Understand the risks facing your cloud & get recommendations to boost your cloud security posture.
logo

EN

Products +

Services +

Customers +

Partners +

Resources +

Modern Security Awareness Programs and People-Centric Cybersecurity

Cybersecurity awareness training can be long and boring. With shorter attention spans and work at the back of your mind, sitting through a training session may seem like a waste of time . How should cybersecurity awareness training be conducted in this landscape? We speak to Theo Nasser, Founder, and CEO of RIght-Hand Cybersecurity, to learn about modern cybersecurity awareness training and people-centric cybersecurity.

Tune in to this episode of Ask A CISO to learn:

  • What is the Modern Security Awareness Program?
  • The inspiration behind Right-Hand Cybersecurity
  • Differences between the US and Asia-Pacific cybersecurity markets
  • People-centric cybersecurity
  • How Right-Hand is helping to change cybersecurity awareness training
  • Maturity of US vs Asia in terms of cybersecurity awareness training
  • Attention spans and cybersecurity awareness training
  • Advice on scaling businesses and pipeline generation

About The Guest: Theo Nasser

Theo Nasser is the CEO and Co-Founder of Right-Hand Cybersecurity.  

Right-Hand provides a modern and interactive security awareness platform to help organizations quantify and reduce their employee cyber risk, build cyber culture and meet compliance standards.  

Prior to founding Right-Hand, Theo was a Sales Leader at FireEye and SonicWall, helping them expand their businesses across Asia-Pacific into Singapore, Australia, and Japan.  

He holds a Bachelor’s degree in Business from Santa Clara University in California.

About The Host: Paul Hadjy

Paul Hadjy is co-founder and CEO of Horangi Cyber Security. 

Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.

Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific. 

He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams. 

He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking. 

Transcript

Paul

Hi everyone. Welcome to the Horangi Ask A CISO podcast.

Today we have our esteemed guest, Theo Nasser, with us.

He is the CEO and co-founder of Right-Hand Cyber Security. Right-Hand provides a modern and interactive security awareness platform to help organizations quantify and reduce their employees' cyber risk, build cyberculture, and also meet compliance standards.

Prior to founding Right-Hand, Theo was a sales leader at FireEye and Sonic. helping them expand their business across APAC into Singapore, Australia and Japan. He has a Bachelor's degree in business from the Santa Clara University in California.

Welcome, Theo

Theo

Thank you very much.

Hey, Paul, how are you?

Paul

Pretty good. Pretty good. It's Friday here in Singapore. Friday morning. Think Thursday night for you. So feeling good about the day. Got, got this and a couple other meetings later that, yeah, feel good about. So just trying to, trying to execute.

How about yourself?

Theo

Awesome. Yeah. Awesome.

Looking for, like you said, it's Thursday night for me, looking forward to Friday. It's been a good week, but I'm excited for the conversation.

Paul

Thanks again for agreeing to, to come on the podcast as well. Much appreciated.

Theo

Of course.

You guys have had some great content, some great speakers. I hope to live up to those.

Paul

I'm sure you will.

So, I did give a brief introduction, but maybe you can tell us a bit more about Right-Hand, that I didn't explain and kind of like how long or how, I know you're not in Singapore, but how long you've kind of been in the ecosystem here.

Theo

Absolutely. Sure. I'm happy to.

So as you mentioned, as Paul said, Right-Hand Cybersecurity provides a modern security awareness program. So what does modern mean in the terms of Right-Hand?

For years, almost a decade, security awareness has been around and a lot of organizations have adopted security awareness for their organization and for their employees, but it hasn't always been a frictionless experience. Right?

Most employees within an organization, 99% if not more, within an organization, have security nowhere within a job description, right?

But you know, it's become mandated in so many different industries and so many sectors around the world to implement security awareness. So it's always kind of felt like we were shoving a square peg into a circular hole, right? Trying to mandate the security awareness training.

And so what we try to do at Right-Hand, our vision is to really just modernize that entire experience, build something much more interactive and employee user-friendly for your employees. And then on the other hand, for your InfoSec teams and your, your security leaders and practitioners create something that's automated and also frictionless for them to deploy.

