Name: Peter McKay, Snyk
Uploaded: 2024-12-17T20:24:00.000Z
Duration: 21 min 58 s

Clips
More from theCUBE + NYSE Wired: Zero Trust Cyber Series

Peter McKay

CEO

Snyk

play_circle_outline Importance of embedding security early in software development lifecycle.

play_circle_outline Impact of generative AI on code vulnerability and need for security solutions.

play_circle_outline Snyk's approach to partnerships with generative AI vendors.

play_circle_outline Strategic acquisitions by Snyk with developer-centric focus.

play_circle_outline Snyk's culture focus, organizational learnings, and adaptability.

Info
Transcript

Peter McKay, Snyk

Peter McKay

CEO Snyk

In a recent interview, Peter McKay, CEO of Snyk, discussed the company's impressive growth, reaching $300 million in ARR by focusing on embedding security early in the software development lifecycle. McKay highlighted challenges posed by AI-generated code, emphasizing the importance of integrating with various tools and platforms to cater to customer needs. Snyk has taken a unique approach to market partnerships, working with generative AI companies to ensure secure code is generated from the start. McKay also discussed the potential for IPOs in the coming ye... Read more

explore Keep Exploring

What is the concept behind Snyk and how does it aim to address security issues in the software development lifecycle? add

What is the importance of building security into generative AI models and tools like Copilot, Gemini, and Codium due to the increasing vulnerability caused by training on more subpar code? add

What is the current approach to partnerships and integrations with generative AI solutions in the market for developer security solutions? add

What is the approach taken by the company in terms of acquisitions and focusing on developer-centric tools embedded with security? add

What is the importance of creating and maintaining a strong company culture, especially in a post-COVID world with remote workers? add

bolt Powered by CUBE AI

Peter McKay, Snyk

Dave Vellante

>> Hey, welcome back to the New York Stock Exchange and theCUBE's Media Week. This is cyber plus AI Innovators. Dave Vellante here with John Furrier. We got three days of wall-to-wall coverage. Brian Baumann is here. We got innovators coming in the evening. We're going to have a physical event. Of course, we run the digital twins here. We're super excited to have Peter McKay, friend of theCUBE, CEO of Snyk. Great to see you again. Thanks so much for making some time for us.

Peter McKay

>> Great to see you, David, and thank you for having me.

Dave Vellante

>> You bet. Well, you're in the news again. Last couple of days we've seen a lot of stuff. You've sprinkled out a few little tidbits about your business, which is exciting. $300 million in ARR. You got over $400 million on the balance sheet and I'd love to get into that. Give us the business update. Give us some of those metrics. Why are you talking about it now? Everybody is talking IPO. You had some comments on that. I'd love to get into it with you.

Peter McKay

>> Yeah. I know. It's been a tremendous milestone for us. I think it was five and a half years ago, I started as CEO here, and that time we were about $2 million in five and a half years. We've surpassed $300 million, and a lot of the same team that were here five years ago is still here. Obviously, we've added 1,000 more people plus over that period of time, but it's a tremendous milestone. A lot of companies don't make it to 100 million, let alone 200 to 300. As you know, go through all the stages and people think it's so easy to get from two million to 300. You have to take the time and appreciate the milestone, and we're obviously excited internally, but we wanted to share that externally as well.

Dave Vellante

>> Well, it is exciting. These markets are just coalescing. It was interesting to see your former company, Veeam. You see what's happened to Rubrik. They go public. Valuations are up. Those two worlds are coming together and CISOs are just getting more and more responsibility, as is the entire business. Then of course, the developers. We're asking the developers to do more and more. They're not SecOps pros, Peter, but they have to secure everything now, because that's the whole shift left thing. Explain where you guys fit into the whole value chain.

Peter McKay

>> Yeah. If you think about the world of application security, which has been the area that I've spent the last 25 years in, it's all been in a very slow software development lifecycle and a slow process. The concept of Snyk was really decentralized security and embed security early in that software development lifecycle. As you're building the apps, you're checking for all security-related issues like open source, code vulnerabilities, and open source vulnerabilities, and container, and infrastructure, and cloud security issues. Anything you can fix in the pre-production, fix it. You don't have to react or have an issue come up with some of your applications that are running live. For us, it was right place, right time, being proactive in addressing security issues. We're all about being proactive in preventing issues from ever coming in, of becoming a factor in your application world.

