I'm going to make a website, I need to get my marketing collateral ready, I need business cards, I need to get my CRM sorted, and it's like, no, no, no, no, you don't need all of this to start. All I did when I started was just walk up to people at meet-up groups and say, "Hello, do you want application security," and they're like, "Lawl, go away."
Ian Yip: Yeah. Yeah, right. There's a lot of parallels between starting a business and having children, right?
Cole Cornford: Yeah.
Ian Yip: If you ask anyone who's ever had kids, "Were you ready..." Because some people wait. "I want to wait until I'm ready." Same for business. "I want to wait until I'm ready. I want to wait for the right time." But for those of us who are parents, we're both parents, you're never really ready to have a kid. You work it out along the way. The same can be said for starting a business, whether it's a side hustle or your main gig. It's like, I don't think you're ever really ready. You get ready by doing it. That's really the only way to do it, because there are things that you have to learn along the way that you're never going to be able to write on a piece of paper to tick off that you've done, because you're not going to be able to do it until you actually do it.
Cole Cornford: I swear that reading all of the Y Combinator stuff, it was all nice and helpful and all of that, but at the end of the day, the most important things that I learned from just actually doing it and... Being a dad, I had a whole book of What to Expect When Expecting, and then another one's What to Expect in the First Year, and I think I read the first chapter of each and then realized that, no, I should just take care of my wife and just do tasks, right? Feed the baby, change the nappies. It's like, you learn these things as you become a parent. And I've seen a lot of people in their careers actually choose to delay children for a long time because they don't feel like they're ready for it. I actually know a lot of people around my age group who've specifically chosen... They said they're not going to have kids until their mid-30s or early-40s. And I'm sitting there thinking to myself, "Well, when will you be ready? What's the stability look like?"
Cole Cornford: How did you go with having kids? Because I made a very specific timeframe where I said, "At 30, that's when I'm going to have my kids." For me, I didn't want to be too old so I couldn't be an active grandparent, and I didn't want to be too young where I didn't have enough financial surety with my career at the same time. That's kind of where my benchmark was. But what about you?
Ian Yip (:I think we had a similar mindset. It was a whole, how old do you want to be to be able to play with your grandkids? You've kind of got a window there. I suppose the first question is, do you actually want kids? Not everyone wants kids. We did. But at the same time, I think... I lived in the UK for a little bit, so I think we probably didn't want to bring a kid into the world while we were not at home. I think we also had to be at home while we did it, so it was either going to be really early on or had to be after that. So to a certain extent, that was the timeframe, to be stable to a point where it could feel like home and we had a support system around us, the grandparents, the brothers and sisters, and the aunties and uncles and all that kind of stuff, and the friend... The support network I think was useful.
(:We obviously had the whole, "Are we ready to do this," kind of discussion a little bit younger, but then, like we were just talking about, as you get older, you realize you're never really going to do that. All you can do is make sure that your comfort level is sufficient, or you may not feel ready, and that if for whatever reason certain things don't happen the way you planned out, you've got the support around you and the stuff like being home to do it. I think that was probably the main thing we had to get our minds around before we went, "You know what? That makes sense now."
Cole Cornford (:There you go. Same thing with businesses and starting families, just do it. Give it a go. See how it is.
Ian Yip (:Pretty much. I don't want to tell people to not do any planning. You obviously have to think about it. You can do some research. You and I both did some research, but you research to a point so that you don't go in completely clueless. But at the same time, you don't need to be a PhD in whatever the topic is to do it, right?
Cole Cornford (:Yeah, I think people overanalyze everything. Even going back to what I was saying about being uncomfortable with something, right? You can jump in the deep end with absolutely no research, and I think that that's actually not necessarily a great thing to be doing. I still think there's a healthy level of planning that you need to do. You should get at least some floaties on before you jump in the pool if you've never done swimming before.
Ian Yip (:Absolutely. You have to do your homework. I'm always an advocate of doing homework, but you don't have to do your homework to the point where you only want to do it if you are sure you're going to get 100% on all the exams.
Cole Cornford (:Moving to a different topic, I'd like to chat a bit about your business, actually, because I know that it's a software as a service company and it deals with managing risk, but otherwise I'm pretty new to it. I see you stand at lots of events, so you're clearly doing a lot of marketing. Can you tell me a bit about where you started and why you felt there was a gap in the market to create Avertro?
Ian Yip (:Yeah, I think I alluded to it. Earlier in my career, I was in identity access management. Security has always been a very technical pursuit. It continues to be. It's still important that we understand security is a technical pursuit, but given what we've seen of late, I think executives, boards, leaders, it's become much more mainstream... As security professionals, we probably keep saying to people, it's always been mainstream. Just no one noticed. But if you talk about the zeitgeist and what really shows up in the main tier-one newspapers and news outlets, it's really only been the last couple of years where it's become that level of visibility for boards and executives.
