The following interview is a conversation we had with Umaimah Khan, CEO & Co-Founder of Opal Security, on our podcast Category Visionaries. You can view the full episode here: $32 Million Raised to Build the Future of Identity Security
Brett
Hey, everyone, and welcome back to Category Visionaries. Today we’re speaking with Umaimah Khan, CEO & Co-Founder of Opal Security, a data centric identity security platform that’s raised about 32 million in funding. UK, how’s it going today?
Umaimah Khan
It’s good. Glad you used the initials. Good. Umami live. But the full name is, for those who are curious, Umaimah Khan, or UK for short.
Brett
I really appreciate you giving me the. Out there with UK. I was sitting here on these, like, YouTube videos trying to figure it out. I thought I had it figured out and you told me in the pre intro, I don’t. Or the conversation that I don’t have figured out. So appreciate that. It makes it a lot easier.
Umaimah Khan
No worries.
Brett
Tell us about your background.
Umaimah Khan
Yeah, so I started off life thinking I was going to be a math professor. I’ve always loved math and puzzles. I started doing cryptography research in school and thought that was going to kind of be life. Worked in the federal government for a bit and then caught the startup bug. Ended up being very early at a few startups and seeing them scale and sort of had this, like, not intentionally strange theme that, like, constantly ran through them. You know, I often worked on back end systems, data engineering, ML, and, you know, I would always kind of work at companies that would go through these inflection points as they would start to scale themselves and start to have to harden systems, start to have to think about sort of what they needed to do in order to kind of hit the next milestone.
Umaimah Khan
And security is often a big part of that, security and compliance and specifically around access and identity. So you’re building, you’re building, and all of a sudden you have to stop, and you have to ask yourself, oh, my God, what’s going on here? What are we doing for AuthN? What are we doing for AuthZ? And sort of like, this curious thing happens where you realize you need to sort of tighten things up internally. You don’t really have anything, so you start building, and then you can’t scale it anymore.
Umaimah Khan
And I think, like, the second kind of theme was, I’d always worked on very sort of cutting edge abstract research and technologies, and I would see this kind of same theme over and over again where it’s like you’re working on encryption and here are people falling over and getting breached because they just didn’t set up access properly or they failed to, like, kind of apply certain protocols to certain systems. So, I don’t know, it was almost, like, organic. I just sort of, I saw it, I felt it, and it drove me crazy enough that I actually eventually quit my last startup and started to just think about it full time and work on it full time. That leads us to here.
Brett
What did those first, let’s say, three months look like when you started working on it full time?
Umaimah Khan
Oh. So, for me personally, there was just a lot of reading and talking to people. I had, because I had kind of built an early version or prototype at my last job, I had some idea of what I thought the system and the architecture could look like. But I just spent a lot of time also just thinking about it from different angles. So in authorization, there’s a lot of research on kind of, like, building policies, building languages that can kind of evaluate and verify authorization logic. You know, there’s obviously kind of the AuthN side of the house. There’s passwordless. And I didn’t really kind of go about it with, like, a whole lot of intention.
Umaimah Khan
Like, in the early days, I just wanted to sort of read and talk to people and understand what they built and why it had worked and why it hadn’t. And sort of, you know, very early on, my thinking was kind of, look, if this doesn’t make sense, at least I’ve learned a ton along the way. And this, like, satisfies my intellectual curiosity. I think over time, that kind of mutated into what the hell? Like, why doesn’t this exist? And why are the people who are working on it not working harder on it? So that’s another story.
Brett
Why do you think this problem exists? Why is no one solving this?
Umaimah Khan
So access management and identity, first of all, is, I like to call it one of the last great enterprise frontiers. And there are people who are working on it, and there are people who have tried to solve it. Famously Novell. And I think, like the eighties or not eighties, like early two thousands, correct me if I’m wrong, was headed by Eric Schmidt before he went to Google. So a lot of really smart people have worked on identity and authorization and authentication. The problem is it’s so fundamentally tied to the way businesses change and grow and how they sort of go through these milestones of technological complexity that it’s very hard to stop the world and design something that’s beautiful and perfect and can keep up with the pace of business.
