ShipTalk - SRE, DevOps, Platform Engineering, Software Delivery
ShipTalk is the podcast series on the ins, outs, ups, and downs of software delivery. This series dives into the vast ocean Software Delivery, bringing aboard industry tech leaders, seasoned engineers, and insightful customers to navigate through the currents of the ever-evolving software landscape. Each session explores the real-world challenges and victories encountered by today’s tech innovators.
Whether you’re an Engineering Manager, Software Engineer, or an enthusiast in Software delivery is your interest, you’ll gain invaluable insights, and equip yourself with the knowledge to sail through the complex waters of software delivery.
Our seasoned guests are here to share their stories, shining a light on the do's, don’ts, and the “I wish I knew” of the tech world.If you would like to be a guest on ShipTalk, send an e-mail to podcast@shiptalk.io. Be sure to check out our sponsors website - Harness.io
ShipTalk - SRE, DevOps, Platform Engineering, Software Delivery
A Master Class in DevOps Executive Coaching - Joni - StackHawk
In this episode of ShipTalk, we are joined by Joni Klippert who is the CEO of StackHawk. Joni has been in leadership roles in the DevOps space for over a decade helping run and launch exciting products in an ever-evolving space.
Joni dove into cloud computing and DevOps and has not stopped growing. In this Master Class, we dive into what it takes to start in a new space from scratch. Navigating lots of grey in product management to scaling and growing firms and teams. Joni touches on being humble, hungry, and learn from her grit and perseverance. An episode not to be missed!
Ravi Lachhman 00:06
Hey, everybody, and welcome back to another episode of ShipTalk. I'm very excited to be joined today by Joni, who's a co-founder at a DevSecOps firm called StackHawk. But Joni., for the listeners who actually don't know who you are, shame on them. Can you tell us a little bit about yourself and a little bit your background?
Joni Klippert 00:22
Yeah, happy to. So I'm Joni Klippert. Thanks for having me. And thanks for listening. I'm the CEO and co-founder of StackHawk, as you mentioned, our mission is to put application security in the hands of software engineers, and help automate a lot of the process of finding bugs or vulnerabilities in your code. Before this, I worked at a company called VictorOps as the VP of Product, and I've been building software for software engineers largely in the DevOps ecosystem for about 12 years now. So happy to dig in and share a little more.
Ravi Lachhman 01:01
Awesome. Yeah. And I'm , really intrigued by your experience, because I think you've been building products in the space pretty much for as long as the space exists existed. Pseudo are now into the into the mainstream. So let me start with this. So how did you get out get into the DevOps product space, you've been probably one of the longest careers I see it, and this particular product in this particular product, but what how did you get into it?
Joni Klippert 01:28
It's actually kind of funny, um, I, during my MBA program, I was studying entrepreneurship and some marketing, but I was really interested in the capital markets. And so I took a VC law class. And I got to meet some of the folks from the Foundry Group, which is a local venture capital firm in Boulder, and just learned a lot more about the space, I would call myself at the time a tech enthusiast, I have no technical background, but Boulder just had this awesome tech community startup community that I started being a part of during that MBA program. And when I graduated, all I knew I wanted was to work for a Foundry back startup on Pearl Street. That's not very strategic, I guess. It's like, Hey, I love this space, I want to learn more about it. And I was doing a lot of research on companies, I had an idea of where I wanted to work. And that founder actually said, hey, you know, I don't have a spot for you at this company. But I'm on the board of another company in town called Standing Cloud. And I think you have a really good skill set for them, which was they're building this highly technical product, and working on taking it to market and I was really specializing in customer development. So understanding the problem domain, and making sure we were building products and can inform the customer the type of products that this company might need. And what's funny is, when I joined that company, the CEO said, Joni, I think you're going to need to learn to be a little bit more technical. And I said, well, what do you mean, I have like a Twitter account in a blog, you know, like, I had no idea what I was getting myself into. And this company, this is before, Amazon was just like, what 1000 pound gorilla in the room of cloud computing. There were tons of cloud providers that existed at the time. And this company had really smart technology, and that we could programmatically deploy, you know, 100 different open source applications on any cloud provider. So you could say, you know, I want Drupal on SoftLayer, in this area in Texas, and we would deploy all of that for you. So in order to understand this job, I spent three years going to cloud conferences, you know, all the different coding language conferences, and really immersing myself. It was like grad school, part two, in the slick world of technology. And at one point, somebody asked me if I was a systems administrator, and that was like, the nicest thing anybody has ever said to me. I was just like, faking it till I could make it right. So that's how I ended up in, in tech and just really immersing myself. But then in product, it was really about, you know, understanding technology, which was great, but really immersing myself in what are the problem domains? And how do we really uncover what the pain is in any given area and work to create a solution to solve it? So that's where I found my home.
