Special RSAC Episode with Karl Mattson

Deepak Jeevankumar (00:32.782)
And welcome Karl, how are you doing today?

Karl Mattson
I'm doing great. Thanks for the invitation, Deepak.

Deepak Jeevankumar
Yeah, and it's great to have you in this DTC podcast. So let's start with the key topic of discussion today, the RSA conference, the most well known and famous conference in cybersecurity. So a quick trivia question for you, how many RSACs have you been to?

Karl Mattson
I think about maybe eight or so. I haven't gone every year of my whole career. I know there's a lot of people who've been going maybe 20 years, but I've probably only been maybe eight times.

Deepak Jeevankumar
Okay, any memorable incident you would like to recollect over the last eight plus times you've been to the conference?

Karl Mattson (01:13.89)
My best RSAC memories are having coffee or meetings with young founders, like right at the initial moment they founded a company. I remember meeting with the Wiz founders and then, in a lobby of a hotel, meeting with the Noname founders, who later became my employers where I worked at Noname. So there's about a half dozen of those founder teams that I remember meeting at RSA, you know, over a coffee, and then now, years later, they're, you know, billion dollar companies or major exits. And so those are really fond memories for me at RSAC.

Deepak Jeevankumar
No, that's amazing to know that you actually meet with early stage startup founders who are just getting started. Not many CISOs do that. We will bank that for a little bit, for a few minutes, and come back to it. So let's talk about the themes for this year's RSA conference. We probably saw the Innovation Sandbox winners announced today, our day of recording. Anything that stands out for you from those themes?

Do you agree with those? Or do you want to say, wish we had more of these?

Karl Mattson
Well, first of all, the sandbox has always had a prestige to it. So the ability for the RSA Conference to showcase those most innovative companies has really been remarkable. And I think that this year is no exception, as there's obviously a big emphasis on AI. But what is sort of unknowable this year is whether there were any amazing companies who were deterred from applying this year because of changing the application model and the investment involved.

Karl Mattson (02:48.302)
Now, and so I think there's definitely the possibility that there are a couple of companies that we're not going to get to see this year that we maybe would have seen in these historical years.

Deepak
Okay, okay. So let's dig a little bit more into the AI theme. Where do you think the industry is going with AI? More specifically, where do you think AI can be used to make security better? What is your thesis? And where do you think people are going on a wild goose chase where you don't think AI can be used to make security better?

Karl Mattson
Well, I think that generally we're coalescing on AI categories. And so I think of it as sort of like a tic-tac-toe board of functions. So there's AI for companies who are developing custom software and using models. And there's AI technologies that are there to secure from data loss and discover shadow IT use of AI. There's LLM firewalls. And so I think we've now coalesced into the sort of six or seven categories of AI.

And so now that companies are sort of, we're seeing a couple of companies now emerge in each of those sort of categories as sort of providing that capability, to some degree providing some market leadership. And so now we're starting to see the signal arising from the noise of AI security. And over time, I think we might, perhaps we'll see some platformization across AI, but right now we're actually seeing the opposite, which is the specificity of AI solutions is their advantage. And only tackling one of those quadrants, not trying to do the whole thing. And so that specialization is really serving a couple of companies very well. We think that, you know, at Endor, our focus on open source LLMs, that's our focus there, is a big advantage to us, not trying to do the whole of AI security. And so I think that's the trend right now.

Deepak (04:41.582)
Maybe talking a little bit about how the Innovation Sandbox helped Endor. Can you shed some light on that? And do you think this is a good use of startups' time to apply for the Innovation Sandbox? And how do you actually get mileage out of it? It's not just enough to apply and be featured. You need to get mileage out of it. What's your advice?

Karl Mattson
Well, I think that the RSA sandbox, along with so many things that you do for the analyst community or for brand awareness or for marketing and sales, you really have to look at them as a basket of investments of your time and effort. A company investing their time into applying for, and really nailing, the Innovation Sandbox, there's a return for that, but it is only one of 10, 20 ingredients in a whole go-to-market strategy. And so for us, there's a credibility that comes with the sandbox and being a finalist there. The analyst community certainly pays attention. The investor community pays attention. There are certain practitioners who pay attention. But I think that overwhelmingly it's just important that we try to not, any company putting all of their eggs in one basket is going to be, you know, over-specializing. And you have to have your attention in a lot of different areas, kind of placing bets on where you're going to attract the attention of the customer that you're looking for. And so for us, it was big, certainly, but it was just one of several things in the toolkit of coming to market as an early stage company.

