Follow us on - Linkedin, Instagram, Twitter, Youtube, Facebook

TRANSCRIPT

Tim:  You need to be real-Time. And as new exploits are getting published, as new zero days are made known as product companies disclose, new problems that need to be updated, you need to be on top of that, effectively, immediately because attackers’ cycles have collapsed so greatly.”

INTRO

Neelima: Hello, everyone. Welcome to another episode of ZeroToExit. This is Neelima and Ankur, your host. In today's show, we are pleased to have Tim Junio, Co-founder and CEO of Expanse and Attack Surface Management Company, which was acquired by Palo Alto Networks, not too long ago. He has over a decade of experience in cyber operations and large scale distributed sensing prior to co-founding Expanse, Tim worked at DARPA, Office of Secretary of Defense, and the CIA. Dr. Junio, and this is the only Time I'm going to refer to him as a Doctor, holds a Ph.D. from the University of Pennsylvania, and Master's and Bachelor's degree from Johns Hopkins University.

 In today's show, we'll get Tim to share his perspective on how our government thinks about cyber defense and in the process provide insights to future entrepreneurs who want to tap into the lucrative federal market? Hi, Tim. Welcome to the show.

Tim: Hi, Thank you so much for having me.

Neelima: Tim, you have a very unique background for a cybersecurity founder. Your first job out of college was with the CIA. Can you tell us why you decided to join the CIA? 

TIM’S FICTION BASED STEP IN CIA

Tim: So my original motive was not particularly thoughtful. I. Really liked James Bond movies. And as a kid wanting to grow up and be a secret agent, but that got more mature over time. And by late high school, I was particularly interested in counter terrorism. And, as a high school student, I was reading books on that subject and wrote about it in my college application essay as something I'd like to do, go work for CIA as an analyst doing counter-terrorism and this was before 9/11 . And so it was a little bit obscure of a topic. But then I actually went ahead and studied international relations at Johns Hopkins, applied to the CIA as an intern. So, I worked there when I was 20. So before I could legally drink alcohol, I was working at CIA headquarters, which was pretty cool. And then that converted into a full-Time staff position after I graduated.

Ankur: That was great. Thanks Tim. Thanks for being here and taking the Time. I know you had a busy executive. You also spent a lot of Time at DARPA, for the better part of the decade have been spending a lot of Time working for, or working with government agencies. Even like Silicon valley where I've kind of started my career and it's a bit of a taboo to sort of work in government, like versus enterprise. But in Israel, for example, where we're breeding some of the best security professionals, you gotta be working in the military, like two part question, I guess.

Number one, is that, what is the one thing about working for the federal government in, as a technologist that most people don't understand? And number two was, what are the things that you've learned now that you're back on the other side?

WHAT TECHNOLOGISTS MISS ABOUT FEDERAL GOVERNMENT?

Tim: So, I think the question of What technologists most miss about government is understanding how radically different the federal procurement process is. So basically what that means is sales is completely different and there are kind of three personas in how, at least I've built my own mental model of this.

MENTAL MODEL ON 3 PERSONAS

There's the FIRST PERSONA:  “Who actually wants to use your product as a tech company or person in a tech company.”

So you have the SECOND PERSONA (for the government agency) : “Who would actually use the product” and you have another persona, which is whoever is responsible for contracting. 

And then there's the THIRD PERSONA, (which is): “Who actually has the budget.”

Those are basically never the same people. So, it can be for prototyping, like the person who would actually be your user might have some budget for doing a proof of concept. But to do a meaningful sale and be what's called a program of record or a regular product that the government uses. Those aren't the same.

You have to convince the person who holds the purse. So to say, and then the person who is the contracts officer needs to also select you. And that could be a competitive process. Or if you're sole sourced, they have to follow the law that is very different from how selling to a company or selling to a consumer would look.

And then your person who wants to use your product needs to of course, be a champion all along and say they want it. And they may not have the money and they may not have the contracts officer moving quickly enough or, supportive enough and getting all three of those aligned is very challenging and it's something that I think software companies end up discovering when they decide it's time to enter public sector markets and hire specialists.