Ravi Lachhman 04:30
That's perfect. I mean, I'm really impressed with that one. It was extremely precise. You had a specific street that you wanted to work on. It's usually like when buying a house like I have to live in this neighborhood, not even down to the street, but you were down to Pearl Street. Oh, yeah. To be fair, it was on Walnut but it was one block away. It was so much fun. They're just tech startups, all up and down that strip and I just wanted to be a part of it. That's all I that's all I knew at the time. Oh yeah, that's awesome this for the listeners out there like the greater Denver/Boulder area. So also, I gave a talk at DevOps Days Boulder,sorry, DevOps is Rockies is the official name in 2018. And my talk was at 10 in the morning, and I was joking with the organizer if I could get a beer , then he brought me a beer. I'm like, Oh, he's like, it's Colorado. I'm like, I love Colorado want to have a beer with me during my talk. Another story for another day, though. That's awesome. Like, I think, you know, just just whittling that down. like hey, you were able to have precision of vision, and you had a lot of grit, you stuck with it going to like something that you are completely new in. And you go for years going to conferences and learning more like that is a skill that and determination that very few people have. But I think it's just kind of like expanding upon that doubt. Like it can that particular grit determination can expand to anything, right. So maybe the flavor dejur or today is DevOps, or, you know, engineering efficiency. Who knows what the flavor dejur the day my favorite French word is in the next five years. And I think there's a lot we can distill on generics that hey, you know, what, if you had to learn something completely new, just really stealing Joni's framework here, you know, what, what does it actually look like? Usually just an uneasy feeling anytime you do anything new, but you were able to map it pretty successfully. Once you were at that particular cloud startup, you for those who don't have Joni's LinkedIn in front of them, you ascended to the highest, you were a VP level at VictorOps, like, maybe take us from your first startup to any sort of anecdotal information. What was it like continuing to climb that asscent? Yeah, sure. That first company was great. Like I mentioned, I got to learn a lot, cut my teeth, and I had a, an investor, when say, you know, a good career move is to have somebody pay you to learn something that you have no business being paid to learn, like I had, I had relatively little to offer, you know, other than just like hunger and thirst to learn more and share that input with the with the company. But by that time that three years had passed, I amassed quite a bit of technical knowledge, I learned a lot about how software was built, and how companies thought about building software. So when I had the opportunity to work at VictorOps, they were a really young company, I was the first non engineering hire. So it's eight dudes in a room writing code plus me. And my job was to partner up with the CEO, and go beat the streets, I had a really big network. And we had to figure out if how close this product was to launch, you know, what, what competitors do people use to VictorOps? Why did they like them? Why did they not like them? You know, PagerDuty had been around for a little while, but it hadn't really innovated at that point. And honestly, every once in a while, you'd still hear people carrying like, literal pager, which is kind of funny. But at that company, I came to a crossroads where Todd was like, hey, we're gonna build out this leadership team, really quickly. And I want to talk to you about how you're going to grow your career. And at that point, it was really, you know, in making a decision kind of where to where to head. I knew what it felt like to not own the product roadmap and to have to ask to get things included in the roadmap. And that's the one thing that I wanted to, because I was going to dedicate all of my time and energy to figuring out how to make this company successful and what we needed to build to meet the needs of the market. And he gave me that role. You trusted me to do that job. And it was awesome. We had a great team, so much fun building that company, growing it from just bringing the product to market through you know, it was about 150 people and an acquisition by Splunk in 2018. And that was a really fun ride. Awesome. Yeah. And it's, it's always interesting, right? Like starting early, there's always like wearing multiple hats. And just like that story that you know, you were the first non technical hire. I mean, I've heard that you were a technical hire, just focusing on different parts of the different part of the problem.