Dave Vellante

>> I've seen stats. I think I saw them from you, maybe some of the commentary you had in the media, that AI-generated code is 30% to 40% more vulnerabilities. Here we are thinking AI is going to make us more efficient as coders, and yet it sounds like it's presenting novel risks. Can you explain that?

Peter McKay

>> Yeah, it is. It's an interesting phenomenon. For the past five years it was always about trying security teams to keep up with the developers and the pace of software development, because application security was always centralized in this small team of security professionals. What we did was decentralize that. Everybody owns security. As these developers were increasing their responsibility and the number of developers by embedding security, and you could scale security at the pace of software development. Now with generative AI, it's like developers on steroids where now they're producing 20%, 30% more code than ever before in the test. There's a tremendous amount of research that the code generated by Copilot and Gemini and all these generative AI solutions are 30% to 40% more vulnerable. What's interesting, David, is from version one of all these to version two to version three, it's getting more vulnerable, because these are being trained, these generative AI solutions are being trained on more crappy code that's out there in the universe and it's getting worse. The need for us to build security into the generative AI models, embedded into Copilot and Gemini and Codium and all these tools. Snyk attack has been a huge tailwind for our business that if you're going to allow developers to use a gen AI solution, you need to put some guardrails on it to make sure that the code they're generating is secure at the same time.

Dave Vellante

>> That's interesting. Snyk attack. I love it. What's your route to market there? Are you working with some of these LLM vendors to help them be more secure? Are you actually doing that with enterprises? I'm sure you are. How do you stop this before it gets to runtime?

Peter McKay

>> Yeah. It's both ends. We've had partnerships now, discussions with about 15, 16 of the generative AI. I think there's probably 25, 30 of them out there from open source ones to commercial solutions. Then we work with the companies. The biggest banks of the world are all evaluating two or three different code generators in the market and trying to figure out what is best for them, open source and non-open source. For us, we have to work with both, because if you remember, David, we've had this conversation over the years. We've always been agnostic. Agnostic developer security solution regardless of the languages you use or the tools you use or the clouds you use and the generative AI solutions you use. We have to work with every one of them. Out of the box, we have to build those integrations, whether it's a formal partnership or not. If our customers are using it, we have to integrate with it. This is part of what we've done very early five, six years ago was integrate with all the tools out of the box. The next generation of tools are all the generative AI solutions on the market.

Dave Vellante

>> I'd love to get your thoughts on just the market landscape, and let me set it up like this. Microsoft obviously is ubiquitous. They're the big whale. You got Palo Alto being a big consolidator of companies. CrowdStrike as well, very acquisitive. You guys are acquisitive, too. I'll come back to that. But you've got these platform companies that are trying to be both best of breed and consolidators. You guys very clearly are best of breed. You're seeing a lot of trends where best of breed companies like yours will partner with other best of breed companies that are in adjacencies, and then together you'll go to market and try to help customers consolidate. They really struggle, because something new comes along that's really good and it helps with a new problem. How do you think about the landscape, some of those big players? Again, notwithstanding CrowdStrike is working through some of its problems related to July 19th, seems to be getting through them. But how do you think about that best of breed versus platform and the whole consolidation trend? Help us squint through that.

Peter McKay

>> Yeah. As you know, security has always been a very fragmented market. When you try to consolidate, even you'd consider us best of breed, but we consider ourselves a platform, a developer security platform that we've been expanding from when we started with just open source security. We added container, IAC security. We added code or SaaS. We just added AppRisk, which is another, our fifth product. We just bought Probely, which added DAST and API security in the mix. In our space, developer security on the left side, we believe there's a platform story that we've been building over the past six, seven years. We still believe that there's the need for someone to specialize, this agnostic solution for developer security platform, but we've always believed that we needed to win in our world, to be the continuous leader in our space, we have to play with the right side. Partnerships with all the companies in observability and runtime security and other areas from GitHub and GitLab and Atlassian, from developer tools to all the gen AI solutions, Gemini, Copilots of the world. We've always been very open to the ecosystem and we knew that in the biggest customers, they needed us to make sure we were building into all the tools that they use. It's been a massive part of our development initiatives to make sure we interoperate with all the companies in and around the ecosystem.

