#603 Startups Scale Too Early. The Basics Are Still Broken | Raphael Peyret

[00:00:00] 

Mehmet: Hello, and welcome back to another episode of The CTO Show with Mehmet. Today, I'm very pleased, joining me, and I'm happy you see me, you know, smiling a little bit, little bit when I have someone same my region. So I have with me today founder and fr- principal advisor of SHA/RP, Raphael Peyret. He is based in the UAE, similar like I am.

Um, today we're gonna talk a lot about interesting topics which touch... I was talking about this maybe two to three years ago a lot, and then, you know, with the podcast and many things, it's important topic. Talking about, you know, cybersecurity for startups, talking about also, like, the role of AI, you know, with the cybersecurity and what's happening now.

We're gonna talk also a little bit about product management because Raphael has an experience in that domain also as well, and we will see how the flow will, will, will allow us to, to take this conversation. Without further [00:01:00] ado, as I do with all my guests, Raphael, thank you for being here with me today.

Little bit about you, your background, your journey, and then we're gonna start the discussion right away. 

Raphael: Perfect. Well, first of all, thank you so much for having me. Uh, and it is a pleasure to be joining a podcast with a host that is here in, in the UAE. So I'm, I'm based in Dubai. My background, uh, is product and cybersecurity.

Uh, my whole career has been in, in tech, Google, uh, VP of product at a cybersecurity startup called Harangi Cybersecurity, uh, based in Singapore, from MVP raise acquisition, integration into Bitdefender that acquired us a few years ago. And now I am an independent advisor and fractional executive for other startups to help them with these areas of product management and cybersecurity, particularly in the age of AI that we're-- we can't avoid really.

Mehmet: Yeah, we can't avoid. So, um, let's [00:02:00] start discussion with, you know, cybersecurity and AI threats. So you, while preparing, and of course we had like a discussion with you before, Rafael. So you've compared AI threats to shark attacks versus car accidents, right? So why do AI native attacks dominate the headlines while the breaches most companies will actually suffer are still caused by basic security failures?

Why we always ha- we see the same trend happening again and again? 

Raphael: You're, you're right. Like, every single kind of new, new generation of technology, we, we have the same mistakes. Uh, which is there's hype, all of the focus is going to the new, and we seem to be forgetting that all of the old stuff hasn't gone away.

And for AI, in terms of threats, AI as a tool for the attackers is super interesting, very, very dangerous, [00:03:00] but AI as a th- as an attack surface, when you're thinking of like, "I use AI within my organization," that is a major concern all the way up to the board. And yet the realistic cause or source of most breaches, if you look in the next 12 months, is going to be mundane issues like unpatched systems, unmanaged systems, poor credential management, no MFA.

Essentially the same things that have been the reasons attackers have successfully gotten into organizations for the last five, 10 or plus years, right? And I like the analogy of the shark attack because shark attacks make headlines, but statistically speaking, you're not gonna die of a shark attack, even if you go and swim in, in the ocean every single day.

You're gonna most likely die because of something mundane like a car accident, and somehow those never make the headlines. [00:04:00] And we're seeing the same with AI, where you're gonna hear a lot about security threats like, so the AI specific security threats, the security of my AI, things like prompt injection, model poisoning, et cetera, et cetera.

But nobody's really talking about the boring stuff that, that people still haven't been doing. 

Mehmet: Right. From your perspective, and you've worked with a lot of companies, you mentioned a couple, um, in your intro. In general, what companies still, in your, uh, opinion, misunderstand about security today? And, you know, with the AI in the, in the loop, I would say, what keep repeating, you know, as, as a misunderstanding?

Raphael: Well, I think we've seen a, um, overall for a large number of organizations- The level of maturity in cybersecurity has significantly grown over the last 10 years, in part because of an understanding at the [00:05:00] board level for these larger organizations that this is a critical risk that they need to know more about.

Which means that the, let's say, the level of understanding of cybersecurity at the board level and executive level has gone up. Now, one of the big problems that we see with cybersecurity is that the cybersecurity professionals, often all the way up to the CISO, are extremely technical people, and because they're technical people, they'll speak in the technical language of, you know, cybersecurity craft, let's say.

And that includes a lot of acronyms, a lot of very, very specific detailed things that don't translate well to a business leadership that doesn't understand, like, what does it mean that I do or don't have this XDR sensor? Like, why would I care? Mm-hmm. So that's something that we see, uh, frequently. There has been a level of maturity that's grown, but AI has caused kind of a little bit of a panic where all of a sudden everybody's asking- What [00:06:00] am I doing for AI?

And massive amounts of money and pressure are being put on organizations to transform and to use AI. And so the security teams there are saying, "What am I gonna do with this?" Right? Unfortunately, the response to that is, what am I going to do with this new attack surface? Whereas the real risk is defending against AI-powered attackers, because all of a sudden, like what you have to understand is that cyber criminality, unless you're going to be attacked by nation states, you know, advanced persistent threats, and so like if you're the Ministry of Defense, uh, you know, those kind of things, Google is one of them, then you are a target for those extremely sophisticated attackers sponsored by, uh, you know, states.