(:Now in my roles at EY, McAfee, I think that really started to become really clear to me. There was a lot of work I was doing in those kinds of roles where there's some things that the ecosystem can provide for you for executive and board and leadership visibility and understanding around security. You can get consulting help, which I literally did for people when I was at EY. You can get some technology help, but there's technology where you can piecemeal it together, where you can use multiple kinds of technology alongside the consulting help, alongside the people you can hire, to try and solve a problem. But ultimately, there was still a gap between what execs and stakeholders had in terms of trying to make decisions versus what security teams could provide for them in a way that makes sense. You kind of alluded to it. You've got to be able to speak the language of business if you're trying to tell a board or executive that isn't a security expert why it matters, why you need certain amounts of money, why you need to do certain initiatives, why AppSec's important, for example. And the operational way that teams were being forced to do it, in my mind, wasn't efficient.
(:I saw a gap in the market as I was about to start Avertro, where we needed to operationalize the business of cyber, so to speak, which involves risk management, involves compliance, involves strategic management, involves communication, involves reporting, all of the above. And because I had to literally do it for people manually and I also had to listen to people complain to a certain extent to me about how inefficient the system was and how they were being forced to do it, I thought there's a way for us to build a system that ties everything together in a manageable way. So we've evolved the system over the years. We're about three and a half years old now, but when we first started, it was more optimizing for, how can we just optimize for helping people communicate this better in an operationalized, sustainable, repeatable, defensible way? That was the impetus for why we started Avertro, to solve what we solve for and for the mission that we're on. The mission hasn't really changed. What has changed, obviously, is the market's changed a little bit, and the way we've been able to listen to the market and iterate on how we solve for this problem has changed a little bit. Yeah, that's why we exist and that's why we are still going.
Cole Cornford (:It's really cool that you've been able to recognize that what you built three and a half years ago is not what is necessarily the same now, and you needed to go pivot and change your focus. Why did you have to move? Was it because of the fact that the compliance changed, or that there wasn't product market fit, or the market itself, it's in a downturn so it's hard to do cyber sales? What's driving these core product changes for you?
Ian Yip (:I don't think any company ever gets to product market fit within year one. So we didn't expect we were at product market fit in the first year. All we had to do was have a hypothesis for what could get our first couple of customers, which we did in various ways, but then if you don't adapt to the market, you probably won't be able to serve your first customers very well moving forward. Secondarily, yes, I think the market changed. The pandemic had a lot to do with it. People's appetite for what they wanted to spend on security changed over time, no matter what area of security, again, whether it's AppSec or risk management or governance and compliance or SecOps or whatever else. These things will always change. So as a product-driven company, we have to iterate on what the market is telling us, what our customers are telling us. There's no sense us going on an [inaudible 00:34:53] saying, "It would be cool to build A, B, C," and then you build it, and then people will sit there and go, "That looks very cool, but I can't use it. It's not practical." So there's a lot of pragmatism that goes into what you evolve.
(:When we say pivot, we don't really pivot in the macro sense. Like I said, our mission hasn't changed. But what you need to do is you have to pivot little, little micro capabilities to either adapt to what people want or how they use it. I think I said earlier on, security for the most part's about change management, meaning you can't completely shift how somebody does something and get in the throat all the way. All you can do is get the change what they do to be more efficient, and that's how we've had to adapt what we do over time and also just make sure that people are getting the most value out of what we are providing versus, "That sounds cool, looks great, but I can't use it."
Cole Cornford (:So what lessons have you learned for aspiring security SaaS startup founders? What would you give as some advice?
Ian Yip (:I would say leave your ego at the door. I think security people sometimes think we know best, and by sometimes, I mean all the time. We always sit there lamenting the fact people aren't listening to us, and why is it so hard to get people to care, et cetera, et cetera. There's a psychology behind all of it, but if you leave your ego at the door, then you're more willing to listen to what's going to move the needle on what we're trying to get at. Because ultimately, as security professionals, if you leave your ego at the door, you can realize, "Okay, here's the impact we're trying to make. Here's the outcomes we're trying to get." It is not a perfect world, so there has to be some level of compromise in the middle, and ego gets in the way of making actual, real change. And as a security industry where we're not very good at leaving our ego at the door because of the brick wall we've been banging our head against for the last 30, 40 years or whatever it is, right?
Cole Cornford (:Yeah, it's not working very well, is it?
Ian Yip (:No.
Cole Cornford (:The approach of, go back to Ancient Greece, because I guess that's all I'm on about nowadays is just talking about that. I can't even remember who said it, but he said, "I am the wisest of the Greeks because I know that I know nothing," right?