Joni Klippert 09:41
Maybe not hands on keys in that way.
Ravi Lachhman 09:44
The old adage I like to say computers are easy, people are hard understanding right? It's extremely difficult. In fact, the computers didn't make us we made them don't let them take advantage of us so that's what I tell people. Just kind of diving into The one of one more click down. It's okay. So reporters like being more tactical it's, and this, then we'll get into how the genesis of your current place, StackHawk. I was talking to one of our product managers yesterday. And that, you know, maybe I might be interested in being a product manager one day. So but one of the illusions is, there's as a product manager, there's no more escalation past you in the product like it is, you are the all I say all end all. And how do you so just this might be more intrinsic? How do you deal with all the gray? Like, if I see that you navigated the career so excellently as a final point of escalation? Or if you are, how do you make how you determine making a decision? Extremely open ended question here.
Joni Klippert 10:46
You mean, like with a product roadmap, what what the roadmap or anything about the product?
Ravi Lachhman 10:50
So like, it could be the product, it could be the roadmap, it could be a company level decision, you have an excellent framework, so maybe I can extract it a little bit, the Joni secret sauce.
Joni Klippert 11:02
It's honestly not clean. I at one point, as the company was growing, and I was trying to help younger team members understand what product is I called it product stew. And there was a slide of like, 50 inputs that come into your decision making framework from, you know, who was the feature for? Why is that strategic? How hard is it to build, you know, like, there's so much like, what's the competitive landscape like, like, if you if you're a little ADD or like, can think about a lot of things at the same time, like, maybe product is a good thing for you, but it is very like multivariate complex decision making, that you ultimately have to figure out the best use of your resources to achieve a business goal. So while it's kind of messy, and you know, you end up in rooms looking like a Beautiful Mind, like trying to figure out how to best optimize all these ideas with limited resources, that at the end of the day, it's really simple, is, you know, your leader, your CEO, and, and the people they report to, you know, their, their board, there are objectives that that company has to meet, right. And at any given time, especially in early stage startups, it's what I can speak to the best, you know, you're you're fighting for the next round, you're fighting for market traction. And at any point, there's going to be a metric or a handful of metrics that need to improve in order to achieve that goal, right, your ARR, your annual contract value is too low. This isn't interesting to me, is the market big enough, right? Like there are a bunch of questions we have to answer. And it there is a world Todd us to say it feels like there are a lot of decisions to make here. But it's, it's not really like it's clear, like there's one choice, this is what we have to do in order to hit the target. And then you just optimize your resources to do that. And so product can feel complex, but at the end of the day, you're trying to solve one of a handful of business problems, and meet the needs of your customers. And once you focus on that decisions get a lot easier. So that might have been a non-answer answer. complex, but that's how I think about it.
Ravi Lachhman 13:19
That was absolutely perfect. And it was like, you know, it's one thing is just even admitting, you're articulating that there's 50 sources of information, you know, you get competing priorities all the time, right, like, and it's that the higher you go to organization, the more competing priorities you that you're gonna have to kind of manage that was actually as eloquent as I ever heard it. Well, as an aside, this is actually an hour of me getting career coaching for free. So surprise listeners, this is now I don't have to pay Joni for her expertise. Awesome. Okay, so just battle tested with the startups there. I think so kind of making another kind of abstract, but leading us right now into your current venture, which is StackHawk is like any new technology or a crypto space. It can be from starting a new department, in, let's say, organization, let's, for example, a lot of listen to listeners here. Their DevOps organization was not around five years ago, right? Or even take attendance of the most sophisticated people 10 years ago, but a majority people five years ago, there might be a few lone wolves out there. Like we still don't have one. But it's similar to carving out a new department and even more so more specialists carving out a new company new space. What what kind of led you to make, you know, StackHawk, right. And so this is a this is a newer upcoming space for listeners with DevSecOps, but what led you and your group of founders say hey, you know, I think we we can carve something out here.