Umaimah Khan
So, like, you know, for a while, like, all of computing was done, like, on hardware, on-prem. Right. And firewalls ruled the world, and network authorization. Then we had this big transformational shift to cloud, and endpoint became king. And then we had the shift again to multi cloud. And now we have like, you know, possibly like non human agents writing software, and we have this, like, complete explosion of, like, identities and applications. And people don’t work in the same office anymore. Like, the way you describe how a person works is not really totally defined by their role. So, like, all of these protocols just, like, break because they can’t keep up with the complexity of what’s actually happening in the world, right? And so lots of smart people try and it’s just really hard to scale adoption.
Umaimah Khan
And sometimes I give this analogy, it’s almost like we’re in a world where people are trying to figure out what the schema looks like for a database that doesn’t exist.
Brett
Basically, what are you doing to scale adoption?
Umaimah Khan
So it’s an interesting, it’s an interesting question. I think one thing that’s, like, sort of uniquely changed in the landscape is that there used to be a time when we built enterprise software. It’s always very information rich, it’s always very workflow dense. Right. Because a lot of business logic defines how you build enterprise products, and each business varies. And these products are, like, very powerful, but they’re not easy to use. And I think one thing that’s changed is people sort of demand a higher bar for UI/UX, even in enterprise, and it’s a good thing. It’s actually what allows other folks to not be intimidated and actually adopt products like Opal’s, which are meant to be workforce products. It’s access applies to everything. No matter what your job is, no matter what systems you’re touching. Maybe some things are more sensitive than others.
Umaimah Khan
And, you know, maybe you think about least privilege in sort of like this, like sort of sequential and systematic way. But at the end of the day, to build a data security or data rich identity security platform, it really does need to have broad coverage. So you do need to have a product that is not intimidating at first blush. So I think an example of a product that has done this really well that we all know is Slack. Right? Like IRC has existed for a really long time. Like, I grew up, like, you know, on chat forums that, like, you know, had all their weird key bindings and clunky UI/UX. And I remember, like, just sort of being pleasantly surprised and startled when people started using Slack outside of, or products, like, Slack outside of engineering teams, because it’s like, this is IRC.
Umaimah Khan
Like, this is like eighties chat, nineties chat forums. And now you have, like, marketing teams who are like, totally not intimidated by like, you know, messaging each other on things like this. So you can kind of get these gains for adoption. Sorry if that’s a long, rambly answer.
Brett
No, we like the long, rambling answers. Those are always the good ones. What about marketing philosophy? How are you approaching marketing?
Umaimah Khan
Oh, man, that’s a, that’s a fun one. So there’s this paper I talk to people about sometimes that a friend recommended to me. It’s called The Market for Silver Bullets. And it’s basically sort of inspired by a classic econ paper. And it’s about how there are really no rational buyers or sellers in security because nobody has enough information to understand what’s going on, right. So you end up kind of in this crazy, like, black hole of, you know, security companies. Like, they market like big pharma sometimes, and then you have these vendors on the other side of the house who are just trying to solve a problem, and they’re reading through these white papers and these, like, incredibly polished, you know, decks. And at the end of the day, it’s like, well, is this solving anything?
Umaimah Khan
So the way we think about it, Opal Security is what can we do that really cuts through the fat and shows people real value. And the nice thing is, when we take a step back from this broad category of identity security. We really talk about something like least privilege. You should be able to measure that least privilege definition of getting the minimum viable access to do your job and then thinking about how that applies across different systems and entities and identities, you should be able to measure that is a doable thing. And to be able to market something that is like, here’s what we do, here’s where we provide value, here’s where we’re going. I think is it shouldn’t be unique to us as a product and security, but I think it’s part of the cornerstone of our philosophy.
Brett
I see that you’re going to be at RSA. I think that’s next week or maybe the week after I’ve been to RSA the last couple of years. And whenever I walk around, I just think, wow, everyone is basically saying the same thing. It’s very difficult to stand out and separate yourself from all the noise. Is there anything that you’re doing from a marketing perspective that you’re seeing work very effectively to rise above all of the noise that exists?