So they're, they want to get in and those are really, really difficult to, um, [00:07:00] to protect against. However, for 99% of organizations, they don't care about you. You're, you're too unimportant for them. The risk predominantly comes from cyber criminals that are basically running this as a business. And as a business- Mm-hmm

that means it's like they care about profit, efficiency, you know, cutting costs. And so AI helps them to do the same gains of efficiency and automation that we're trying to get, you know. And if they can do that faster, then even if the attack surface hasn't changed, they're just able to, to probe much faster.

Think about it like you have a house that you're protecting. I, I love using analogies of physical buildings when we're talking about, about, about cybersecurity because you can picture it, you know? 

Mehmet: Right. 

Raphael: You've got a building that you, you were protecting. The building hasn't changed. However, all of a sudden now the attackers can iteratively test [00:08:00] every single door and window every minute And try hitting the, hitting it this way, hitting it that way.

Like, they have so many different ways of automating the attacks. And so that is what people should be concerned about. And again, those attacks are going to predominantly succeed not because of some fancy new attack- 

Mehmet: Mm-hmm ... 

Raphael: you know, that you've found that if you do these 17 things super precisely, you get in.

No, they're just gonna probe until they find a door that's open because there are enough doors open that from a, you know- Business standpoint of these criminals, why would I go and do something complicated when the stuff that I was doing that's simple still works? Right. 

Mehmet: Right. Now, there's one topic, Rafael, which is related to this.

I faced it myself also. I'm sure like now, uh, maybe you're seeing also a [00:09:00] lot. Um, I'm not sure if this is... Of course, like, it's not on bad intention, but when, if I am a, a, a, a founder in the cybersecurity or even if I'm an executive, I'm a CISO, right? So we talk about, you know, these acronyms and how big the budget we need to put in so we are well protected and so on and so forth, and yeah, we talk about these big things like the APTs.

Uh, you know, a- and I'm, I'm, I'm, in the meanwhile, I'm another founder, right? Who I have, I have a small startup and, or maybe I'm a small business owner, right? And, you know, I, oh, what, what these guys are talking about, like, that must be like something very expensive, a lot of budget. I don't have that now. So how really startups should think about good enough security without pre-engineering, you know, the whole thing so early and still being, having, I would say, a level of protection?

Raphael: That's a, that's a brilliant question, and, and often, [00:10:00] uh, founders in small businesses, they find themselves stuck between these kind of two extremes. On one hand, they generally know that they, that they need some security, and so they, and so they might realize that I'm, ooh, I, I don't really know anything here, so I'm probably at risk and I need to do something about it.

And then on the other hand, every time they speak to someone about it, the security professionals will come back with pages and pages of reports, acronyms, and they're going to tell you that you need 17 different tools and a significantly sized team just to do that, and you're like, "But I, I don't have that many people in my company, and you want me to put all of this to do security?"

It does- it doesn't make sense, right? And so, so finding the, the right balance between those two. Now, the reality is a lot of these tools, they're built for different organizations that have a lot to lose, [00:11:00] whereas from a startup's perspective, they don't have a lot to lose yet. And speed and growth are the things that they care about the most.

And so you need to be adding in some security, but realistically, anything that slows down speed and growth, you, you don't want. Like, you don't want a vault door in front of your building if that means that your employees, you know, need to d- put a 17-digit code every time they go in or out. Like, however, for a bank, that's different.

But when you're starting up, you, you need that. So you need somebody to be able to tell you in very simple terms, like, what does this mean? Why are you choosing this level of security? And for me, the most important word is defensible. You're not trying to never be hacked, because if you did, you wouldn't run a business Right.

Because, because- Yeah ... there is always a risk, right? So if you [00:12:00] wanted to remove, you know, the best way to remove risk of getting hacked is you un- you just turn off your computer, right? Like, of course, that's, that's not realistic. So what you want is to be in a place where nobody is gonna tell you, you were negligent, right?

This was, like, you made a stupid mistake. Mm-hmm. So we need to look at that. There are various different things that we can use as baselines. We can look at peers. And you wanna make sure that for the risks that you have as an organization, and again, Google, The Pentagon, they're, they're targeted every single minute of every single day with threats that look very differently to, uh, you or I or, or the small founder, right?

Again, it's the same way that if you have a large corporate building or a b- a bank that has money inside, the attackers, the, the risks are very different from kind of the small business owner, you know, running a veterinary clinic, right? And so we need [00:13:00] to adapt it to that and target specifically, rather than saying, "Here are the five tools that you need."

We need to say, "Okay, what are your risks realistically? Like, if this happens to you, will it kill your company?" Right. And in some cases it's yes, and you need to do just enough to, to, like, meet that bar. In some cases, you're gonna want to do more because, like, you're in a regulated industry. Uh, FinTech, for example, MedTech, and, and of course you need to be compliant because if you don't, you will lose the ability to do business.