Dave Vellante

>> You've done it with a combination of organic innovation and M&A. You mentioned Probely, Helios, DeepCode, a number of others that you've tapped. As a platform company, how do you think about M&A? How do you target? What do you look for from both a business and a technical standpoint so you don't have to do a lot of ridiculous integration that's going to slow you down, or even worse, don't do the integration, which causes headaches? How do you think about that in a way that is facile for customers?

Peter McKay

>> Yeah. I think to really understand the logic of how we've made our acquisitions. Like you said, we've done 11 of them over the years and we take a very different approach. A lot of people are consolidating security companies or security tools for security users, security people. Our view has always been very different. It's security tools, but for developers. When we look for acquisitions, we need to look for acquisitions that are developer-centric. A lot of times in a lot of the moves like DeepCode and others, we bought quality tools or developer tools and embedded security in. We have the security experience. We wanted to make sure that they're developer-friendly first. We don't look where most security companies look. We look for developer tools and we embed security in. Probely was a DAST solution, but of all the 20 different DAST companies out there, Probely was the most developer-centric of any of them. That's the lens that we look. Our buyers in a lot of cases are CISOs, but the users are always developers or platform engineers that integrate our platform into their stack. It's a very different way. We continue to build these components into the platform, not standalone. Every product that we've bought has been integrated into our platform. Not like the land of misfit toys that some companies, "Yeah. I've got a platform, but it's all loosely coupled and not integrated."

Dave Vellante

>> Well, we've seen how that causes real pain for customers. We saw it with companies like EMC. VMware similarly, which brings me, I want to ask you about culture, because you were at VMware. Amazing culture. Ecosystem, great engineering culture, great partnerships and go-to-market strategy. Then when you became CEO of Veeam, you inherited a very unique culture, as you know.

Peter McKay

>> Very unique.

Dave Vellante

>> Then now Snyk, you actually were able to handcraft it. I want to ask you about culture, your philosophy on culture. How would you describe it to the audience?

Peter McKay

>> People think, well, the CEO sets culture, and I think everybody owns culture. A lot of people come to Snyk because of our culture. We care about each other. One team. We're very focused on customer centricity. I learned a lot of that. This is my fifth CEO, but I learned a lot from VMware where they had a really amazing culture. Pat Gelsinger and Carl Eschenbach and that team really taught me a lot of the importance of culture. Going from there to Veeam, which was a very, very different culture, was a test in my ability to drive culture from the top down into an organization. Coming into Veeam, that was between myself and the founder blending on a culture that we thought we wanted to leave a legacy that we're proud of. Taking all the things that we've learned from our past to come in and make this the greatest culture we could ever build, and I think we've done a really good job of doing that. But culture, especially post-COVID, it's hard, because people aren't always coming into the office. You got a lot of remote workers where you don't get the bonding experience. It's hard to keep that culture strong and improve it as you go. It's a lot harder today than it ever was, and it's something you got to stay up on. Every new person you hire coming into your company is either going to improve your culture or reduce or diminish your culture, and so you got to hire right and bring the right culture fits into the company from the start.

Dave Vellante

>> Here you were pretty much early on, so you're able to do it from whole cloth. I was talking to Frank Slootman a while back when he went from ServiceNow to Snowflake, and I made a comment like, "You're going to bring your ServiceNow playbook to Snowflake." He said, "No. Everything is a different situation. It's case by case." You have to be a situational leader, understand the situation. What might've worked before, maybe there's pieces that you learn, learnings that you can apply, but you have to really think deeply about where you are in the current situation. I presume you agree with that.

Peter McKay

>> You're dead on. I can just tell you about my experience coming from VMware to Veeam to here. I've done this so long. You think you have all the answers because you've made all the mistakes possible that you could in your career. When I came in, I got a kick out of these people who come in there with these playbooks. "This is how I do it." It's very structured. I tell you, when I came into Snyk, it was very clear that they were doing things that I've never done before in my career. I said, "I'm not coming in with a playbook. I'm not coming in with all the answers. I'm going to come in and learn and I'm going to have an opinion of what I think is the right answer, or they're going to convince me that their way is a better way." I have to say I was wrong at the time. You think that by doing this for 30 years, you'd have made all the possible mistakes, but I came into a new company and I didn't. I think that's fascinating. When you're wrong, that means you have a lot more to learn, and you're always adapting to new environments and new ways of doing things. If there's one thing I got from Snyk, PLG for security. Whoever thought you could do PLG motion for a security product? I never would've even imagined it. Now, I wouldn't say I'm an expert at it, but we've learned a lot of how to build a bottoms up with a top down business and make it a $300 million business on our way to a billion.

