Mark McClain: Winning as an incumbent in the age of AI
Download MP3Welcome to Inside the Network. I'm Sid Trivedi.
Ross Haleliuk:I am Ross Haleliuk.
Mahendra Ramsinghani:And I am Mahendra Ramsinghani. We have spent decades building, investing, and researching cybersecurity companies.
Sid Trivedi:On this podcast, we invite you to join us Inside the Network, where we bring the best founders, operators, and investors building the future of cyber.
Ross Haleliuk:We will talk about the hard parts of the founder journey, launching companies, getting to product market fit, raising capital, and scaling to an exit.
Mahendra Ramsinghani:And, yes, we will also be talking about epic failures.
Sid Trivedi:But, Mahendra, we're here to make the founder journey easier.
Mahendra Ramsinghani:That is correct, Sid. But we cannot make it too much easier because startups are hard, And, of course, you already knew that.
Ross Haleliuk:Alright, you two. Enough. Let's get started with this week's episode.
Mahendra Ramsinghani:Some founders take a company public once. Mark McClain took the same company public twice. And the second time, it was oversubscribed by 20 times. As CEO and founder of SailPoint Technologies, Mark created the identity governance market from a scratch, took the company IPO after twelve years, then took it private with Thoma Bravo for almost $7,000,000,000 Not to be satisfied, five years later, he brought the company back to public markets in 2025. Same company, same founder, an entirely different scale.
Mahendra Ramsinghani:Today, SailPoint is a leader in identity security with over 3,000 employees, operating in over 60 countries, serving nearly half of the Fortune 500. Join us to hear the fascinating journey of a founder who, after two decades and two IPOs, brings his depth, wisdom, and above all, a delightful sense of humor. Our episode was recorded live at RSA Conference twenty twenty six in San Francisco and is by far one of the more fun and insightful conversations conversations on how identity is shaping up in the age of AI. Let us get started.
Sid Trivedi:And welcome to our first live on stage show. We're really, really excited to do this with you, Mark. And most importantly, this is also the first time that RSA conference has hosted a live podcast on stage. Oh, look at us. So, you know, very thankful to Jenny who's in the audience today, and Cecilia and other members of the team for making this a reality.
Sid Trivedi:Well, we're going to talk about a whole bunch of different things, and we'll certainly get to SailPoint and the company you've built that has over a billion of ARR, over 3,000 employees, serves 50% of the Fortune 500. But before we get to all that, let's talk about the origin story and a little bit about the why. You've called yourself an accidental entrepreneur. You said, you know, you joined IBM out of college and you thought you'd retire there. Most founders tell the opposite story.
Sid Trivedi:Somehow they always knew they had started that lemonade stand, they've, you know, been a founder before, they they thought they were a founder when they were a kid, but that wasn't your case. When you were at TiVoli Systems in the mid nineties and the company sold for just under 750,000,000, were you thinking, hey, I can do this too, and what was the decision behind going and starting your own company?
Mark McClain:Yeah. I'll tell a obviously a very long story as quickly as possible, but yeah, I was literally the kid who mocked the lemonade stand kids, like, mom will bring us lemonade. I wanna go play baseball. What are you doing? So I I thought that was silly and and it really had no exposure to entrepreneurship or anything like it.
Mark McClain:And as you pointed out, kinda joined IBM when, hard to imagine this now, but back then joining IBM was like joining Google, you thought this is the coolest company and I'm gonna retire there and it's awesome and I'll get a watch at twenty five years and all that cool stuff. All of sudden it just didn't work like that, right? IBM was having some challenges and and then I went to HP for a minute and that was similar and I went, okay, maybe the big company thing isn't my thing. So I joined the startup Tivoli in the mid nineties. It immediately found itself purchased by IBM.
Mark McClain:So I'm like, I can't seem to escape this. This is weird. So did that for a few years, that's when the group of us kind of this is the late nineties by then, and we sort of thought, okay, we sort of seen this small company startup thing, maybe we should try this, and you know Mahendra would be around to remember this, right? Late nineties everybody thought they should start a company because the internet was booming and you know, let's go, let's go. So we did that, then the internet bubble burst and it wasn't a great time to start a company, but as it turned out I really would have said that it was that four to five year period where I joined a small business, sort of seen up close, Tilly had 200 people when I joined it, sort of seen up close when you could kind of get your arms around a whole company.
Mark McClain:I'd never seen that at IBM or HP obviously. So I kind of got my first taste of that small early stage company and I kinda got bit by the bug. Think like, well this is fun, know, I should try this. And then the whole environment around us said, well that's what you do. It's the late nineties, so off we went.
Mark McClain:And yeah, then I all of a sudden became an accidental entrepreneur.
Ross Haleliuk:Mark, you cut your teeth in marketing and sales at some of the largest players at the time. Right? Mhmm. HP, IBM, Sun. Yeah.
Ross Haleliuk:In cyber, when we talk to the majority of the founders, a lot of them tend to struggle with the sales and and the go to market side. They're very technical. They're absolutely brilliant on the technical side, but they might be lacking those skills and the exposure. How did that early exposure to the enterprise sales shaped your DNA as a CEO? And what are some of the maybe early learnings from those times, from your time in go to market that is still baked into the SailPoints culture?
Mark McClain:Yeah. I think what I learned along that journey was at the end of the day, if you've learned of the book StrengthsFinders or some of these books that kind of purport to help you think about the fact that you really actually need a really balanced team to win in the long run, I think it's partly knowing your own DNA. I had technical aptitude but I had tried coding for a year in college on four trend and went, this sucks. I'm not going to do this the rest of my life. So got away from that level of detailed understanding of tech but liked tech.
Mark McClain:Right? And so and yet I had colleagues who we had gotten to work together as I said at Tivoli where they were deep development engineering experts. And I think it was the strength of that founding team that had a lot to do with our success because we understood the importance of getting the product right, getting the requirements right, then building a great product and understanding how to market and sell that product. And so many as you said, so many founding teams particularly security founding teams are coming from a deep technology understanding. And there's still a little of that you know, field of dreams baseball movie, if we build it they will come.