So we're really trying to disrupt what is, soon to be a $10 billion market globally within security awareness. And, and that's what we're trying to do.

Paul

Yeah, that's awesome.

I mean, you know, having spent my entire career pretty much in security, I have done my fair share, given and completed my fair share of security training. Varying levels of interest to be honest, but I've seen your stuff and it is quite impressive, and I'm glad to see you guys continuing to grow as well.

So yeah, just about yourself, Theo, like, how'd you kind of get started in the cybersecurity industry? Tell us the story.

Theo

Sure, sure. I can date myself a bit.

So, I started in security working for a company called FireEye. I'm sure most of your, your audience, and your ecosystem knows, Paul, but, but for those that might not, FireEye was most well known for being the company to call when a breach has occurred. Right? So kind of that hotline for incident response.

And we were on the face and on the frontlines of so many of the largest breaches, not just across Asia Pacific, but all across the world.

And what I would just repeatedly see, when looking at some of these breaches, was that the root cause of the attacks and the root cause of the actual breach itself was caused by an employee. It was caused by a user.

So it was during my time when I was at FireEye when I first started realizing just, we were just at the tip of the iceberg at the security ecosystem as a whole. I really just felt, as fast as FireEye was growing and as much innovation that was happening in the security industry, you know, this was 10 years ago. It was still just the tip of the iceberg with what we were gonna see across cyber.

So it was at that time, I was hooked on the industry. I knew that's what I wanted to pursue in a career. It wasn't right away that I decided to start my own business insecurity, but it was, you know, pretty quick after joining this industry that I knew that this is where I wanted to spend.

Paul

Awesome. Awesome.

Yeah, I mean, it's an exciting field and I think, you know, some of the aspects that draw me to it is that it's like constantly changing. So, yeah, you're always learning new stuff, and forced to because, otherwise, you kind of, will slowly become, well, maybe not even slowly anymore. You will become irrelevant pretty quickly if you don't kind of stay up with the times. Right.

So I think that's, that's also why I enjoy it, is you get to, to kind of be on the cutting edge of what's happening and need to be to really be successful, I think.

Cool. So like, yeah, maybe you can tell us the story kind of around like how you started Right-Hand and, yeah, like what was the catalyst or inspiration there?

Theo

Sure.

So I, I guess you know the story with Right-Hand started when I first moved to Asia Pacific, so this was, I, I left the Bay Area, which is where I'm from in California, and I moved to Singapore back in 2012. This was when FireEye was partnering with Singtel, and the idea from FireEye's perspective was to essentially launch a 24-by-seven incident response capability where we could respond to any breach at any time, day or night for any customer.

And in order to do that, we needed to build this follow-the-sun model with our Security Operation Centers. So the business wanted to launch and build a SOC in Singapore, hence that partnership with Singtel. It was an opportunity just to accelerate FireEye's expansion into, Asia and into Singapore.

And quickly after that, FireEye wanted to grow and, and do it again in Australia and then again in Tokyo, Japan. And so, throughout a couple years when I was with FireEye based overseas in Asia, it was just all-around accelerated growth, right? Hypergrowth, trying to build this 24-by-seven incident response presence.

And like I had mentioned before, when we were on the front lines of all these breaches, we just repeatedly saw the root cause was due to a human. A, a mistake, right? A, a good corporate citizen, just someone who is not necessarily practicing the right type of cyber hygiene, not understanding the dos from don'ts. They might have been trained. They might have gone through that annual check-off-the-box training, right?

But at the same time, it wasn't impacting behaviors for what they were actually doing every single day. And so it was really at that time, after several years of living in Asia Pacific, several years of helping expand FireEye's business across that I saw this opportunity, and that was kind of what gave me the gentle nudge to decide to start my own business.

So that was several years ago now. We started the company out of Singapore and we've been growing ever since. Today we've got customers all across Asia Pacific, Australia, New Zealand, Singapore, Philippines, across Southeast Asia.

And then I've also relocated and am now based in the US and over the last year and a half, two years, we've been expanding in the US as well to bring on board a lot of really great customers here. So we're kind of, you know, standing up and building these two regional businesses all under the Right-Hand umbrella, of course, and looking to, to quickly become and grow.

