Lessons - How to Hire A+ Talent (When It’s Hyper Competitive) | Ian Tien - CEO & Co-Founder of Mattermost

In this episode, you'll learn about the security advantages of open-source software, the importance of customer collaboration, and how to build a strong security culture. The conversation also delves into scaling a SaaS business, securing enterprise clients, and the power of focusing on impact, growth, and connections when building a successful team. The other thing that I think about when I think about open-source is you've built this community of people that are always like pressure testing your software. Talk to me about security, talk to me about why open-source, I've watched a couple of other interviews that you're in, and just the security point I think is important. More important than ever before with the amount of people that do get compromised. When you roll this out and when you build an open-source project, is it more secure than a closed source? Yeah, that's a great question. It's not so many things, it's not just the open or closed model. It's the investment on security, it's your internal process. Security doesn't come down to one or two things. The way that you think about there's three principles to think about in security. One is nothing is secured. There's always going to be vulnerabilities. All you can do is kind of move those around. That's one. When you're open-source software, you have a lot of visibility, and your customers are very motivated to work with you on security. Everyone runs the secure customers. We're in public sector. We're in the U.S. Air Force. There's 20,000 U.S. air crews that rely on matter-most in order to fly planes. The security and the rigor that we go through is at that level. Then you'll find us in many communities that have very, very high security standards. I think that community and that understanding that yeah, all software is vulnerable. We've got transparency and people can report to us. We have a system to address that. That's all super important. I think that's one on security that is for the open-source model. I think the second is really about... There's second principle, which is the effort that goes behind a breach, that goes behind an attack, is proportional to the value of that breach. What that means is if you can think of like, hey, I've got everything in this giant cloud system, everyone in the world uses this cloud. Great. Guess what? There's going to be an infinite amount of resources that will be dedicated to breaching that mega fortress. All they need is a crack in the armor and they're going to be going after it. What open-source and self-hosting lets you do. We can do either cloud or self-hosting, but what it lets you do is put that behind your own defenses. None, one, your date is not mixed in with all these other honeypot targets. Your stuff is off the side and it's behind all your other security and the only people that are breaching it are the people that want to breach you, not breaching you by accident by hitting somebody else. I think that's the second piece. Then the third is really just about the dedication to security. One thing that I'm actually personally proud of is our security team and how it works with how it works with the community. We just brought on a wonderful person, Jerry Porello, who was the former CISO of the New York Stock Exchange as an advisor. That's just an example of how much we care about security and he doesn't hold back on his opinions and what we need to do and it's super helpful. What I'm really proud of is a little while ago, we discovered, because we vet all the software that comes in a matter most and we vet it very carefully, as we're vetting a certain library for SSO, SAML authentication, we found a vulnerability in the GoLang language itself in the XML parser and this and we're like, wait, this can't be true. We looked at it and we're like, oh crap, this is true. We never, we never, you know, that never went into, we were never exposed to that vulnerability. Our customers not exposed that vulnerability, but there were a lot of other people that used GoLang and used SAML SSO that had a vulnerability. It took us three months working with the GoLang team and working with the downstream libraries to figure out how do we do a coordinate disclosure. So the coordinate disclosure is tell them like, we create the patch, matter must itself, not the GoLang, you know, folks, but we create the patch itself, we created, you know, a reference for how to fix it. We went through a very time series, we told the downstream libraries, we got them to prepare patches, we told the people, private and public companies and government institutions that were exposed to this vulnerability that was there so that they can fix it quickly and then we did a public disclosure. So we did it in a responsible way, we cascaded it, we gave people time, let people know it was important and this was a big deal. Like it would, you know, one of the tech giants, you know, had a delay, one of almost had a delay, one of their launches because of this issue. So, you know, that's what it means to be part of the security community and really participate in not only the safety of our products and our customers, but of the general software community itself. So I think when you think about, you know, what it means to be great at security, I think it's not one or the other, it's