You'll have nothing. In some cases, you're gonna want to meet a certain bar to be able to get a certain type of customers. Larger enterprise customers frequently require, you know, compliance certifications like SOC 2, ISO 27001. There are, uh, you know, specific ones for, um, for AI. And so, again, like, your bar there is going to change depending on what you need, and it'll evolve as you go along.

And so you just need to know, like, why do I need this? [00:14:00] Sometimes it'll be I need a cyber insurance. And pe- some people are gonna hate, hate me for saying this. Most times cyber insurance is a checkbox, which means that you're not necessarily caring so much about whether or not you'll be able to claim the money on it.

Mm-hmm. But you need to be able to show it to investors, to customers. Yes, I am insured Right. Like whether or not you're actually, you know, like however- Yeah ... having some levels of protection that you can show to the insurer can lower your, the cost of your premium. So that, you know, again, depending on your, on your situation, you might say, "I'm gonna put a bit of money in here to increase my security and lower my premium a little bit."

Right? So you need to do this kind of case by case, but the basics are relatively simple as long as they are explained in a, in a, a language that is a business language for someone that understands startups. 

Mehmet: Uh, I think on that point of, um, you know, [00:15:00] cyber insurance, l- it's similar to the insurance in general.

Like, um, i- it's very, you know, uh, i- it's very interesting when it comes to cyber specifically because, you know, in, in, in, in, outside of the cyber world when, when you do insurance for your business, so there are multiple levels of it, and there are insurances, like, for different things. Like for example, we had a conflict couple of weeks ago and, you know, there's force majeure and this and that.

So w- this is the trade insurance. But when it's on cyber, it's, it gets very interesting because the premium here, it depends to your point on, on, you know, how these guys, you know, are ready for, for such incident. But if, we always repeat this in cybersecurity, like you don't know until you go and try to uncover.

And this is why, um, I've seen that you recently launched what you call the s- the security diagnostic, right? So it's kind of a- Yeah ... you know, way to, to uncover this. What causes the, you know, you [00:16:00] saw founders think that they are secure, uh, when actually, you know, i- it wasn't? And how have you seen, you know, founders have the ability to assess, you know, what is technical versus what is really business, uh, you know, uh, affecting risk, I would say?

Raphael: So what, what you find really is- People believe that their risks are in the areas that they, that they either know well or that they're, you know, that are hyped in the media. And so you'll have like the, "Oh, I'm scared because I hear some stuff about AI risks." But most of the time what we see is people are saying like, "Oh, I need to do these specific things for security because that's what I'm familiar with."

We saw this a lot with, so I, I used to do cloud security, [00:17:00] and we realized that people were having terrible hygiene on cloud security, the equivalent of leaving their, you know, the doors of their businesses open. Mm-hmm. And yet they were spending a significant amount of time and effort and money on securing other things.

For example, like maybe they were securing their mobile devices. But if you actually look at where the attacks are coming from, that's not where they're coming from, right? So that's some of the things, uh, uh, that we see there. Another thing that we typically see is when somebody is overwhelmed by information, the response is generally to freeze.

And so if I tell you, you come to me saying, "Oh, I'm, I'm sick, I wanna be healthier," and I tell you 17,000 things that you should be doing, uh, you're probably just gonna not do anything. 

Mehmet: Mm-hmm. 

Raphael: And which is the worst possible thing. So the way that I approach it is it starts with [00:18:00] really, really basic things, because if you have multi-factor authentication, you're using single sign-on, like these are things like I'm not reinventing anything new here, right?

Mehmet: Right. 

Raphael: And if you, if you do all of these things, that's already a good base. Then depending on what you're doing, if you're a software company, then a significant portion of your risk is going to be your software, because that is something that is attractive to attackers. 'Cause they can get in and it, it gives them, uh, for example, in some cases a way to distribute within, uh, within others, and this is what we saw with the, like the SolarWinds breach, for example.

And so- 

Mehmet: Mm-hmm ... 

Raphael: so, so that's gonna be a significant portion of risk. So you need to be very specific and look at that. So general layer of like basic things, and then layer on kinda more where it's necessary. But don't just base it off of- Security professionals when cloud came out, it took them [00:19:00] a while.

Like these are the, uh, the mechanics of the combustion engine cars, right? And the, and, you know, an electric car comes in and it's still new. And so they're gonna say, "Okay, I'm gonna change your oil and this and that." And it's like the car doesn't have oil. It doesn't make sense. But that's what they know.

The whole industry, the whole ecosystem is built around this. So, so few people understand that. And so what that meant was few people were doing cloud security. Instead, they were just focusing heavily on the o- older ways of doing things that mostly didn't apply there. Or, you know, you're like closing the door, uh, g- closing the window, but the door's still open just because- Mm-hmm

like you're used to securing windows, right? So, so that's something that needs to be, um, that needs to be l- looked at. Overall, basic hygiene is what's going to kill you first, right? And the basic hygiene of your specific business might [00:20:00] be a little bit more, um, uh Targeted or custom, for example, software, or if you're, if you're running in a cloud.