Ian Yip (:Yep. Yep.
Cole Cornford (:I feel like taking that approach... I guess, again, going back to my AppSec background, what I know is that every developer is smarter than I am. I can go out to them and say, "Hey, you have SQL injection," and then they'll say, "Did you read the documentation for SQLIs," and I said, "No." They're like, "Well, maybe you should." Then I learn that there's only a few areas within SQLIs that are actually injectable parameters. So I feel like since I've been humbled, eaten a lot of crow many times in my career, that I've now come into pretty much every conversation and say, "Hey, I probably don't notice as well as you, but how about you tell me more about it?" So I guess it applies with your startups as well, because when you're saying leave ego at the door, is this more from a, "I'm going to build a product and people will think the product is great," or is it more the sales side of, "You need to buy this because you have problems," or just everywhere?
Ian Yip (:I think it's more the product side of things. Obviously if you had a sales approach that relies on ego, you're probably not going to be very successful because people must like you if you're selling. But I think a lot of the mistakes that are made when you're trying to build a product is that the product managers or whoever the leader of that product is think they know best, and the graveyard of products that nobody uses are littered with people who had big egos. They just thought they knew best. There's only so many people who can be Steve Jobs or Henry Ford or Elon Musk in terms of having a vision where maybe the market doesn't agree with you, but you've got this insight. The often quoted thing from Henry Ford, I think, which is, if he'd asked the market what they wanted, they would've said faster horses, not cars.
(:Now, that's really an edge case, right? When you're building a product, for most part, you have to make sure that you still remain... The hardest part of product management is remaining on your track that you want to get to and understanding what your goals and your mission is. You shouldn't deviate from that too much, but how you get there is going to change. It is not a straight line. It is a very, very jagged line where you have to listen to people and take that input and understand that sometimes you're not right. As long as you're not completely changing what you're doing that had nothing to do with your mission in the first place, you have to be able to take that input and then inject and ingest that into your product management and build process so that you can really provide something of value that people will be able to use.
Cole Cornford (:I guess a lot of startups were really incentivized to grow at all costs in the past, and that meant that when you were making those decisions, you basically had the money to spend on anything. Just whatever sticks, just do it, right? And I feel like that's absolutely flipped around nowadays. So pragmatic expenditure and being actually able to think about the fundamentals and how you're sustainably going to grow the business is what I'm seeing as becoming a lot more important. Are you finding that that's the same when you talk to your investors?
Ian Yip (:Today, yes. If we talk about the excesses of 2021 and where people would just throw money at something at ridiculous valuations, we probably didn't get enough credit for doing that. We've always built Avertro to be a sustainable business. We have raised VC money, so we do have the VC side of things to deal with. At the same time, we've been very careful not to lean into those excesses and crazy, crazy startup-type valuations and narratives, so to speak. So we've been able to have the benefits that come with being VC-funded, but at the same time not be headed off the cliff because we are burning way too much cash like so many startups were doing in 2021, 2022, and we saw what happened with those, right? You got these startups to raise a heap of money, and you're sitting there going, "How did they run out of that money in 12 to 18 months?" Because they spent way too much money in unsustainable ways. So I think we've been very sustainable along the way and we're finally getting some credit for it today, which I'm very, very pleased about, obviously.
Cole Cornford (:It's good to see a successful cybersecurity company that's been able to just slowly grow over time and be able to respond to changing market dynamics and not just burn through a pile of VC money and crash and burn. I see a lot in the AppSec space last couple of years where they've just gone and invented something to solve things, and then they've somehow said their total addressable market's 500 million or something, and I'm just sitting there thinking to myself, "Mate, that's like global sales for the entire sector. Yeah, of course it's your TAM, but you can't replace every AppSec product globally in all markets at all points in time." You are silly to even go to your investors and say that.
Ian Yip (:That's always the balance you're making, right? They want entrepreneurs to have ambition, so you kind of have to show them that you have ambition, but at the same time there's a level of realism you have to inject in that. That's probably one of the things I learned through this journey. Very early on I felt I had to show that ambition, so some of the early numbers that we always throw out there happened to be quite huge. Maybe not as unrealistic as that, but as time's gone on, I think I've learned to be more pragmatic and realistic about things. Sometimes that will mean certain VCs say your ambition doesn't seem big enough, but I think the good VCs or the good investors will understand that pragmatism is going to take you further than pretending you're going to sell to the whole market and replace everything.