Mark McClain:I'm just going to put the best tech out there and everyone will see it's the best tech and I will just win. And as we've all someone's been around a long time, no, the best tech does not always win. Microsoft. So at the end of the day, there's a way that you can have good enough tech often and great sales and marketing or just catch a particularly great wave. I think we felt like we're not going to be necessarily lucky enough to catch a wave completely.
Mark McClain:So let's make sure we have a really good understanding of what's needed and then make sure we build a great product and then make sure we have the kind of people who know how to go sell that to large scale enterprises which is a very unique skill set. So it kind of was all of those together and understanding the parts that a couple of key founders brought to that. We had a team of four at Waveset, team of three at SailPoint. And we knew kind of where our strengths lie and where we needed to complement those strengths with others.
Ross Haleliuk:And what were some of the learnings that translated from what you've seen in the go to market in larger companies when you started the startup Yep. Versus something that didn't translate?
Mark McClain:Yeah. I think a lot of it was especially selling to the world's largest companies. Most of my career I've been in those kinds of environments, you know, the fortune 1,000 or 5,000 or something. And you just learn that there's an awful lot that it takes to get products into those companies. I mean, there's political dynamics, there's massively complex buying centers.
Mark McClain:Your actual intellectual buyer might come along with you very quickly but he's got to get finance and legal and procurement and everybody else aligned with him. And if you don't understand that, trying to sell into large enterprises, you're going to hit all kinds of struggles. And so I think we knew an awful lot about what it took to do that. And I'd say kind of differentiating marketing here for a moment, I think great positioning and compelling simple messaging is often undervalued by technical founders. Like there is this whole thing, if you can't explain it to a third grader, don't understand it yourself yet.
Mark McClain:And of course, third graders these days with AI are smarter than all of us. But anyways, at the end of the day, you have to kind of ruthlessly focus on simple, clear, compelling messaging. And especially I'm reminded that every time I come to RSA. You know, like, wow, blah blah blah ginger. If you remember the old Far Side cartoon, like everybody's saying a handful of the same words.
Mark McClain:Pity that the seesaw's walking around this floor. Good luck trying to sort out the noise. So you have to try to cut through the noise with clear, simple, compelling messaging. So I think that's the other thing we learned from those early companies. Some were better than others at that.
Mahendra Ramsinghani:So Mark, before we get on to SailPoint, let's talk about the first innings in the field of dreams, WaveSat.
Mark McClain:Yep. Okay.
Mahendra Ramsinghani:You know, talk to us about the trigger point and the motivations. But more importantly, you sold that company in four years for a respectable amount, few 100,000,000. Yep. Many founders would have then said, the game is over. I'm going to go and enjoy the fruits of my labor.
Mahendra Ramsinghani:Yep. So here you are twenty five years later, still going strong. So help us understand not only the origin story, but also what keeps you going.
Mark McClain:Yeah. And I think the only fair I'll try not to go into some like lie down on the couch, tell you my life story thing, but I think there really is a personal and a professional thing there. I think professionally, like that was a good outcome. Right? We had a good outcome, I think it was 44 or something like that when that deal happened to sell it to Sun.
Mark McClain:And I was just partly I had this is the personal part for a second. I had kids that were like elementary and middle school and I didn't really want them to see me hanging out on the couch watching Oprah while they busted their butt in school like you guys should go work hard, pass me the ice cream. Right? Like that's just it's not a good look. So I kind of had this personal motivation to kind of give a good example to my kids of hey, I'm going to keep working.
Mark McClain:But think professionally it was like, well that was a fun good outcome, but it was company got to 100 people, we immediately got sucked into the borg of Sun. This is another long story. Sun was great until it wasn't. And so we kind of went, man, maybe we could do that again. And the weirdness of the SailPoint story is we thought it would be the wave set story again.
Mark McClain:Run four, five, six years, build a nice product, some cool tech company will buy us and lather, rinse, repeat, maybe we'll do that a couple more times and that's almost what happened, but then it didn't. So I think there was a professional motivation to try to just keep going. Yeah. Again, we did well. We didn't make you know so much money that we were buying islands.
Mark McClain:We were buying modest houses in the burbs. That wasn't like the end goal necessarily. And it wasn't so much the money as the sense of doing something interesting that I think that motivated me always frankly. And but on the other side personally, just like, well I have energy and interest and I'd like to stay in the game. I didn't anticipate SailPoint would be a 20 journey, I really didn't.
Mark McClain:So that part was unexpected, but it's been a super fun journey. So I guess we'll talk a
Sid Trivedi:little more about that too, so. Well, let's talk a little bit about SailPoint.
Mark McClain:You're welcome for the segway.
Sid Trivedi:You're At building the castle. SailPoint raised very little venture capital, so full partnering with Thoma Bravo Yep. 2014. Yep. I believe the company was founded in 2005.
Sid Trivedi:Yep. You initially took the company public in 2017, and you were Thomas' first ever IPO of a portfolio company.
Mark McClain:That's what
Sid Trivedi:And I believe still the only ever IPO. Did this end with
Mark McClain:No, not the only. They technically had six IPOs Oh. But we are two of the six, which is kind of an odd statistic.
Sid Trivedi:That is very interesting.
Mark McClain:Yeah, is. It is in fact.
Sid Trivedi:At the time that PE firms were buying, you know, kind of companies, they weren't typically focused on buying innovative Right. High growth software companies. And it was pretty unusual. Yep. You've said that you were pretty surprised that private equity was even interested.
Sid Trivedi:What got you excited about working with private equity versus venture capital and continuing to raise multiple rounds?
Sid Trivedi:Yeah. No. I'll go ahead and tell the story as honestly as I can because what happened was I mentioned we thought this would be the same story as Waveset. We had two aborted m and a deal. We've almost got bought once that one on a clock scale which about ten thirty, Then we almost got bought that one went to eleven fifty eight. Like red lines back and forth, think we're almost done, deal blows up, which was not a good day actually in my life. But it led to like, okay, we're going to keep going, didn't really expect that outcome at that point.
Mark McClain:So And we went to raise what was then generally called growth equity, right? We've been raising early stage venture, we're getting to a bit of scale, let's go raise some growth equity. The banker that had been working on the M and A deal kind of said, well let me help you guys. We'd never used a lot of outside help to raise capital because we had these relationships with some of the VCs in Austin and such. And so we got down this journey and all of a sudden the people that seemed to be having a lot of interest in us were PE firms.
