Date published: 5/1/2019
Follow Steve on Twitter: @Herrod
SteveT: Today our guest is Dr. Steve Herrod. As Managing Director at General Catalyst Partners, Steve invests in enterprise infrastructure startups including Datto, Illumio, Menlo Security, ThreatStream, and Runscope just to name a few, and is a board member of 14 start-ups since 2013.
From 2001 until 2013 Steve was CTO and Sr. VP of R&D at VMware and was named InfoWorld’s CTO of the Year in 2009. Steve is credited with taking VMware from obscurity to massive success during his 12-year tenure there.
It’s also noted that Steve enjoys Italian coffee, California wine, Belgian Beer, and US sports (Cowboys fan, right?)
Steve holds a Ph.D. and a master’s degree in computer science from Stanford University, and a B.A. with distinction in computer science from the University of Texas, Austin.
Steve, I think you might have the qualifications to be on this show. I’m glad you made the time, and it’s great to have you on the Nonconformist Innovation Podcast today.
SteveH: Yeah, great. This is great. I have to spend a lot of my time trying to think differently from other people, so it’s a great fit.
SteveT: Now, when I invited you on the show you replied almost immediately and more or less said, “You had me at Nonconformist Innovation,” but that you would always take up a conversation with another person named Steve, so we could call this The Two Steves Show today, but I think Nonconformist Innovation would be more interesting to our guests.
SteveH: There are not a lot of Steves left in the world, so we’ve got to stick together.
SteveT: It’s funny how that happens. It’s like, you can tell their age by the way we spell our name.
SteveT: So, first things first: you have a love affair with Italian coffee. You’re the co-owner of a fine coffee shop in Palo Alto located on University Avenue, Café Venetia. Is that right?
SteveH: Yeah, yeah.
SteveT: So, is it a pre-requisite to being a great CTO/VC, or do you just really love Italian coffee? What’s the story there?
SteveH: Well, I would say that I do love good coffee. My wife is from Italy and so we wanted to have a good Italian place, but on a more serious note, it’s really interesting because that is where most of the conversations between people looking to start companies happen. It’s where venture capital people meet with others, so just generally it’s where, I think, interesting conversations happen, and that’s really the core of what we do as an investing firm.
SteveT: That’s great, and keeping it local, also, so next time I’m in Palo Alto I’ll need to stop there. I know you’ve invited me before; haven’t had a chance to make it. What is the best-selling coffee blend, so I know what to order?
SteveH: Oh, oh, you got to go with a classic Italian roast, and try one of the croissants, too. They’re really good.
SteveT: Will do. So let’s jump right into it and turn back the hands of time a few years. The year is 2012, and at VMWorld you acknowledged the threat of Microsoft’s Hyper-V product and vowed to win with value rather than price. Roughly speaking, that translates into the category of innovation that companies engage in not because they have to in order to be compliant with say, SOX, for example, but in order to remain relevant in a highly competitive market space. VMware has been one of the fastest-growing software companies this decade, with the company commanding a sizable share of the virtualization market, so you’ve been face-to-face with innovation. At one point you ran a 2,000 person R&D department for several months during leadership transitions. Why is nonconformist innovation, the discipline, not this podcast, so important to business today, and what’s at stake if companies don’t compete on value?
SteveH: Yeah, and this is quite a mouthful of a question, because it is the core to kind of every startup or every big company, for that matter, and I think the main point as I look at startups as well as life at VMware, you have to really … you know, I think of almost everything, how am I 10 times better on some vector than everybody else out there? And especially these days, if you’re not competing and being 10 times better, it’s easier to switch vendors than ever before. It’s easy to move to something else, and so you have to continuously be that much better than everyone else.
And what the value that you refer to refers to is a lot of different things. You can be 10x better on price, on the level of quality, on performance. In the early days of VMware, it was actually a very easy sales process. Our job was to consolidate a bunch of under-processing servers into one server that was being utilized a lot more, and so a very clear metric of value was what we called the consolidation ratio, how many existing servers could you fit on one VMware-powered server? And we spent tons of engineering power and thinking differently about how to do that, and as a result any bake off between us and competitors would show very substantial difference, and that ultimately was directly translated into having to buy fewer servers.
