Data breaches. Privacy headlines. GDPR fines. If you’re building a company and these things aren’t on your mind, you’re setting yourself up for some major headaches in the future. Lucky for us, Rich Vibert, CEO of Metomic, has felt the pain and come up with a carefully crafted solution. Using his data background and entrepreneurial genes, Rich and his co-founder Ben have created a product that does one thing: connects to your SaaS applications and prevents all unnecessary data breaches waiting to happen.
Customer PII floating around in Google Drive. API keys accidentally shared on Slack. Ex-employee details in Bamboo… These are only some of the risks that fast-growing companies are leaving in their wake — and they are not minor. Any single offence could take down a growing startup, and nobody wants that (we’re all in this together, right?). In this Spotlight, Rory and Rich talk about how Metomic approaches finding product-market fit, how much they value customer relationships, and what they predict in their 5- and 10-year vision. Enjoy the read!
Over the last ten years I’ve seen SaaS radically change the way we work — for the better. Slack instead of email. Miro instead of sticky notes. Airtable instead of Excel. SaaS is helping tech companies move so much faster, but it’s also introducing a new surface area of risk they’ve never seen before. The risk of leaking sensitive data and being the next privacy headline.
As a result, today, tech companies are faced with two options: 1) introduce a lot more red tape which slows employees down, or 2) accept compounding security risks as the company grows. It’s a catch-22 and neither option gives anyone peace of mind.
But I estimated that at least 95% of sensitive data sitting in SaaS applications actually didn’t need to be there. Slack messages that were sent two years ago. Ex-employee data sitting in Google Drive. Tons of duplicated tables in Airtable. Once there was a place for it, but now it’s nothing but risk. So companies actually had a third option: automatically remove data risks with no red tape.
Our customers are tech scaleups. They may have just raised a new round of financing, or they’re doing tremendously well and they’ve hit a natural inflection point in their growth as a business. We connect to their cloud apps and take care of all of the critical data risks that are popping up all over the place, simply as a by-product of growing a business. Ensuring Google Drive files are only shared with those that need them, stripping personally identifiable information (PII) from closed Zendesk tickets, and deleting API keys accidentally put in GitHub (to name just a few).
Most scale-ups believe that data security is inevitably going to get in the way. We believe that doesn’t need to be the case. Whilst we’re focusing on being the best in the world at finding genuine data risks (not an easy thing to do), we’re equally as focused on removing those risks without getting in the way of employees doing their jobs. We don’t want our customers to log in to our platform every day. We want them to turn Metomic on and only hear from us once a month to show them all the critical risks we resolved which might have saved their life. This focus is a huge competitive advantage to us.
We put an unscalable amount of time, money and attention into Customer Success. I still spend a big chunk of my time speaking to customers.
We do this for a couple of reasons. First, we’re still an early-stage business and the product is evolving. Metomic is an end-to-end product that does exactly what it says it does — and it does it well. But there are always features customers want that we haven’t had time to build yet, or occasional bugs early customers need to deal with. Building a genuine relationship with our customers means they’re willing to overlook these incomplete aspects. They trust us, and that goes a really long way.
The second reason is much more product-driven. Of course I wish I could just Slack a customer and say, “Hey, what feature would you want us to build next?” and they’d sketch it out for me and tell me how much they’d pay if we built it. But most founders know it doesn’t work that way. Digging into customer problems, understanding what they actually care about, what additional issues they’re facing in addition to those they had in the first place — bringing that out of customers is an art, and it pays dividends if you can perfect it because you start building product customers actually need.
Going back to what I was saying earlier, we think deeply about the problems we’re solving. One of the key areas we’ve improved is being conscious of what problems customers actually have vs problems that we want them to have. Eliminating our confirmation bias is very difficult but it pays off in the long term.
So our approach is more about organically and practically understanding what our customers are saying, rather than what we want them to say. They’ll rarely describe their problem verbatim, so it’s important to dig into it and understand it. In the early days, it’s the sales team that are doing this more than anyone else.
There’s this quote I love from William Gibson: “The future is already here — it’s just not very evenly distributed.” If you think about how companies will be managing sensitive data in their SaaS apps in 5 years, while it may be vastly different to how the average company is doing it today, most likely a smaller group is already doing it that way. That’s why we focus on fast-growing tech scaleups. We feel that the way they treat sensitive data inside Slack, Google Drive, Airtable, etc. is reflective of what every company in the world will do in five years. We build for those companies because they reflect the future.
The way we see some of our customers use SaaS tools today is mind-blowing. For example, one tech company (one you’d recognise the name of) is building almost all their data infrastructure on Airtable, with Zapier connecting in hundreds of other apps and tools. Data is flying all over the place and they’re using Metomic to automatically resolve all the security risks they might accidentally leave in the wake of their rapid growth. It means they have one less thing to worry about — which is invaluable for a tech scaleup that’s mission-driven.
In 10 years, a greater number of regulations, heavier enforcement, and elevated consumer expectations are going to make it 10x more important to have visibility and control of sensitive data.
Today, companies are getting by with an Excel spreadsheet listing all their SaaS tools and the categories of data processed in them. It won’t be long before they won’t survive without a real-time understanding showing precisely the flows of sensitive data between SaaS tools, physical countries, and departments. And to control those flows from one single place. To name just one example.
And remote work has added another dimension of complexity. Depending on where they’re physically located in the world, employees might not be allowed to ‘touch’ customer data. Whether it be an engineer refactoring a database, a product manager doing some analysis, or a customer success manager responding to a customer request. If an employee decides to work from Brazil for a week, for example, they could be violating dozens of regulations every morning when they open their laptop. We want to abstract all of those complexities away so that customers can focus on building great products.
So, in 10 years, companies won’t use any SaaS apps unless Metomic is connected too — taking care of all the sensitive data risks without getting in the way of their employees doing their jobs.
I’d say there are two things. First was when we pivoted at the end of 2019. It was an extremely difficult decision because our existing product actually had traction, even if it wasn’t where we wanted it to be. We left that product and started working on a new one without exactly knowing what the new one was. We knew the problem, but we didn’t yet know the solution. There were a lot of risks, and it wasn’t fun writing that email to investors, but within nine months, it proved to be a great decision. That’s definitely a proud moment not just for me, but for everyone involved in making that call.
I’m even more proud of the team we’ve built. We have a group of fantastic people who are world-class in their chosen field and we would be nowhere near where we are today without them.
Ah, we need a long time for that conversation. One that stands out is hiring a Product Manager too soon (i.e. before you have customer traction). You get all this advice online and in books about hiring a Product Manager early, but when we did it, we were just six people, and we didn’t really know what we were building yet.
I refer to it as a “grass-is-greener” role, which means you think when you hire a PM you’ll magically have an amazing product people love. It’s, unfortunately, not as simple as that. In the early days it’s the founder(s) that need to take on this role. For later-stage companies, PMs are hugely important.
I love the Connect community. I did the Founders Retreat a couple of years ago in Italy, before COVID. I remember going into it, sitting down on the first day in small groups of maybe six or eight founders who would talk about the challenges they were experiencing at their respective startups. At the time, I was only a year into building Metomic and I was worried that the problems I wanted to discuss would be embarrassing, or out of place. Then everyone started speaking and I thought “wow, I’m not the only one in this boat”. The support network that came out of that retreat was truly amazing.
I’m in love with Roam Research. They call it a “graph for connected thought” and I think it has absolutely nailed note-taking. It’s probably not for everyone but I use it for everything: notes about the business, personal stuff, everything. I actually tried to buy a lifetime subscription for something like $1,000 — but sadly they had stopped offering it.