And if you're a founder of start-up and if you're thinking about selling to government, understanding this well, and like going and reading about resources for how to do sales to government actually will give you a disproportionate advantage because it's really hard to find the talent and bring them in to a start-up for that specialized knowledge on how do you sell to all three of those personas.

So, actually knowing that yourself could lead to huge revenues that are very hard to get in the private sector because the government is just so big. So in terms of other things that I've learned from selling to the government, the idea that the government is just like spending insane amounts of money is accurate but where it's spent matters a huge amount. So there are a bunch of pockets of things like the Defense Innovation Unit (DIU), and other kinds of prototyping shops like In-Q-Tel for the intelligence community, where they can go very quickly. But recognizing they're sort of a death valley of, you can do a proof of concept, but that doesn't mean Congress is going to appropriate funds in the budget for a federal agency.

MOTIONS IN SALES

These are completely different motions in sales. And so the first sale can actually be a pretty easy one, but actually having a recurring sale is extremely difficult because it literally requires an act of Congress. And so just looking at Who are the different people in Congress, not even like looking at who's the buyer who is the user, what's the agency, but from Congress, if you're selling to the defense department, there's an armed services committee, there's an appropriations committee. So, you need to be kind of recommended as part of what armed services is supervising, but then you also need to be in appropriations for the money actually being spent. And that's both in the Senate and the house. And then you have specialization in the technology area. And specialization is hard to find--

Ankur: Okay. 

Tim: --on Capitol hill. So imagine the average staffer who has to deal with everything from procuring software for IT all the way through they're dealing with foreign policy may be on, North Korea like these people are very busy and overtaxed for them to what a company does, especially if you're a startup with new technology is asking a lot. So it's pretty.

Ankur: It is. Yeah. And it is good for him by the way, the committee that manages all the others. So I think you provided a lot of good insight in terms of the buying process, but maybe take a step back for us a little bit, if you're an entrepreneur you're trying to sell into it, there are civilian agencies and then there are like three letter agencies, maybe if there is a two minute primer on, sort of, the big pockets of money when they are. And I think you touched upon this, but maybe crystallize it myself and our listeners who own the decision making process on which tools to select, and then who owns the budget, which aspects are centralized versus completely decentralized across the civilian agencies and these other agencies, that federal government has.

Tim: So, if you were to sort where the most money is spent on information technology across the board, many people don't realize the US government is number one on the planet. And then when you decompose that into different agencies, like you're asking about Ankur, you start with the defense.

ARMY : A TOP IT PROCURE

And then if you break up the defense department and look at different parts of it, I think the army is the top IT procure, on earth and then you have each of the military services and you have DOD agencies that are not military services like NSA, (National Security Agency), NGA (National Geospatial Intelligence Agency). And so on. Those are actually DOD agencies too. If you look outside of DMS, it's surprising which civilian agencies are actually spending huge amounts of money.

So, I think DMS is probably second because it has so many agencies grouped under it. And then you get to like health and human services, veterans affairs, but some of the biggest spenders in the world are actually the civilian agencies. Like health and human services. So then who is the buyer or who is the user?

So, for cybersecurity, part of what's interesting is, you do have CISOs, you have federal CISOs and federal CIO and CTOs. They may not necessarily be the people who have the budget, or who may even be the end users.

So that varies dramatically between the different parts of government. And so Congress can actually decide what product somebody uses. And so a military service may not actually be doing the whole selection process. Now, obviously there's stuff happening behind the scenes to coordinate because you don't want to buy a bunch of software that nobody wants, but in the end you could actually end up with appropriations deciding Congress, deciding, the executive branch, like White House, having some influence.

 But if you look at something like the Jedi contract award, which was apparently canceled in the latest news, that was a case where the vendor was effectively being chosen. And there was some coordination, with DOD, but like it was effectively, someone else's decision, not like the people, right, in a military branch who might be setting up a cloud instance in Microsoft or AWS, like they're very far removed from the decision of who's going to be the consolidated DOD cloud vendor. So, just using that as a very public example of how, depends a lot on the circumstances and You're usually going to be not the same person.