That was our core value, and that stake, as you asked, at the end of the day, this is how you first and foremost win deals, but there’s a lot of secondary effects. This is how you get partners to choose to work with you rather than to a competitor. This is how you command pricing advantages. You can charge more if you have substantially more value, so it really is everything, and that’s what we focused on.
SteveT: That leads me to my next question. This is the one I’m just going to spring on you, tying innovation to value. There’s this belief that big companies don’t or can’t innovate, so how did your beliefs about nonconformist innovation materially affect VMware’s financial performance and ability to compete and even dominate the marketplace during your time there?
SteveH: Yeah, it manifests itself on two fronts. The first is your existing product lines; how do you stay ahead of everybody else? And in that world, it’s really understanding why are people buying your products and understand how you can do something that makes them continue to do really well, so we continuously made it easier to manage, easier to consolidate more servers, et cetera.
But the other vector, and what you read about mostly as you think about how companies are disrupted is not losing track of other products in other areas. We were certainly able to look into new categories of software. We knew, you know, we were selling to server buyers, but there was a ton of money to be made on the storage front, so we launched storage efforts. There’s a lot to be done around networking…
SteveT: With the acquisition of Nicira and so forth.
SteveH: Yeah, a combination of internal work as well as acquisitions. That is one way that bigger companies tend to bring in innovation.
SteveT: It started on the desktop. It went to the data center, and it disrupted big data centers. At one point, I think there was even some effort to virtualize mobile operating systems.
SteveT: So very interesting stuff. You know, we’re … within the security space, we’re in a very competitive security marketplace today. At RSA this year there was reportedly over 1,600 security vendors. That could be wrong, but I think it’s fair to say there’s over a thousand. You know, there are a few security companies that you’ve invested in in your portfolio, Contrast Security, Preempt, Anomali, Illumio, Menlo Security, et cetera. They’re not immune from competition and they, too, must embrace innovation. You know, what guidance do you specifically provide to companies in your portfolio, and really any company looking to benefit long-term from nonconformist innovation as it relates to competing on value?
SteveH: Yeah, I love the cybersecurity space. It is super crowded, as you mentioned, but it is an increasing area of budget and a focus for companies. So this is actually, I think, a great Petri dish for discussing nonconformist innovation. The first question on every single startup I meet with is how are you 10 times better than something else people are doing today? And that really matters deeply because to get above the noise, to either disrupt and get rid of existing vendors or just to get the attention of a very busy security CISO, you have to be substantially better.
So if someone says, “You know, we’re three times better,” I just walk away immediately.
And again, that is kind of core, is how do you get … in a very crowded market, how do you get above the noise? And the innovation that comes in in this space tends to be ahead of the game in the next generation of attacks or finding some much better way to spot current attacks, and it’s a little subtle but in the security space in particular it’s really important that you can flag things that aren’t real problems; not cry wolf, as you might say. And so I have a real set of questions about how are people looking at these problems differently and really making sure that they are, as I said, 10 times better on a lot of different fronts.
SteveT: You know, that’s an interesting point you just made. I just came across a book, a body of work, that describes how innovation not only has to apply to products and you not only have to build a great company, but you have to be able to define a category that you’re in as well and then dominate that category, and at least work really hard to get there.
I know you could use the argument that even the number two or three or four player in any given category is still going to be making a lot of money, but I don’t think that’s an excuse not to innovate, right? And if you’re not trying to define a new category or really take a leading role in an existing one by adding new value at 10X scale, are you really optimistic that that company can be around five years from now, right?
SteveH: Yeah, it certainly wouldn’t be a target for at least the traditional high-growth venture capital world.
SteveT: Well, for those companies that are listening to this podcast that are out looking to get investment, who’s a security company, I think that’s great feedback. Innovation is hard work, wouldn’t you agree?
SteveH: It’s hard work and it never ends.