Cole Cornford (:I guess it just depends on what kind of investors you want to attract, right? One of my friends worked for an Australian company that took a lot of VC funding, and the VC funding's whole thing was to say, "You now need to expand globally immediately." And the unfortunate thing that they had to do is that they couldn't actually use their product in the US because the way that the product worked was fundamentally different in how Australia does it, so they had to re-architect it from scratch. And that burnt through almost all capital, and then no one even used it in the US. Now they're in a situation where they have to go and merge with another company locally to actually be competitive moving forward. You'll be able to read about it in the AFR in a month, I'm sure.
Ian Yip (:Yeah. That's the danger sometimes with having that external funding and them having too much control. We've been very careful.
Cole Cornford (:Yeah. Good to hear.
(:So we're getting to the end of the interview. I'd like to ask a few quick-round questions for you if you like.
Ian Yip (:Absolutely.
Cole Cornford (:All right, so number one, best purchase for under a hundred dollars and why?
Ian Yip (:I'll give you a book actually. It's an old book. It's Start with Why by Simon Sinek. It's one of the most impactful books I've ever read, and I think it shaped the thinking for what we do. It also changed a lot of people's thinking, including my own, those years ago when I read it. This still continues to be one of my key book recommendations, and I think you can buy it for 20 bucks now.
Cole Cornford (:I feel like I'm going to have to get a self-help Secured podcast book list because I've had Dale Carnegie recommended a few times, I've had Mark Manson with The Subtle Art of Not Giving a Fuck, I've had Tim Ferriss, Tools of Titans. Everyone's got their own special one that inspires and motivates people to move forward. I haven't read Start with Why, but I've read Leaders Eat Last. Simon Sinek's definitely someone who's pretty good at that. My second question was actually going to be what book would you recommend and why, but I feel like we've already got that one, so covered.
Ian Yip (:I did two in one. Talk about efficiency.
Cole Cornford (:Too bloody good at this. I need to think of a third question for you now, man. How about, for people who are aspiring to start a company, what would be the one thing they should focus on and why?
Ian Yip (:Who's going to pay you for it? Because there's no sense... I think we can encourage entrepreneurialism, we can encourage the risk-taking. We probably need more entrepreneurs in Australia. At the same time, you're not going to get very far if you can't figure out who's going to pay for it. And what I mean there is that you have to do your... If you make decisions to start a company, you have to go and speak to people. You alluded to the fact that you went around and spoke to people, right? You've got to speak to people and adapt your approach to make sure that you are solving a real need. One of the biggest mistakes entrepreneurs make is that they don't solve a real need. So do your homework, figure out who's going to pay for it, and then optimize for that.
Cole Cornford (:Yeah. I've seen many people make that mistake before, where they're just like, "I'm going to do security consulting." I'm like, "Have you worked out who you're going to sell to?"
Ian Yip (:Exactly.
Cole Cornford (:And they're like, "No." I'm like, "Okay, good luck."
Ian Yip (:Yeah.
Cole Cornford (:Cool. And one last question is, for people who are just moving into cybersecurity, what advice would you give them?
Ian Yip (:I would say be bold, like the grad I was talking to earlier, right? He deliberately went and did his homework to figure out what kinds of companies he wanted to work for, and then he took action. That took a level of boldness that you don't normally see in people, and the most effective people, I think, and the most growth you see in people are the people who are willing to be bold.
Cole Cornford (:Yes. I've had that a few times. Some of my staff members, one of them drove two and a half hours up to come meet me in person for a beer on a Friday afternoon, and then I was like, "Okay, cool. You genuinely are committed to actually driving a few hours up from Sydney to Newcastle just to meet me for a beer," right?
Ian Yip (:Yep. Absolutely.
Cole Cornford (:That shows commitment to me. I now actually do that myself with a lot of clients, is I'm going to actively make the trip to Sydney or to Canberra or to wherever to go meet people in person because I want to show that I value their time and I value them as a person.
Ian Yip (:Yeah. That's right.
Cole Cornford (:I love video conference, but I guess me and you will have to catch up for a beer in the future.
Ian Yip (:We will do. I have to find you in person.
Cole Cornford (:Okay. Hey, Ian, thank you so much for coming onto Secured. I really appreciate it. Any parting words for our audience?
Ian Yip (:My parting words are be comfortably uncomfortable. We said it a few times. I think that'll serve you in good stead, whether you're trying to be entrepreneurial, whether you're trying to expand your career, or just in life in general, right? You grow in being uncomfortable.
Cole Cornford (:All right. Thanks, mate. Thanks for coming on.
Ian Yip (:No worries, Cole.
Cole Cornford (:Thank you for listening to this episode of Secured. We hope you enjoyed today's conversation. Don't forget to follow the podcast on your favorite platform and leave us a review. Want some more content like the above? Why not subscribe to our newsletter at galahcyber.com.au/newsletter and get high-quality AppSec content straight to your mailbox. Stay safe. Stay secure. I'll see you next episode.