Pat Clawson is the chairman and CEO of Resurface Labs, a software company that provides continuous API security by detecting and responding to API attacks at runtime. We discuss the four main types of sales research, working with APIs in your business, and API security best practices.
Build A Repeatable Sales Process with Pat Clawson
Our guest today is Pat Clawson, Chairman and CEO of Resurface Labs. Resurface Labs is a software company specializing in providing continuous API security by detecting and responding to API attacks at runtime. Pat, welcome to the show.
Thank you for having me.
I’m excited to have you and to learn about APIs and how we need to be protected. But before we go there, how did you get here? I looked at your LinkedIn profile and it took me five minutes just to read the businesses that you ran and exited. I think it was at least half a dozen. So how did you get to being the CEO of Resurface Labs?
You know, it’s a fun journey and I think it’s one I’m incredibly lucky to have been able to have. Right, and I had the fortune of starting out right after university with a fantastic company who took young people right out of college and knocked the rough edges off of us and trained us in the tools and arts of selling and management and business leadership. You know, that company was called Lanier, and I spent 12 or 13 years with them. About half of it was overseas, and that overseas component, because I was always driven to be involved in international, gave me a whole bunch of business skills that you don’t get unless you’re thrust into that kind of an environment.
So it was on your own, it was building businesses, it was foreign currencies, exchange rates, it was super dynamic and incredibly fun. But I was able to take that and I wanted more, right? And I started working with a friend who had started a fantastic software company in the healthcare space. We were able to build that and then have an incredibly fun and profitable outcome in the early 2000s. And then I started transitioning because one of our large shareholders had an investment in a cybersecurity company in the early days of firewalling, and I went down to a company called CyberGuard, which was a publicly traded company at the time down in Fort Lauderdale that needed a bit of turning around.
My buddy was there with me for a while and then he left and I took over in 2003. And we were able to build that company just with hard work, you know, and some acquisitions of technology platforms. We were able to turn it around. We were able to make it profitable. We were able to grow that using direct sales domestically and channels internationally and successfully sold that company. Then I took some of those skills and went into a venture-backed entity that was no longer firewalling but was endpoint. Different skill sets required, different things happening there, software as a service as opposed to more of a perpetual sale.
So your revenue-generating strategies were different. We were able to grow that company and sold it as well. Moved into data end of life. And that was a different stretch. That was a public company in the UK. We rolled up four companies from around the world and created a new category within Gartner called data sanitization. Ran that for several years. And then got into dark web monitoring, which was early stage. So, I’ve had this journey of building companies and providing exits, you know, two public, one US and one UK. And then I got kind of the bug for this early stage software thing and wound up over here at Resurface this year.
That’s a fascinating journey. And so let me ask you, were you a hired hand for these companies or were you an investor as well, controlling or minority? What was your kind of modus operandi there?
Good question. More of a hired hand. I’m not the founder brain. I’m more the operator and the grower. So I’ve been brought in to help, you know, control costs, put together a growth strategy that made sense, dig in and then grow the businesses and then have an outcome. And I’ve been successful doing that. It’s worked well.
Well, obviously you keep getting new gigs. So something must be working right. So one of the things that we chatted about in our pre-chat was how you grew these companies and basically your approach to sales growth, which I found fascinating. And you talked about four types of sales research that you believe people have to do before they even get to working on their sales strategy. So what are these types of research that we need to do?
I think too often people come in without ever boiling down the business and really understanding what it is you’re trying to get accomplished, right? So over the years I’ve developed this strategy and my strategy involves four separate types of research, as mentioned. The first one I like to do is industry research, reaching out to industry analysts who have a voice in the space, who understand the space, who have a view on where it is today and where it will be going or should be going. So I interview as many of those as I can and I read as much research as has been published. So that’s kind of the industry analysts.
Those are the Gartners, Forresters, you name it, anybody within those categories, right? The second would be the financial analysts. So the mid-tier banking firms around the world, really, but there are a lot here in the US, often have analysts that write and cover spaces and sectors. So I’ll reach out to as many of those as I can possibly find, and I’ll read any research that they put out. I’ll talk to them about their views on the market, the direction, the addressable market, the opportunity. And then the third piece, which is sometimes the most fun, but it’s also fascinating and enlightening, is a real deep dive into any company that you think might even be close to a competitor.
And in there, I wanna know their pricing strategies, I wanna know what they call out to be their value propositions, what they think their competitive advantages might be, what verticals they’re targeting, who their buyers are that they’re targeting. All of that’s available, but you’ve got to get in there and you’ve got to see what the language is around your space. Who’s saying what? What’s popular? What’s not? And also, what’s missing from it?