SteveT: It never ends. I won’t ask about whether there is some magical formula. Otherwise, every company would have followed it and became wildly successful, or maybe it is just really simple, but it … you know, most people won’t do the work that they need to do. In 1967, Melvin Conway introduced this idea that we now refer to as Conway’s Law that states organizations and systems are constrained to produce designs which are copies of the communication structure of those organizations. This came up, actually, in a couple of podcasts ago and I’ve been thinking about this and its relationship to a company’s ability to innovate, so what are some of the common misconceptions at organizations today that you’re seeing, and what do leading companies like VMware habitually do in order to transcend Conway’s Law?
SteveH: Yeah, that’s a great point. I think there’s probably an adaptation of that law, too. Whenever I’m talking to software companies about how to organize from a modularity and API standpoint, I really encourage the organization to match that. But that’s not really on the innovation front, and that’s, in fact, as you said, one of the challenges.
Probably what I’m most proud of about the work that we did at VMware was coming up with the structures and incentives to kind of break through the traditional way of doing things. I’ll give you a couple of quick examples, but it’s a very different set of ideas depending on the company, but you’ll hear most companies have come up with some way to really allow individuals in the organization to basically crowd source ideas and to find a way for a frontline person working in support or someone who is doing QA testing to have enough awareness of what’s going on to have a good idea and to allow that to percolate up to where that gets attention. Plenty of software tools allow people to suggest ideas and have the crowd vote on it. We certainly had systems like that. I think having different forums, whether it’s kind of a science fair or whether it’s a lightning session that we used to do an annual meeting and allow two-minute lightning sessions from anyone on a disruptive idea.
So, one big chunk of the work is how do you allow every voice to get out, but yet also have some way for various people to vote and percolate the most interesting things up.
SteveT: Overcome internal bias and maybe a … you know, big personalities can have a … disproportionate influence on a small group of people, although they might not always have the best ideas.
SteveH: Yeah, I think so, and I think the higher in an organization you go, generally you become more risk-averse, and so I think that’s really allowing it … you know, we actually had these lightning sessions. We intentionally had them over happy hour, because I think getting everybody to get their guard down and open their mind even more than the traditional way, I think that change of scenery, change of timing, change of mental state, whatever it is, I think those are all interesting for making sure people are opening their mind enough from their day to day job.
SteveT: Yeah, good … that’s a good recommendation. Did you ever invite partners or customers and have the voice of the customer have an input to innovation, or was it due to privacy and competition was this generally in a closed loop?
SteveH: No, we would absolutely … That’s actually a really good way of asking the question. We would often have both the partners and the customers come speak to us a lot. It was a very rich ecosystem of people who wanted to work with us and talk with us, but I would say this is one of the traps you get into a lot. Most of the time customers don’t even know what’s possible, and so when you start asking them for direct … like, if you could build a new product, what would you like? If we could add some new features, what would you like?
I don’t think that’s the interesting question for this topic, for the real disruptive stuff. Instead, what was really important when we had them in was to have someone asking the right questions, and these are much higher level, what is the biggest problem in your business? What is the most important budget item that you have? It was like trying to get higher level, and I found that once we let the engineers know at the very top level what was going on, then they choose how to implement something that would really address it.
This is in the weeds, but one big problem that a customer came and talked to us about is scheduled downtime, and this is when you have to tell all your users from 2:00 a.m. to 4:00 a.m. you’re not going to be able to do something, and this customer was just ruing that they had to do that all the time, and so we convinced them to tell us about it, and long story short, VMware invented something called VMotion, a way to keep servers up and running as you messed with the underlying hardware, and they had no clue whatsoever that that was even possible, but by telling us the problem, the smart engineers could then go and think about super unique ways of addressing that.
SteveT: Yeah, which I think could have been the early concepts in terms of multi-cloud that we have today, whether you’re failing over to your own data center or from on-premise to the cloud or from the cloud to on-prem; it was a very interesting technology.
SteveH: Yeah, again, I think it came from, at a top level, not asking customers what they want from a feature or a product. It was really understanding the top-level problem, and then use technology and innovation to address that.
SteveT: Yeah, you know, it’s always that conundrum, right? If you would’ve, in the days of horse and buggy, if you would’ve asked the customer what they wanted they just would’ve said they wanted a faster horse and buggy.