Mark McClain:And I was just like, Like what is that? Like all I knew for the older folks, all I knew at PE was Michael Milken and LBOs. Like leverage buyouts, that's not us. We're like a little fast growing startup. What what is happening here?
Mark McClain:And what was happening was that was the early stages of PE getting into growth equity. They were starting to see there were multiple ways to make money. One was to buy kind of quote unquote broken companies and fix them and resell them and they still did a lot of that. But the other was to kind of get in on the front edge of some industry and to Tomah Bravo's credit and they've still built as we all know amazing security industry franchise. They saw identity I think before a lot of people saw it.
Mark McClain:And so they literally were kind of almost kind of keeping an eye on the landscape for who was emerging as interesting identity players and they connected with us and really liked the story. And next thing you know, when we thought we were just going to be adding investors instead we had a PE investor who took everybody else out which was not the expected outcome. And so that was a bit of a shock. But then to your point, we thought okay, well fine, we'll do this in a few years we'll sell to a big strategic because that's what PE guys do. And then all of sudden Wall Street's talking to us, they're talking to Tomah Bravo and like, you guys could take this thing public.
Mark McClain:We're like, what? Like that was not the plan. So that's where we got to. Again, I've tried to be as transparent about this stuff as possible. It was not how we went into it.
Mark McClain:Didn't expect it. Always think I was going to be a public CEO, probably would have said at one time I'm not sure I even want to do that. Unlike the folks who seem if they want to do that, always. So that sort of evolved as the next natural step, but it wasn't really the game plan and it really was because PE, Toma particularly I think was shifting into a mindset of multiple investment strategies. And one of them became growth equity and ultimately Toma now has an already staged venture fund effectively, right?
Mark McClain:But back then though there was no fund focused on that. We were really a misfit in their in their portfolio. We literally would have these conversations about EBITDA multiples and we'd be like, there is no EBITDA. So they actually fit the multiple. What EBITDA? Yeah.
Mark McClain:What is EBITDA? We had that conversation first. So there was just a lot of cross learning with those guys, and then you have the public thing happened, and then, yeah, we can go on the weird story from there.
Sid Trivedi:Tell us a little bit about Austin and building a company, a startup, particularly a technology startup in Austin versus here in the Valley. How was that like fundraising in a very different environment?
Mark McClain:Yes and no different. You know I think one of the things that you'll hear from, I'll call them grumpy Austinites, if there's any in the room, apologies. It's, oh, know, there's no money in Austin. I'm like, bull, there's money. You've got to be attractive enough for it to find you, and it does find you.
Mark McClain:If you build a good business, the money will find you. And, you know, we were we were first invested by Austin Ventures which was kind of the flagship fund at that time, but then Lightspeed, who many of you know out here, flagship VC firm was round B in both companies. So they found good companies even based in Austin. Right? But building a company there there's some pros and cons compared to here.
Mark McClain:Right? One is you've got a decent, less so back then than now, a very decent pool of talent, right? What you didn't have necessarily was as much executive talent out there. People who had been there, done that at like c level jobs in fast growing startups. That's different today, but 2006, no.
Mark McClain:And so finding that kind of talent was a little more challenging I think in that era. But there's a big difference in Austin and now I'll diss on The Valley for a minute. I was dissing on Austin, try to be an equal opportunity offender. I think the thing about The Valley that's tough is you kind of get this suspicion. If if you want to meet with me, do I need to talk to you?
Mark McClain:Why? What are you going to do for me? In Austin there's like this openness like, sure, I'll talk with you, I'll help you. Do you want to meet somebody? Oh, if I know them I'll make that introduction.
Mark McClain:It's a very much more community collegiality, I think this kind of characteristic there. Some of you know the famous event we have down there South by Southwest, and I told people the guy at Hugh Forrest who built that didn't know how brilliant he was with that title because Austin does kind of represent this meeting of the South, which is genteel and sweet and nice. By the way, somebody down there tells you bless your heart, they don't mean it in a good way, just so you know. But but there's the South South thing, but it meets the Southwest, which is sort of the West and independent rugged go do your own thing. And it's kind of Austin's got both of those characteristics.
Mark McClain:It's really interesting. You get the niceness meeting the tough independent innovator. And that's kind of who we are as a city. So for what it's worth, I felt like when I got there I'm like, oh, this has kind of a different vibe than I was used to in the valley. And that just turned out to be a great place for us to build a couple businesses.
Mark McClain:So yeah, it is different than here. I think those those differences are less than they were. So many folks have moved from California to Austin and just the whole thing is a lot more remote friendly than it used to be. COVID taught us that. Right?
Mark McClain:So now teams are sort of virtual and national, if not global. So it just all those things are still important, but maybe a little less so than they were.
Ross Haleliuk:For the longest time, identity was seen as just a compliance workflow.
Mark McClain:Yep.
Ross Haleliuk:Yep. What like, if you go back to those times, what did you see so early on that made you believe that it will change and identity is going to become one of those most critical control planes for the enterprise? Or maybe that in fact wasn't a belief and things just unfolded or not you're all likely
Mark McClain:I tried to be a verbally humble. I will not tell you in o six I saw where we would be today. No freak chance I saw that. But to be fair, we did see Waveset had been kind of a life cycle provisioning company. Then we started SailPoint as a compliance and then over time those two sort of became the core of what's now called IGA, right?
Mark McClain:Governance and administration. And we certainly saw a lot of drivers for customers in that marketplace, right? Just the whole need, Sarbanes Oxley became a thing and audits and compliance became a thing, but the whole operational provisioning side of identity was still a thing. So we kind of rode that wave, but pretty early on I think we were starting to see these early, especially in SaaS, the shift to cloud and SaaS. Like when you shifted from an on prem data center model, which was kind of a castle in moat, right?
