
Umaimah Khan

Appearances

Code Story

S9 E29: Umaimah Khan, Opal Security

0.469

We are a security company, first and foremost. From day one, we have to build a lot of trust, and that has to show through in our features.

1158.976

It's a balance. And I would say from day one, there was this notion of scale in mind. And at the same time, like recognizing when you're making one way decisions versus two way decisions. There are things you do early on, especially on the engineering side that like could be construed as tech debt. But you have to make those calls so that you can get to the next milestone.

1178.394

There is like a small bucket of decisions, I think, architecturally that matter a lot, and it's very important to get them right from day one. So in our case, if you look at how Access products have been built in the past, none of them have really been built for hyperscale or complexity. They're not really built to have flexible data models.

1197.318

This idea of context or being able to be flexible between role-based access control or attribute-based access control, it's quite difficult. And then the other thing is there's latency on all these things, whether it's requesting access or knowing who has access in real time. There's just not been systems that have been built from the ground up.

1215.371

And some of that is just as a result of the fact that some of these companies and products are from a different era. But this idea of being built for scale was always like very top of mind and being able to be flexible enough on the data model. And that's where it's worth like putting in the investment. That's how we think about it, like from day one. And so that's where we didn't compromise.

1237.347

On the rest of the stuff, it's very case by case. Sometimes it's better to have something done than have something perfect. And you make that call by, again, understanding what your core strengths are as a product. Our core strengths are reliability, accuracy, speed, and data. So that's where we wouldn't compromise architecturally and continue to make the investment to improve.

1268.561

I would say the team, first and foremost, like I wake up every day and I'm just like, I can't believe that these people chose to like come here and work this hard with me, basically. That's first and foremost. I think the second thing is a lot of the things we've talked about as a product, and I don't say this as like a diss on us, but

1286.005

They are just how you think about good system building to scale across many things. We've seen the entire DevOps space, like CI, CD, mature as an industry in the last 10 years. And a lot of that just came from this idea of good engineers thinking very carefully about what reliability and infrastructure look like there.

1307.777

And I think that we're starting to get to a point where people understand this is necessary in identity and access as well. Right.

1314.519

And I'm really proud of the fact that as a market, there has been enough maturity over the last couple of years that people are starting to stand up and take notice of that and are now thinking about this problem from this perspective, as opposed to, oh, I'm building a ticketing platform that's going to allow me to have this one workflow for everything.

1341.944

On the product and edge side, there have definitely been things I look back and I say, I shouldn't have prioritized that. For example, there's this class of ill-fated UX redesigns, which are incredibly painful and very resource intensive that I think back to and I'm like, man, it just feels like the team was on a merry goose chase for three months.

1364.062

In terms of how you respond to it, my perspective on things like this is honesty is the best policy. You own up, you explain why you made the decision you made, you explain how we got to this point, why it's and just open the space for feedback and how as a team, we won't find ourselves in similar positions. How can we learn from these things? The reality is you make a lot of mistakes.

1383.736

The question is, do you make the same mistakes over and over again or are they learning opportunities?

1397.136

Up to this point, from a product standpoint, we've talked about data ingestion and workflows and things like that. What really gets me excited about this space is this idea of really building this intelligent layer to calibrate access. We now have pretty good self-driving technology, right? And it's wild if you stop and think about it.

1416.705

We have cars that drive themselves and they're able to navigate these incredibly complex environments and respond in real time to them. And a huge amount of that is a result of the fact that LIDAR technology allowed us to capture a ton of information and actually start to figure out how to model all kinds of heterogeneous environments.

1434.896

I think there's something similar that happens in access and identity, that if you can really nail the ability to create a ton of context and data, then you can actually start to build out the automation layer for real, basically. I think that's like a very unique opportunity. It's something like I feel like technologically is where the industry is headed to.

1458.251

If you follow like anything that's happening in the big AI companies, there's a lot of discourse around security and specifically access management and how you calibrate that and how that grows flexibly and how you feel like you actually understand what's going on. I'm excited to see this industry take that leap in that direction.

1478.416

It's just it's been so primitive right now from a technical perspective that there's just a ton of foundation you have to lay down.

1494.324

My first team, like the leadership team, does influence a lot of the way that I work. I really enjoy working with whether it's my sales leader, marketing leader, engineering leader, and then really seeing how they bring their own leadership styles and manage their teams.