And then the fourth thing I like to do, and it’s often very low cost, is using a tool like SurveyMonkey to reach out to your prospective buyer types around the world and ask some of those very similar questions. And then I bring all of that data together. And in there, you’re able to get down to the root of who’s in your industry, what the right verticals are, what’s missing in pricing strategies around the world, where you should find your ICPs, your ideal customer profiles. And it helps you build out and make some hardcore decisions on your route to market process.
That’s fascinating. I mean, the way you describe it is super simple, but of course, that takes a lot of digging to actually, you know, find those reports, read them, talk to these people, do the emailing. The framework is simple. The work is not easy, but it definitely makes a lot of sense. People get out there and they just start running a business and they hope that they’re going to iterate to something useful without doing all the research. And there’s a lot of wasted energy and a lot of dead ends, I guess.
Yeah, you know, I think part of it is self-preservation, right? I’m often coming into new types of technology, and it’s the research that helps you understand it at a different level than just being the guy that flies high and comes in and tries to flip a couple of switches. You’ve got to really boil it down. You’ve got to understand it at its core in order to be able to move it forward. That’s my goal with my four-step process.
I love it. This is very systematic. Now, the other side of it, so after you’ve done the research, you have another five steps, which is, we call it, I think, on our call, the Get Focused Sales Strategy Framework. So what does that look like? So when you got the information, how do you attack the market?
So what I try to do with all that data is I try to distill it down into five things that allow us to get to market. And the fifth is that process, right? It’s the old Jack Welch: do you have a competitive advantage? If not, get out, right? You’ve got to, and often people talk about competitive advantages, but they never challenge themselves and see how many other competitors do something similar. So it’s really boiling down and finding those things that you can do differently in your sales process, that if people like that, nobody else can do it. So it’s getting to a competitive advantage.
I think the other thing is too many companies and software guys are guilty of this, try to appeal to everybody. And part of my process is, what are the most important verticals that we can build approaches and documents and collateral to target, right? And for example, in Terbium Labs, when I did the analysis, I think there were 10 different verticals that companies were pitching to around the world. And we said, no, that’s too much, right? Three, there are three that garner the volume of the purchases that have the regulations that make the most sense and they’re global and they’re driving buying behaviors.
So it’s tightening up your verticals to something that you can have a young new sales organization focus on as opposed to trying to focus on everything. I think the next thing is, and I think here Resurface is a classic example. We did pricing, part of that competitive research is understanding how people are trying to price the platforms. And it was so complex, they were including engineers and developers. You know, we had to find a way to make it crystal clear when somebody talked to you about pricing that they got it, and they could translate that into cost in their own environment.
So getting your pricing strategy that’s clear, it makes sense, and it’s a differentiator in the market space. Then I think the next piece of the puzzle is getting to what your target market is, right? Are you super large enterprise only? Are you SMB? Are you in the mid-market? It’s getting into that that you can focus on and build your ideal customer profiles around and be really tight with your ICPs. And I think the last stage, what all that helps me do is build a defined, documented route to market process for the next few years that allows, for example, in this case, an early stage company to go from a very small revenue number into a very sustainable, large, repeatable revenue growth process. So those are the five things that I’d like to try and get done along the way.
That’s great. So it’s very systematic. So you do your research and then you figure out how you get to this repeatable process. You’re process driven. It’s not about getting so many customers. Obviously, you have to gain some traction, but then how do you get the kind of process in place that other people can execute?
It literally helps you. It defines the type of sales approach you’re going to have and then how do you engage, train, and create a repeatable sales process based on what you’ve defined. You’re not all over the place. It’s not five things for young salespeople to count on. It’s making it very, very tight and prescriptive so that they stay focused, they execute, and they can win without being confused. It’s staying focused.
That is very powerful. Resurface is all about API security. What the heck are APIs in the first place?
Well, they’re everywhere now. You just may not realize it. The application programming interface has exploded, and I think the pandemic probably helped it because people were home and using different types of tools to access data. But you should think about it, and I’m not the super tech guy, so you should think about it as a set of procedures and or functions that allow the creation of apps that give you access to features, capabilities of different applications, services, or operating systems to enable business. Some of the more common names are things like REST, GraphQL is exploding.
But why it’s important is, I think a couple of years ago, Akamai said that 83% of all web traffic now flowed through APIs, right? And then there was a balancing number out there that said only 11% of companies at the end of last year hadn’t done anything to protect the data that’s within those APIs. So you’ve got this exploding technology use, and it’s not necessarily being built with security in mind. And now it’s out there, and it’s quite large. I think Gartner said at the beginning of this year that it would be the number one attack vector in 2022. So it’s this tool set, this technology that’s exploding, widely adopted, it’s global. The whole switch over to 5G is APIs. It’s this exploding technology platform that has not been really managed well from a security perspective.