Umaimah Khan
Well, it’s early for us, but I do think, like, the way I think about Opal is we are a product company, and the product should speak for itself. And what marketing’s function is to do is to, like, provide sort of an explanation and a value of the sorts of information you wouldn’t necessarily get otherwise. Like, for instance, why are you suitable for the enterprise? And also, like, an ability to kind of teach folks, right, because to your point, everyone copies each other. It’s really noisy. So anyone who can really come into the space with an opinion point of view and explain why they do something the way they do it, and also a little bit, like, call out, like, look, I don’t know what these acronyms mean. Do you know what these acronyms mean? I think goes a long way.
Umaimah Khan
The second thing I will say is your best marketing is doing right by your customers and letting them speak to the value of the product. So allowing our customers, and it’s early for us, but sort of letting them speak to what they’ve been able to do with Opal and how they’ve been able to sort of solve problems like that goes a long way.
Brett
So you founded the company in 2021. How long did it take for you to start getting paying customers through the door?
Umaimah Khan
Yeah. So Opal is kind of unique in regards to the fact that we never really did this kind of design partnership after Ouija. So in the sense that we qualify all of our early customers and we build with them. But we understood that there was a real need in the market and that if we could kind of build in the right direction and show people meaningfully the value that they would be able to get, that it was worth paying for. So I think when we felt that the product was ready to GA and we felt that we were in a position where we could continue to provide value, it felt like a more straightforward conversation than perhaps like, trying to sort of find product market fit. You know, product market fit, by the way, is like always, like a negotiate.
Umaimah Khan
Like, it’s always a work in progress. But like, that conviction, right from having built before meant that we knew. We knew that this was a problem that needed to be solved and no one was solving it adequately.
Brett
And were you tempted at all to go the design review partner route, or did this just make logical sense for you?
Umaimah Khan
That’s a great question. The truth is, like, you know, it’s more of an art than a science at this stage, and it could make sense if there was a really unique opportunity. But, like, you know, we were able to show that we really did provide value from day one. Right? So it was really a question of, like, having that conversation with potential customers of how much do you think this is worth? And working with them and figuring that out.
Brett
What about your market category? So in the intro, I called you a data centric identity security platform. Obviously, I stole that from your website or from LinkedIn. Is that the market category or what do you think is the market category?
Umaimah Khan
Yeah, so this is a great question. You know, I think there’s a little bit of to be. To be determined kind of in terms of the market. But broadly speaking, I would say there’s sort of like four main silos that happen in identity security. One is identity providers. Then there’s. That’s IdP. So this is like Microsoft Entra and Okta, et cetera. And then you have privileged access management. So these are like, tools that are designed to, like, you step up privileged access. So CyberArk, there’s IGA, identity and governance, and this is companies like SailPoint and Saviynt. And then there’s sort of cloud infrastructure, entitlement management. And broadly, these four combined are on the order of a $30 billion market. And there’s a story kind of on how you feed from IdPs and sort of consolidate to some extent, those silos. Otherwise you.
Umaimah Khan
What’s happening is like people are sort of looking at different parts of the horse, right? And then trying to sort of Frankenstein it together, which is one of the reasons we have a lot of conviction that it really should be one platform. I think from there, if you really do design like the infrastructure well and the platform well, there is potentially a way to continue to grow and expand and go into more markets. So I think when people talk about security in particular, I think Palo Alto famously did like a fantastic job of this in terms of how they expanded into the cloud market.
Brett
So is this a new line item then, that customers are creating, or is this taking away from one of those existing line items for other identity security tools?
Umaimah Khan
A little bit of both. It actually, it depends when we think about those latter three, cloud infrastructure, entitlement management, IGA identity and governance, administration and privileged access management. It does solve for a lot of those use cases. So you do have in some sense a built in line item. The difference is you’re also sort of creating space to also provide net new value in something that may not have existed before. So what we’ve seen is like customers will like realize they’re getting that value and maybe create more budget on top of what they sort of had thought was like pre existing or what was just this use case we were solving for.
Brett
What’s the go to market motion look like?
