Sitting down with Andre Durand – Ping Identity Founder and CEO
What does it take to build a market leading company in an industry that does not yet exist? According to Ping Identity founder Andre Durand, it takes vision, conviction and patience. Almost 14 years after it was initially started, Andre’s Denver based security firm is now the leader in digital identity, with almost 400 employees and serving 50% of the Fortune 500. I sat down with Andre to ask how they have achieved their success and what he sees the in the future for security.
My passion is to organize and energize the Colorado information security community as the mecca for information security. As I’ve worked in the community, I’ve been continually surprised at just how many fantastic individuals we have in the area and the wide variety of ways they contribute to the industry. So I set out to start meeting those people, and writing up those interviews for you to enjoy along with me. I am hopeful that one of these stories will inspire you to throw your own hat in the ring and take a chance by trying something new. Click the links below to read previous interviews in the series.
- Dave Navetta – Information Security Lawyer
- Chris Petersen – Co-founder of Boulder-based Log Rhythm
- Johan Hybinette – CISO for Hosting.com
- Jericho – Founder Attrition.org
- Dan Wilson – Co-founder of Denver-based Accuvant
- Mike Kalac – CISO for Western Union
- Brian Krebs – Investigative Security Journalist
- Debbi Blyth – CISO for the state of Colorado
- Rob Eggebrecht – Founder of Intelisecure
- Alex Wood – ISSA International Board of Directors
For this interview I was fortunate to sit across from Andre at the Palms Restaurant in downtown Denver and talk one on one. Andre Durand is a wildly successful serial entrepreneur right here in the Denver area. He started his first company, Durand Communications, in 1993, and built the world’s first Windows client/server bulletin board. He sold the company to Webb Technology in 1998. In 2000, he started Jabber, Inc, which commercialized the Jabber instant messaging open source platform started by Jeremie Miller, and was sold to Cisco in 2008. In 2002, Andre founded Ping Identity.
My questions are in bold, with Andre’s responses paraphrased below.
You’ve obviously done a lot of interesting things in your career. Why Ping Identity?
I became interested in identity from the first day Microsoft introduced Passport (now Microsoft account). The entire notion that we could have a single identity for the entire Internet was mesmerizing.
In the 2001-2003 timeframe, the internet community woke up to the larger idea of identity and in classic fashion, decided we needed standards in order to scale identity use-cases across the Internet. Out of these early efforts, the concept of federated sign-on was born, a simple yet powerful notion that we wouldn’t need to have separate sign-ins to every website.
During this same time, October of 2001, I started to see that this was a massive need. Part of my nature is that I love to create solutions (and companies) to solve massive problems. I was sitting on a sail boat in the Caribbean when it struck me that this was an opportunity I should not let pass me by. I decided I should start a company to address this need.
What was step one?
I was on that boat because I was on a three month sabbatical from Jabber, October to December 2001. I decided to cut my sabbatical short and come back after six weeks. I used those six weeks to determine if I could raise the money needed to start this company the right way, or if I would go back to my job. I knew it would take a year or so to learn the identity space and create a viable solution. And I knew that I couldn’t do it alone since I am not a developer. So I decided that I needed to raise seed capital to get through the first couple years.
How did the fund raising go?
Because I had started and sold my first company already, I had great contacts. I was able to go back to those same investors and ask them to support Ping Identity. Since they had done well working with me previously, it was fast and easy. I secured the money within the six weeks I’d set aside, and was able to start Ping Identity in January 2002.
How did it go leaving Jabber?
They were incredibly good about it. They actually let me use an empty office in the 1899 Wykoop building, in downtown Denver, to start the company. They were glad to have me around, and I was glad to have the space for the new venture.
Tell me about day one with your new company.
The strangest thing was setting up my new email account and by 11am not having a single email in the inbox. Of course, nobody knew the address, so there shouldn’t have been, but it was an odd feeling. That’s when it really hit me, “What did I just do?” What do you do Day One in a newly created company? I was the only employee, nobody even knew we existed.
So I decided we needed a logo. I created a logo, printed out a piece of paper with it, and “Ping Identity World Headquarters.” I taped it outside my office door and decided that was a good day’s work. I went home.
Tell me about Ping employee number two. You said you needed a developer for this to work, right?
To start Ping, I got back together with the cofounder of my first company, Bryan Field-Elliot While we hadn’t worked together at Jabber, he was just the person for the job, ultra bright and really talented at taking big ideas and distilling them down into products that were meaningful.
You mentioned that you needed to spend time getting educated on identity. How did that process go?