Neelima: Let's say as a company, You decided you're going to sell to the Federal, So there is the certification piece of it, but how should you also be thinking about structuring your sales team? What would your first sales hire look like?

GET TIPS ON STRUCTURING THE SALES TEAM

Tim: I would actually focus on behavioral interviewing above all else, because there's so much to figure out for the first time. Especially if you're in a new technology category, so if you're doing a startup that's competing with an existing category, maybe you want to go for more of a traditional federal sales persona, but if you're doing something that you would truly consider to be.

I would “focus on somebody who can deal with high degrees of uncertainty and hopefully is conversant in government, and maybe even transitioning out of government”.

So the kind of persona I would personally recommend would be somebody who, for example, might've been a congressional staffer or might have been a national security council staffer.

If you're trying to sell to the military or Intelligence customer, because even if they haven't sold software before, they're the kinds of people who need to learn a lot quickly and distill it. They need to create briefings. They need to create content. They write memos.

ENGAGE IN KNOWING THE MOST IMPORTANT SKILL SET

And so translating technology into something that a non-technology person can understand is actually the most important skill set. And then you kind of have to let them loose to figure things out, and you also have to be comfortable with the goals being possibly unachievable except on a Multi-Year Time horizon. So you need to commit to uncertainty, make that bet and figure out kind of a measurement of whether or not that person is doing a good job.

That can't just be a quarter revenue number because that's not how federal sales cycles work. Finally, I would say there are companies that you can look at and I wouldn't strongly endorse poaching from existing defense contractors, in technology, including cybersecurity. However there are definitely companies that have done this better than others. And so there is the possibility that you can find really good talent, looking at scaled businesses where maybe somebody would be interested in doing something at an earlier stage, and that's like a fit where maybe they would have left anyway. And so as an executive at Palo Alto Networks, I don't want to go endorsing poaching people from big tech companies.

POSITIVITY: However, sometimes the stars will align and you'll get a good candidate that way.

Ankur: Got it well said. The next question I have is more as a citizen than as an entrepreneurial or a product builder, which is that, our government spends give or take about $10 billion in cybersecurity, close to a trillion dollars in national defense and yet we see the election hacks and we see the colonial pipeline or the nation state actors, right,  really trying to get at our sensitive data. Like what's going to have to happen to flip the equation where the Congress people, a government has the recognition that cyber security is a percent of our total national defense budget? It's gotta be significantly higher than what it is today.

IT >>> CYBERSECURITY

Tim: You could also look at IT as kind of in between. And so cybersecurity has a ratio of IT, IT is as much bigger than cybersecurity. And this is the case in the private sector too. Security is something like five to 7% of IT spend, depending on which market segment you're looking at. So for part of overall national defense, I think that's a great question where, unfortunately, I like hardware is extremely expensive for the United States because, for defense you have to manufacture here and we have extremely expert labor, and it's just, you're going to have these insanely expensive programs like over trillion dollar over decade programs, like the F-35 program, et cetera, that will just continue.

Like you just need to have, defense of your airspace. And unfortunately for people who sell software, The psychology of the marginal cost. And this goes back to the nineties, right? Like Microsoft stamping out the next CD. We all know. And like pharmaceuticals, it's like the perception of the R&D costs to do the zero to one are high.

And then the incremental cost of the software is nothing. So I think there's still that perception problem and the wrapper of buying a solution and having services is actually part of the answer. So that's a practical answer for a company trying to do sales. If you're trying to just sell software or data or whatever, to the government, you're going to have the same pressure of what is the value pricing and wrapping it up as a solution like you can sell to the government, a software plus services at a much higher price.

So anyway, that's, kind of, a practical recommendation to people who are trying to sell to the government, but in terms of national. Policy, I think we are seeing the demand. 

So actually “the Biden administration had a discretionary budget that was worked out with Congress specifically for federal cybersecurity.”

And that was kind of an emergency response measure following SolarWinds and other, major events in the last year. And, as part of COVID emergency spending, work from home for federal workers was actually a cybersecurity spend category that was additive. So, I don't think there's an easy answer where people clearly recognize cybersecurity as a priority, but maybe there is some translation problem of how you would actually spend it.