If you're using an AI model is different from if you are creating an AI model, right? So elements like 

Mehmet: that. Do you s- do you see, Rafael, this happens because sometime it's, you know, in startups there is this race of, you know, shipping fast, you know, getting the product in front of people as fast as possible.

So do you see also people who know that, yeah, this is a bad practice, but yeah, you know what, like let's just get this out and then we're gonna fix this later. Have you seen, you know, this repeated over and over? Yeah, 

Raphael: yeah, definitely. And, and I... You know what? I don't think that's a bad thing. Mm-hmm. I don't think that's a bad thing because-

You're [00:21:00] trying to run as quickly as possible. You need to get feedback, you need to iterate, et cetera. If you're spending so much time on building the guardrails, you're necessarily going to go slower. 

Mehmet: Mm-hmm. 

Raphael: Now, what you need, and you mentioned this before, like good enough. What you need is good enough.

You need something that's defensible, that, that- Right ... if somebody comes, whether it's an auditor, uh, you know, a, a, an unhappy customer, uh, you know, a, a regulator, that they come and they say like, "Okay, you took reasonable precautions." Reasonable i- in relation to where you are and et cetera. Like, so, um, that I think is really, really important.

That's also a low bar, to be very clear. It's lower than most people think at the beginning, right? Yeah, okay, it increases, but if you're doing it little by little, it's not, it's not crazy. Now, if you're a cybersecurity company, [00:22:00] like obviously you need to go relatively big on that from the beginning. Like- Right

but it's different because your livelihood depends on trust. If people don't trust you, if you get hacked, your trust is broken, you know, then it's gonna be really difficult. For most organizations, just spend, like, I'm the first to say to the founders, like spend your time getting business. Mm-hmm. And, and the discussion should be, it's like lawyers in small, in, in small businesses and, and startups, right?

If you take a lawyer from a, from a big business, there, there's gonna be so many things you can't do. 

Mehmet: True. 

Raphael: But if that were the case, m- a lot of startups would never have started because from a- True ... kind of legal perspective, it was not clear, et cetera. There was risk. And so, so this is kind of the same.

The job of the security professional for startups is I need to help you to go as quickly as you possibly can. And that [00:23:00] means, you know, in some cases having some breaks. But the purpose of the breaks is to help you go as quickly as you can around the course, not to slow you down. It's to make you go fast.

And for you to be able to go really, really fast, sometimes you need to be able to, you know, in a very targeted manner, just like slow down to y- you, to make sure that you don't spiral out and crash. That is what you're there for. And that's what the, the role of, of, uh, cyber should be. And, and it is changing.

Like there, there is more and more of a, of ta- you know, cybersecurity is a, is essentially risk management- 

Mehmet: Right ... 

Raphael: in, for cybersecurity risks. It used to not be thought of like that. It is increasingly thought of like that, but it's still taking a lot of time. And if you think about it from a risk management perspective, that means that it's not getting hacked or not getting hacked, this binary scenario that matters.

It's- How likely is it that I'm gonna get hacked? What is the impact [00:24:00] to me if I do get hacked? Mm-hmm. And that combination of things is g- is gonna tell me. Like, if I'm on a plane and there, and there's an issue, it's gonna be really bad for me, but the likelihood is so low, so that's fine, right? Like, so, so you need to think about this in, in, in these terms, and done well, you can realize that actually there's, there's quite a long, a large margin.

Mehmet: Right. Now, of course, people, uh, are hearing about how the bad actors are utilizing AI and at the same time, uh, hearing about how AI is being utilized in, in, in cybersecurity solutions. So where do you think AI is genuinely, you know, could be improving security operations versus just noise and just adding another unnecessary solution on top of what we have already?[00:25:00] 

Raphael: O- one of the areas I find the most interesting, uh, where this is being used is, um- Proactive cybersecurity, and so there's preemptive. Uh, there are a few different terms that, that cover this idea, which is to say what can you do before the attack even starts to reduce your risk? And so there are some really interesting things that you can do with AI because AI is a, essentially a prediction engine, and you can close all the doors that your users are not using, and that blocks the attackers without blocking the users.

So that's a really interesting use case where that can really, really help because what we found with cybersecurity is if you make it too difficult, people find ways around it, right? One of the big reasons that some people get breached is [00:26:00] because they turned off the system, right? Um, you know, pa- you, we've probably all seen passwords that are, because it's too difficult to remember the password that you need to change every three months, uh, you're gonna put it on a Post-It on your, on your screen, right?

And so it needs to be easy, and AI can help to find that space where you're still blocking attackers quite a lot, but it's not bothering the business. I think that's the most interesting one that, um, that I see. 

Mehmet: Right. Let's jump, you know, to another topic and change gears to talk about, you know, um, founder execution and little bit about product also as well.

So, uh, you know, there's a lot of things which, uh, you know, uh, I would like to discuss with you. Let's, let's see. But, you know, the... I felt like this is, this one is very, very important, like, um, about [00:27:00] hiring, um, sales too early, right? Um, why do startups repeatedly try to scale, go to market before even they have figured out repeatable sales and positioning?