So if I’m a layperson, which I am in this case, and I run a small to medium-sized business, then what are the kind of APIs I may be exposed to that I’m not even aware of?
Well, right. APIs largely fall into two different categories. Those that are north, we refer to as north and south, are external data flows between you and your customers, or you and a customer or somebody else where you’re using an API to gain access to their services, right? It’s a tool that they will present to you that gives you access to things that they provide. So those are called North and South. And then sometimes businesses are building them for internal data exchange and usage, right? Those are called East and West.
So you’ll know if your business is building APIs to make the use of your services or tools or data accessible to third parties or clients. If you have customers that consume your materials, you’re probably providing the detail through APIs, or you’re using them internally. So you’ll know if you’re creating them on your own. You’ll also know if you’re not really building them with security in mind. And then you have those that you’re using from a third party. You’re the customer in this case, and you’re leveraging their APIs.
Are these APIs behind certain applications so that we don’t even know that they are there, or do I actually choose to use an API? Let’s say I use different web applications, are there APIs behind them or are they the APIs? How do I know that I’m now engaging with APIs, and now I have to protect myself?
Well, I think it’s less of an individual issue at this stage. I think if you’re on your mobile phone and you’re engaging with apps on your mobile phone, you’re using APIs every day, you just don’t know it. It’s the tool that allows that stuff to function. APIs are often sitting in what we refer to as the zone of the unknown, after valid users have credentialed through a WAF or an API gateway and are now gaining access to services. Those services are often leveraging APIs to make that exchange easier to use. Hopefully, that makes sense.
So, is it correct that your major target market is those companies that develop these apps that use the APIs, that incorporate them into their products, that they are the most logical people to protect? Or is it the end users as well, who are just using the apps and assuming that those companies take care of the security risk?
I think we all believe that those companies are taking care of those. The issue today is they’re largely not. There are a lot of global companies today that are trying to focus hard on having a budget for next year to start applying security practices to their API infrastructures. I think one of the things that we find, which is kind of fascinating to me, but it makes all the sense in the world, our target verticals are what you’d expect, right? Big banking and financial organizations around the world. They have the regulations about protecting that data and fines. Big healthcare around the world for the same basic reasons.
And then high-tech companies, which includes defense and aerospace, telcos, right? That group right there is like 40% of the IT security spend in the world, right? So it’s a big number, but it’s also, they’re heavy users of the APIs because the API is so much easier for you and I to gain access to the services they want to provide. But sometimes they’re just business to business. I ran a company a while ago and we got a lot of our data from a third-party entity out of Europe and they presented an API that allowed us to ingest the components that we wanted and pay for from them directly into our own services. So it’s a big part of almost everything we do.
Okay. So there are all these APIs out there. I may not even know behind which applications what API is. So how do I protect myself? Do I just build a wall in my own company, and then any communication from APIs will be filtered or how does that work?
So it’s a great question. The National Institute of Standards and Technology, NIST, has helped create guidelines for what that should look like. So they have their five steps. I won’t bore everybody with what they are, but it’s a combination of technology and process. In organizations like Resurface, what we try to focus on is that our platform helps our clients understand from the very start: it goes out and it looks for and it finds the totality of your API infrastructure. So it maps it for you. It says, hey, this is what you got. Here are the North and South, here are the East and West, here’s your total API volume, and then it breaks down that volume. Because out of the box, we’re set up to do three things for you right away.
The first is monitor for the OWASP Top 10, which is table stakes defined by NIST and others for things you need to do to make sure you’re protecting your API infrastructure. The second thing we’re looking for is any of the known attack types that are being levied against APIs today anywhere in the world. So we’re automatically looking for whether or not there’s any evidence of that happening. And the third category is what we refer to as anomalies. Not all APIs are built with security in mind, and not all code is perfect. So we think of anomalies as future attack surface, like a slow-performing API, maybe a future DDoS attack, the notice of something that they can take advantage of, bad code. So you’ve got three major buckets.
Some are development related, some are full-on security related, but you’re monitoring that. When you can take a look in, you get a view of, hey, we do 10 million calls a month across 30 different APIs, and 0.7% of that are attacks, real attacks. And then being able to understand those attacks and do something about mitigating them is a big deal. And we can do that. And this is a little bit of a Resurface commercial, but I’m really proud of what we’ve done. The architecture that our founder, Rob Dickinson, put together was one that is cloud platform agnostic. We can stand up in any cloud platform, but we only do it in the customer’s environment. That allows us to do two things that no one else in the world can really do or should do.