So, like what's the of cybersecurity and this gets into a broader conversation about consolidation. Platforms. And how can you get more things from one vendor? And I think that is actually going to be part of the answer for how you have bigger cybersecurity budgets. Because right now, like where does the roughly 10 billion go that you were mentioning Ankur?

It goes to a very large number of things. Sold through big systems integrators. So like people actually buy cybersecurity from Raytheon, Lockheed Martin, et cetera, in addition to all those other things. So I think having cybersecurity from other companies that specialize in security. Like we do at Palo Alto networks, that actually starts to make it look more appealing to spend more money, because you're actually going to get more value than distributing your dollars over traditional systems integrators to go, and then subcontract to solve problems on like five to seven year time horizons, as opposed to you can buy what we're selling as software as a service today, it's a very different cybersecurity market. So I think that's part of how the perception could change in a way that's favorable to increase spend.

Neelima: Totally. And We're seeing SaaS adoption across the board in your enterprises, when do you think that the federal will start adopting SaaS products. Do you see that changing in the next couple of years?

SaaS ADOPTION BY THE FEDERAL GOVERNMENT

Tim:So, there's obviously a security problem. We're going all the way back to Edward Snowden and the insider threat. I think there was a bit of a trend toward more compartmentalization in parts of the government that have sensitive national security information that is, but then there's also sensitive personal identifiable information.

And in other events like the OPM hack and other government agencies that have been breached, unfortunately that creates a risk aversion to the government. Data is very sensitive. So imagine all of the mental health data you have on veterans who have PTSD and all that, kind of, sensitive treatment that they might not want their family or neighbors to know about.

You can just go through so many different examples. Imagine a military service member whose kid is getting health insurance benefits from the military, but they're on some kind of medication that would be embarrassing for outside parties to know about. I mean, you could just go on and on with those examples.

PONDER OVER GIVING CONTROL TO A THIRD PARTY

So I think if I'm giving control to a third party and even a software company that is generally trusted, by consumers and by other companies, in government, I think this concept that I learned a long time ago, how much classified information is acceptable to lose.

If you ask any agency head, they can't say any non-zero number, but zero is impossible, right? So it's actually a risk approach. But due to politics, both bureaucratic and then like electoral politics. It's extremely hard to get around. That problem. Whereas in the private sector, we do this all the time.

We say what's acceptable risk because I could only afford to spend so much on prevention and resilience of all kinds of different events, not just security events. And so you can actually get to numbers because you kind of have to, and then you have governance with the board of directors, et cetera. 

In government, it's extremely hard to get to like, what's the acceptable rate of failure in these kinds of areas. So last comment, which is more of a positive remark,

 “There is actually SaaS adoption happening in the government”.

And so if you look at mature SaaS companies and their revenue breakdown, when you do get to a state of like, nine figure ARR, you do start to have a public sector business that's serious, including up to, like 10% of ARR as a modern SaaS company.

I think the adoption could certainly be higher than we have been seeing. But, I don't think so. completely not a trend. I would say, yeah. Trend. And part of the challenge is the upgrade cycles are long. So the last comment I'll make is just when the government wants to go from on-prem to a SaaS product, you have to be cognizant of when the on-prem contract ends.

So, contracts are also potentially awarded for a really long Time. And then they have services, contracts attached to them and possibly staff augmentation. Contracts attached to them. So you actually have to have multiple things happen simultaneously to move from one technology choice to another in the federal government, complicated by a lot of the reasons I described earlier related to.

Ankur: Staying on that subject. I do want to spend a little bit of Time on obviously your journey in Expanse, which obviously, you had an incredibly successful exit in a relatively short division that was acquired by Palo Alto, too long ago, but before we start there, Equifax and Capital ONE happen not too long ago. It's still in the average consumer psyche. Perhaps, describe what Expanse does or did, and, and tied up with like what happened with Equifax and Capital ONE so that our listeners understand sort of the key constructs of the technology.

EXPANSE : AN ATTACK SURFACE MANAGEMENT COMPANY

Tim: The product category we created at Expanse is Attack Surface Management, and we do continue to sell attack surface management as a solution from Palo Alto networks, with cortex Expanse and, what attack surface management means is basically, that we are now dependent on public internet for the backbone of almost all IT operations.