1509.584

I also, I think, look up to certain like industry founders that I think were willing to do like the hard work, like really roll up their sleeves and figure things out. I'm a big fan of Databricks as an organization. I think they had like kind of an interesting early journey. And there's a lot of similarities. They had a very technical team and then they had to figure out how to build a business.

1531.102

And I think they did. And a huge part of that story, it does feel like it's just like being willing to recognize what you don't know and embrace it and just learn things. I would say that I'm fortunate to have a lot of role models and people to look up to in various aspects. And I try to be self-aware.

1549.197

I think it can be hard sometimes when you're in the zone, but I don't know, I feel like I'm still learning.

1570.984

It's a weird job. Like nothing preps you for it. There's nothing you could read. There's no one you could talk to. And you can feel very self-conscious about all the mistakes you're going to make and all the things you do. And I think the thing that helped me the most and the advice I got was just being reminded of that. You don't have to know how everything works.

1590.954

You're not going to be able to know how everything is supposed to be. I remember when I was earlier in my career, I would think to myself, oh, I have to become like a C-level somewhere to be able to start a company. And the reality is, even if I had done that, I would still not be prepared for it, the level of like ambiguity and the questions and open-ended questions and mistakes I would make.

1612.578

And so just being really comfortable with the fact that you're just constantly going to be learning and not lose that enthusiasm or excitement, I think is like the most important thing.

1628.946

Thank you. Thanks for having me.

218.772

So Opal Security is at the highest level. I like to think of it as an identity security platform. And what we really do is basically build the data layer and the workflows and then threat detection and response to actually understand who has access to what in your organization and how to calibrate that and eventually fully automate that in a way that actually scales with your work.

244.969

I did more academic security in a past life. I studied some cryptography and I did a bunch of math and found myself repeatedly drawn to real world problems at the same time. I enjoyed the technical challenge, but then would have this desire to fix things that I saw happening in the real world. And one of those things was access management was this incredibly messy, fragmented issue at every scale.

273.183

tiny 10-person startups to open source to big government labs. And it just felt like a strange thing. It's clear that this matters. It's important. It's almost ignored until it's too late. And I think a huge part of that is because people aren't willing to look under the surface and ask themselves, how did we get here? A huge part of that is the reality of how businesses grow and how they scale.

29.426

Another example of this is like building in our back end, our product itself, which is something that you will often see in like B2C or product-led companies gets left until way too late. I'm Umaimah Khan, also known as UK, the co-founder and CEO of Opal Security.

296.947

Security sometimes ends up being an afterthought, especially in product-led organizations, when it hinders the business. You just get to a point where you got this like insane wild west of like authentication and authorization and you don't really know what's going on in your org and you're a little bit scared to pull the trigger anywhere because of what could happen down the line.

316.942

I found myself like just fascinated, like both from an organizational and technical perspective that like this kept happening and eventually got so frustrated that I was like, you know what, I'm going to go figure out why this is the case and possibly build it. I was confused.

332.105

It just seemed like there would be these big legacy players that were just built to check boxes from a compliance standpoint so that you could say, oh yeah, we definitely do this internally, but not actually solving the problem at some deep technical or product level. And I at some point just said, you know what? Screw it. I'm just going to build internally and try to build a good system here.

352.775

And what I found was that I wasn't the only one who had gone through this. There were many companies, especially in the Bay Area, who had a similar realization. And then they would hit this point where they're like, I can't scale this internally anymore. I can't justify this internally anymore. And it was like such an intense conviction.

369.074

This was like the right place to start that I took sabbatical from that job and just worked on it full time. I thought about it from many different angles. And it was funny. Two and a half years ago, I would meet people and they would just be like, isn't this a solved problem? I don't get it. It doesn't like so and so like company already do this.

387.43

And I would just constantly just be like pushing back and saying, no, have you actually looked at the guts of what gets deployed and like what happens? No, people are just buying things and nothing is actually like solving the problem.

415.225

So the MVP was born from this, what is like a really obvious, like tactical problem or pain point to solve and how do you get there? And so like in our space, if you think about all of the context and the data necessary to even begin to like build scalable access, it's overwhelming, right?

435.622

And so then you scale back and you say, what is a way we can solve the problem knowing everything and having all the context would in a faster time to value? And that's this concept of just-in-time access. How do you just patch through access that's very time-based, that's very role-specific for a period of time that's tied to very specific events?

454.015

And in our case, that was building for syncing with on-call schedules. This is like... huge pain point for a lot of engineering teams. You're on call, all of a sudden some production system goes down that you may or may not have been granted access to at some given point in time. And now you're on the hook to figure out how am I getting access to this? Am I making a ticket? Am I paying my manager?