SteveH: Yeah, I had an interesting, just quick anecdote. Diane Greene is my favorite manager of all time, just incredible founder of VMware. She actually gave me a bonus. My bonus was tied to a bunch of goals, but one of the goals was very explicitly to ship things that customers don’t want, and that sounded very negative, but what she really meant was we’re going to reserve some chunk of the release cycle, some chunk of the total engineering input to this release for things that you all come up with and aren’t coming through traditional product manager or customer interviews, and I think that’s just another way of really trying to make sure that you’re not stuck in a traditional path.
SteveT: Mental models that they tend to box you into a certain way of thinking. I like that, because within applied innovation, you have to tease out new ideas, and otherwise you’re regurgitating a lot of your old thinking or what somebody else is thinking, and you just sort of subconsciously manifest these things, but if you’re specifically focusing on doing something that’s anti-pattern you can spark something new and something innovative that nobody’s thought about before.
SteveH: That was the intent. I think it worked quite well, too.
SteveT: You know, so as I was saying, when I first joined VMware in 2007, I imagined this … I used VMware workstation on the desktop, so virtualization was still relatively new to me. I imagined the possibilities of server virtualization and automation, something more like a science fiction novel, and the ability to dramatically reduce the human labor in computing power and infrastructure was mind-boggling. Think of the applications of that that we see today in auto-scaling, elastic computing infrastructure; you know, huge unexpected spikes in demand that could be addressed through provisioning more capacity within minutes, not days. You know, these were pretty transformational to the way we think about and manage IT today.
But what of the innovations today on par with server and data center virtualization that you are most excited about?
SteveH: Yeah, well, one of the fun things about my current job is that I see really disruptive, interesting ideas all day, every day, so I think that’s really exciting. What I’ve been spending time on, I was a traditional data center and infrastructure person, and so I often go in there, but what I’m most interested in these days are what are the toolings that really just take the humans out of the loop and let the network, the storage, the compute, everything, you know, those things are all in support of an application, and so I’m really obsessed with what are the next level of abstractions that people would like to use and then have smart infrastructure using, you know, whatever they may be, forms of AI or forms of automation.
SteveT: Robotic process automation. Are you getting to that? RPA?
SteveH: RPA, robotic process automation, but yeah, I mean, it’s a form of it. I just like the idea, really, now of just remembering all infrastructure is working on behalf of running an application, so what can we do for, as you said, elasticity and auto-scaling, all these things, just let a developer focus on the functionality of their program and have the infrastructure do everything for them? It’s a big and long area that touches a ton of components, but that’s going to be the mission for quite a long time.
SteveT: Yeah, I remember during my days at VMware I would spend … we would spend literally a couple of months preparing for VMWorld and the traffic spike that we know would ensue during that week, and you know, I would look at performance and traffic trends from previous years and anticipate the kind of volume and load that we would have, which, at that time, was a lot of manual labor that went into that analysis. We didn’t have elastic computing, you know? It’s kind of a relatively new concept.
So, since leaving VMware, you in 2013, I left in 2015. Really the unthinkable has happened; now you can procure and manage your VMware infrastructure on Amazon’s infrastructure. Do you sometimes feel like you are living in a dream state, or did you see the writing on the wall? Was this partnership inevitable?
SteveH: Yeah, we had conversations with Amazon in the early, early days, and they’ve done an amazing job. I don’t know that anyone would have expected them to get this big, this fast, but at the end of the day, I think it took a while to get VMware to what they’re doing now, but the notion of whether you call it a … whether it’s a hybrid cloud or a multi-cloud, the notion that you would try to find some abstraction that allows you to move things to different places, it’s exactly what VMware did for servers. It’s just sort of raising it up another level to the level of clouds, and I think VMware’s core capabilities, from the start, has been virtualization, which means kind of separating the logical expression of something from a physical implementation.
So, I think it was a very obvious move from the start, whether you do that for storage, networking, servers, or clouds. It really feels core to the mission that they have.
SteveT: One of the biggest innovations and problems that it addresses for companies is prior to being able to deploy a VMware workload on Amazon’s infrastructure, you know, I got a feeling and a sense that AWS was a little bit like Hotel California. Once you check in, it gets very, very hard to leave that set of infrastructure because of whatever interfaces and AMIs that you were using from the infrastructure in the OS level to … and within your programming and application stack.