Mark McClain:You have your own proprietary network, your own proprietary data center, you own those desktops, people have to come to work and work in the office on that desktop. That's how most of us grew up. Like when the world became mobile and cloud, all of a sudden those core security fundamentals, they didn't go away, but what happened pretty quickly is we figured out they were insufficient. Like you didn't not have a firewall or not have network security or device security, but a whole bunch of the time someone was on a device you didn't own over a network you didn't own going to an application you didn't own. So the common thread to an enterprise was the identity doing all of that.
Mark McClain:And so we kind of saw that and started to talk about more of identity security, not just identity governance and compliance. And sort of, I think we were a bit ahead of that curve, but it was not that we saw it twenty years ago to be fair, Ross. We saw it maybe a few years before others and started to kind of shift our mindset there. And I think that's, you know, I kind of said this earlier and I'll highlight it just because I know some folks in the room think about doing companies and stuff. I would say the longest term sustainable competitive advantage is listening better.
Mark McClain:If you listen better, you're going to be ahead of the curve on a lot of stuff. And this is where the tech founders sometimes get off track because they're really really smart and they think they know what the market needs and that's what they go build and they didn't listen very well. And so if you continue to listen well and evolve and adapt, then you're more likely to kind of stay at or slightly ahead of most of the customers, and that's how you keep winning in the market. And we absolutely did that as as things evolved.
Mahendra Ramsinghani:So now, Mark, it's been twelve years. The company has gone public. The first company that you built, you sold it in four years. Yep. The second time, it goes public after twelve years.
Mahendra Ramsinghani:Yeah. And then you take it private within five years. Within five years. So help our audience, help the entrepreneurs who are trying to build companies understand the challenges through each of these stages. You know, company goes public, there are a bunch of challenges, then you have to take it back private.
Mahendra Ramsinghani:What's going on behind the scenes?
Mark McClain:And then you go public again, then you go private again. I think I'm gonna do this for another thirty or forty. I'm just kidding. Only.
Sid Trivedi:The bankers will be very happy.
Mark McClain:The bankers would love me, my wife would shoot me, so we're gonna go with staying alive as a strategy. Yeah. Look, think at the end the day, one thing that's not expected that I've now learned is as a CEO, you spend about 15 to 20% of your time with investors. That looks one way when you have three or four venture capital investors. It looks very differently when you have one PE investor.
Mark McClain:It looks very differently when you have hundreds of institutional investors. And it's really fun at the moment where you have both a dominant PE investor and hundreds of institutional investors all at once. Super fun. Sorry, that's public, isn't it? Sorry.
Mark McClain:It's great. It's all it's awesome. It's great. But at the end of the day, what I've learned is you always have people, unless you build something completely bootstrapped and got big and that doesn't happen very often, You're always going to have a set of investors to whom you answer. And so your job as a CEO is always to make sure that investment community, whoever it is, has confidence in your strategy, believes you have the right team on the field, and believes this market opportunity still looks like a great thing to pursue.
Mark McClain:When you do that well, then they stay with you. I think the other obviously part of our job is inward facing. And at some level what I've seen with all these changes in our cap table is it really about 3% of the company at most spends a lot of their investment community and 97% is just building software, marketing software, selling software, installing software, supporting customers. Like most people's job changes very little with changes on the cap table. I try to remind them like, you stay focused on what you do, let us worry about this investment stuff.
Mark McClain:When they get overly worried about that it's not great. Right now it's not great because everybody's watching the stock price be completely disconnected from the value. But we will see that change I believe. Matter of fact we famously said on one of our company meetings after the first IPO, every second you spend watching the stock price you're doing absolutely nothing to help the stock price. That's that's a good reminder for all of you if you're in a public company.
Mark McClain:So we we try to get people focused on that and let you know the CFO and the CEO and the IR team worry about the investors and how that goes. And I think that's another thing you signal to how you lead the company. If you're staying focused on customers, the market, the competition, the partners you need to win, most of the investments will work out. But if you get overly fixated on that side of it, some founders get so caught up in the fundraising and the this and the that, you lost sight of the market, you lost sight of the competitive dynamics, don't do that. So I think we've tried to make sure the handful of people that really need to focus on the investment community, whatever that investment community is, are thinking about that while the others are just doing what they need to do to build a great business.
Mahendra Ramsinghani:You know, in our some of the background research that we did, we found that you're the only entrepreneur who's taken the same company public twice, except two others, Michael Dell, who's also from Austin Sure. It's an Austin saying about Sure. The South and the Southwest. Sure. There you go. And then the third one is Richard Branson.
Mark McClain:So Yeah. I think the three of us should go have dinner and talk about this. This is super fun. Hey, Rich, Mike, what do you think? Yeah.
Mark McClain:No. We should definitely do that.
Mahendra Ramsinghani:But but the second time around when you took the company private again and public second time Yeah. That was a three year window. Yeah. Were the motivations the second time? Was it the market that was pulling or did Thoma Bravo sort of play a role in saying this is
Mark McClain:a good window, grab it. Were both ends? Great question Mahendra. Yeah, both end. I mean, look, we don't feel it very much sitting here in March '26, but about a year and a half ago the market was buzzing.
Mark McClain:Long after a year and a half ago we elected a president who was going to be super business friendly. You guys remember that? And so we got geared up to do an IPO frankly about a year to year and a half earlier than we were planning. When we went private in, I guess it would have been '22, we expected that to be a four year private journey like to right now. Oh, wow.
Mark McClain:Ish. And two and a half in, we're like, it's time to get ready and go again. The company had performed really well during that private period, you know, gotten much more profitable. We kind of did some more aggressive SaaS transformation, we did some more aggressive, you know, calling out some products that needed to be called out as we continue to evolve. And all of a sudden we looked really attractive again for a public market offering, so we went and did that in February and then we all got liberated and that wasn't great.
Mark McClain:And so just now we're just navigating it like every other public company is navigating it and obviously with the AI noise you're you're navigating a particularly challenging set of investor dynamics of isn't AI going to kill everything in the software industry, which is ludicrous. But there is a lot of unknown as to how this will evolve, and so for the moment investors are like, I should invest in Nvidia because they're building a lot of data centers.
Mahendra Ramsinghani:Very few companies have got 20 times oversubscribed at IPOs.