Three months into the company, I was Googling for anything I could find on identity and really frustrated that the only thing I could find was a whitepaper only tangentially related to what we were targeting. The truth is, identity wasn’t a market, nor was Identity Management even a term. No one even knew they had an identity problem much less want to fix it. I called my first investor that day and said, “Phil, we’ve got a problem. I think we just started a company in an industry that doesn’t exist. But don’t worry, I’ve reserved www.digitalidworld.com and if you invest $5k, I’ll do the same and you and I can start the industry conference to build awareness around the looming identity problem.” With that the first identity conference was born. Over the years, we grew that conference to about 900 people and sold it to IDG in 2007.
So you weren’t waiting for the industry to start to see this as a problem, you were actively out there changing the conversation to discuss identity?
Yeah, it was daunting. We had started a company in an industry that didn’t exist. We had to help create the industry to support our company. Our conviction was that the whole security industry paradigm was wrong. We had a solution we believed in, enough to build an entire company on. However, it’s not easy to convince the world of that overnight.
What’s the new perspective you were trying to drive through the industry?
Traditionally in security, we put our most valuable assets in one place, a green zone if you will, and then erected a perimeter around them. This perimeter was then responsible for safeguarding our network, our people, applications and our data. In this model, we put trusted in things on the inside, and wall off the things that are unknown and presumed untrusted on the outside. Starting about 2008, that model really started to break down. Some applications left our perimeter and moved to the cloud with the adoption of software-as-a-service (SaaS). Today about 20% of applications are SaaS. Following this in 2010, users created the bring your own device (BYOD) issue by demanding that their smartphones connect to corporate resources while off the corporate network. The third wave, which we are now seeing, is that those remaining applications that are on the corporate network are getting moved to cloud infrastructure providers.
So the perimeter we worked so hard to create has become less relevant as the assets they were there to protect have moved. In this new reality, everything of value is simultaneously ‘outside’ the perimeter, and yet must be treated as an insider. What ensues is a shift from perimeter-centric thinking to identity-centric thinking, as secure access becomes the mandate for a digitally transformed enterprise.
The challenge we foresaw is in knowing which users have access to which resources. That is the essence of an identity access problem. We need a better notion of who the user is, what they can do, and what the implication of that access is.
How do we deal with that changing paradigm?
We need to rethink the model and answer different questions. How do we ensure users have intended access to resources across geographically and organizationally diverse lines? We need tools that allow us to provision that access centrally, while controlling those wildly different systems. That is a federation problem.
Of course, as we put more things behind the same single sign on, there are positives and negatives. We’re funneling all traffic through one account, or one door, so we really need to make sure that door is exceptionally sturdy. Strong multi-factor authentication is more important than ever.
Reimagining identity in a distributed cloud infrastructure truly is a new architecture. We’re not building a monolithic technology stack that presumes my users and apps are in the same domain.
Let’s backtrack to the beginning of the company. You told me about creating your logo on Day One and bringing in your developer. How did you get customer number one?
During that first year as a company, we were getting involved in the online identity community, engaging in discussions around creating open standards, and getting to know the players. Our first customer was American Express, who we signed in the summer of 2003.
The 18 months we spent in between starting the company and making our first sale were spent learning, developing the industry, developing relationships with those few people who highly valued digital identity, and figuring out how to solve this problem. In fact, we met the CISO for American Express during that time. He had been involved in the standards effort, he recognized that we were doing valuable things by implementing the standard, and asked us to embed the standard toolkit into one of their websites.
You made your first sale in 2003, was that the start of a huge run of sales?
No, not right away. We didn’t start to see strong adoption until we created our first federation product, which was in the 2004-2005 timeframe. And even the first version of that wasn’t quite market viable. We were missing some protocols, and we were missing the integration kits needed to make the experience turnkey into applications using SAML.
But it was in the 2004 timeframe that we identified what the pattern was that would start to make a difference in the industry. It just took time to implement the vision.
Did the market also see that same vision?
The key for market adoption was businesses starting to move to SaaS. It wasn’t until the industry really began adoption of SaaS products that they began to feel the pain of having so many systems to provision with so many different configurations and security profiles. As companies looked to solve that problem we became a welcome solution. Adoption was pretty meager initially, in the 2004-2005 timeframe. It really began to pick up in 2008.
When did you transition from working to generate demand in the market to responding to the demand that already exists?
It’s been a mix over the years. In the early years we spent most of our time trying to create demand, doing webinars, training, and our user conference. But in the last couple of years it’s flipped and we’re now trying to keep up with the demand. The analogy I use is that at the beginning we were pushing that heavy boulder up a hill, trying to reach the top. Yes, it is hard work pushing that boulder, but you can stop and take a break to catch your breath when you want. Once we reached the peak and the boulder started rolling on its own, we’ve been rushing to catch up. While it’s less work in some ways, it’s more difficult in others. We can’t take a break or the market will get away from us.
How did you make it through those lean years as a small startup? Weren’t the expectations from investors crushing?