So completely closed and private networks almost don't exist. So even ones that people think are effectively air gapped, actually often have some kind of bridge to the internet. We are increasingly moving toward zero trust architecture. And other network architectures that are running over the public internet.

ATTACK SURFACE

We are increasingly going in a direction where large organizations don't have full control and they have to have security between their assets. So they need to continue to have private communications while using the public internet. 

So, “The attack surface is any aspect of the network that can be communicated with via the public internet.”

And so what we did is build a platform to identify for organizations, “What is everything that is round-table over the public internet that is exposed over the public internet?.” And then what is the security risk associated with each of those? So in some classes, of devices or assets, the asset or device should never be on the internet period.

So imagine something like an industrial control system should never probably be connected to the public internet. You'd have to have a really good reason. And then there are categories of things that are supposed to be on the internet, but are unpatched. So for example, you have a web app, but it's not up to date and it's exploitable immediately with things that we know are publicly accessible, open source, et cetera. And then in between, there's kind of a gray area of what's an organization's policy. So are there services that are permitted to be internet facing under some circumstances and not others? So for example, you could have part of your network for research and you don't care what anybody does there because it's a research network and it shouldn't be connected to the rest of your network.

And part of the intelligence that expands can provide is down to an individual internet protocol address or a particular IP address range or a segment of the network, what is supposed to be the policy? And what do we see? Like what can Expanse observe as we do continuous monitoring for the customer? So we can say, oh, this policy was violated on the core corporate network and you permitted it elsewhere, but you do not permit it for the core corporate network.

And so that level of intelligence is native to the product. When we set up a customer, when we do onboarding. We go through that process and we can start with, what do you want globally? So these things should never be online. Okay. Check phase one, phase two. More granular. Fine-grained rather, for different parts of the network, what are supposed to be the policies for what is permissible, not permissible by employees on what they're doing on the public internet.

And then we can do all of what I just described for commercial cloud environments, which is obviously a big deal. So how is AWS supposed to look? How is Azzure supposed to look and similarly segment four business units. And then on top of all of that, you have complexity of change. So, as part of a tax surface management organization, grow and contract, they do acquisitions.They sell. They create cloud environments, they stand down cloud environments. So as the network is changing, how do you ensure continuous visibility into all of the network? So a major part of our technology platform is just the mapping component and attribution component of what across the entire internet belongs to the customer organization. As the customer organization day to day looks different.

Neelima: A follow-up on what you've often talked about, companies buying a lot of flashy security products, but not focusing on the security hygiene. Can you talk a little bit more about that? 

A DEEP PERSPECTIVE ON SECURITY HYGIENE

Tim: In the kind of media narrative until pretty recently, there was a focus on the nation-state level actor and companies having kind of a learned helplessness around, oh, it was a government. So what are you supposed to do? Like if they have that level of capability, but in, I would say especially the last year or two, we have seen a very large number of events associated with purely bad hygiene, poor hygiene. And that means, misconfigurations, failure to understand that assets were exposed on the public internet. And even though. Organizationally, they might have known that something should not have happened. It did in fact happen and the security team, the IT team were unable to, get alerted to it and act on it quickly enough.

An example this year that has been in the news(25:35) quite a bit is ransomware. And organizations having exposed a windows, remote desktop protocol, a very common way in which a low class of criminal actor could get access to a network, even one that spends a lot on security products and that kind of low-hanging fruit unfortunately, because of the availability of open source tools. The low cost of cloud hosting makes it possible for attackers to search the entire internet for available targets, as opposed to trying really hard to get into a particular company. And so that changed logic, which has really accelerated over the last year or two.

 I think it is the central idea to respond to your question Neelima, of what's going on with hygiene versus sophisticated attacks. And there's this quote, it's a little old now, but he's still actually a prominent figure in government. A guy named Rob Joyce, who is an NSA official, made a comment at a public conference that if you're a security person and you're doing all of your checks and 97 out of a 100 are fine. you shouldn't feel good. Because those last three, the ones that might be associated with hygiene, like things that are basic compliance, those three are where the attackers are gonna focus. 