Mark McClain:So we did have a very good IPO back to the market was very healthy at that time and we were a great offering and came out right where we thought we would on valuation and all that stuff. Companies performed very well since then and the market has not reacted where you would think a market would in those situations. So we just have to be patient.
Sid Trivedi:Well, we did all the nice questions. Okay. Five the hard ones. Oh, I'm almost out of time. Let's get into the hard questions.
Sid Trivedi:And the reason that that all of us are here today, which Oh,
Mark McClain:that other part was just fluff.
Sid Trivedi:This was all this was all just to, you know, get you excited and get prepared for what we're getting into. We can only hope. Which is talking about, you mentioned it already, but the AI arms race and Yep. How do you win as an incumbent? Yes.
Sid Trivedi:SailPoint just crossed a billion of ARR. Yep. You launched five major products at your conference, navigate 2025. Yep. And one of them was an agent identity security product.
Sid Trivedi:Mhmm. All of those five, by the way, booked orders within the first month, which is awesome to hear. But here's the tension. Mhmm. 80% of organizations are already using AI agents Mhmm.
Sid Trivedi:Yet less than half of them have policies to, you know, secure any of those agents. Mhmm. How are you adapting SailPoint's architecture and your team's mindset to govern AI that can think on its own, that can reason on its own, rather than just managing static human credentials, something that you've been doing for quite a while now?
Mark McClain:Yeah. Boy, this is the question of the day, isn't it? Look at the end of the day, agentic is like other forms of identity and it's not. Right? Both and.
Mark McClain:At one level you've got an identity. And by the way, we've had other relatively static non human identities before this, bots, service accounts. There have been non human identities for a while now. The non agentic flavor of that was not getting a lot of attention to the last few years until they became part of the attack vector, Right? Once the bad actors started to figure out if I could break into that bot or that service account or something else, I like to say unlike our employees or our humans who we've trained to raise their hand and go oops, I think I clicked on a link in the phishing thing, you should make sure I didn't screw up.
Mark McClain:There is no analogy to that in the nonhuman world. Like, you manage to compromise that nonhuman thing, that nonhuman identity, it doesn't know that it's been compromised, it just keeps doing whatever it's asked to do. And that was sort of true in this non agentic world where most of those were deterministic, predictable kind of behaviors. Now you enter this agentic world, and of course as we all see every week the world of agentic keeps morphing and changing, and how how intelligent are these things, how autonomous are they, will they in fact spawn and morph and create new sub agent, all these things. I I tell people you want to freak out a security person, you tell them that a super agent can spawn sub agents and you may not even know that happened.
Mark McClain:Like how do I protect against that? And so we're we're rapidly seeing that there's a set of common capabilities like you need to understand what this identity is, what its purpose is. We call that a role for humans, our background role based access. Is it is it still valid to whatever it was set up to do still meaningful? And then you watch what it does and theoretically report when you see anomalies.
Mark McClain:That's kind of how it worked for humans. Those kinds of things are going to be fairly true of non humans except some of it's going to happen at machine speed, which is wildly different. You know, a human can only hit so many keystrokes in a short time. An agent can do millions of things a second like all computer things. So we're going to have a lot of different speed and adaptability challenges.
Mark McClain:And then that point you raised it of this idea of intelligent you know, autonomous agents that can morph and change, and they're mission driven, to use an old phrase, right? Like I am being told to solve a problem, I will do whatever I need to do that I have access to to solve that problem. And what we're seeing, I don't know, some of these stories haven't hit out loud much, but we've we've heard some scary stories like customers who said, well we set up this agent and it thought it needed a piece of data, so it tried to get to that data and it couldn't. So it found another little agent in the system and said, hey little agent, can you get me into that system? It said, no I can't, no I can't, no I can't.
Mark McClain:And it kept pounding on the little agent, this sounds like a children's story, know, but it's really happened. It kept pounding on the little agent to say do it, and it finally said okay, and it went through and found the source code to that application and found a backdoor. I mean, these stories blow your mind. Like, when you tell these things to go accomplish a mission, they're going to accomplish it. And they won't necessarily have morals or ethics as to how they do that.
Mark McClain:And all of a sudden you're like, oh my goodness. What am I going to do to protect against this stuff? So I think when we talk about the the world of AI and how enterprises are adopting AI, there's probably never been a technology with more promise. I think we would all say that. And there's two big resistance.
Mark McClain:One is this, where there's a clearly understood risk profile that's not well managed yet. And the other is all the people who are like, so you want me to implement this technology that's going to put me out of a job? I'm not going to move too fast on that. So you got two real slowdowns I think happening, but they're going to get overcome. And we're going to see this stuff come like a freight train I think through the rest of this year.
Mark McClain:So at SailPoint, we are hyper focused on what are the similarities to your point Sid, that we've seen about identity, what is unique and new and different about that. We're hiring lots of really smart people who have come from that world already and trying to blend that into a comprehensive view of how do you manage the entire identity ecosystem, human and nonhuman agentic, and protect your data. At the end of the day, that's what we're trying to do is protect the data, and that's where we're that's where we're focused.
Ross Haleliuk:You just said that machine identities already outnumber the number of human identities in most enterprises, And you also stated that the static policies that the identity governance has used to rely on for decades are not scaling. So what does that mean in your context? Does it mean that the very foundation in which Sellpoint has built this technology, you know, was built for solving the wrong problem, or does it mean that indeed that foundation is what enables you to expand and cover the new use cases that have happened?
Mark McClain:That's a very great question and that's probably the heart of this incumbency question, isn't it? We do think that deep rich understanding of identities through entitlements getting to data is still foundational. The difference is you said it was generally thought of as a static situation where you set it up and watched it and it didn't change until there was a reason for it to change. The person changed jobs, the IT environment or application environment changed, now I have to rejigger. Right?
Mark McClain:Well, I think what we're going to see is all that stuff happening now not in days, weeks, months, but in seconds and minutes and sub seconds. And the idea of ephemeral agents, right, where an agent is literally created to do something and disappears again. That's a completely new you you didn't have employees who worked for two seconds at your company and left, right? That was not a thing. So we're going to have some new concepts or new challenges I should say.