Paul

Yeah. It's awesome.

Yeah, like, I mean, you know, as you, as you know, you met Dave who runs our US business. We're also doing the similar things. You know, personally curious, but also, like, for the listeners, like, yeah.

How, how do you see the US market, like from a cybersecurity perspective being different from APAC and like, what are the, maybe the couple major things that you've noticed so far?

Theo

Well, it's extremely different, Paul.

You know, I, I always kind of go back to this notion that I believe a business like Horangi and a business like Right-Hand has a, a massive competitive advantage with Asia Pacific, right?

Most companies, not just in security, but think any type of SaaS business, right? We're, at the end of the day, we're, we're SaaS companies. Most will traditionally start in the US, right? They'll, they'll start in the US Maybe they'll, they'll raise couple rounds of funding from US investors. They're gonna hire and, and recruit the majority of their employees in the US.

Now, most of their customers will therefore be in the US as well. That's where they achieve their early traction. And then when the business is ready to grow and enter into new markets to find other opportunities to gain revenue and grow faster, then they decide to move into overseas territories.

And so maybe they're looking into going into Europe. Maybe they want to enter into Asia Pacific. So businesses will hire people or expand offices in Singapore or Australia or other types of regional location.

With us, with Right-Hand and Horangi, we were born in Asia. Our businesses were born in Asia. Right? You know, you and I have known each other for years and, and that goes back to when I was also living in Singapore and, you know, Horangi was smaller than where you guys are today and, and Right-Hand was much smaller than where we are today.

And our presence was more tightly regionally based, where all of our customers were really, at first, for us, in Singapore. And then we were able to expand that Asia Pacific presence a little bit into Australia, New Zealand, and other regional countries just around Southeast Asia.

And when you make that conscious decision to move to the US, that's a big change, right? But we have this advantage where we've been able to knock out an Asia market with early traction and really the establishment of our business when most companies, you know, when they want to enter it years later, it's a challenge.

So I see our Asia early traction as a massive competitive advantage to our business.

Paul

Yeah, yeah, I agree.

I think having a customer base, especially if you have some well known customers, at least globally, really helps, especially when you're entering into the US cuz I think starting out in the US, you know, in Asia too, like taking the risk on a small company, especially in cybersecurity, I think is somewhat difficult.

So I see that as a big hurdle for all companies kind of entering in the space, no matter region. I think even, you know, more acute in the US sometimes.

Theo

And then when you look at just kind of the nature of the regions too, right? The US, you're gonna have a bigger market to go after, but it's more competitive, right? It's a lot more competitive. You've just got X factor the number of vendors that are competing in your space.

And then in Asia you have a little bit more greenfield. It's a smaller market, but there's a lot more opportunity in a less competitive environment in a lot of ways.

So, you know, it's got its pros and cons, but ultimately, you know, for both of us, I know our goal is to build successful businesses and, and high growth businesses in both regions.

Paul

Yeah, exactly, and excited about the opportunity but also cognizant of the challenges as well. Yeah.

Theo

Of course, yes.

Paul

So I mean when you think about Right-Hand, how do you think about people-centric cybersecurity?

You mentioned something I thought was pretty interesting, which is a lot of people go through the training, but they don't necessarily use what they've learned in their actual practice, which I can equate sometimes to golf, which I know both of you and I love, is it like you, I do a lot of training stuff, but then like sometimes when I get out there on the course, I just revert back to my instincts. Right?

So it's more about like just creating those instincts that you're reverting back to what you know in the heat of things.

Theo

I've golfed with you before. Probably not giving yourself enough credit.

Paul

Yeah, yeah, I'm not bad. But, yeah, definitely. I'm working on changing my swing right now which is difficult cuz I grew up playing, so I grew up doing it one way and now I'm trying to do it the better way. So that's been a challenge, but, yeah, I think, I mean, it's similar with training, like any type of training, right?

Like you're basically changing the way you look at something and the way you react to it, which is, which I think actually gets harder as you get older. Just because there's more history there. But curious how you guys define people-centric cybersecurity and how you kind of change that instinct, right Cause I think that's, that's sort of key.

Theo

Absolutely.

At the, the end of the day, an effective security awareness program is not to drive awareness. It's, it's all around driving behavior change.