Joni Klippert 15:00
Yeah, so I, after the acquisition, I kind of felt a fork in the road for me, which was, do I work on building my career in a larger organization? Or do I start something new. And my heart was like crying for those days of the eight dudes in a room. And I shouldn't say dude's, because that's not like, the ideal. But it's like this great time where there's a handful of people who believe in something that are working really hard to make it real. And that's what I had grown my career. It was super early stage startups, and I'm a builder. And I knew that's what I needed to do. But I didn't have a plan I just left. It was like, Okay, I know, this is the time, because as much as it can be enticing to where golden handcuffs. Time is the most valuable thing that you have, right? It's the most limited resource. And so for me, it was time to take the risk, I had built the right relationships, I built a lot of domain knowledge. And I knew the right thing would come if I just took the jump. So I left. And honestly, I researched a company completely out of domain. And those who know me really well laugh at me. And they were like, that was just therapy for you. Because I love solving complex problems. So I just go interview a bunch of people about problems in that space, it was like, in the hour, optimizing hourly workers like it was nothing to do with technology, other than I had a sense of what I was going to build, if I found that that was a real problem. And I was talking to one of my mentors, and she's like, Joni, what are you doing? Like you've built. You've amassed this knowledge in DevOps. And how software is built over the years. Like, why wouldn't you use that competitive advantage, and I, I think I just needed to take a minute and breathe in something new feel something new for a little bit. And that was only, it was only really three months, from what I left, when I started a new company. So that was a tiny period, to be clear. But, um, I started researching the security space. And with DevOps, you know, there are different trends that they like, they're like, half lifing, in terms of how long it's taking for them to catch on, right? So Agile kind of took a long time, right? It was, like 10-15 years before people really understood agile, and we're practicing it. And then with DevOps, you know, you know, cloud computing really kicked that off, right. But it was like, we don't want system administrators to be the bottleneck anymore, to deploying code. And so like a whole bunch of tooling and processes changed so that businesses could meet the demand of their customers. And obviously, like the rise of mobile, like you want features, we want them now. So every company became a technology company. And these patterns were very clear. So the thing, the place we're playing in VictorOps was, Hey, there used to be like a network operations center. I mean, sure, companies still have them. But it was the ops people and your devs. And they didn't really like each other, because devs would throw code over the wall on Friday at 3pm. And then some other persons responsible for making that shit run, right? Over the weekend, they're getting paged because it's not running. And the thing that we believed is, the code is changing so fast, that in order to really minimize downtime, or maximize uptime, if there's an issue that you're, you know, monitoring systems are telling you about, you need to be able to route that directly to the person who changed the code. The trend and security is moving even faster than DevOps originally was moving, because we've totally changed how we build software, the tooling is there, the processes are there, every company, either the born of the internet, or they're undergoing like major digital transformation at this point, and it's a foregone conclusion that you have to build software differently in order to be competitive in market. And security was just left behind. Like, I would go to DevOps Days Enterprise and there are security folks there. And they're like, Hey, hi, I am here to learn, because I don't understand how we're going to keep these new systems safe. I have no idea. And then you'd ask them a little bit about their processes. And it was like, Well, before you can deploy, I need you to log into the system and click 2000 boxes that tell me that the ship safe and it's like there's like no one has time to do this. This is so inefficient. So in researching the security space, what what came to be was really this idea that same talk track, right, like we are changing code so fast, this idea that and at the time I was researching this idea around pen testing and that's that's not what we've built, I think people should get pen tests. But this notion that people evaluate the security of their software annually or a handful of times a year by a security team, or maybe a third party consultant that evaluates the code while it's in production, so you've shipped bugs brush. And then they, you know, six months later, they find a bunch of issues and throw it over the wall to depths. And I'm like, this is insane. This is so inefficient. And so I spent time really understanding the application security market, and where the holes world where the cultural challenges are just like we had them with the with DevOps, and several of them, where do they live in security, and break that down, and then figure out what's wrong with the tooling. And I'll stop talking now. But that's, it led me there. And I think what built a lot of confidence was, I knew the space. And I knew that this was really important to build. And it wasn't that hard of a problem. Like if you understand software engineering, you know, it's a clear there's a very clear problem to be solved. So that really came out in the research and then meeting my co founders, were able to put together an awesome team to go tackle this problem.