Mark McClain:Many of them are speed related and obviously we've seen that come in so we've been doing a lot to invest in how do you do these kinds of things but at literally orders of magnitude faster than you could do them before in a dynamic environment. The other thing I think that's going to continue to change about this environment is what we always just call the context. Like there was sort of an assumed context a lot of times in human access, right? You're at your desk and you're on the computer system in the office and you're going to this application. And then that shifted to as we said before a mobile cloud context.
Mark McClain:Now you're going to have not just the where are you and what device are you on, but this wonderful new word we're hearing a lot about intent. What are you actually trying to do and can you understand enough about what the intent of this agent or identity is and therefore keep it within the guardrails of its intent? That is some brand new technology, just to be really clear. And so we're all figuring out how do you define policies that kind of, you know, guardrail intent. How do you look for signals that the intent is being compromised?
Mark McClain:There's some really hard computer science here and I'm about to get out of my depth quickly on talking about this, but that's the kind of things we're having to wrestle with. And those are the things that our customers are telling us, those are the things we're gonna need to protect. So that's the part that's gonna morph continually as we keep going.
Mahendra Ramsinghani:Mark, now SailPoint is a large company. It was once a startup. Yep. And you think about how you have a nice grip on the market. You have a large number of customers, you have a loyalty built in there over the years, and on the flip side, there are a bunch of new startups.
Mahendra Ramsinghani:I mean, you walk around the halls, yep, RSA. Yep. I think AI, agentic, identity are the three sort of Everybody is buzzword compliant. Yeah. They're all saying the right buzzwords.
Mahendra Ramsinghani:So so now you have this, I would call it attack vector of a different kind. Yep. You have startups that are coming after your market. Yep. And you have to obviously protect your turf.
Mahendra Ramsinghani:Yep. You obviously have to deliver the growth numbers that your investors care about, etcetera. So help our audience and entrepreneurs understand how do you think about startups? How do think about innovation? Is it a partnership strategy?
Mahendra Ramsinghani:Is it head to head combat strategy? How do you play that game?
Mark McClain:Bothand. Gosh, I keep saying that, don't I? At the end of the day, is both and. Meaning, we look at some of the emerging things happening, and sometimes we look at those through the lens of could that advance in the direction we know we need to go, but we'd have to go build it the classic build buy thing.
Mark McClain:We know we need to move in that direction. Oh, look. Here's this young technology company that seems to have made some progress down that path already. That's where we get into potentially M and A conversations. I don't think a lot of times you see larger companies, I guess we're mid we're like a teenager, like to say we're not small, we're not old, we're sort of You know, you look at this stage of a company's evolution and often these are the things they're talking about is should I you would have used to have said months, maybe it's weeks now with AI, but do I take some amount of time to go build something or can I advance my cause?
Mark McClain:And by the way, you all know this, you're not just buying the tech, you're buying the knowledge behind the team that built that tech who you think can continue to advance that, right? On the other side, you definitely have some people that say I'm going to disrupt SailPoint with a newer better SailPoint. Here's where I think there is a little bit of miss in the industry today. There's folks coming at saying, I'm just going to master the agentic world. And we're like, look, the agentic world will always operate under the direction of humans.
Mark McClain:This human is asking that particular agent to do something or in some cases maybe it's policy. Like the underwriting department and the insurance firm says we've created a series of agents to go make underwriting better and faster. So no one human drove it, but humans built that plan, that policy that so the idea that you're going to manage a set of agents without the context of all the controls that we've always had around what can identities do with data I think is a misunderstanding. That somehow magically you can do that just in the agentic world without understanding all the things it took to build policies that knew how to protect data for the right reasons at the right time. I think that's where the world's going to get a little bit of a wake up call we think.
Mark McClain:So we think we're going to head with our current franchise of knowledge in that direction additively not displacing it. And we may do some of that by grabbing some of these early stage tech companies that have advanced that part of the solution, but we don't think they can ever win the whole game with just that. And their ability to grow back toward what we've done for twenty years in human is very hard. That is a very big lift.
Mahendra Ramsinghani:This might be music to a lot of founders ears, but to help them, help our founders understand what are some ways they can partner with a company like SailPoint, what are some techniques or strategies that you might have used so far?
Mark McClain:Well, usually I try to say there's a park bench and if you wanna drop a bag of cash, no I'm kidding. That is not how it works. We're not Russian spies or anything like that. No.
Mark McClain:What we do, our corp dev and m and a strategy team is actually out very actively surveying the landscape at all times. We have folks here today and they are you're if one of the startup companies, we're probably trying to figure out who you are, where you fit in the universe, and is that something that we should look at? And by the way, our friends at Tomah Bravo do that all day every day. They are constantly if you work in a small security company, somebody at Tomah Bravo has probably called you. They might know more about the founder themselves, about them.
Mark McClain:A 100 times, yes, that. So I mean we're constantly in kind of you know scanning the landscape mode, right? And so I think a lot of it is, know, you said it Mahendra, sometimes people come at you combatively, I'm going to beat you at your own game. Other people say, look I know I can't beat you at your own game, but I think I could help you in this way. That's obviously a better approach.
Mark McClain:Sometimes though people say I'm going to try to challenge you and then you go, well, okay you're challenging me now I got to decide what to do about that. I would say today we aren't seeing and literally we've been scanning very very diligently. We haven't seen anything that makes us go, oh no, they've just figured out how to break the code and do what we do way better and faster. Part of the misnomer about startups and I believe this when I was one well we're just smarter and faster and we're going to do it better. Well, that's when you were fighting against one of the dinosaurs frankly, that weren't innovating and we're still a highly innovative company.
Mark McClain:And so we're not sitting on our laurels thinking we just don't have to do anything new and different. We're constantly looking for how the tech can be used to advance our cause. So there is a sense of we're looking for some very advanced folks pushing the boundaries on certain things while we ourselves have been trying to do most of that as well. And sometimes you say, wow, that's interesting but that's what we're already working on inside the company, you just don't know it yet. Or wow, that is a new and different approach than we had seen and that's smart and that could advance the cause.
Mark McClain:So I think we're constantly looking at that range of players which you guys know this. In the identity landscape there's a lot of noise about convergence and overlap and the world's gotten pretty confusing. But I think we still feel like where we're starting from in this kind of deep identity governance and admin heritage, I think we know kind of the things that we think would help us advance toward a really robust agentic AI future. We're building an awful lot there. We're not sitting on the sidelines.