Why this keep happening?

Raphael: I think there are a couple of factors that, that, that, that, uh, come into play here. One is that startups essentially are measured by their growth, right? Like what's the difference between a small business and a startup? A startup is they're growing and they're growing fast, and the whole point is it needs to grow quickly.

And so for that, people are always looking like a few steps ahead, and so they're trying to race to the, to the end. And sometimes that means that they, they take what they think is a shortcut. The, the real risk with that is that if you haven't solved some of the basic things, that shortcut is scaling something that doesn't work.

And so this is what we see a lot with often it's going to be the first salesperson, or it's going to [00:28:00] be pouring more and more money on marketing, right? Performance marketing. When what you're pushing out hasn't been validated, doesn't really work. And so if you're lucky And you scale. You, you know, you'd figured it out by chance and you scale.

You go really, really fast. The problem is that when you don't, then you're, you're just rushing against a wall. Specifically with the example of sales, what people don't always realize for kind of, uh, early stage founders is that the salesperson is not going to teach you how to sell Right? So a lot of these founders, they're like, "Well, I'm not a salesperson, so I'm gonna hire a salesperson and they're gonna sell my product."

But a salesperson, their craft is you give them a deck of cards and they, in [00:29:00] front of a specific other player, will read how to best play the cards that they have against that other player. And so that means they need to understand what the needs of that customer are, uh, what motivates them, who else they need to include, and so all of these things.

So they're playing different cards. But they are a player of cards, they are not a creator of card games. And the challenge is that you're gonna have founders that haven't fully figured out what those cards are, and so those cards are gonna be like, what are the things that people care about, about what you're building, that will make them buy?

Right. If you don't have that, if your cards basically are completely unfinished and you don't really know... The salesperson are gonna come, and they're gonna try, and they're gonna fail, and they're gonna get really angry, and you're gonna get really angry, and they're gonna leave. 

Mehmet: Mm-hmm. 

Raphael: Right? And it's not because they're a poor salesperson, although you, you as [00:30:00] a founder might think that.

Generally, it's because you, you weren't able to give them those cards. That means probably that you haven't done enough of the sales yourself. You haven't understood what matters to the customers in a repeatable way so that you can say, "When I see this customer, they have these problems. This is how I talk about how we solve those problems.

Here's how I can prove that our product actually solves them." Right? And so, and so now, okay, you've got, you've got a card. You add those cards, you layer them in, and once you have been able to sell yourself, then you can bring someone in. Or you need to bring someone in who is somebody that does that zero to one, and it's a different- Mm

it's a completely different mindset. They are the creators of the games. And, and in, in marketing, um, you actually have different roles for that, right? And so when we think about marketing, the [00:31:00] majority of people are thinking about the marketing professionals that take a message, they adapt it, tune it, optimize it for a specific channel, audience, format, right?

You know, optimizing, et cetera. But the core message, the core positioning, they're not the ones that come up with that. Right? Again, they are the ones that are distributing and optimizing for the distribution that they know, right? Mm-hmm. I know social media really well, so I'm gonna tw- tweet that, and I'm gonna, you know, take that message and use these influences, et cetera, right?

I do field marketing. I know which events to go to and put the... But what message to send, that's typically not the job that they do. And if you think about it in terms of like scale, there are a lot fewer people that do that job, right? Which essentially is product marketing, right? Figuring out the positioning, figuring out the [00:32:00] messaging, then the people that then distribute it.

And so naturally, when you think of marketing, you might not think about this distinction. And by the way, you don't necessarily need a person that has that role full-time, et cetera, but you need to solve the problem. You need to deliberately do the step of figuring out what your positioning is, what your messaging is, proving it in some way so that then when you give it to that person, they have something, you know, that they know will work, right?

Because the biggest problem is that you're, you know, you're looking for oil, but you don't know if there's oil here. You don't know if your drill can get to the oil. And even if, if you can get to the oil, you're not sure that you could pump the oil out. And when you're in that case and it's not coming out, which of those problems was the s- was the cause?

So instead, you need to validate it. You'll, you know, you'll do a little test well or test thing. You'll go to [00:33:00] somewhere that you know there's already oil because someone else is already there. You'll test it- Mm-hmm ... you'll know like, okay, this thing works. Now grow it, you know, duplicate it, scale it. That's the job that you're gonna give to, you know, performance marketing and to the salespeople as well, right?

So different jobs, and you need first to make sure that you nail that, that first bit. Enough. Like, you... I'm not saying that you need to optimize everything. No, no. Mm-hmm. You just need to hit some oil and know that these other pieces are working within this environment so that when you transpose it- You're only changing one variable at a time, and y- and you can, you know, tweak it.

I know that this message works for this type of customer when I'm talking to them face to face. So there is a logic that I should be able to find a way to get that message across through social media or, um, through ads, right? I know that they wanna buy, they've bought from me, et cetera. I know the [00:34:00] t- the words that they use.