Dave Vellante

>> Well, Peter, being from Massachusetts, you and I, we're always going to come back to sports.

Peter McKay

>> Oh, God. Yeah.

Dave Vellante

>> Batting 500 is pretty good. If you're Juan Soto, you're batting 285 and making three quarters of a billion dollars over 15, 16 years.

Peter McKay

>> Can you imagine that?

Dave Vellante

>> How about that? Holy cow.

Peter McKay

>> That's a nice contract. The Red Sox had no chance to sign him. I think it was just a PR stunt to try to get some interest going, but they didn't stand a chance, not with the Mets and the Yankees going. That was a pipe dream.

Dave Vellante

>> They didn't want that contract. I want to come back to money. Brad Gerstner, he wants every company to go public. I like his narrative on this. But the bankers are telling us 2025 may be not a robust year for IPOs, which is interesting. It's hard to tell in December what's really going to happen in 2025, but that seems to be the sentiment, although people are talking about the new administration maybe having a little less friction. I think you've said publicly, "Well, we're going to wait and see." What are your thoughts? What can you share on the IPO front and what you're expecting for 2025 and beyond?

Peter McKay

>> Yeah. No. This is one of those questions you got to watch out what you say, because it'll be used against you at some point down the road. You always leave yourself open to whatever the dynamics are happening in the market. First thing is just be ready. If you're ready as a company, you have all the options. You can move faster, you can move slower. You run your business as if you're a public company. Do your quarterly close, get your audits done, build the predictability of your business, and all those things we've done. I think the first half of next year, part of that is you also have to have an opinion. My opinion right now with the data I have is the first half is going to be the ones that have to go for a lot of reasons will go out maybe in the March, April, May kind of timeframe. I'm looking at seeing what happens in the second half, early 2026, and just be ready. I think the interest rates drop have a six-month delay. The Trump administration coming in will have some impacts, because I really believe the M&A market and the IPO market go hand in hand. When you have this opportunity, when a vibrant M&A market where they're consolidating companies, where you have an alternative of I could be bought or I can go public. When you have that competition between the two, I think it makes it more attractive for both, and I think we haven't seen much of any of that. Not a lot of IPOs and not a lot of acquisitions. There's a massive logjam waiting to open up. I think valuations of public and private companies are coming in line, and I think the IPO market will start to get better. I look to the second half of 2025 and into '26 as being the prime M&A and IPO markets.

Dave Vellante

>> Well, thank you. That's great color. What we heard from you is you don't have to go. You've got over $400 billion in cash in the balance sheet. Then I would also ask, the last question is growth. We tend to be optimists in this business, and we're certainly hopeful that with the large debt that we have, the new administration, that we can get growth. Maybe we can get GDP up to 4%, maybe even 5% to try to grow our way out of this problem. Sprinkle in some real AI ROI in 2025 and 2026, and we could really be seeing a big wave. I hope I'm not too bubblicious here, but it really does feel that way, and that could solve a lot of the problems that we're facing and then tie back into M&A and IPO. Your final thoughts.

Peter McKay

>> Yeah. I think you're dead on. I think you're going to see a lot more of the productivity gains and a lot of the tailwind of AI really hitting in 2026. But when you marry the AI wave with the Trump administration coming in, the more favorable interest rate environment, I think the combination of all of those things, and hopefully with less geopolitical issues going on. You're towards the end of 2025 really getting a perfect cocktail for some significant growth in the market. That's what we're betting on in our business is yes, it'll be slower in Q4, Q1, Q2, but I think as you get into Q3, Q4, I think you're going to start to see that acceleration.

Dave Vellante

>> Peter, always a great conversation. Thanks so much. Keep us safe out there at the starting point of code. Really appreciate your time.

Peter McKay

>> Thanks for having me, David.

Dave Vellante

>> Okay. You're very welcome. Keep it right there. This is Dave Vellante for John Furrier. This is our Media Week NYSE wired in theCUBE community. We'll be right back right after this short break.