So I think that’s pretty cool, where you now have this VMware stack on top of Amazon’s infrastructure and the portability that affords for companies to be able to more dynamically and cost effectively support multi-cloud scenarios, and even check out when they want to, and move entire infrastructures around different data centers.
SteveH: Yeah, I think the … I mean, I guess the sarcastic response from them would be, “Okay, now you’re locking yourself into VMware.”
But you know, it’s funny. The history of our industry has been people getting really all-in on one vendor and them getting powerful and then finding different ways to use them or to find ways to get a backlash on that, whether it was IBM or Sun or Oracle or IBM, you sort of see that all the time.
But I do believe, you know, at the end of the day if you can separate out how something is implemented from how it’s being used, it gives you the flexibility to move from where the better pricing is, to move where better availability is. At the end of the day, I think of it as a choice option and people tend to like that.
SteveT: Absolutely. You know, we hear a lot about data breaches that happen because of vulnerabilities in the AWS platform. If you could be as honest and candid as possible, what are the pros and cons of this move by VMware? Is the … you know, aside from what we’ve just talked about, does this move expose VMware customers running their workloads on AWS to new attack scenarios?
SteveH: You know, I wouldn’t think of that as the first challenge. I think, yeah, the pros for this is if you’re a VMware user and you’re sick of managing your own data center and buying your own hardware, this is a super easy way to move to the more elastic provisioning and take advantage of that, but I think the cons people would say are really more … maybe as a vendor standpoint, the cons would be, now move stuff closer to Amazon. What if they move them out of VMware VMs and run them directly within Amazon, or what if they start using more and more Amazon services so that they couldn’t ever be pulled out? I think from a strategic or competition standpoint, that’s what they’re thinking of.
But on a security front, I mean, security is a long topic. I actually think the clouds have done a really good job. I think they are attacked by every single attacker every single day and they have very talented teams working on it, so I would sort of counter that part by saying, you know, do you think that your security team has as much experience or as much practice as the folks having to run these big clouds that are under constant attack? They’re sort of a super set of all security analysis and certifications as well, so I don’t think of security as one of the challenges so much as some of the other pieces.
SteveT: I recently had a chat with one of our former VMware colleagues, Balaji Parimi. I don’t know if you heard or follow the company CloudKnox, but yeah, so he went and started a security startup going after automating identity within the multi-cloud and virtual infrastructure. I thought that was pretty brilliant. The problem with privileged identities tends to open up a lot of … not only attack scenarios, but I think like 74% of all data breaches involve a compromise of a privileged identity, so Balaji had done a study and found that most identities use less than 1% of their privileges, so a lot of companies and environments don’t follow the principle of least privilege, right? So, you end up finding accounts that have way more privileges than they actually need, and so looking at this from a VMware perspective or a multi-cloud perspective or sitting on AWS, I think that’s pretty great.
SteveH: Yeah. I actually have a startup that I really focused on called Preempt that is really obsessed with understanding rights and management and identities, but I would say, to your point, that the risk with any time you’re consolidating a lot of stuff onto a smaller platform, whether that be the cloud or VMware or something else, you know, really understanding roles and responsibilities, you know, you have access to a lot of stuff if you don’t start partitioning.
SteveT: So, do you want to weigh in on Zero Trust? It seems like if you follow the Zero Trust framework and have more of a default deny policy, that these privileged identities would never be over-privileged or have access that they shouldn’t have, but at the same time there’s a huge burden from an administrative or even a product design perspective to use that. Did you think about those kind of things when you were designing infrastructure products for VMware, and do you still think those are relevant and applicable today to companies in your portfolio?
SteveH: Well, I really do. I’ve been focused quite a bit on zero trust as a movement and have several companies that are really in the middle of that story, and I do believe that as a movement it makes a lot of sense, not just for the notion of administrators and their rights, but you know, the world has changed quite a bit, too, where you have a lot of stuff running within a single data center, and it used to be if you’re in the data center everything is trusted. Everyone should be able to see everything, but with so many insider breach approaches or just compromised credentials, it’s proven that if you can put walls up between things internally, kind of like a submarine does, that you’re going to be in better shape.