Now we can tweak, et cetera. Once I've done that, then you can say, "Okay, I'm gonna try the same channel, but I'm gonna tweak the buyer a little bit. I'm gonna bu- a company that's a little bit bigger, or this is slightly different industry, or where the, the person, the buyer persona is slightly different.

It's not in the same function." You know? But you don't change everything at once, otherwise you, you can't point to what's wrong. If you're lucky, great shortcut, but most of the time you're, it's gonna take a few tries before you, you, you know, you create your own luck. 

Mehmet: Right. I know you, you, you call this, uh, you know, building the fifth floor before the second, like, which is the shortcut mainly.

So you talked about it from, from the sales perspective. Um, where else you see founders making mistakes, like when it comes to the product itself or maybe engineering teams? Anything you can share?[00:35:00] 

Raphael: Again, similarly, when you're thinking about When you look at successful companies, particularly successful software companies, you look at them, you'll say like, "Oh wow, they're so successful. They do all of these things." And so for me to be successful, I'm gonna copy that and I'm gonna do... I, I don't necessarily mean copy that specific feature, but I am going to do all of these things.

And the problem with that is that that's not how they got there. That's what you're looking at today, right? First, you need to figure out the core issue that you're solving. And so in product management, what that means is you need to go out, you need to go talk to customers, prospects. You need to be able to get the right insights from them.

That means that you know how to do user research, that you are not completely biased in how you interpret how people are answering your questions. You know, you never go and ask somebody, "Do you like this?" [00:36:00] Because they will say yes, because people like to please other people, right? So, so these kind of things, but the typical problem that we see is people adding features too quickly instead of stopping and solving the core problem.

Like what-

What is the pain that is so acute that you're speaking with them today, and that if you can solve it for them, they will buy your product? Then once you have them on board, of course they're gonna be asking for other things to make their lives easier, et cetera. But those other small things are not why they bought your product originally.

It's not the core problem that you're solving. And so product management is essential to help you to understand that, right? And without product management, you have this idea of like feature factories and some kind of poor product management also goes into that. Or you're, you're producing output [00:37:00] nowadays so much more with the, uh, you know, cost of execution or development of software going down because of- Mm-hmm

of, um, you know, AI, agentic engineering, et cetera. First you need to make sure that you have nailed the core. You know, like the reason that- Uber is Uber is not because of, like, all of these million things that they do in the app today. 

Mehmet: Right. 

Raphael: Okay? They, they nailed one problem. And that's what you as a founder you need to do first.

You nail that one problem for one group of people, and you do it well. And then as soon as you have that, yeah, grow, grow quickly, expand, test, et cetera. But, like, do it once you know that there is something there. You know that there's oil there. Start drilling everywhere. Fine. Right? But don't skip that piece.

Mehmet: Absolutely. You know, um, there is, uh, the professor, [00:38:00] uh, in Stanford, uh, uh, Steve Blank, so he, he's, he's like a very well-known adjunct professor at Stanford and, you know, he, he talks a lot about, you know, the same mistakes that usually founders they do, uh, where they think, "Oh, okay, let me just add just, just this one feature," or, "Let me just do this one small tweak and, you know, like, the customer will go buy."

I'm, I'm repeating what you're saying because I think this is... A- and back to something you mentioned couple of minutes ago, like, when someone say, a founder say, like, "I, I'm not a sales guy," right? Actually, it's not about being, you know, quote, unquote, "sales guy," just, you know, about being able to ask question and uncover, like, what is, what I'm building or what I have built solving a pain for the customer, and they're willing to, a- again, I'm quoting little bit from the book of, of the Professor Blank, and, and, you know, just making sure that they gonna pay for [00:39:00] the solution that you have put there.

And then you know by asking them if actually they were looking for this solution because if they have pain and they have been looking for solutions, so probably they have money to spend also as well, and you focus only on, on that one specific problem. And then of course, like, in the world of a, of, uh, startups, you know, once you, as you said, like, once you mastered one, this single use case, you jump to the other use case and this is where the, you know, growth happen, and we call these startup, they cross the chasm, and now they, they are into, you know, the hyper-growth phase.

What surprised me, Rafael, really is although, like, there's a lot of literature there, there are a lot of people like you, me, you know, there's a bunch of people, we keep see this happen. I'm not sure is it, like- Something related to, um, to, to the psychology of being founder and, you know, being under this pressure to try to, to get these things out.

[00:40:00] Um, and o- one thing which I also saw is sometimes where the founders, they become, especially if they are solo founders, they become bottlenecks. Um, how to avoid, you know, being the bottleneck as a founder and making sure that, you know, all what we talked about, uncovering the pain, talking to the right customers, and focusing on that one single thing, stay on track.

Raphael: Well, I think the bottleneck one is an interesting one because at the beginning, the founder is the one that is doing all of this work. Often, you know, for, for founders that have industry experience, which is relatively frequent, in a way the whole, you know, pitch is, "I know this problem space better than most, and that is why I'm going to solve it, because I know it."