The first is, we do get to see their traffic at runtime because it’s in their environment, not exposed out in an AWS or an Azure, a different country, any of the above; it’s in their environment. We get to see it unredacted and unencrypted at runtime, all of their data. So we see full request and response data sets, which is really important. And the second thing we were able to do is we build a hot data layer of the last 30 days of all of their API traffic, because zero-day attacks happen. But you’ve got to be able to know if you’ve been impacted. So we built a cool Google-like search tool.
When a new zero-day happens, you simply plug it in, and it will tell them if they’ve been impacted, exactly which APIs and where within those APIs, so they can prioritize their remediations. But again, that data layer is in their environment. No bank is going to allow that data to sit in a third-party environment, right? And if you think about moving over to Europe with EU GDPR, there’s absolutely no, it’s not even, it’s a very unique position, but that strategy and that structure, that architecture allows our platform to see things very safely in their environment and alert differently. We see more, which is part of the goal.
Can someone who is figuring out, OK, maybe I’m exposed to this, actually test it? Is there something you can provide people before they jump in, so they can see, hey, is this really impacting me potentially?
They can confidently download our platform. They get a two-week license for free. They put it into monitor. We stand up in 15 minutes. So anybody who thinks it’s hard, we simplified it. A single Helm command, we’re up and running in 15 minutes, connected to your data sources, and you’re off and running and let it run. At the end of that two weeks, you’re looking at that monitor and you understand exactly what your volume is.
You understand where you have client errors, you understand where you’ve got leaks happening, where you’ve had any attacks and what those are very specifically. It is an aha moment, but it helps you understand and it also helps you say, we do actually have a problem here, and we need to think about investing in protecting our APIs and this is what that’s going to look like. And here’s why, right? It’s super easy to do. We try to be the lowest touch of any vendor out there and probably the highest yield in terms of what you’re going to get in feedback.
So the first step is for someone to download this software, check what’s happening, and then if they see that there are some attacks happening and they need to do more, then do you provide professional services or is it, the software will take care of it? What’s the next step then?
Great question. We have a unique position. I think when you think about API security, I put it in three. First, you’ve got to download and get your platform up. That’s easy. Step two is connecting into your API infrastructure, and then we provide four, five, six different ways. You can use all of them. You can use different ones, whatever that is. You’ve got to get the data flowing. That’s the first step. And then the platform really takes over from there. At the very back end, once you get past that testing phase and you realize you want to have outcomes when you alert, whether it’s code related, whether it’s attack related, whatever that might be, we refer to ourselves as remediation agnostic.
We are not agent-based. We are not going to ask the customer to put any more agents down in their infrastructure. We pass on our data to those platforms you’ve already invested in, like an SDR platform, so they can begin orchestrating a remediation for where they have their agents, right? A SOAR platform or whatever those platforms are that you’ve already invested in. We’re sending the data to those platforms through simple webhooks, so that they’re capable of remediating, and that’s happening behind the scenes. You want that to be as automatic as possible. We don’t just leave you with, hey, you’ve got a problem. We probably will in the trial; you’re not really doing integrations in the trial process, that’s more of a learning exercise. But going forward, it’s very simple integrations with whatever platforms you’ve already invested in.
Basically, what I’m hearing is if you run a business, take a look at what’s happening in the API, that’s the biggest risk in terms of cyber attacks and download the free trial, then you see what’s happening. Then if you decide to go ahead, then you will basically take care of me. You are going to communicate automatically with all these platforms and they’re going to fix any issues that come up.
Yeah, we want to demystify. It shouldn’t be scary. We’ve designed the platform so you don’t have to human resource up in order to get control of your API infrastructure. That’s how we’ve designed the platform. We try to make it simple. We try to make it easy to experience. I encourage people, look, we know people are setting up their budgets for next year, but they just don’t have the definitive data, so go through a free trial. There’s no pressure, do two weeks, see what you got, and then go into the budget process and vote. That makes sense?
It does. So awesome. So if someone wants to do the free trial or they want to learn more and reach out to you, where can they find you?
Hey, resurface.io, you’ll see the opportunity to do a free trial on there. Or I set up a simple e-mail so that people can reach out to me at any time and I’ll make stuff happen, it’s email@example.com. Super simple.
Okay. Awesome. Well, definitely check it out, resurface.io, download the free software, talk to Pat as well if you have further questions. Pat, it’s been illuminating to hear about your sales research and your sales approach, how you build that focused, repeatable sales process, which we all want in order to scale our businesses. So thank you for that. And those of you listening to this, if you enjoyed the show, please don’t forget to rate and review us on Apple Podcasts and come back next week. I’ll have another exciting CEO entrepreneur on the show. Thank you, Pat, for coming.
- Pinnacle: Five Principles that Take Your Business to the Top of the Mountain
- Pat’s LinkedIn
- Pat’s email: firstname.lastname@example.org