Umaimah Khan
Yeah. So for us, you know, taking a step back, if you think about where the complexity and the challenge of a problem like this truly lies, you have to be a business of a certain scale and size, and largely that’s enterprise. So we are an enterprise business. It’s just when you’re our size, you also have to think a little like sort of a little intentionally about how you choose who to work with, whether they’re sort of bought into your vision, and whether it can be a strong partnership. Right. And you can kind of deliver. So it is what I like, it is top down. Right. It is sort of like a classic enterprise motion, but it’s also sort of coming from this very like strong product partnership perspective.
Umaimah Khan
So having people actually test out the product, having people like, give their feedback, seeing the value in those evaluations. Right. And then sort of like, sort of using that also as like an avenue for education.
Brett
What have you learned about building go to market teams so far?
Umaimah Khan
Oh, this is a fun one. I think the biggest thing is there’s two parts to this. One is how you hire teams in any business, especially in technical enterprise businesses. Go to market is not actually that different from engineering. And I remember really kind of having the sudden realization, like in the early days of building, sort of thinking about go to market. It’s not that dissimilar from systems engineering, and you’re working off certain assumptions. You’re thinking about scalability and robustness, and you also have to have a pretty high tolerance for experimentation and just trying things out. And I think that’s one thing that’s really important. There’s not, like, there aren’t playbooks, like, you know, in cloud enterprises, like, you know, we talk about triple thrice, double or triple twice, double thrice.
Umaimah Khan
And, you know, there are businesses like Rubrik, for example, who have, like, completely blown past those expectations because they’ve maybe been, like, a little bit more open to trying some things out and not others. So I think one understanding. Understanding kind of where you’re at as a business, being open to experimentation and hiring for a team, an early team that is open to experimenting and is sort of like high curiosity, willing to run around the field, figure out what it needs to be done. That’s important in technical products also having a very strong sort of the closest, the technical sales. So, like, having a strong kind of sales engineering team is important.
Umaimah Khan
On the other side, I think enablement and positioning is really critical, especially if you’re in a space like ours where you have lots of legacy tech, being able to very crisply explain what you do, why you do it, and why us and why now. All those classic things, you want to get ahead of the positioning, even maybe necessarily before all the pieces are in place in the product.
Brett
What’s that been like for you, learning positioning? I’m guessing you started the company not having spent a lot of time doing positioning in the past.
Umaimah Khan
That’s interesting. I mean, one of the things you always have to kind of, like, tempering yourself if you’re from, like, a really tactical background like myself, like, is you get in the weeds, you’re, you know, you spend all your time thinking about something, and you can kind of forget, like, when you’re in a sales call that you’re explaining something to somebody who’s, you know, just seeing it for the first time. And, like, they’re not as invested as you. Like. They’re here to learn. They’ve taken this meeting, and it’s, like, a little bit on you to, like, explain to them, like, why. And I think, like, you have to kind of fight that, like, instinct if you’re. If you’re the one who’s, like, sort of grinding yourself, right, to sort of be like, well, my baby isn’t ugly. It’s great, and it solves everything.
Umaimah Khan
So that’s one thing I would say. The other thing is just that, like, I don’t know, I, for me personally, I sort of just approached it as a learning experience and kind of had that framing before from having built an internal tool and having to basically sell it internally. It doesn’t feel that different because, you know, at the end of the day, we also sell to technical means. Security also is largely, I think people forget that there is like an element of empathy as well. Like recognizing that, like, people are under an immense amount of pressure, right, for them to even be considering a startup’s product for something like ours, which is, you know, changing access and infrastructure. That’s a lot of trust, like somebody’s putting in you.
Umaimah Khan
And just like labeling that and being able to speak to it and how you’re thinking about it and being prepared, I think goes a long way to date.
Brett
What do you think has been the most important go to market decision that you’ve made?
Umaimah Khan
Oh, wow, this is going to sound, this is kind of interesting. I think it was, it’s a combination of sort of having that conviction to go sell top down and not sort of widen the net and sell to whoever wanted to come through the door and not do PLG as a result of that. In the early days, it allowed us to be choosy in the enterprise and really build a mature product by having the ability to kind of partner strongly with folks who had very real enterprise problems.