That doesn't scale. So how, once you've gotten that initial traction, can you create a system where it will continue to [00:41:00] grow like that without you being required for every single piece? And the good news is that there are systems, like product management. Obviously, I'm a believer of product management, but I'm a believer of product management because it works.

Like, if there was something other, uh, else that would be better, I would not hesitate to go and d- you know, do the next thing. Like, but the key about product management is that you're trying to create a system where you can make sure that you are producing outcomes that matter to the business, which are generally the outcomes that are improving things for customers, right?

The best way to grow your business is to make customers happy, right? So, so it's not always 100% aligned, but it's generally very aligned, right? And so the examples I can give where it's not aligned or, or in some cases where you're going to be trying to optimize for revenue, for example, slightly larger and, and sometimes at the cost of, of the experience of customers, right?

Like, you're just optimizing. [00:42:00] Generally speaking, it means that you are trying to do what the customer wants. Now, doing that when you're not an expert in the field with all of that experience Is going to be difficult. What often happens is they're going to either not hire a product person, or they're gonna hire a junior product person.

And that first hire is gonna be a little bit tricky because they used to be controlling everything themselves as a founder, and that means that the decisions of what to build and why relied on their knowledge and their... Right? The really good founders, they're the ones with the, the ones that are listening the most, right?

So they realize that they don't know, and in fact, it's why you find some founders that are extremely successful in fields that they didn't know anything about because they obsessively listened. They went out and got more information, et cetera. [00:43:00] There are ways that you can build that into the, into the system of your organization.

Properly done product management will take in a number of different inputs, which include the founders', "I think we should do this," which might include ideas from engineering, which might include requests from customers or customer success, things that we've seen going on in the market, a high level strategy of where we wanna go.

You take all of those things, and you systematically evaluate them against what it is that you're, that you care about, and you do that in public so that the salesperson understands why you're not doing what they're asking for for this customer because it comes at a cost of this other thing. Like, if you do it well, the fact that it's transparent, the fact that you're kind of putting all of these ideas at the same level, right, is what's going to allow you to, again, in a systematic way, offload what you used to be doing as [00:44:00] a founder of deciding what to build and making sure that all the teams are aligned on this to the system of product management.

Mm-hmm. Right? And, and I say the system because once it's well done, like, you can swap pieces of the system out, right? It's no longer dependent on you. You can grow it. You can hire more people. People come, people leave. You know, like, it's bigger than you now. 

Mehmet: Absolutely. One, one question here, because you mentioned about, you know, um, you know, hiring and all this.

So is there any time where it is still early to have a proper product management structure into the startup, or at the same time, when is it too late to, to, to do this? Because, you know, you tried to figure out it to, as a founder. You said, "Yeah, I can figure it out myself," and you were trying a bunch of things without the system that you just mentioned.

So when it becomes, [00:45:00] you know, very late to come and fix, uh, the unfixable now?

Raphael: It really depends on how... On the founder. Some founders, some founders are product people. Some founders think like product people. Like, I don't believe that product is something that you, it, it's a, a title. It's a way of- Mm-hmm ... a way of thinking about these problems, way of approaching these problems, and it comes with, it's a cr- I call it a craft because, or a technical job in the sense that there are techniques.

There are tools. Mm-hmm. Just the same way that the woodworker uses a tool, the product manager has a number of tools that they'll use on different cases. You don't need to have a title of product manager to do that. Many good founders have that, and their product is the company, right? So ev- for in my mind, every single founder is at heart in some form a product person, the [00:46:00] product being their company.

Now, when we're talking about like software products, et cetera, the... what we often find is a mistake is when the engineering team start to get too big and there's nobody that is facilitating communication, alignment, goal setting, prioritization between the people that are building and everyone else, right?

And everyone else, sometimes there are salespeople involved, sometimes not. So it, it, it, it can vary quite a bit. One thing that I would note is that the role of the product manager is changing a lot. A lot of the good product managers today, they are thriving because they can now do a lot more themselves.

They can do prototypes really quickly. They can put together some, um, some wire frames. They can even vibe code some things, right? Like, super powerful. Like, I don't think we, we really understand where that's gonna land yet. But you need [00:47:00] some form of product mindset from the beginning. If you don't have it, bring in some help, right?

In whatever form, in, in whatever form you can find, right? Like, and, and this goes from everything from, uh, you have an advisor that you can call or you speak to periodically. Uh- Right ... another founder that you know that has the product hat that can, y- you know, um, uh, hiring somebody that has done it before.

I, I'm a, I'm obviously a strong believer of the fractional model, which in, in my sense, fractional model is you're solving this step function of the only solutions that you have to get- Senior experience working for your company in specific domains, like the product domain, right, is to hire somebody full-time.

Like, you've got an advisor and you'll get maybe an hour here or there, or you'll, you'll have somebody from, on your board, or you- you're, you're gonna have some people from your investors. They've seen how others are doing it, so they can share best [00:48:00] practices. And so that's a tiny little bit. And then all of a sudden you become large enough that you can have a senior product hire that has done this many times before, that understands the craft and the building and the system and, and things like that.