about, you know, how do you, what is the whole story about your investment security? And that, the fact that it keeps things safe. I was going to say it's also the fact that it comes down to the culture of the company and where you put your focus and attention to. So, you know, I think it's probably less about closed versus open and more about how forward thinking and looking at the company is and where they want to spend their time and attention. I think that both both could, but if somebody is so, so hyper focused on building the best possible solution and is so hyper focused on security all the time, like you said, like, you're probably, you're probably leading the way in some security and some of the things you do for security that any other company could do, but you're doing it just because it's a focus of yours. That's the sort of the takeaway that I get, but I want to, I want to pivot. So now we're spoken about like the, the, the, the engineering side of the business, but also, you know, the fact that you landed large enterprise customers starting a new company is it's also very impressive. So when you're taking a product like this to market, you just casually said we landed an enterprise customer. A lot of people would love that to happen to them when they're trying to take a new SaaS product to market. So how do you take a product like this to market? You, you understand you solve the problem that you have, but how do you identify your ICP, your buyer persona? How do you go in and how do you sell that first version when you have no other customers? What was your, what was your first customer strategy? How did that close? It's really about building something that people want. I think there's, you know, there's a simple algorithm to teach a YC, which is like, you know, talk to customers, build product, you know, exercise and exercise basically stay healthy, right? And that's, that's so important because like, people can burn out, but talk to customers and build product like that's the loop. And I think what happens is people realize how powerful that is. And, and talk to customers and just they're like, well, hey, you came to our website, you know, we open source Slack. Well, why open source Slack? And it's like, oh, we need this for like data privacy, like full stop. And we need this SSO feature and we need, we need this. And it's like, would you pay for that? Yeah, we'll pay for that. Like, that's it. Like, that's the market discovery. Just, you know, put something on the web, create like, we use discourse as a form. So we would like be able to talk back and forth. You know, we email, hey, contact us form. And people just fill the contact us form. Maybe like, okay, well, here's, here's what I want to know. Like, why, why, why are you interested in matter most? And like, and then you just put that down the drop down list. Oh, it's a hip chat replacement. Oh, it's for like, you know, we have, we're deployed the free version. We want to get, you know, these paid features. So, um, it just conversations. And as you have more conversations, you can, you can speed the conversation. You can have them. You can categorize things. So just don't stop talking to customers. And then don't stop building product. And then, you know, always stay healthy. That's really important. And do those three things. It's magical how quickly you can move. I think people, they get, especially in the early stages, they get very distracted. They're like, oh, should I be speaking to the conference? Oh, should I be talking to investors? We spent very little time talking to investors. And everything just, you know, and the thing is, investors don't really want to talk to, I mean, yeah, they want to kind of talk to the founders, but they really want to do is talk to your customers, right? So then, you know, whatever logo list you've got on your website, they're going, they're back channeling, they're like, okay, why do you, why do you buy that? And then when they, the good investors, when they're ready to talk to founders, they're, they already have the context. So just build a great business. And, and don't worry about like networking and speaking, and they're just just talk to customers, don't the product, like it, and feedback leader that. Yeah. Yeah. When you're scaling up, and, and you, your technical yourself, but one of the things that I thought was interesting. And one of the things that is interesting now, at least for me, because I came from a SaaS company where we had a lot of, we had a lot of difficulty with this, but hiring great talent. And most importantly, development talent, as a startup, when these are just obviously, like these are numbers that I, I can't verify, but I, you know, you see the, the netflix is of the world paying 300,000 plus for a developer, a software engineer. And, and, and then some, and then you look at some of the, you look at some of the salaries in the valley. Like, how do you find and scale up great talent and retain great development talent when you don't have a 20, 50 million plus dollar investment? Yeah. That's a great question. I like, so the people that are money motivated, great. Go be, go work in hedge funds, right? Like, just, you know, don't even think about Netflix. Just go straight to hedge funds. Like, and then because they make a ton of money and, you know, they don't really create that much value. But like, you know, you're