So, you know, it is a … I think it’s a good movement and an important one for the overall safety of data and certainly I think that a lot of startups will do well by providing unique situations there.
SteveT: Absolutely. You know, I had recently learned that you commissioned a study at Stanford to look at all the different players that are working on ways to build security in at the start of the development process, so you know, we refer to this as security by design, and I think that’s one of the more promising trends in business today. You know, where zero trust is everything is locked down by default. Can you summarize your findings for us, and then what is your outlook on the industry of actually being able to take a security-first mindset and get ahead of cyber adversaries?
SteveH: Yeah, this is an area I’ve been looking at for a few years now, and I think one of the hotter areas within cybersecurity would loosely be called application security, and I really think about this as building security into the applications from day one, and there are really three interesting reasons why I got really excited by this and invested in a company called Contrast Security, doing very well in this space.
You know, first and foremost is we are just now talking about multi-cloud and running applications different places. If you can build that security directly into the application, you can really make sure it’s going to be with the application wherever you deploy it, as opposed to firewalls or things built into the IAM model of Amazon. You know, you’re doing something different depending on where you’re running the application. So, point one was build security into the application and it’s the same wherever you go.
Point number two is by being really inside the application, most of security is having to do kind of the lowest common denominator defense, like you have a bunch of applications behind this firewall so I need rules that would allow all of them to work. If you could actually build it directly into the application, you can be really specific to that application and do a really tight job of protecting it.
And then three is, you know, the whole point we’ve been seeing across the industry has been the faster application development lifecycle and scrums and agile programming and getting things out the door quickly. The slowest thing about pushing out new software has always been hooking up the security stuff at the end, and so there’s early signs that if you bake the security in at development time, it can cruise right with it out into production and really speed up that application lifecycle.
So those are kind of three quick reasons, but I’m a big, big fan of this space of building applications to be self-protecting and I think we’re going to see a lot of that in the coming years.
SteveT: So, your focus is, then, on applications. I mean, if we look at data at rest or infrastructure, do you tend to group those in the same, or do you treat those separately?
SteveH: Well, you have to treat them all different ways. Usually a data source is used by a bunch of different applications, so you can make sure that the application door coming in through the application to get the data, is protected. If someone is coming in a different path and just going straight after the data, I think there are a lot of things you need to do there, as well, and a huge set of technology companies there, I think both for breaches but increasingly for privacy and adhering to a lot of the new laws coming around, GDPR in Europe as well as several coming in the US, there’s going to be a whole new set of challenges which is, as a company, how can I ensure a customer that I know where their data is? And most of these laws say that if you, Steve, want to get your data back from the system, they have to be able to do that in a reasonable amount of time.
That’s a whole nother mess around data, then, and I think really interesting startups are going to have to be completed around.
SteveT: So, maybe looking at them and how they partner with their technology partners, does that lend itself to externalizing any kind of authorization logic, whereas developers might be inclined to add some security libraries that are enforced during runtime. Authorization logic can get a little bit more complex than, “Are you who you say you are?” There’s a lot that goes into those kinds of things. What are the synergies that you see and are Contrast Security and other companies thinking about to avoid putting too much burden on developers to implement a very robust security or authorization model within the applications?
SteveH: Yeah, I’d say in general people don’t do the authorization models within the application themselves. It tends to be a common front end or a common set of APIs that are used as the on-ramp, so I would say this is exactly an example … Contrast, in their example, they have to plug into all sorts of different tools, whether it’s on that level or … you know, they’re really big about how do I work and find bugs and security issues in the development life cycle? So they’re plugging in CI/CD frameworks and plugging into source code repositories, checking for out of date open source packages.
On the authorization front, I think there are a lot of really interesting companies that have come in and allow you to put different policies around incoming authorizations for an application, so I see that as a whole different space within cyber, but one they need to work on. And there’s really cool technology going on around that. I think fraud detection as well as, I would say, conditional authentication, like turning up the heat if something looks a little suspicious and requiring, you know, all sorts of attestation.