It's where governments are going to focus, if they're targeting you. And it's where opportunistic attackers are eventually going to find that you have left something exposed. And that mentality is very different from mine. I feel great because my pen testing report was mostly fine. That's not the case anymore. 

TAKEAWAY: “You need to be real-Time. And as new exploits are getting published, as new zero days are made known as product companies disclose, new problems that need to be updated, you need to be on top of that, effectively, immediately because attackers’ cycles have collapsed so greatly.”

 So, with something as recent as the Microsoft exchange server, exploits that were published earlier this year, we have seen, organization time to remediation in the Fortune-500 drop to a few days on average, which is an unbelievable, almost unbelievable improvement, from say five years ago when we were first putting our product to market from Expanse.

So, I think that we've actually been trending in the right direction. In the market, recognizing that attack surface management is really important and that hygiene is not actually something that is low cost and low importance, but actually has to be part of your absolute first line of defense, or you're going to have an expensive, bad day.

Ankur: Got it. I'd imagine that a big part of the poor hygiene is a function of the cloud and how easy it is to build and ship applications right now and approve them, given the cloud. Do customers still have to make the trade off between easy and secure? Because they're not going to be able to tell the developers to stop developing and shipping fast.

A SHIFT: TRADITIONAL MECHANISMS TO CLOUD

It's just a function of, they're going to have to shift their focus from the traditional mechanisms to secure their applications to now focusing a little bit more on cloud to mitigate this poor hygiene problem.

Tim: I don't think we yet know what cloud security will look like at maturity because the way that security has functioned has been kind of independent of how cloud is set up and deployed. And so some of those personas are emerging. Like how DevOps might be more responsible for security.

And so you have SecDevOps as a new category. But for cloud, if you have to do an investigation or there's a threat, then it's still traditional. Security operation centers for the most part that have to respond and that is not a specialized function yet. And except for some very large organizations that have made those investments.

But it's actually a new set of problems because employees can use their credit cards to pay for things and do activities in the cloud. That's completely outside of traditional IT. We have a new set of problems. the democratization of access to extremely powerful computation and data storage, where you can just put huge amounts of sensitive data in a cloud environment with no IT policies haven't been followed and the most sophisticated organizations have built a lot of controls to try and prevent that sort of thing from happening. 

But the kinds of controls that I'm aware of for even the biggest IT and security spenders are things like we automatically look in purchase order for spending on AWS and credit card statements for spending on GCP to figure out that employees have done Shadow IT. It's not actually a technology first solution, a very small segment of the market. Does things like use products such as from, Expanse for discovery in cloud, or has deployed a product like Prisma for all of their cloud environments, as opposed to part of their cloud environments. 

So a challenge is even if you have a best in class, cloud security suite, like from Prisma cloud, you have to put it everywhere. And do you actually know everything that your employees are doing? That's a really hard problem. So you've got a discovery problem and you've got a configuration problem and you've got an investigation remediation that how do you deal with threats? Set of problems. So I think putting them all together, It's not actually one organization today. And over the next couple of years, we're going to be seeing, in my opinion, more of that emerging with standards and best practices, personas that are specific to cloud security and organizations, forming within companies and within government agencies.

So, we have seen at the leading edge things like a cloud security center of excellence, but that's not quite a CloudSOC, yet. And I think we're going to see the evolution of cloud security into something that is a more specialized function, which may be within SOC for some customers or as a separate function for others, depending on how they manage their IT and Security.

But I don't think there is yet a fixed set of patterns that we can say is the organizational solution to the Cloud Security problem. 

Ankur: You've had one of the most successful exits in recent memory in our industry. As a matter of fact, it might be one of the biggest yeah. Palo Alto has had a lot of acquisitions.I guess the question I have for you is, what does the process of getting acquired look like? How do you negotiate to get the top dollars and what's good for you and your employees?