basically advanced day trading. Like, go create, you know, high, high velocity training, trading, right? Like, there's, if you want to make money, just go make money. If you want to build great software, if you want to, you know, think about, you know, the impact that you're going to have, if you think about the personal growth that you're interested in, whether it's a technical, whether it's the languages, or it's, you know, being on the manager track, or however you think about it, you know, what, what is growth? Um, that is, you know, that's just a different frame. Think about the, the frame we have is impact. It's growth and it's connections, right? Connecting, connecting to the other human beings that are in that are on the mission with you, right? So, um, for us, you know, the impact is about being open source. Like, you, you write at once. And if you do it right, like, it never has to be written again, right? Like, we have, if you're into an open source Slack, open source notion, open source Trello, um, and, you know, coming up sort of open source, you know, huddles, right? Clubhouse. We're adding the audio piece too. You know, once you build that and it's an integrated suite, like, it never has to be built again. You've, you've made your mark in software history. Like, if that's important, you know, that's, that's one of the pillars that we've got at Madermost. The second one is, is personal growth. Half of our managers at the company are promoted from within. So, you know, that track and that dedication to enabling managers and making them successful is also, you know, super important to us. And the third is, you know, we have staff in 20 countries. We have contribute. We have 4,000 contributors in the open source community. And it's the ability to sort of like, you know, walk off a plane in like, you know, 20 different cities around the world and have people greet you at the airport, have your friends, you know, show up. And I think that that connection that like concept that's like, oh, yeah, people aren't like machines in the, in the, and they're not cogs in a machine that they're here with other human beings to go build something that's meaningful together. You know, that's, you know, that's the people that we want. So, if there's people that will care about, you know, we spend most of our life working. And if impact growth and connection is important, that's what your life's about, then we want to work with you. If your life is about, you know, how many Netflix options can I have in my portfolio, then you should work for Netflix. When you, when you try, so what are some of the strategies that you use to find people like that? Um, 56% of the staff at Madam, 56% of our hire has come from referrals. So the people that like, hey, I love working here. This is really great. You know, that's, that's more than half of our team. And I think when you, you think about NPS and a promoter score, it's like when people really enjoy working here and they tell their friends and they get, you know, more and more people and like that, those are the best hires. No, no, I was going to say so you focus on, you focus mostly on referrals and then you were going to say something else. Sorry, I think we're like, there's like a two-second delay. So I never know. Go ahead. Sorry. Now the, so some referrals is, is, um, the referrals is the majority and we'd love to continue that and then keep going because that really means that people enjoy it here and love it and they're, they're bringing on, you know, all the folks that they know, the second biggest source in the early days, definitely was the open source community, 4,000 people contributing and, you know, just saying, hey, let's work together. Like, let's, let's do this professionally. So, a few months after we released our commercial version, we got this person who pinged us and they're like, look, I've, I've never contributed open source before. Um, but I would like to contribute a, a translation infrastructure for every string in your system. Like, I, I have got this pull request that localizes everything and I've translated everything to Spanish. Um, and it's 10,000 lines of code. Would you be open to this pull request, which is kind of bananas. So what happens is this person was working in South America and their company was reselling Manermost, but it had to be in Spanish. So this person actually translated all of Manermost the right way. Not hard coded strings, but with the actual infrastructure. Um, but every month, yeah, we talked about why it's difficult to fork Manermost. Every month, we're pushing out new features and innovations. It took them a week to like merge it back in. So, um, it was in this person's best interest to offer that upstream so that we could, you know, put that in the product, make it better for everyone and make that person's life easier. Um, we hired that person. Um, so, you know, that's just a great way, you know, to, to say, because it's a great offer. It's like, well, just stop what you're doing and want to work on the main lane line product rather than derivative. So that's another great path to hiring. Thanks for tuning in. If you found this valuable, don't forget to hit that subscribe button so you never miss an episode. And if you want to dive deeper into this conversation, check out the links in the description to watch the full episode. See you in the next one.