SteveT: Coming back to the … you know, looking, inspecting code and looking for bugs and anomalies at the application layer, there’s actually … you know, one case when I was at VMware where a developer had hard-coded a subroutine where any time another developer would change the password of a shared account or a developer account it would email him the password to the account, and that code, at some point, had gone into production.
So that’s kind of interesting. I hope that at some point it becomes so easy for security to be enabled and things like that, even where it wasn’t really an insider threat, it was just really bad coding and really bad judgment that we, applications and security in the future, can protect us from ourselves.
SteveH: Yeah, I mean, I’ve seen all sorts of stuff, and whether you catch that at the … you know can catch that at the code level. You know, a lot of really good work is going on around basically monitoring all inputs and outputs to applications and understanding if something looks anomalous. That’s how you catch a lot of these breaches and a lot of command and control attacks that people have done.
But yeah, there’s a lot of bad ways stuff can happen. It’s fighting all the different mechanisms to catch them.
SteveT: Yeah, yep. You know, so there’s no doubt that hybrid cloud computing and hybrid IT will be the dominant computing model for the next decade, perhaps beyond. HP’s CEO, just last month, went on record to claim that edge computing is going to be bigger than cloud computing. Antonio Neri stated that, you know, this future is edge-centric, cloud-enabled, and data-driven, and furthermore data breaches, abuse of data, and increased regulatory scrutiny like, you know, from GDPR and more recently the California Consumer Privacy Act of 2018 are creating more demand for security-first mindsets and privacy by design.
So where is there opportunity for nonconformist innovation and for companies, startups and established players, to ensure that we can scale this new computing model safely and into the future?
SteveH: Well, I think that’s where most of my time goes, is to finding the companies and people who are going to take really unique approaches to this. At a top level, the good news, in air quotes, of the security space is that it is … it’s simultaneously becoming more impactful when breaches happen, and CEOs are being fired and real money is being lost, so it’s a combination of the impact of attacks going up coupled with an increasingly tricky environment. It used to be relatively simple with … I mean, in the mainframe days it was very simple. All your stuff was in one place, protected, and then it got a little more complex with PCs, and now we have data and mobile phone and everything, everywhere, and I think that the edge computing side is just one more example of that.
So, heterogeneity is the word, and finding unique solutions to not only protecting these things but doing it in a manageable way is kind of everything, so it’s a huge space for a lot of new thinking to come in, and that’s why I like it so much.
SteveT: Yeah, you know, the argument goes that a lot of data breaches we see are preventable, if you implemented the right technology at the right time at the right place. “Should’ve, would’ve, could’ve,” kind of thing, you know? Do you ever get frustrated as a VC looking at, “Man, I invested in all these technology companies, but we’re still having these problems.”
You know, you can’t really invest in addressing lack of judgment, poor judgment, those kinds of things.
SteveH: Yeah, a lot of people say that. Even cybersecurity policies for insurance are saying, “We don’t cover issues caused by personal negligence,” which is kind of a joke because that is how all of them happen.
But I would … I’d go a different path and say, like, this world’s complex, and for us to expect humans to consciously be able to deduct what is a phishing mail is not quite fair. I mean, the whole point of machines and automation should be to make us have to think less, so I would put that onus on the developers of software and systems and mail systems and whatever else, and so that’s where I’m investing, is like, how do you find these issues and totally protect people, even from themselves? And I think that is … that’s a very hard problem but that is what a lot of the investment is in.
SteveT: Yeah, you know, you have been there before because you’ve seen this automation and these issues for a billion dollar company, a multi-billion dollar company. Another statement made by HP’s CEO is that the future belongs to the fast, so you know, can you maybe share the insights you have about moving fast versus scaling safely?
SteveH: Well, it’s funny. Stepping way back, I mean, for someone like HP to say we need to move fast, they’re basically saying, “We’ve missed every major trend. We’ve got to be in front of cloud, et cetera.”
So fast is relative. I think if you step way back, though, it’s really interesting: the notion, even Facebook’s original saying of kind of move fast and break things, I think it’s proving that that’s not really smart. I think your point on scaling safely is kind of everything, and a lot of the … perhaps the backlash on tech as a whole might have been done by trying to move too fast and not having safeguards and security and such in mind, so I guess I’ll come back and say, like, “Yes, move fast, but move very smartly, and don’t move too fast.”