Ravi Lachhman 21:19
Awesome. Yeah, totally, totally great. Strategy roadmap, they're like, absolutely right. fixing something in production is like magnitudes more expensive, than fixing it early. Oh, surely going going back to the human, most likely the engineer who wrote that feature, when by the time the auditor, like the PwC's or Deloitte's of the world find that they're long gone off that project. And then the remedy information also, like full disclosure, I took a look at StackHawk stuff. So you know, a pseudo familiar with that, like that remedy information is extremely hard to get because then it's like two people who don't know like, Okay, what do I do with the findings? Like, what do you want me to do? Like mr/ms software engineer, it's called mr/ms. AppSec. Engineer, we don't know, like oh boy. Now it's not like the clock is ticking because the audit findings are there and like your remediation periods there, then you're gonna blow past remediation. There, depending on what kind of audit you're under. And it's just a big, big, big cycle. So Okay, awesome, that, that founding StackHawk there and to help solve that kind of a another. This would be the more human question. Again, it's kind of more of a psychological, how do you do it type of question. So I had the ability to talk to someone who was very big into open source community, like she founded several large open source foundations. And also going back to one of the DevOps executives, but it all boils down to how do you convince people; like how do you build vitality? Right, so the question for the foundation founders, like, well, if you had a new open source project, how do you get people to contribute? She had, like, you know, like, hey, it's actually very human centric. Same thing with how to, you know, grow your department. And you space but, you know, I think you represent the excellence crossroads here. What I think most entrepreneurs, you know, would want to hear it just in a two minute. masterclass, Crash Course from Joni. Just how do you gain get people to get interested in anything? blank slate.
Joni Klippert 23:29
Yeah, I mean, it's like, what people first are you talking about? Because you got to get a lot of people interested. I guess the first thing is come up with a hypothesis of a problem that you believe exists in the world, and then validate it furiously, like look at it from a lot of angles, try to poke holes into it, and listen to the words people use as they describe the problem, and then go use those words and talk about it to somebody else, right. And it starts to, you start pattern matching, and it's like, oh, it's super clear what this problem is. And for me, even though, you know, I'm not an engineer, and I'm new in the security space, you can start telling the story is though you you've lived it, right? You if you hear it 50 times, and they're overlapping in so many different ways. It starts to create a life of its own, and you can really clearly articulate the problem space and who has those problems and why it's important to fix it, right. So storytelling is a really big part like listening, and then being able to share that story such that people believe in it, and then believe in the vision on how to fix it. And then there's, you know, your personal story. So, for me, I mean, my co founders one I knew really well Ryan, who you've met, I hired him at VictorOps. He's brilliant and you know, very analytical. Awesome at data awesome at like, inbound marketing generation, like super, super smart guy. And we knew each other well, we knew how we worked. And so really, that was an easier, you know, quote, self. Like she just had to believe it was the right time for him, right. But then also, there was my co founder, Scott Gerlach, who is amazing. He was the CIO at SendGrid for a handful of years before there as they were bought by Twilio. And before that, he led security at GoDaddy for 10 years. So he had really deep domain. And I had to convince Scott that I was the person he should jump on board with, to get this company funded. I hadn't, I had to believe that I had enough experience to run this business. And I had the right people around me as mentors and advisors to be able to do it. And there's a huge leap of faith. Right? So there's sort of the is the story real? Does that feel real? And does does our solution to it? Does it feel like a problem we want to go tackle? And then there's, is this a person I want to tackle this problem with? Like, do I believe in them as a leader? And do I believe that they have the right connections and capabilities to move this forward? And that same kind of second part of belief extends to your investors, right? Like I had built really strong relationships with my investors over time working at other companies. And, you know, the Foundry Group really stepped in and made a bet that I could do this. But also, when they look at the people you hire, like, as a CEO, your most important job is getting top talent. And if I can convince them that this is a problem worth taking on, then you know, then your investors look at you and think, Okay, I think this person has enough domain and enough influence to be able to build the right team to get this thing off the ground. And then you have customers, right? So there's building a solid product based on a vision that was born out of research, right, we live, we listened to our people in the market about what their problems were. And then along the way, you know, product being kind of where I'm born out of you constantly validate your assumptions with people in the market and find those, you know, super early adopters that are willing to touch your product and play with it before it's even a thing. Like, we built the built on top of ZAP and built the scanning capability before we had any UI. And there were so many awesome people that believed in our vision that were willing to test it and give us feedback along the way, that it led us to a strong product that we could really stand behind and go out there and get other users to use it. Like you mentioned earlier. That's a lot of relationship building. So there's a lot of trust and, you know, taking the leap, but also building strong relationships over time.