Brett
As I mentioned there in the intro, you’ve raised about 32 million to date. What have you learned about fundraising throughout this journey?
Umaimah Khan
Well, it’s interesting. I think I just kind of approached it with an open mind and I’m always, like, very curious how other people approach these things. But maybe I kind of just sort of took it from first principles. Like, here’s the things that I know make a lot of sense for the business. Here’s where I think we’re headed. Here’s where I know that the numbers are. I want to just go and find the right folks who are aligned with us and want to be a part of this journey. And it’s my job to show them why this is a good bet. And I don’t know if that’s like a.
Umaimah Khan
If that’s really the answer you’re looking for, but I didn’t really, I don’t know, I didn’t read like anything on the Internet or really honestly, like, ask for a ton of advice, frankly, I sort of just kind of thought about it from a first principles perspective, which, by the way, like, was. I don’t add to each their own. I think it worked because I knew we had a strong product and then we were growing and it made sense and we had this very clear plan of how we were going to continue to grow.
Brett
How do you get good at thinking and operationalizing first principles thinking? I feel like everyone talks about it these days and it sounds great on paper, but it’s hard to actually execute on it, I think. Do you have any advice for the listeners on how to do that?
Umaimah Khan
Yeah, I mean, this is an interesting topic, I think for me personally. I mean, I was trained in first principles thinking in many ways. Right. I enjoy zero to one a lot. And one is you have to kind of be not scared of failure. Like, you have to, like, be willing to, like, widen the net and consider possibilities and perspectives, and you have to be willing to take in a lot of information without acting on it. And then you have to take a step back and ask yourself, what am I actually trying to solve for? And you get a ton of feedback, like, I mean, even like, especially in go to market, like, you can google a bunch of things and, you know, ask a bunch of people and everyone will have their perspective and advice.
Umaimah Khan
You have to kind of be very clear with yourself about what the axioms are and what you’re trying to solve for and then be comfortable with the fact that it might be wrong and that you’re going to have to change the axioms and try again. And I don’t know if that’s too high level, but I highlight that part because I think that’s the scariest part for a lot of people to really be comfortable in ambiguity and to ignore what other people or what conventional wisdom might be. Enterprise is so interesting because there are all these industry metrics and standards and ways to build businesses that seem to kind of follow similar patterns, and they do exist and you should take in that information.
Umaimah Khan
But at the same time, like, really big businesses, like Databricks, like, you know, they don’t necessarily follow a standard play. There is a ton of experimentation. It’s kind of obvious in the DNA that there was some first principles thinking that went into play.
Brett
Final question for you. Let’s zoom out three to five years into the future. What’s the big picture vision here?
Umaimah Khan
Yeah, like I said, I think this is one of the last great enterprise frontiers. And I also think it’s like a very exciting time to be thinking about access and authorization because, like, the world is undergoing yet another technological shift, which means you kind of get to be at the forefront of deciding what that looks like this is a little bit left field. But, like, you know, I talk about this sometimes. Like, a lot of AI regulation, for example, is largely around access because it’s easy to prescribe and define. And so being able to sort of help carve out what the future of identity security looks like and build a great business sort of in service to that, I think is like, it’s a big opportunity. I think this is a space where, like, there’s going to be a lot of competition.
Umaimah Khan
There’s going to be a lot of folks who try, a lot of really smart teams who try, and there’s only going to be a couple of big winners, but the winners who win will be big, basically.
Brett
Amazing. I love the vision. All right, we are up on time, so we’re going to have to wrap here before we do. If there’s any founders that are listening in that want to follow along with your journey, where should they go?
Umaimah Khan
Oh, well, you can follow us on LinkedIn and Opal Security. Reach out to us at any time. We’d love to talk, especially if you’re interested in what the future of least privilege looks like.
Brett
Amazing, UK.
Umaimah Khan
Thanks so much. You can visit us at opal.dev.
Brett
Perfect. Thanks so much for taking the time. Really appreciate it.
Umaimah Khan
All right. Thank you.
Brett
All right. That was awesome. You’re a great.