Our conviction of the vision is what led us through the metaphorical desert. We always had conviction that there’s another side, and that we’re going to get there. There was never a question in my mind whether we’d make it; it was always simply a question of when.
I still have the business plan I had created in 2003, which is now covered in dried Sriracha from a spill at the bottom of a drawer. That plan is still 80% accurate. Some of the words have changed, and the order of some events may have switched, but what we’ve seen play out in the past decade is fundamentally the same as that original business plan.
We were very fortunate to have investors and board members who bought into that vision have the same conviction. Jeremy Allaire, creator of ColdFusion and a great visionary, was a board member for us. He was the lead with General Catalyst Partners to make our A-round venture capital investment. He could see what was coming down the road, and help articulate it. He was a powerful force in maintaining the investor conviction during the years where identity was becoming a conversation point, but was still years from exploding.
From a leadership perspective, how did you steer the company from a two man start-up looking to create a new industry into the market leader in the digital identity field?
The problem Ping Identity is working to solve is a big one. It’s not one where we can create an appliance or service and declare mission accomplished. As a result, we have had an entrepreneurial rhythm where we acquire capital to build out our vision, prove the plan, and go back to the market for additional capital to expand the vision. We have done this every couple of years. Each step along the way we are better summarizing the market opportunity, lowering the technical risk, and better convincing investors to go the next leg of the venture with us.
Going hand in hand with that has been the endless pursuit of talent, in every fashion. Leadership talent, engineering and development talent, marketing talent. Everything. When I summarize my role at the organization, it is to bring the investment side and talent side into the same room, and infect them both with the same vision. Then doing it over and over at larger and larger scale. Better able to execute the plan against the market opportunity at every step.
So, why Colorado? Why have you made this the home for Ping?
I moved here in 1998 and met my wife. Later I started my second company, Jabber, right downtown. Over the years, I have fallen in love with Colorado. Colorado really embodies a challenge that I take seriously. How can we win the right way? How do we perform and deliver stellar results without sacrificing attitude and culture?
The challenge I have created for myself is to figure out how to win in balance; how to achieve financial results without compromising the things that matter. I believe Denver is the ideal place to do this. The people here understand the importance of balance and value it.
Is your intention to keep the company here in Denver?
We are a very distributed company, with offices throughout the world. However, my intention is to keep the headquarters here in Denver and continue adding talent wherever it makes the most sense. Our model has been to hire the best people and be flexible on the location.
You’ve been working with CISOs as customers for the past decade. What advice can you give us as a group? How can we get better?
I am not in a position to give advice, as I know that’s an incredibly difficult job. But I do have my own biased perspective on where security should go.
I believe that identity is the lynchpin of security in the future. If we define security as giving the right access to the right people, irrespective of what device they’re on, then having an identity architecture that can get us there is fundamental.
One step beneath that high level vision, I believe that our mobile phone is the ultimate authentication token. It’s got biometrics, it’s always connected, and it has behavioral information to tell us who the possessor really is. Second is the question, what are we authenticating to? Is it just to a specific service? Or are we authenticating to a federated environment where our identity can be passed around to all the services we need internally, in the cloud, or wherever we need it? And finally is the concept of access security, or access control. Traditionally we have viewed access control as a pretty manual process, with periodic check-ins to make sure things still look okay. But if we’re performing monthly or quarterly reviews of access, how do we catch a bad actor red-handed? We need an automated, intelligent way to ensure that people have the right privileges.
We are in a moment where CISOs should be paying attention. We are just on the cusp of seeing the means to accomplish that type of architecture emerge. I believe that within 12 months we will be able to accommodate most of model. CISOs should be considering now how they will leverage this new model in their environment, and be prepared to adopt.
What’s your advice for individuals considering getting involved in a career in security?
Right now is the biggest period of intellectual property theft in the history of the world. And we have a massive talent gap among the defenders. So we need more people, and we need great people. My experience is that the security industry has drawn the best and the brightest talent. I’ve seen a certain personality type consistently: those who have strong instincts to protect. That is not to say that you couldn’t learn to practice security without it, but I do believe there’s an inherent level of interest you should to have to do this naturally.
Final question: What should people do to get ready to be hired for the next great job at Ping Identity?
I have become a believer in hiring for attitude and aptitude, not for skills. That doesn’t mean that skills and experience don’t matter, but I would rather find someone who is a hard worker and a fast learner. The company already has so much institutional knowledge that we can bring people up to speed quickly as long as the person has a solid technical background and is willing and able to learn.
Thanks so much to Andre for taking the time to talk with me and share his thoughts on building Ping Identity, the future of the security industry, and the Denver security scene. I look forward to continuing this series and shining a light on more interesting members of the Colorado security community. If there an individual or corner of the security spectrum you’d like to see spotlighted, drop me a note and I’ll see what I can do.