How can you actually influence long-lasting behavior change that gets retained for the long term for your organization?

Ultimately, that's the goal of every program. And, you know, the way that it's been historically done is you'll launch and deliver an annual training module, or, you know, maybe every six months. And it's gonna be anywhere from 30 minutes to two hours long, and it's gonna be like a lecture style, almost like a PowerPoint or just a lecture where someone's just speaking at you, and they're telling you the do's from don't, but what do we all do during those moments and all those training modules?

We're multitasking.

You know, we're trying to see if we can brute force our way to the end of the quiz. We're trying to see what we can do to just get ourselves to be done with that so we can get back to our core jobs. Right?

If you're a salesperson chasing purchase orders, do you wanna spend your two hours in training on cybersecurity if you know you don't work or have anything to do with cybersecurity in your job or you want to go achieve and hit your commission.

Paul

Yeah.

Theo

Earn your commissions and hit your quota. Where are those, where are those two hours better spent as a salesperson?

So you, you gotta understand that's how people think, right? And so when we talk about people-centric security, how can we break down those barriers? How can we actually create an experience for the learner, for the end-user that is not gonna impact or interrupt their day, but actually flow into the rest of their operational day and teach them the lessons they need to learn in the moments they need to learn them, cater to their individual risk.

So that's really the philosophy of what we do at Right-Hand. There's a lot that's baked in just with psychological best practices around. Right.

So we do a lot of what's called adaptive training, where it's not one size fits all for every individual. Our system will actually analyze the behavioral profile of a user and assign adaptive personalized lessons or, you know, training nudges to users based on what they need to know in that moment.

So that's really our philosophy, rather than this brushstroke one-size-fit-all eLearning module.

Paul

Yeah, I mean, that, that's really cool, and I think a great idea.

I mean, yeah, I've never, ever actually like tried to brute force a training in my life. Of course, I'm being sarcastic. I'm sure most people do that and you know, they don't actually sit down and take the time.

But if you can put it in tidbits where, it's interesting and adds value, like, you know, I think you can really change the mindset from the user perspective around how they think about it. Right?

And ultimately, like I talk up this all the time. I think security is kind of a culture thing more than anything else. And it is the cheapest way to affect an organization that's just by implementing security cultures, have people thinking about the things that they do from a security perspective any given day is gonna make a much bigger impact than any piece of software, honestly.

So I think, I mean like training is one way to sort of enable that, which I think is quite cool. And I guess, it seems a lot of orgs, like, as I just kind of mentioned, are really focused on tech then process and kind of lastly the people.

Why do you think that is? How are you guys going about, going about, like kind of changing that for your customers?

Theo

It's just, things move in cycles, right?

So, you know, as security philosophically was always thought about it, if you just go back to the castle and moat example, right? If you're trying to protect your organization from warfare, and you kind of put yourself back in medieval times, you create this moat around the castle to stop the intruders from penetrating your walls and your drawbridge and stealing or doing anything that could negatively affect your organization or your castle, your property.

And that's the mindset that most organizations started with, with security. So they'd implement their firewalls. They'd implement email security platforms or endpoint security platforms.

And you know, in the last handful of years we've had the massive adoption of cloud security, right?

But it's all about protecting that perimeter to stop the adversary or the bad actor from doing something to negatively affect your network. I see a world in the future where every organization has created multiple layers of defense. I think that perimeter layer is always gonna be wildly important, and it's always something that I would recommend to every one of our customers, that it's important to have a layer of perimeter security that fits your organizational needs, right?

That technology piece of people, process and technology. But in addition to that, being able to have that secondary layer if something were to get through the technology, right? Cuz there's no single email security vendor that gives you the guarantee that you use our technology and you won't be breached right there.

It just doesn't exist.

If that existed, there would be a lot more companies that wouldn't make it because they wouldn't be needed, right? Because there is no silver bullets, no magic silver bullet, that's what creates, you know, need for other types of innovation and, ou know, people-centric security being that second layer, that second protective layer to really help arm the users within an organization. That's why it's so important.

So, I mean, I see a future where every organization has to have two layers of security, the perimeter layer, and the people layer and that's really what we're going through right there.

