Techstrong TV: Behind the Scenes of Reaching Unicorn Valuation
On, Tuesday, 2/22 Beyond Identity announced new funding for invisible, un-phishable MFA that pushes the company into a Unicorn valuation. The video and a transcript of the conversation are below.
[Music Playing]
Recorded Voice: This is Digital Anarchist.
Alan Shimel: Hey, everyone. Welcome to another Techstrong TV segment. I’m really happy to have my friend Tom Jermoluk, TJ, returning to us here on Techstrong TV with some great news from the Beyond Identity team. Tom, welcome back to Techstrong TV.
TJ Jermoluk: Thanks, Alan. Really great to see you again.
Shimel: You don’t mind if I say TJ, ’cause I find –
Jermoluk: No. TJ’s easy. That’s what everybody –
Shimel: Yeah, I find it easier. So TJ, it’s probably been – I’m gonna guess it’s been eight or nine months, I think, since maybe the last time we had you on. And I’m sure you guys have been busy, and you’re gonna share with our audience. But before we get to the news, let’s make sure we kinda level set. Not everyone may know or be familiar with Beyond Identity. Why don’t you, if you don’t mind, give people a little – kinda the elevator pitch, if you will, for Beyond Identity.
Jermoluk: Sure. Well, we were born with the simple idea that passwords are the root of all evil. There’s no such thing as a shared secret. What’s the old joke? A secret’s something you tell one person at a time. And then they get around. And if you look at all the mess that’s gone on in the cybersecurity field over the last 10 or 20 years, it all starts because you have this password there.
And people try, “Well, let’s add more characters. Let’s make you change it every 30 days.” And nothing works. And what’s happened is that all these industries have sprung up, like MFA and VPN and – that just add layers and layers, Band-Aids on the open wound of passwords, if you will, trying to make them more secure, unsuccessfully, but adding tremendous friction to the user’s experience.
“Oh, I’ve gotta enter another factor. I’ve gotta get a code. I’ve gotta use my phone to authorize my – ” whatever it might be. And people don’t like it. So the adoption in the industry of these other forms have been – has been very low.
So we started out with a different premise, which is just, let’s remove the password from the architecture altogether. Amazon doesn’t use a password when it goes to get paid by Visa for a transaction when you buy something on Amazon. It uses standard asymmetric public-key cryptography. Only why hasn’t anybody ever taken that and included the users in that? And that’s what we do. So for the first time, we take what’s used on the web and we extend it out and we allow users, on your phone, on your laptop, on your tablet, your desktop at work, to use exactly that same scalable secure technology that banks and e-commerce companies use to move trillions of dollars every day. So that was our premise.
Shimel: Yeah. Absolutely. And TJ, I don’t mean to embarrass you, but this isn’t your first foray into SSL and Secure Socket Layers and stuff like that. You’ve been do – you were there when it was invented, right? You help – you were part of the team that brought this to the web –
Jermoluk: To the internet.
Shimel: – back in Netscape, right, with Jim Clark, and of course the whole net – Marc and Jason and the whole team there.
Jermoluk: Right.
Shimel: It is funny – not funny. I guess “funny”s not the right word. It’s questionable why, when we had this technology for so long and we’ve all known that passwords – I’m in security 20, 25 years. It’s been an issue. It’s been an issue. And we – why hasn’t anyone kinda taken this approach to it?
Jermoluk: I know, it’s – that’s a great question. But look, until somebody rolled a stone-cut wheel up to the other person and said, “Hey, look at this,” nobody thought of it. When I went to Tahar Elgamal, who wrote the original SSL X.509 protocol that’s still in use today, when at Netscape, working with Jim – Jim Clark, of course, has been my partner for 35 years now. And he got the Marconi award for doing that, Tahar did, and has been advisor to our company. And when we first went to him and said, “Hey, we have this idea about how to put that on users’ machines. Here’s what we can – here’s how we can do it,” and he looked at me and he thought about it as we explained it.