Deepak
Great, great. So let's shift gears a little bit to talk about the voice of the CISO. And as you have been CISO of many different kinds of companies, startups, big established Fortune 500 companies, I'm sure you keep talking to your peers very often. So can you shed some light for our podcast listeners on what is top of mind for CISOs this week? What are they talking about? Whether it's macroeconomics, AI, anything.

Karl Mattson
Oh, just yesterday, I spent the day in New York City with a group of about 50 CISOs. And honestly, the only thing people wanted to talk about was tariffs. And that may sound odd coming from a security community practitioner, but the theme there is macroeconomic wind, and is there a rising or a sinking tide of macroeconomic pressure that will cascade to all of technology or all of security investment this coming year? So I think that very much the CISO who aspires to be business aligned, you aspire to have your security strategy aligned with where your business unit's going, how it drives revenue, how its share price is perceived in the market with its shareholder value. Those aspects have to be prominent now for a CISO to be a credible voice at the table on a security matter. You also have to be very conscious about where your business is going from a business health perspective. And that's why the last week of macroeconomic conditions is the first thing we're thinking about.

Deepak
Great. So in the current macroeconomic conditions, do you think certain kinds of technologies will capture more attention from CISOs?

Karl Mattson (07:54.382)
Automation, that is a big flashing number one focus at the moment because I think that what this last week, anybody who wasn't sort of hyper-focused on resource efficiency should be now. If thinking about the next year gives us heartburn, then what we should be thinking about is how do we do more with less? How do we do more with less? We capitalize on automation.

Fortunately for security teams, we're in the golden age, or at least the first inning of the golden age, of automation right now, agentic AI or even just workflow automation. What a great time to now finally have tools at our disposal that might actually achieve some real efficiency in resources that maybe in the financial crisis of 2008, 2009, we didn't have automation opportunities there ready for us to capitalize on. We just had to sort of absorb that in resource cuts.

Deepak
Yeah, and so what's your advice to CISOs on how to make the best use of the RSA conference? What kind of events or talks should they attend? And how did you approach this for the last eight times you've been there?

Karl Mattson
Yeah. I mean, I think of it as sort of like a sampling of one-on-one meetings with key vendors. A couple of events with CISO peers, a VC dinner, attending some of either the keynotes or the RSA sandbox, walking the exhibit hall floor. I do think it is important for a CISO to be out there and engaging with kind of everybody in your stakeholder universe. I do know that a CISO might feel odd sometimes walking through the exhibit hall with a CISO badge, getting the kind of attention that they might get on the floor, or trying to avoid, you know, certain types of meetings there. I think that you have to lean into RSA. RSA brings a lot to the table. It's important to get in front of kind of everybody in that universe that you otherwise are not going to get a chance to meet with during the course of the year, face to face.

Deepak (09:54.154)
What is your strategy to walk through the expo floor? Where do you start? Where do you focus?

Karl Mattson
So the last three years, I've walked the floor with an investor, with a venture investor, early stage. And we kind of walk around and we talk shop about what we're seeing. We're seeing, you know, themes emerging from everybody using AI or posture on their, your headers. We're seeing what companies appear to have an outlandishly large booth compared to how much money they probably have. And just kind of like thinking out loud with somebody who's really dialed into the business of cybersecurity. That just helps me kind of sharpen my buyer instinct. You know, what companies do I believe in the messaging, and whether companies might maybe are going to be around a year from now. So that's really valuable to me, to have almost like a sanity check along the way as I walk the hall.

Deepak
So Karl, maybe digging a little bit deeper into advice for founders, any specific advice you would say for stealth companies, seed, and maybe just series A funded companies to do to get the best ROI out of the RSA conference?

Karl Mattson
Yeah, the conference itself is expensive. It's a major investment of money. And sometimes the conferences are hard to calculate ROI. I think of it specifically in terms of the CEO's time. If you can book meetings with prospects and customers with the CEO, whether it's an executive suite or otherwise, that's where the value is and to invest heavily in there. I think there's a lot of companies who do spectacularly well in terms of their return at RSA.

They don't even have a booth. They focus on making sure they have these one-on-one or small group sessions with their CEO. And so that's why I suggest that it's the CEO's time is the most important thing to value in terms of how much to invest in RSA. I think you can wait till a later stage to go big on the booth.

Deepak
Got it, thank you. That's a very good framing. How is your CEO spending the time at a conference? Thank you, Karl.