Paul

Yeah, that's, that's definitely true.

And I'm also quite curious like how you see kind of the maturity of the organizations like US versus Asia and then like, especially within training, how serious is it taken in both markets on average, I guess, cuz it probably varies quite a lot, and the major differences you see in, in terms of that aspect?

Theo

Well, the major parallel I see in both markets is kind of the industry adoption.

So, in Asia Pacific and in the US, there's compliance that mandates a lot of organizations. Based on your industry, you need to comply and take these trainings. That's actually what I attribute most of the tailwinds in our market. The reason why our security awareness space has grown, again, it's projected to be 10 billion by 2027.

Part of the reason why it's grown so significantly, it's growing 19% every single year is because of compliance. That's a big, big reason. You have, you know, think back to the birth of GDPR in Singapore. We have the equivalent in PDPA, and you have the financial sector that's regulated by MAS, with MAS TRM.

And then you look in the US you have the privacy equivalent CCPA, and Australia's got their own privacy laws that, that they're adopting. And a lot of the language in all of those regulations, it's very vague, but a lot of the language in those regulations, say you need to adopt security training for your workforce and/or your executives, right? Something along those lines where it says you need to do this to comply with this regulation.

And then you look at all of the major security certifications, SOC 2 and ISO, right? There's language in SOC 2 to be compliant and to pass an audit for ISO and SOC 2. Or to get your ISMS, you need to do security awareness training.

And so this is really driven both in the US and in Asia-Pacific. Right? Because you're actually mandated by a compliance need. So, you know, it's more, I guess, directly answer your question when, when you're going after kind of the right market, the organizations that have not just a want, but a need to adopt something like this, you're able to have a pretty serious conversation pretty quickly, and then the conversation for us just becomes, this is why we're better than another option. Right?

We know you need to do something. This is why this is the right choice. So for us, you know, those markets that go after, those industries, excuse me, that have to comply with those regulations, it's a massive market in of, in itself. That's really where we focus most of our time.

You know, it's the software sector that has a lot of regulations. It's the finance sector. It's the education sector. It's energy and utilities. So where compliance goes, security awareness is gonna flow, and we wanna follow that.

Paul

Yeah. I mean, like, it's super interesting and I think there's a lot of, sort of growth opportunity there in the space. And especially what you're talking about in terms of like giving bite size pieces of value, I think is, is key because of attention spans are only getting shorter.

Theo

Social media's, you know, directly responsible for that. I mean, you, you're so right.

Think about the way people consume content today. You're so right, Paul! Like, how do people consume their content? It's Twitter, which is what, 200 characters?

Paul

Yeah. Instagram, right?

Theo

A hundred, Is it 220 characters? Something like that.

And then you have TikTok and Instagram has a one-minute max...

Paul

Yeah.

Theo

for a video or something? I'm off all these social media platforms, so I'm probably butchering this, but you know what I mean, right?

Like it's, people are used to consuming that content in a really short period of time. And so why is the industry providing hour-long trainings, whether it's security awareness or any other training. If you're trying to get people to actually comply, adopt, retain the information? You know, it just seems silly that we're kind of mandating these, these really long things when

Paul

Yeah, just interesting.

Like. Yeah, like, I mean like, obviously most of the information we consume on a daily basis is very small tidbits. News article here and there. Not like, I mean, people still read books, but even, like with the book, it's not like they're sitting and reading the book in a whole day. It's like, you know, 10 pages, 10 pages, 10 pages, right?

So like it's, I guess security training can go in the same aspect of giving you those, like, little tidbits that hopefully you'll remember instead of one long, sort of, class that, yeah, maybe you'll remember some of it, but probably not. Definitely not all of it, right?

Theo

Yeah, it's, it is just the concept of the forgetting curve, right? You learn something, something goes in one ear, you, you know, you're, you're reading something and you're learning something, and this concept of the forgetting curve is over time you're gonna forget more and more of what you learned.

And of course, some things that you learn, you retain for some reason, you know, you're really attracted to a concept or there's a, you know, some drive or some motivation that really, maybe it's just a, a passion of yours, right? There's pieces of information that you'll always hold onto, but if it's not something that's necessarily resonating with you or you don't have a lot of passion for, right?