Ravi Lachhman 28:00
That's as perfect as an answer I've ever heard. It's computers are easy, humans are hard. And that that was very eloquent, right? Like showing that even though there's a lot of gray in there, or there's a lot of unknowns, it's just being perseverant to the problem that's those disciplines can teach you that right. It's all kind of comes down to the person, that was perfect. Kind of a very abstract question to ask . You saved me $900 for an hour of executive coaching. So thank you so much, Joni for that. So last question. I always like to wrap the podcast up with what one one? So again, thank you so much for coming on up. If intrinsic question here again, if you're taken back to when you're graduating undergrad, and if you let's say you you were walking down the street with undergrad Joni and current Joni ran into your previous self, the day of graduation and it won't be any advice you would tell yourself as you throw your cap in the air.
Joni Klippert 29:15
That's such a good question. And I'm like, how do I make sure I answer this.
Ravi Lachhman 29:19
Could be anything; don't go to jail, you're allergic to avocados.
Joni Klippert 29:28
I think it would be Trust your instincts. And don't let anybody tell you no. Like I have I've largely lived my life and that I never want to work in a place where somebody gets to tell me what, when I can take vacation and what I can do and just believe that you're you're worthy, right like it's this is a terrible answer to your question. But also to stay hungry. Like, I, I always believed that I could figure anything out. And I was I've never been the smartest person in the room. I've never been the smartest students. But with enough curiosity, it's possible just to figure to figure it out, and, and trust that the path will lead you where you're supposed to go. I didn't, I was never the person that in a job interview, somebody would say, Where do you see yourself in five years? I'd never had a good answer. I'm like that the internet was hardly born, what I was going when I was in school, what do you mean? Like, our lives are changing so fast. Um, but I always worked for people who inspired me and who I knew could teach me something new. And I and I always wanted to learn from people that I would want to emulate in the future. And I was very fortunate to build a lot of those relationships over time, and have a lot of people believe in me that I would sit in their seat one day, and I think a lot of other people believed it. Before I did, and then I just had to take the jump. So that was a very meandering road, the answer to your question.
Ravi Lachhman 31:19
That's a great answer. Yeah. I will be looking for seats, like I said, and now like Joni's inspired me to find it. So awesome. So if folks want to learn more about StackHawk, what's the best way to get engaged with StackHawk?
Joni Klippert 31:35
Yeah, I mean, just come to the website StackHawk.com. And check it out. Like we're a very transparent security company. So our doc's are online, you can start a trial, you can play with our technology. And we also have a team of humans here that provide outstanding support to people who are even just curious about the product. And they're all very technical. So if you want to learn more about the domain, yet, there's a lot of resources that are available to peruse, caulk, and if you want to get your hands on the keys and play a little bit with some application security as a software engineer, it's a really nice place to start.
Ravi Lachhman 32:17
Cool. Well, Joni, thank you so much for being on the podcast.
Joni Klippert 32:20
My pleasure. Thank you for having me.