Mark McClain:But on the other hand, we're for sure looking at ways to kind of move that faster and sometimes these companies will help.
Sid Trivedi:Yep. A lot has happened in the world of identity. Yep. But I'm sure and and certainly with all the new aspect of new technology that's come out with AI and AI agents, how are you thinking about using some of these tools internally? I mean, obviously, saw Block announce that they're reducing headcount by 40% and using agents to go and supplement a bunch of work.
Sid Trivedi:How do you think about where do we enhance our current employee group and make them significantly more efficient in their work? And where has AI disappointed you internally?
Mark McClain:Well not a lot of the latter yet but I'd say we're kind of in the middle. I think as a security vendor I would imagine you talked to some of the large ones here we would share this. Lot of us are leaning in like a lot of companies are heavily on engineering. Like how do I build faster, better, cheaper, all those things, right? And and I we're leaning in very heavily on that.
Mark McClain:Everything from you know Copilot and Cursor and Cloud Code and you name it. You know we've got that stuff going on. And I don't think there's almost any tech company that's worth paying attention to that isn't leaning in heavily on these technologies. I think it's sort of when you get outside of the core engineering function. And I'd say not just engineering by the way.
Mark McClain:I think I would the world of product management is changing pretty dramatically too. Like how do you decide what requirements are important? How do you vet those quickly with some iterative cycles with customers? How do you know who to listen to? How do you get early demo pilot wireframes in front of customers to test out what you think they're looking for all that stuff.
Mark McClain:When you get outside of engineering and product, think it varies quite a bit depending on the kind of company you are. We're a heavy enterprise selling company. No offense, not in my lifetime are you replacing super sophisticated sellers to call on fortune 100 companies. That those guys aren't going to be talking to AI agents to spend millions of dollars on software. That's crazy.
Mark McClain:The early parts of that selling cycle though kind of the DSR world, the digital sellers and the folks looking for pipeline growth and all that. Oh yeah, that's a heavy investment in technology right now. Marketing tools to do better fit intent mapping, get better understanding of that customer's environment, how do you prepare for an engagement with that customer, that's heavy. We're using it in HR as you might imagine to make sure we don't accidentally hire North Koreans, no offense, right? So like there's all kinds of places and even in G And A that's probably one of the least heavy places right now, but we're looking for opportunities there.
Mark McClain:But I think, you know, we we see it like every company does, I think particularly tech companies as a way to advance and accelerate. Probably not a cost cutting thing. You know, I don't I can't speak to what Dorsey did there at Block, although Elon came into his other company and cut half the company too. Maybe they just build companies with too many people, but I don't know. But I think there's a sense of if a lot of tech companies I think are trying to figure out how to maybe not so much take cost out as accelerate innovation and efficiency not necessarily do the same thing with less people.
Mark McClain:How about same people do more? Right? And I think that's how a lot of us are thinking. I I don't know quite what to make of you know, in the work security conference but you know mister McDermott at ServiceNow said we're going to grow revenues whatever 20% compounded, keep our profits in the 40% range and not hire anybody. I'm like, feels hard.
Mark McClain:That's amazing. I want to check back on you in a couple years and see if that came true. But we'll see. But I think yeah, there's some bold things being said about what we can do there. I think we're just trying to be kind of aggressively pragmatic.
Mark McClain:We want to move aggressively, we don't want to move so rapidly we do something stupid and expose ourselves.
Sid Trivedi:Nothing has disappointed you in terms of some of this tooling. Mean one of the things I've noticed is that in this world where everyone is saying AI efficiency is going to you know save us all a bunch of time. At least here in the Valley it feels like everyone's working overtime trying to figure out how to use Cloud CoWork and some I of these other
Mark McClain:I don't know how many are again, Mahendra and I with our white hair here you know. I remember the claims of the four hour work week because all this amazing automation technology we're only going be working four hours a week and then I I'm still waiting for those days. Me too. Yeah. We seem to always as humans find more to do.
Mark McClain:Yeah. Not just hang out and do less. So I I think what AI is going to do is it's going to accelerate a lot of things and we're going to find many other things to do. But I think we're all going to see some serious productivity gains and a lot of knowledge work to use that term. But I don't think I believe we're going to find that everybody's like, oh great, now I can work you know twenty eight hours a week.
Mark McClain:That'll be awesome. The world keeps creating new problems for us to go work on, so I'm not, you know, I think maybe the folks at the DMV are hoping to work less hours, but most folks that isn't their goal, right? So I think we're trying to figure out how do we how do we do more with this technology faster, better. You it used to be in product you always had this three way trade off between function, speed, and quality. Absolutely those were intention.
Mark McClain:Now ideally with AI you can move faster with higher quality, cheaper. Like, that's never happened before. Right? And so we're gonna have to see if we can make that happen.
Ross Haleliuk:Where do startups have a legitimate edge over SailPoint today? Like, if you were a 30 year old founder walking on the floors of RSA
Mark McClain:You're asking me how would I beat myself, which is always Yes.
Ross Haleliuk:Yes. Exactly. What what can the startups you know, if if you're a seed stage founder, what can you build that SalesPoint cannot do today?
Mark McClain:You should invest heavily in COBOL developers. That's what you should do.
Mahendra Ramsinghani:By the way, you might wanna emphasize what COBOL stands for. Yeah. Never mind.
Mark McClain:If you don't know what COBOL means, you should look it up on AI. But no, I think realistically the advantage they have is they don't have baggage and that's just the right term. Right? They they don't have the but this is the way we've done it because most of those startups are going to be populated with younger highly innovative people who've been learning on these tools for the last five or six years. That's just different than developers who've been doing it for twenty five years.
Mark McClain:And they had to learn agile, they had to learn a bunch of new things in the last ten or twenty years. But on the other hand, what I think is wildly undervalued today and I think we're going start talking a lot more about it is what I call domain knowledge, right? Like you can't take an AI tool, point it at our company, get it to say, show me how to beat SailPoint and then actually go build that company. It'll show you a bunch of words on a screen of things you could do, and then you may or may not have the context to know what the hell that means. I like to flip it around the other way like I can't use AI to say help me beat Workday.