TIM’S ADVICE TO FIT IN THE TOP ROLE

Tim: We didn't set out when we created Expanse to chart any particular course. So I wasn't looking to sell the company or necessarily IPO or necessarily, you know, stay private forever. So we knew we had some great ideas about what we wanted to do from a technology perspective. But we didn't have a particular outcome in mind. And so, our acquisition came about through personal conversations between me and Nikesh, the CEO of Palo Alto Networks. And, I think what motivated our team, in the course of getting to know Palo Alto networks, was the idea of being part of something bigger, having more resources, being, within the largest cybersecurity product company on earth as giving us away to take what we were doing for Attack Surface Management to the entire global market, much faster than we could have done as an independent. And better because of how we would be able to make it work with other Palo Alto networks products. So I'd say, the early motivation, why would you sell your company?, came through, really I joined a product related conversation of this could be a partnership, and it could turn into potentially more. And Palo Alto Networks was actually a customer, and it ended up turning into more. Which was great for us. So, in terms of advice regarding a negotiation and going through an MNA process, I would say, it's first off, you should recognize it's going to be emotionally very taxing.

It's first off hard thinking about selling your company, and selling your company and going through the actual process. Probably if you have a startup, you are really good at something that is- Investment banking or negotiating deals, and your board, an advisor probably have a lot of experience in this regard and they're going to be able to help you.

But at the same time, there's just a huge amount that you're going to have to learn to be successful. And so talking to other founders who have gone through the process, how they learned and kind of getting a 360 as best you can. Of what's happening from a legal perspective, a contracts perspective. Like, What is the revenue story on the other side? Like how do you think the potential acquirer is pitching your acquisition to their board? And we'll tell the story of why it was a good idea. That might be very different from your story of why you would sell or we're thinking of selling. So I would say my advice on going through the process would be recognize you have to build the time for you're doing something you've probably not done before, unless you happen to be a repeat, founder selling your company, in which case, but going through it for the first time, the complexity is tremendous and, worth it, like to actually invest the time, in my opinion, in trying to learn as many different details as possible and not just let, all the components get, specialized by people you hire.

Thinking like an owner and recognizing you may have created a great product. You may have created a great technology, you might've done great sales to your initial customers and great distribution, but you've actually got to do something totally different. Going through the process of becoming part of a bigger company, is super important to recognize as early as possible, and then carve out the Time and get good at it.

Neelima: Last question. Before we wrap up the episode, besides the negotiation, and the selling aspects, are there any other lessons that you can share as an entrepreneurial CEO and a leader? 

LESSONS TO IMBIBE FROM THE ENTREPRENEURIAL CEO

Tim: I would say the most important personal lesson, looking back is, how many times my job changed as the CEO-Founder. And I hope it doesn't sound too cliche, but the different steps of growth for a startup really do require a bit of reinvention of yourself as a leader, as a manager, working with your team and actually being part of an initial building of a prototype is extremely different from trying to scale. And obviously continuing to double year after year after year, is a very different job in terms of distribution size of team kinds of talent, and the initial biases you might have about wanting to work very closely with a certain class of tech persona and Grasping instead as a multi hundred person team, how you bring a product, not just to market, but then sustain it.

And for me that was Enterprise software. And so recognizing the difference between the first six customers being incredibly happy and supportive and helping us design future products through the, how do you have thousands of customers under the scope of responsibility. You know, now at Palo Alto networks, it is a completely different job.

And so that happens over and over during the course of a startup's history, if you're successful. And so thinking ahead of where I need to be as a leader and manager, Six months from now?

 And I kept saying manager, not just a leader because actually getting the people component right. And understanding how your team is working or not working is going to almost certainly determine how quickly or slowly you operate as an organization. You're going to be reinventing yourself, literally that quickly, like every six months you have something new.

That was, required for your skill set that was not previously part of your skill set or required for your, be successful, realizing that that's the pace at which you're going to have to change and getting comfortable with that, like psychologically getting on board with that. And then also getting ahead finding the right people to help you get to the next stage, which may not be the same people who helped you earlier in your personal growth curve, I think is the most important lesson that I could impart to anyone who's early at it.

Ankur: Yeah. Thank you so much, Tim. Really appreciate you taking the Time. 

Tim: Thank you again for having me on the podcast today. Really appreciate it.