So, I’m … I’m all for pushing out features and capabilities faster, but it’s really about an underlying architecture and infrastructure that can handle that fast movement and not get you in trouble.
SteveT: I think there are some great examples even within technology enabling speed. You know, virtualization definitely enabled faster time to market, time to value, right? So, it’s a combination of mindset combined with applied innovation to make technology just simply do things faster, and so then you can build upon those efficiencies and get even faster, right? So, I think that’s really cool. One of the fascinating things about technology to me …
So you’re no doubt working with some very hot security companies. What kind of emerging technologies would catch your attention, and what advice would you give to a founding team to be successful in pitching their product and business to you in 2019?
SteveH: Yeah, that’s kind of everything from my job now. Emerging technologies, what’s fun for me is I really need to be looking out just kind of in the CTO role as well. Look out kind of three years and look at the bigger trends that are going to hit and making sure we’re right there with the companies, and it’s such an exciting time again, building hardware is interesting again for a lot of companies. The whole movement of machine learning and deep learning has caused a lot of changes to models. Quantum computing is still a ways out, but it’s very interesting, so there’s so many interesting horizon items. It’s kind of picking which ones are going to be ripe and coming in soon.
But I would say whether it’s in cybersecurity or in these spaces, you know, I really look for two things when I’m meeting founders. One is do they have an empathy and a real understanding of the area they’re going after? Both so you can build a smart product that’s really going to solve a problem, but also, like, building a startup is hard, and you have to really love this space to want to stick with it through the ups and downs, so I really look for that, “Why are you doing this company? Is it to make a quick dollar, or do you really, fundamentally want to fix the problem?”
And then the other one is the one we talked about a couple times, Steve, which is you can … I guarantee if you meet with me, I will ask you why is this 10 times better than what’s out there today? I just think if you’re not at least that much better it’s not worth doing the company.
SteveT: I think that’s a great point. Would you subscribe to the belief or the argument that you don’t have to have the best technology to win? I mean, if you look at some of the examples where the winners weren’t the ones that had the best technology, they were either first to market or they have the stronger network or better relationships with big enterprises. You see countless examples of these. Does that carry weight in a pitch to you, or do you really look for the dominance in that 10x mentality of innovating and improving on technology?
SteveH: Yeah, yeah, I certainly love technology and I have a bias towards intellectual property that is created, but there’s zero question, like, that’s only part of the puzzle. It’s how are you ultimately going to deliver this to the customer? Is it going to be cheaper to buy? It has to be something that fits in with your existing systems and has the integrations, so the technology piece matters, but it is a hundred percent about the entire experience someone is going to have with that, and I think it is easy to get too enamored with an all-tech solution, whereas something that was substantially simpler or was delivered from the cloud or something that came bundled with some other products, like, there are a lot of other ways to make something 10 times better, not just on the technology front.
SteveT: Yeah, I think that’s great feedback. In a book that I’m currently reading, Play Bigger, it goes on to explain that most entrepreneurs think of … and it’s consequently why they’re not entrepreneurs… they think about building great products and building great companies, but the third dimension that they talk about in this book is building a great category and dominating that category, and he looks at this habit and this trend of all the serial entrepreneurs and successful entrepreneurs that really look at the market that way. So, you know, regardless of who I’m speaking with, I think on this podcast I really like to attract people with serial success so we’re not just talking and being an armchair entrepreneur. I hope to avoid those kinds of hypothetical conversations.
Steve, I really appreciate the real-life experiences and in-the-trenches point of view that you’ve brought to the podcast and to the thinking about nonconformist innovation.
SteveH: No, I’ve enjoyed it. Thank you, and I agree with you; a lot of people conclude a pattern from one example. You need to have a longer history of success and failures to find that, so thank you for having me on the show today.
SteveT: Absolutely agreed. Thanks so much for your time today. I really hope you’re enjoying some sunny weather out there in California today. I will definitely make sure I stop by Café Venetia next time I’m in Palo Alto, and hey, let’s try to do this again sometime.
Take care. Bye-bye.
SteveH: Cool. Thank you. I enjoyed it. Bye.