Karl Mattson
Yep. Yeah. If they're booked out, if their schedule is back to back to back with prospects and customers, that is going to be very well, time well spent for the company. But the CEO, you know, out there in the exhibit hall floor, trying to flag down prospects, that's not time well spent. And then I think of like, my job is to make sure that the CEO is hitting the most important element of RSA, which is customer time. I'll absorb anything else just so the CEO gets to spend time with customers.

Deepak
Okay, so let's shift gears again to talk about startups. And you had already touched a little bit about this before, that the RSA Innovation Sandbox and the RSA Conference are part of a larger strategy. Of course, first time startup founders want to get attention of CISOs. Is this a good place to get attention to CISOs? Should they even focus on CISOs? What's your advice?

Karl Mattson (12:57.446)
Probably, probably not. I think the CISOs are only, when there's, let's say, an investor or a customer peer introduction where you can sit aside, you know, get a one-on-one time scheduled in advance with a CISO, that's time well spent. But it's really hard for an early stage founder just to target a CISO without having like a warm relationship. Like a warm introduction provided by somebody who's a trusted intermediary.

So, I'd say that for founders, typically it's not time well spent to focus on CISOs except to the extent where they can draw in their partners to help them, you know, put those sessions together. But I'll always take three or four or five, you know, coffee one-on-ones during the course of the week, usually brokered by an investor or by a peer who just suggests the technologies.

Deepak
That's good to know. Should founders focus on people who report to the CISO? Are there any influential people who report to the CISOs that you would suggest?

Karl Mattson
Yeah. And I think that that kind of comes down to the definition of who your customer is. I think that a more sophisticated view of the customer is looking at the CISO as the economic buyer. Yes, the CISO is going to typically be the budget holder or the line item with the approver at some point. But they are very rarely the actual person who selects the technology amongst alternatives. They're very rarely the person who's at the keyboard every day using the technology. And so it's typically, I think the default answer is always to look at a director of a function, a director of IAM, a director of vulnerability management, a director of a SOC team. That director person, I think of as, that's the real customer. And that real customer is the person who's influencing up, down, across. That's the person whose, you know, hearts and minds I want to win over at RSA. And there's a lot more of those people on the floor at the exhibit hall, there's a lot more of those people in the speaker halls with the keynotes. And that's where I really think that the time well spent is on that director level leadership.

Deepak
Yeah, makes sense. So let's talk about Endor's strategy this year for the RSA conference. Anything you can share and give us a preview of how you're going to capture people's attention?

Karl Mattson
Yeah. So we're kind of turning the exhibit hall experience on its head. First, in the exhibit hall, we're really just doing sort of like a photo booth with the laser swords, and you'll get to take pictures, but it's not really an Endor, you know, kind of booth, traditionally speaking. So instead what we have is a restaurant takeover in the W hotel. The whole, like, three days, we have a whole restaurant takeover where we have a room to meet with prospects and customers, but also we're hosting several events that week. And that restaurant takeover is going to be sort of resurfaced as the Endor planet. And that's going to be sort of our experience center of Endor. We'll be outside of the exhibit hall. It's going to be this restaurant takeover that we're really excited about.

Deepak
Is this the biggest event of the year for Endor in terms of conferences?

Karl Mattson (16:03.726)
I mean, significantly. I think that the reality is RSA is an expensive conference. As an expense, it's a big deal. But even aside from that, there's, you know, from Microsoft and Amazon, Google, GitHub, GitLab, there are these large conferences that we definitely participate in. But our RSA is just more expensive. And so, you know, we pull out all the stops to do that one to the best of our ability, because it is the largest place where we're spending money.

Deepak
Great. So what is the secret of the RSA conference? Why has it been very successful after like three decades? Because many conferences come and go after a decade.

Karl Mattson
Well, I think what really makes the RSA conference work is it is a choose your own adventure conference. The organizations or individuals who aspire only to meet with, you know, venture capital firms can do that. The others who want only to be in front of, like, the world's best speakers on topics, they can do exactly that. And so there really aren't limitations on what you can gain out of the RSA conference, other than just what you decide to schedule for yourself.

There are a lot of conferences that kind of sort of constrain the attendee to be only within the building, within the exhibit hall or within the conference. And RSA is not like that. It's much more of a choose your own adventure conference. And I think that's, I really enjoy being there because I get to pick and choose. And I think that's why people keep coming back.

Deepak (17:33.23)
That's great. Great to know, and Karl, thank you for joining us. Thank you for sharing your wisdom, experiences and advice to founders and CISOs. Looking forward to seeing you at the RSA conference.

Karl Mattson
Great. Thanks for having me Deepak. We'll see you there.