And he goes, “How did I never think of this?” And then he goes, “Wait, no. How did nobody ever think of this?” And we’re like – like a lotta things, it is absolutely simple – like when I explain it to potential customers or partners, in five minutes, they get it, like, “Oh, my God, I – ” so it’s just one of those things that sometimes it’s sitting there waiting for somebody to think of doing it that way, turning the problem on its heads, so to speak. And it’s been fantastic. So Taher was on our technical advisory board, and now he’s actually joining our full board as the representative of Evolution Equity Partners, who’s our lead investor for our new Series C round.
Shimel: Great. Very cool. Well, that – that’s a great segue. That’s what we – that’s what we’re here to talk a little bit about. You kind of alluded to it. Give us the news on that.
Jermoluk: Yeah. So we’ve just closed our Series C financing. We raised a hundred million dollars for the company, all new money, all primary investment in the company. We’re very excited about it. Taher Elgamal will be joining our board, our board of directors, representing Evolution Equity Partners, who’s our lead in that.
We have some great other partners who’ve joined in. They’re a tremendous experienced investor in cybersecurity, have followed the company and known a number of people on my team for a long time, so it’s really great having them partner with us. We also have potential partners who are based in Australia and will help us with our Asia Pacific expansion, and Expanding Capital, who come out of Latin American and will help us with our expansion there, as well. So we’ve got some really good people who’ve joined in the round who are gonna help us kind of launch this next growth phase for the company.
Shimel: That’s fantastic. And look, in today’s world, after two years of dealing with the COVID stuff, it’s good to be thinking about global expansion, right? I think a lot of – I mean, even us here at MediaOps, we’re – excuse me, Techstrong, formerly MediaOps, we’re looking at doing in-person events this year. And our initial thing was, “Well, let’s stick to North America for now. We’ll stay in NFL cities. And then Q3, Q4, if things are good, we’ll look for EMEA and then APAC after.” But I think we’re all hoping, TJ, that we go back to being a global economy, and that – especially in the tech space, we don’t know borders, right? We bring solutions to the world.
Jermoluk: That’s right.
Shimel: And – important.
Jermoluk: We’re –
Shimel: So let’s talk – I’m sorry, go ahead.
Jermoluk: I was just gonna say we expanded last year into EMEA. And we’ve started traveling again over to EMEA for conferences and customer visits. Myself and my team are out here right now in California, in Silicon Valley. We have quite a few customer visits in person. So it’s really – you’re feeling like some of that is starting to open up again. I think we all learned that having Zoom available is tremendous. It’s been a great benefit for us in the era of COVID and remote work, to be able to stay connected. But there are certain activities that are still better done in a face-to-face setting.
Shimel: Most, yeah.
Jermoluk: And certainly the ones in our industry, where we’re very tech-forward, very creative, very innovative, it helps to be sitting in front of a whiteboard. When a customer asks a question or comes up with an idea, you can just go up and sketch out, “Okay, here’s what we do in the architecture. Here’s how it could solve that problem. Here’s where we’re going” and, in a very simple interchange, be able to get very complicated ideas across. So I think there’s no substitute for some part of our time being back in an in-person setting.
Shimel: I couldn’t agree more with you. I – Zoom – when you’re – what’s the saying? When you’re at one-eyed man in the land of the blind, you’re the king, right?
Jermoluk: You’re the king. That’s right.
Shimel: Right. But it’s a poor substitute. Anyway, all right. So hundred million dollars is a lotta of money. What does it mean for beyond –beyond expanding globally into new markets, from a – from a technology – from a solution perspective, for our audience, what might we expect to see kind of new product or features in?