475.322

And all of that got distilled into a very simple entry point. And when we would show it, people would be like, oh my God, I get it. You know what I mean?

507.273

Oftentimes when people think like you're a product first organization, I think that means like you're just building stuff and it's just as important what you don't build early as what you do. When I think about where our products and vision really shines, it's in organizations that are incredibly large and complex and really basically need this firewall for like access, right?

531.961

They need to be able to understand the complexity with which different entities are moving around and what they have access to. And that can get very complicated very quickly on the edge cases and how you implement least privilege for those things, right? We had to make some decisions on, one, who can we sell to in the early days, even though we know that this is where we're headed?

554.591

And where can we provide value in a more direct fashion? So what that ended up looking like was saying no to certain integrations or very complicated workflows.

563.415

And coming back to this concept of JIT, this concept of here's actionable least privilege, here's like actual reporting we can show you on like mission critical systems you have today, even though you may have like thousands of applications you want to cover.

575.744

And then really tying that back to looking at our like cohort of early customers and making sure it resonated with all of our other customers who are in the same direction and looking for the same sort of like product vision.

742.372

To me, like the way I think about this philosophically is it comes back to positioning. So access touches a lot of different stakeholders in an organization and a lot of different departments and economic buyers. Like you can think that if you just think about it, right, like access is about it's a workforce issue, right? It's not just like directly security or engineering issue.

763.961

It's also a security issue. It's also a compliance issue. When we think about our positioning and what's unique about us at Opal Security is that we are a security company first and foremost. And that means that like from day one, we have to build a lot of trust and that has to show through in our features.

780.793

So we made very specific choices on what we would prioritize from that perspective, such as being able to work in hybrid environments, because we knew that even as a small company, if we wanted to be the backbone of people's access management and least privilege like infrastructure that they needed to feel like they could manage us entirely and work in these complex environments.

8.054

So we made very specific choices on what we would prioritize from that perspective, such as being able to work in hybrid environments, because we knew that even as a small company, if we wanted to be the backbone of people's access management and least privilege infrastructure, that they needed to feel like they could manage us entirely and work in these complex environments.

802.17

Another example of this is like building in our back in our product itself, which is something that you will often see in like B2C or product led companies gets left until way too late.

812.499

There's like these things that I think got prioritized very early on the integration side, just like doubling down and like the cloud security space and building like really first class native integrations into the hyperscalers because we knew that while folks wanted to figure out what was happening in like their lower priority SaaS

829.795

applications today, they had no visibility or ability to remediate in these mission-critical production systems. There's no vendor serving that. It was flowing directly from that positioning again. What does it mean to be a security and infrastructure company solving access? And then once you've got that, you can start to engage and think about what do the other stakeholders need?

852.775

The user experience is really important if you want to have that data and that coverage. And so talking to our customers, understanding how important it was with them, working with them and making these parts of the roadmaps possible. A partnership helped us sequence. I will say that in the early days, as much as you want data, like sometimes it's just not there.

873.313

And also as you're figuring out who you're selling to and who your power users are, you're going to get a wide variance of feedback until you tighten that up. So there is like an element of like art versus science to it as well. You just have to spend some time using your own product. We dog food our product here internally and just talking to people and like really digging in.

892.928

Even if somebody says I need X feature, like trying to get behind that and say, what are you actually trying to solve for? And let's be creative about it.

916.084

It's very much being self-aware enough about who you are and building a team that's complementary to your own blind spots, as well as folks who amplify you. In my case, I would consider myself a fairly spiky individual. And so I knew that I would naturally gravitate towards other folks who spiked in certain areas, right?

934.658

Who were just like incredibly good at whether it was because I'm a technical leader, engineering, or sometimes like on the sales side and building a team that like when you have a lot of personalities, you also need to like make sure you're building the infrastructure for like good communication, for good understandings.

954.486

Early stage companies are largely built by sort of bad students, good test takers on across every department. And you need to like be very comfortable with that, maybe be a little bit like that yourself to let people run around the field and do their thing and like basically figure it out with you and experiment, and be very comfortable not waiting for like marching orders.

975.142

The other thing, and this kind of touches into how we're talking about roadmap, is obviously we built very critical infrastructure. Building a team that had the experience to know what they were building was also very important, because this is a product that requires a lot of trust and understanding.

992.578

So having a balance of those two things keeps the pace of execution going, but also the experience of having seen things before.