The forgetting curve concept is you're just gonna forget what you learned over time. And that's, that starts within days of, of hours of, of going through and absorbing some content. And over a period of time, you've completely just overlooked and forgotten what you had learned previously, and so that's kind of the, you know, reinforcement is important.

Gamifying an experience to make it more competitive or to feel like people are incentivized and motivated in some way. We always tell our customers you know, when you're creating your awareness program and you're starting to derive and build a policy around an awareness program or just a security program in general, right?

You want to create an environment where you're rewarding your champions and your top performers rather than building a culture of punishment and you know, embarrassment for your laggerts or for those that are struggling to adopt these concepts, right?

Because what you can do with that notion and that simple mindset is you can start to build contagious security where if you see someone succeeding and you see someone adopting and learning something, maybe they receive some type of award, recognition, or even a tangible prize that can start to become contagious, making other teams, other individuals, other departments wanting to see that same success.

And, and so before you knew it, before you know it, you can start to truly build a positive security culture across the organization.

Paul

I agree and, and think I mean it's powerful as well and I think can affect a lot of change inside of organization from a security perspective as well.

Just to kind of like switch topics a bit, I did wanna talk a bit about like, some of your experience in terms of scaling business. You have a lot of experience in, obviously, in terms of what you sort of explained in your career and then also with building Right-Hand.

Can you give us a little peek into the advice you dish out around pipeline generation and potentially tell us more about where we can find that?

Theo

Of course. Yeah.

You know, I've lived and breathed this just being a, a first-time founder here as I launched Right-Hand. And one, one of the things that, you know, I always love thinking about and love implementing with our company, and it's been a great learning experience and I think we've done, you know, decently well, and we definitely want to grow off this, but it's this concept of pivoting from like a founder-led sales motion to a sales process-led sales motion or a, a team-led sales motion. Right?

It's a, it's something that every founder, Paul, and I'm sure you can remember, and you know, back when, when you guys were building out and scaling out your sales team at first, and you know, just some of the learnings that kind of go with that.

Every founder, when they start their business, they carry so much passion about, you know, their baby, their company, and obviously they understand their market extremely well and they understand their competitive landscape extremely well. And they can tell an amazing story about why, what they're building, you know, their vision, why it is so meaningful and impactful for the industry that they're in, the world that they're trying to change.

And you know, that can lead to a lot of early success for startups, right? If you know, you can tell that good story and you can back it up with a really good product or service, but then every company goes through that, that shift where, you know, eventually as you grow and scale, you gotta start thinking of, well, how do I scale me as the, you know, the founder?

How do I get other individuals involved to be able to share that same passion and, and tell a similar story and maintain the sales efficiency?

That's the most important thing, is maintaining the sales efficiency. Being able to, to hopefully close deals of the same size in the same amount of time or less. And, you know, for us, I, I mean, I'll, I'll pause there, Paul. I mean, you must remember that process too, just having, you know, built and scaled Horangi.

Paul

Yeah,

I mean, like, I wouldn't say we're like perfect in any of those aspects of it, cuz like, I, I do think it's always like a process where you're iterating constantly cuz like, you know, things will start to slip. Or things, you know, hopefully are getting more efficient.

But it's always gotta kind of understand why, which I think is what's important around that whole process. Just so, okay, if I know it's getting more efficient because of this, then like, how do we do more of that? Or if I know it's getting less efficient because of this thing, like, how do I do more of that?

So I think like tracking everything is really important.

Just like in security in terms of like managing your patching, like updating your HubSpot or Salesforce or whatever CRM you're using is something that generally salespeople hate. And I also hate it, but I understand how important it is in terms of being able to understand the sales process of your organization and being able to pull the strings to make it better which I think is ultimately why we're all there and make it scalable too.

Cuz ultimately some things don't scale which can be complicated, cuz the things that worked yesterday or they worked. from zero to 1 million doesn't mean they're gonna work from one to 10 million, for example. Right?

Like, I think that is always a challenge and something that, you know, I think every company goes through sort of struggles there. But it's great that, like given we talk a lot about this, like not on podcast, but always appreciate the advice you've, you've given Horangi, and sort of building out our machine too.

