Snyk CEO Peter McKay: Security buyers want platforms, not pieces

"When you have way too many companies chasing way too few opportunities, you go through a cycle like this and only the best will survive." McKay thinks Snyk has found a path forward.

Snyk CEO Peter McKay (Credit: Snyk)

Peter McKay realized at some point last year that he had to shift into a "wartime CEO" mentality.

For many years technology buyers and investors had assumed security companies were somewhat immune to macroeconomic forces, given how important their technology has become for anyone trying to run a business on the internet. That mentality ended abruptly last year as those businesses realized they had to cut costs to survive in an era of rising interest rates, forcing even security companies to confront the fact that things had changed and they needed a consigliere with a different approach.

Snyk went through two layoffs in 2022 and 2023, but in a recent interview McKay said he believes that the company, and the industry, has turned a corner. Its focus on developer experience — building helpful security tools that can be plugged into applications in the early stages of the development process — won converts among rank-and-file engineers, and a focus on integrating those tools into a platform impressed business executives who were tired of spending on dozens of piecemeal tools.

"When you have way too many companies chasing way too few opportunities, you go through a cycle like this and only the best will survive," McKay said. Snyk is expected to go public once tech investors re-open the public markets, but for now, McKay is focused on integrating recent acquisitions like Helios into its platform and fending off observability companies who would like to steal some of his business.

This interview has been edited and condensed for clarity.

There was a mentality two or three years ago that security was different — recession-proof is always such a terrible thing to vocalize, because nothing is really — but there was an undercurrent of thinking across a lot of places that security wasn't a nice-to-have, it was a need-to-have. While that is still true to some extent, security companies obviously have seen a reset like a lot of other software companies. What changed from your perspective?

In total spend, it continues to go up. I think what [happened is] CISOs at large, mid-to-large companies were trying everything, and they didn't know what the shift was going to be like.

I'll give you an example. In our world, it's application security. For years, [CISOs] used these kind of legacy solutions that were always after the fact and more runtime. We came up with this developer security category, embedding security earlier in that software development lifecycle, and it was a very new concept. And so [they were] like, "OK, I'll try that, and I'll keep the old [products]."

Then the market goes through this correction. And so where everybody kind of bought two of everything, [now they were] like, "OK, let's take the better of the two."

Security has always been so fragmented, all these little point products that do all these pieces. And what's happened is companies are gravitating to more platform-based [products], where I can get more from one company that can pull some of these pieces together. We've had a fully integrated process, but we've also made eight acquisitions to bring all these pieces together that make it easier for customers.

So I think that's the driver: What could you do to have a better customer experience? When they have to pull all these things together, that's not a good experience. But if you could do that for them, integrate all these pieces in a painless way in a high ROI way? That's what I'll do.

I wanted to ask you a little bit about the acquisitions, because you're just a couple weeks removed from the Helios deal. Sometimes acquisitions are strategic in that you know you want to grow into a certain area. And sometimes acquisitions are like, "Oh, wow, we can get that? That's something we can add for a price that makes sense for us?"

I've been trying to get a sense of how things have gone in security with some of these deals, as a lot of companies are looking for the exits. With respect to the eight startups that you have acquired over the past however many years, how much of that was the articulation of a platform strategy, versus, this is such a good use of our cash?

We have a vision three to five years out. We have a team of people just scouring the market that can look for teams and technology that can accelerate that roadmap, that can take that four-year vision and make it three years or two years by way of an acquisition. Most of what we've done are team and technology [deals] to accelerate roadmap. That could be a depth play, meaning a gap we have in our current product that this fills, or it could be a new product that will combine with something we're building and accelerate the market.

We've done that with two of our products: AppRisk, which is our newest product that was in Enso, and Helios, acquisitions that allowed us to accelerate that product out a year earlier than what we originally planned if we were building it ourselves.

Rarely do we say, "Hey, this is a fire sale for a company and we can pull it in." That isn't our priority. We still stay with our priorities, and we'll pay more for the ones we absolutely need rather than bargain shop because a company is for sale, because every company is for sale at this point.

I'm just wrapping up a story about observability vendors who are looking at [security] from the other side. Do you see that as a race for that middle ground? Do you need to become more of an observability company faster than they become security companies?

We have that dialogue quite a bit. I think one of the things we've tried to do is we partner with a majority of the observability vendors to get their data into us so we can prioritize the fixing [process] for developers. We also feed information from our solution into Dynatrace, for example, so I think there's a good bidirectional [flow].

Our view is we know how the application is built from the developer.… We know everything about that app. We know all the assets surrounding the app, the complete kind of inventory of all the bill of materials that go into that app. And so we believe that it is a position of strength to go right, [rather] than it is to go [from] right to left.

(Editor's note: "Shift left" became a rallying cry over the past few years among tech vendors who want customers to incorporate their technology earlier in the software development cycle, or to the left on this flowchart of that cycle.)

Do you sell to CIOs or do you sell to engineering managers?

We are the first and the only company that has ever had a PLG (product-led growth) motion for security. When we started eight and a half years ago, it was always around the freemium, try-it-before-you-buy-it [model]; it was very developer-centric. In the first two years, all we did was provide a free tool for scanning open-source code for vulnerabilities, and that taught us how to optimize that experience for developers.

Four and a half, five years ago, you started to see increasingly the dollars and the spending would come in from security budgets. So then we started this top-down motion to complement this bottoms-up inbound motion, to go through security [buyers]. And that really kind of turbocharged our business.

What's happened over the years is we became this bridge between developers trying to develop faster and faster and faster, and security teams trying to make sure that they can keep up and manage risk and do it in a secure way.

Every company in the world, every CEO is trying to get more productivity out of developers and generative AI is turbocharging developer productivity. There is this gap between developers who are building faster and faster in generating more code that is more flawed and more vulnerable than non-generative AI code, and security is just trying to keep up.

There was a report recently that you're considering filing for an IPO sometime coming up. Last year you said that you've done the groundwork to lay the foundation for that event, and obviously, the last year from an IPO perspective has been pretty much closed. Where do you stand right now?

We've watched the market. We're watching where the next round of IPOs are coming in and seeing how they do. I mean, obviously, you've got the election in the middle there so I think everybody's a little worried about what the implications of that could be on the public market.

And so I think we're just watching. We've raised enough money to pick our time. And we'll see enough companies go in and check and see if the water is warm, and then at some point we'll make the move.

We always saw ourselves as a public company. But I think we're in a fortunate position where we can actually pick that timing, and that's kind of what we're doing.