Mark McClain:Like I don't know crap about the HCM marketplace. I don't know how those people think, what they buy, why they buy it. And you can't replace that domain knowledge. I like to if I really want to challenge people like, you ready to fire your doctor and just do it all yourself with AI? No.
Mark McClain:Of course you're not. Right? Like I'm going to fix my own health. I don't understand chemistry. That would be a bad idea.
Mark McClain:So like there's a whole thing there of domain knowledge really does matter. So I think the people that are going to do well, this is where the advantage a startup has is they're fast moving and they're kind of coming at it with an up we've used this term born in AI, AI native, whatever you want to call it. But what they don't have is the experience of working with big organizations and how these things actually work in real life and the difference between theory and reality of how companies actually do some of these things. So I think what we're going to find is domain knowledge coupled with aggressive innovation is going to be the guys that win. And so the two guys that lose are either the guys that only have aggressive innovation that don't understand the problem, or the guys with domain knowledge that aren't aggressive about adopting the technology.
Mark McClain:So if you're in my chair, you better aggressively adopt the technology and that's what we're doing. You know, the guys that are in trouble are are saying, I, you know, I don't think this stuff's real. We're not going to spend time on it. No chance. So the the startups, the advantage they have is no baggage, and the disadvantage they have is no domain knowledge.
Ross Haleliuk:So you're not giving the founders any specific ideas, are you?
Mark McClain:I'm not generally a fan of here's a gun, please shoot me with it, right? That's generally not my my general approach, but but no. I think like founders, they should, somebody said this and I think this is true, you kind of think around the edges. This is your question Mahendra. If you want to come straight at the heart of a big player today, that may be a fool's errand, a little Quixote ish, right?
Mark McClain:But on the other hand if you look at where where a company's got a nice franchise, but there's all kinds of stuff around that that is a need that's unmet today. That's where I think you could surround it and say, and look ultimately we're all worried about being disrupted, completely disrupted, I get it. But I think in the long run if you're paying a lot of attention, your best bet as a startup today is probably for betting on the odds, go build something that helps supplant and supplement one of those guys and you could find yourself in a great M and A situation. So we did the first time, right? It's harder to take on a massive strong player head on early on.
Mark McClain:You might say I'm going to start here and maybe I'll grow in toward that if I don't get bought. But you know, there's a lot of folks that think they're going go, who was the company that was making all the noise about disrupting Salesforce? And then a couple people tried it went, oops. I mean, Salesforce has their issues, but like, you know, that's a big franchise after all these years. That's a little tough to go straight at that franchise.
Mahendra Ramsinghani:I think many many founders who have reached the scale that you have often talk about this, that do not underestimate the challenges that you have when you are entering a mature market. Yes. And secondly, empathize with the buyer. The CISO has to deal with you know, they're not getting up every morning saying, what a beautiful sunny day. Let's go and go shopping for agentic AI.
Mahendra Ramsinghani:That's the last thing on their minds. Right? So I feel like when you look at the startups that are trying to enter the new markets, obviously, that's a, you know, great point that new markets are much more accepting as opposed to mature markets. You know, the lights are starting to flash up here, Mark. So as we wrap up this session, two questions.
Mahendra Ramsinghani:One is, you've been in this industry for well over two A hundred and fifty years.
Mahendra Ramsinghani:Yes. You know, your hair was probably as black as mine when he started our careers. Let's just you know,
Mahendra Ramsinghani:you have all the lines in the right place. You've been smiling for too long. That's a good
Mark McClain:Okay. That's enough on the whole thing. I'm with you. I got you.
Mahendra Ramsinghani:So how have your belief systems evolved? When you started your career and where you are today, what are something that you believe about cybersecurity looking into the future?
Mark McClain:Well, there's a lot of talk today about platforms, right? Notably here we talk a lot about Palo and Crowd as massive security platforms. And I think having lived not my whole career but a lot of it in security, you will always feel this tension in the large scale enterprise that's a little different than SMB. The whole move toward consolidation, fewer vendors, more under one roof, Every procurement person in the world wants that. And many technical buyers want it, but what happens is you move up the scale of complexity and enterprises, they will make a trade against a single vendor approach to what I really need to solve the problem.
Mark McClain:And that in security, that's part of reason we have such a fragmented security industry. It's a bunch of very specific complex problems and you know it's difficult to as the world keeps evolving and changing keep being one player who can plug all those holes. I mean our friend Nikesh is trying to do it by buying a bunch of stuff. We'll see how well that actually stitches together into a true platform, and our friend George is mostly building it. But again, they had a core center of gravity and they've extended some beyond that, but not a ton yet truthfully.
Mark McClain:Right? So I mean it's just it's difficult. So I think what I believe today even stronger, I don't if it's a change, Mahendra, is like this market will always have a level of fragmentation to it because there's probably nothing that's evolving faster. Like how do you make a product in manufacturing certainly evolves. How do you fight security threats keeps evolving because the the actors keep evolving as to how they threaten you.
Mark McClain:So you have to just be completely you know, evolutionary there. And I think that's just a reality of the security landscape. So I would say the platform pull will always be there from the buyers, but in the enterprise, and again, I can't speak to SMB, it's not my space, but in the enterprise buyers that tension will always be up against, but I really need to solve the problem. And so I would tell my younger self, go find specific unsolved or undersolved problem. This is my advice to the startup guys.
Mark McClain:Go find something that you hear from customers they are frustrated with, either the current offerings or there's just no offering. Go solve that problem and you'll find a market.
Mahendra Ramsinghani:I think that's all the time we have today. Please join me in thanking Mark, sharing his wisdom. Thank you, Buck.
Mark McClain:Thanks, guys. Pleasure. Thank you all for coming.
Ross Haleliuk:Thank you for joining us Inside the Network. If you like this episode, please leave us a review and share it with others.
Mahendra Ramsinghani:If you really, really liked it and you have some feedback for us, wrap it on a bottle of Yamazaki and send it to me first.
Sid Trivedi:No. Don't do that. Mahendra gets too many gifts already. Please reach out by email or LinkedIn.