Theo

And vice, and I mean, and vice versa.

But I mean, what you just said, Paul, is so important. Like being able to be able to pull on those levers of what's working well and what you want to pour some fuel on and then what wasn't working or what isn't working, and being able to pull back on those things so you're not wasting cycles on something that isn't actually scaling.

The only way you can do that, obviously as you know, because you did this, is implement a process, right? Actually have something documented, have a playbook that is built out, something that you can quickly test, validate, and then ultimately when it's successful, scale and train and get others to adopt it. It is so wildly important.

If you've got, you know, aspiring or existing other startup founders that are kind of in that phase earlier than Horangi looking to build something out, I think it's the best advice you can give to a founder like that is just the importance of pouring everything you can into documenting an actual process around that sales motion. Whether it's just trying to pick it up and move to a new region, which is something that both of us have, have been working on or, you know, trying to go up or down market, right?

If you're trying to sell into larger enterprise, if you wanna scale something more ... or the SMB community, it's just being able to actually document exactly what you want it to look like, quickly validating what works and what doesn't, right? Being laser-focused on what those levers are, and then pouring fuel.

Paul

Yeah, I agree.

I think that's really good advice for people in cybersecurity, but also people and other verticals as well. Like, I, I think it's pretty transient across. I mean, you know, the levers may be different but as long as you're have an understanding of what the potential levers could be, and you know what's working for your sort of sector or, or region, you can constantly shift, and ultimately, when raising money with investors, what they're looking for is, yeah, if I put X amount of money into this marketing channel, it's gonna give me y in terms of pipeline. If you can't answer that question, I think very difficult to justify any sort of financial plan.

Definitely it, it does help a lot with sort of convincing people that you can grow the business in a, a certain way and, and also understanding that, like ,you need to find more than one channel eventually. Right? As well, Right?

So I think it's interesting sort of process. Not one that everyone thinks about, but I think, you know, most ... the difference with cybersecurity is most of the problems that people face are more GTM than anything else. It's pretty hard to get the product to market even if you have a really good one.

Getting people to know about it with all the noise is not that simple.

Theo

The former CEO of FireEye, Dave DeWalt. I'll never forget when he said this.

I was at FireEye, this was like maybe my first year at FireEye. This is more than 10 years ago, and he's addressing the entire sales organization. And the message he essentially was saying to the entire sales team at FireEye at the time is that the measurement, the difference in measurement of IP between cybersecurity vendors might be measured in millimeters, but the difference in measurement of measuring two different go-to-markets can be measured in miles.

And what he's essentially saying is just pouring the emphasis on how important it is to build out the right go-to-market for your organization to scale. Right? Because you and comp, you know, company A and company B could have a very similar product that solves a very similar problem priced in a very similar way, entering the market at a very similar time.

But if one of those companies has a much more strategic approach to their go-to-market, I mean, it's the, the difference between making and breaking an entire company. One being a company that becomes a dinner table name and, you know, the other company being one that no one ever hears or, or knows anything about and doesn't have the impact that they all dreamed of having.

So I completely agree. Right? It's, it all kind of rides on the go to market, Paul.

Paul

Yeah.

Well it's been a interesting conversation so far and I really appreciate the insights about Right-Hand, but also about, sort of, the challenges that we face as entrepreneurs, especially in the cybersecurity space.

I did wanna ask if there's any like, kind of last piece of advice that you wanna give to the audience. Can be security related, can be go-to-market related. Can be about their golf games. But let us know.

Theo

I'm not in a position to give anybody advice on their golf game, so I'll let that one, I'll let that one go.

My funny story about that, actually, I was at, I was just getting a new driver. This was in the last couple of weeks and I go up there and I, you know, my daughter's with me. She's three years old, almost three years old, and she's sitting in this chair behind the simulator, and I go up there and, you know, take a swing. I'm trying to figure out what golf club I want to buy, and I go on and take a mighty swing and I completely whiffed, like, just completely, completely missed the ball.