Jermoluk: Yeah. So our product originally, we launched, was intended for companies to protect their employees and their own internal assets, their data and their network and their servers and their employees, from outside attacks. We are shifting to be able to also support two other populations for a company, that is, their customers – so a direct effect from a e-commerce company or a service provider to their customers and downloading their applications onto those customer computers or allowing browser access, to be able to protect that securely, so customer setup, and then also developer setup. The supply chain hacks that have happened, SolarWinds being the best example, but there’s been so many of them, all have to do with malware being injected into your source code system by bad actors and then not being found by whatever process you’re sort of searching through your code before it gets compiled and sent out down the supply chain. So we created, from our core product, the only product in the industry that actually verifies and signs the code as it goes into the source code directory. So we’re on what we call the prevention side instead of detection and response. There’s a lotta people who play later in the – in the stack, and they’re trying to find bad malware once it’s in the source code and respond to that. Well, we’re like, “Well, why don’t you prevent it from going in in the first place?”
So today, when people use a source code repository, GitHub, GitLab, GitBucket – and it’s not a fault of theirs, but those systems have no way to protect and identify who’s checking the code in. So SSH keys, GPG keys, are just commonly used by developers on any system to push code in. And now, what we have is a system whereby we know that TJ checked that code in. So if there’s anything wrong, we can go back and say, “Hey, TJ, what was up with this code,” instead of you going into your Git repository and it says, “Who checked that code in,” it says, “Daffy Duck” because the developer can make it be anything they want. So that’s a very –
Shimel: And sometimes developers like to do that, too, by the way.
Jermoluk: Oh, all the time, all the time.
Shimel: Yeah.
Jermoluk: Or it’ll be a machine name or something that you don’t know how to type _____.
Shimel: Agreed.
Jermoluk: So that’s – those areas are taking our current product and going to these adjacent markets with the same technology so we’re able to have a go-to-market strategy into employees, into customers, and into developers. And so that’s what we’re gonna be pushing on with this new funding and capital, is expansion of the product into these new markets.
Shimel: Yep. TJ, from my time in startup world, you always get into the argument, is that a feature or a product? It would seem to me, as it – as it – as it applies to Git, or repositories in general, not just Git, that that should be a feature of every repository, the secured identity of those who are uploading to it. And I don’t know. It sounds like a great BizDev kinda role for someone to go out and do OEMs into the repository providers. That should be built into every repo.
Jermoluk: Yeah. Well, we’ve already got joint marketing agreements with all of them. They’re very, very excited about it. And we’re in their online marketplace. People can select us as one of the tools that you can use for the – for those repositories. So they’ve been very supportive of the whole thing.
Shimel: Yeah. I would imagine.
Jermoluk: And yeah, we’re totally open – if they wanna actually integrate it into the product, obviously, that would be fantastic thing for their companies, as well. Look, they wanna be as secure as possible, so they’re very open-minded towards these kinds of innovations. For us, the benefit of doing it is that it’s already part of our product, so why not offer it that way? So we didn’t have to invent it as a separate feature, if you will. It was already part of how we do our core architecture.
Shimel: Sure.
Jermoluk: Yeah.
Shimel: Yeah, no. Well, it’s a case of – for Beyond Identity, it’s a product, right?
Jermoluk: Yes.
Shimel: For the Git – or for the repository people –
Jermoluk: Right. It’s a _____.
Shimel: – it has to be a feature of them.
Jermoluk: _____.
Shimel: But like everything else, it’ll happen when their customers ask for it.
Jermoluk: Right.
Shimel: Right? ‘Cause that’s what that makes the world go round.
Jermoluk: And they are.
Shimel: And they are. They have _____ –
Jermoluk: There’s a number of companies working in secure DevOps that basically try and take your source code repository and run these tests against it to try and find malware, “Oh, this string or that string or that configuration,” just like McAfee runs on your computer looking for viruses and that sorta thing. But again, that’s all the next step down. It’s after the fact. That means the malware already found its way into your system. And so there’s two problems with doing that way. One is that it’s already there instead of having been blocked.
The second is if you find it and try and go back to see who put it in, you can’t find out who put it in. So you might find that code. Great. But you can’t go back and say, “Oh, it was this person, and that’s how it got in. And let’s stop that from happening.”
So we’re complementary to those. There’s nothing wrong with detection and response. I’m all – big fan. You wanna protect at every different level. But the industry has to focus a lot more on preventative than they have in the past.
It’s the same thing with endpoints. CrowdStrike, SentinelOne, these people are doing a fantastic job at detection and response for looking for all these threat factors. That’s great. But hey, how ’bout preventing it in the first place by stopping all this credential theft? Everybody knows that ransomware comes from account takeover and credential theft. I mean, the vast majority of it is caused by those kinds of intrusions. So let’s stop that. Let’s slam the door on all this account takeover stuff, close that whole attack vector down, and move on to other forms of security, zero-trust.
Shimel: I agree. Absolutely. I think as it – as it relates to development today, app development, what we’ve seen here is that it’s not just the person who’s uploading their code. Today’s applications are kinda Frankensteins of a lotta third-party code, a lotta third-party components.
Jermoluk: Open source.
Shimel: And that is a – right, open source, whatever, right? And that’s another place where – for instance, in the world of containers, I may have a contain – there may be a very popular container that everyone uses for this particular function, and that container and its payload is called ABC. And then someone else puts up a container called ABC1, but the “1” is a little – and people don’t realize it. And they hit “ABC1” instead of “ABC.” And they – boom, [claps] they brought in malware.
Jermoluk: That’s right.
Shimel: Right?
Jermoluk: “ABC version 2. Oh, I want version 2.”
Shimel: Exactly.
Jermoluk: Yeah.
Shimel: “Oh, yeah, I got the latest one.” So – and again, if you have a means of verifying – not scanning the payload of the container. Yes, you could do that. But it would be good if right off the bat, we say, “Hey, wait a second. This isn’t what it claims to be. This isn’t from whom it purports to be or should be or would be.” And it gets into this whole identity thing of not only people identity, but machine identity –
Jermoluk: Machine – that’s right.
Shimel: – and everything.
Jermoluk: You have to have both. You have to have both.
Shimel: Yep.
Jermoluk: Yep.
Shimel: No doubt about it. Anyway, man, this is great. TJ, first of all, congratulations.
Jermoluk: Thank you.
Shimel: You’ve done this once or twice, but raising a hundred million dollars is still a hundred million dollars, right? And it’s a decent amount of money. It’ll allow you guys to continue on this mission, to get beyond –
Jermoluk: We’re very, very appreciative of our current investors who invested alongside, of course, and the new investors that’ve come in. We can’t be more appreciative. ‘Cause it gives us plenty enough funding that for the next three years, we just keep our head down, hire more great people, and keep putting out great product and adding great customers and not having to worry about going to the markets or what’s going on with the ups and downs of the external stock market. It’s always a nice luxury to have when you’re a startup, focus on what we do, which is do insanely great new technology that’s gonna really help change the lives of the companies that we partner with.
Shimel: Yep. I don’t know of anyone who’s dying to play with the stock market right now.
Jermoluk: No.
Shimel: Anyway – who knows what’s coming? TJ, congratulations. Thanks for the update. Hey, you know what? For people who wanna get information on Beyond Identity, it’s beyondidentity.com?
Jermoluk: That’s right, www.beyondidentity.com.
Shimel: Perfect. Hey, congratulations. It’s great seeing you. I know – well, you’re down here in Florida, usually, where we are. Come visit us. Let’s do something in-person in studio next time.
Jermoluk: Great. Great to see you again, Alan.
Shimel: All right.
Jermoluk: Be well.
Shimel: Good luck.
Jermoluk: Okay.
Shimel: Be well. Tom Jermoluk, CEO Beyond Identity, raising a hundred million dollars to help remove the scourge of passwords. TJ, we’ll be in touch. Bye-bye.
Jermoluk: Thank you.
Shimel: We’re gonna take a break. We’ll be right back with our next guest.
[Music Playing]
[End of Audio]