My daughter's right behind me and she goes, "I wanna try!" And so the lady who is working at the store brings over a driver for a three year old, right? A just a, a mini version. And my daughter gets up there, the ball still teed up, right? So she walks up there and she, she takes a swing and she hits it dead center. And the ball just kinda like dribbles, like right up the middle of the simulator. And you see, you know, you see like on the simulator, the ball flies and moves and everyone in the store just thought it was hilarious.

Just, you know, here comes, here comes dad taking a whiff. Yeah!

So long story short, no golf, no golf advice, but if there's any advice, I guess in general, Paul, I'm not gonna take the security approach to answer that question. I'm gonna take, I guess just the founder approach to answer that question.

If there's anyone here who's thinking about starting a company or currently has recently started a company, I think there's a lot of sentiment now just for the market globally, right? With a lot of fear and a lot of, worry about macroeconomic trends. And I think there's a lot of concerns around startups being successful in this climate.

And what I would urge to anyone who does have that dream to start a company or is currently in the process of starting their company or has started their company for years, and is just trying to navigate through this period, just to keep your head down because when it's dark, it'll eventually become light.

And if your startup is doing well, fantastic, that's great.

And if it's not doing well right now and you're struggling, just given customers' budgets freezing or any type of challenge or headwind you might be facing, whatever industry you're in. If you can navigate through this period, just know that it will turn lighter for you and your startup as long as you stay consistent and you keep doing the right things.

And you follow what Paul was saying around, pouring fuel into the right areas of a go-to-market. Simply, you know, put, I think a lot of startups fail just because I think a lot of people quit too soon. Right?

We always talk about startups. There's a very small percentage of startups that get to grow, to scale where they want to be. But if you can just outlast challenges that come your way as a founder, and I don't mean this to be a rah-rah pep talk, but if, if you can actually just navigate your way through a little turbulence, I believe that there, there will be some light at the end of that tunnel.

So hopefully that's a little inspiration for any founders or aspiring founders through the startup grinds that, that you and I have.

Paul

Yeah. Yeah.

No, I mean, I think that is good advice and like, yeah, grit I think is one of the things that us as founders somehow have managed to put up with and are, yeah, I wouldn't say you're good at that. Just like, like, are you good at being gritty? It's just like a personality trait almost, and something potentially you can learn, but it's just like, there's this Buddhist saying that I think is quite interesting.

It talks about like, well, what do you doing for before enlightenment? You chop wood and carry water, and then like, what do you do after enlightenment? You chop wood and carry water and it's just like, you're just like constantly, basically taking one step forward and continuing to like, whether it's chopping wood and carrying water and like cold outreaches on LinkedIn. Maybe that's how it started, but now you're like running through the task of the day, meeting with customers, doing whatever it is that you need to do to get to the place that you're going.

And as long as you're like being mindful throughout that process, and continuing to execute and not letting the distractions bother you, because it's terribly stressful as both of us know, then you will eventually get there or you'll learn something as being part of the process and get better at it over time. Right?

But you can't underestimate how difficult it is, which I think you kind of alluded to and it is a difficult time now for a lot of companies and all you can do is put your head down, and do your best.

Theo

You gotta love the journey. It really just comes down to loving the journey.

I mean, you and I both played, you know, played sports. You kind of put your, your mindset of going through that, you know, that preseason or that hell week or the, you know, the most challenging period of being part of a team and, and playing sports, right? Athletes go through that all the time.

But you know, when you get to that season, you have that successful season, you have to look back on the blood, sweat and tears that you put in to get yourself there, and you have to appreciate the journey.

So I think there's a ton of parallels in the startup world that you can talk for those experiences as well.

Paul

I totally agree.

Again, Theo, thanks a bunch for agreeing to the podcast and giving all these interesting insights about go-to-market and of course, training to the audience. Look forward to sharing this soon.

And yeah, very much appreciate you participating.

Theo

Absolutely Paul. Thanks for having me.

Paul Hadjy
Paul Hadjy

Paul is a technology visionary working across the US, Middle East, Singapore, Korea, and New Zealand to build business in both the private and public sectors. Paul spent over 6 years at Palantir and was the Head of Information Security at Grab.

Subscribe to the Horangi Newsletter.

Be the first to hear about Horangi's upcoming webinars and events, up-and-coming cyber threats, new solutions, and the future of cybersecurity from our tech experts.