And the fractional model allows you to kind of bridge that, because you can say, "Well, at this stage, it doesn't make sense for me to hire this person, and also I, I probably couldn't." But having them the equivalent of, say, one or two days per week, right? I say equivalent because it's, you don't want them there one day.

You want them, you know, it's like whenever you need them. But there, that's something that's really valuable bec- because your need for that product management does not look like a step function, even though the solution to it in terms of h- which is hiring, looks like a step function. And so, so that's, uh, what I think people should, should look at.

But basically go and get help in the areas that they want. Product, the, the tricky thing about product is that it's not clear that it's a craft. A lot of people think that they can do it, and they probably could if they put [00:49:00] enough time and effort and learned the tools, right? Like a lot of engineers, by the way, think that they could sell.

Selling is easy. Yeah. Building software is difficult. Well, you know what? Like, selling is a craft too, and it's- Right ... you know, and it's quite hard for a lot of, uh, for a lot of, uh, you know, engineers, technical-minded folks, et cetera. So if you need help in whatever area, you know, go and find it. 

Mehmet: Right. There is one thing just before, you know, I, I try to start to wrap up things here.

Um, y- you mentioned this in the sales, you mentioned this in the marketing, you mentioned now this in, in, in the product also as well, which is all, like, comes to the same point about, you know, trying things and, and see what happen. So there's a difference, and I know you talk about it, between, you know, motion and progress, right?

So h- how me as, as a founder, leader, you know, I can differentiate whether, you know, this is, like, move the needle, like, little bit, maybe it was [00:50:00] a failure, maybe it was wasted time and, and resources. So how do you define this, this difference between motion and progress? 

Raphael: Um, I love this one and, and, and, uh, the analogy, I, I love thinking in analogy.

The analogy that I use is if you think about the difference between an Olympic swimmer and someone that's drowning, they're both putting in a lot of effort. 

Mehmet: Mm-hmm. 

Raphael: So there is motion. They are both moving their l- their arms and their legs. They both have the same goal of, you know, moving forward, and yet, you know, one is near death and the other one is a, a super athlete.

The difference comes down to understanding the, the, the sequencing. It's not just moving randomly, and when we see a lot of these cases like sales, like marketing, et cetera, where people [00:51:00] are basically, they're jumping ahead. They're thinking... They're there in the water and they're saying like, "I am going to swim as fast as I can to there."

And so they, so they're gonna move and they're gonna put a lot of effort. Instead, what they should be doing is they should be deliberately breaking down, my objective is to go there and is to go there fast. In order to go there and go there fast, what do I need to do before? That is a concrete goal that I can achieve.

Well, I'm gonna need to go there. If I go there, then I can go there fast. Okay. Then if I need to go there, what do I need to do? And so you basically, you bring it down step by step by step by step by step by step. And now instead of going straight for the goal, where as I was saying earlier, it's really difficult to know what's wrong unless you get lucky and noth- nothing's wrong, right?

And you get down to something that's very, very specific, very, very close to you that is something that you can work on and that you can demonstrate. It needs to be something you can, you know, prove, and it'll be different and it'll [00:52:00] change all the time, right? As soon as you get one, you know, like your objective if you wanna be an Olympic swimmer is first is like, I need to be able to be in the water without dying.

True. Goal. Check. I need to be there able to for two minutes to be in the water without dying. Then I need to be able to do it for five minutes. Then I need to be able to do it for 10. Y- you know, and okay, and interspersed with that you're gonna say, "I want to be able to move forward in the water." Right? So maybe you're gonna do a separate thing, a course where you're like somebody's gonna show you and, and you're not at risk of drowning.

It's a very na- you know, shallow pool, but you are focusing exclusively on moving forward. And there you can get that feedback loop where you will make forward progress. And so basically what you're saying is that by having these very, very clear, deliberate sub goals or gates, you know, walk before you can run, put the first floor, et cetera, right?

Break it down and then you can put all of your focus on that. [00:53:00] And that's what you see i- is where like success is going to come because everything compounds, right? Right. Like, you, you can see that the fastest way to swim is not just to try. Like, it's going to be like, if you do that, maybe you'll do it really quickly from one.

Some you realize that you sliced it too thin and you immediately got it. Some were really, really hard and you've tried and not made progress. If you've tried and not make progress, maybe there's something there that you've missed, then you need to find something in- intermediary. Right? Okay. You know, what is that?

Find what that is 

Mehmet: Right. This is-- I like your analogies, uh, Raphael. I think this also makes it, you know, easier for anyone- Mm ... especially for founders who we are trying to help here, um, with your, with your, you know, really words of wisdom, I would call them. You know, to, uh-- We know it's not [00:54:00] simple, we know it's not easy, we know also, like, the, the pressure, but the way to do it right is to, you know, break it down in pieces so you can...

And you, you mentioned something which I like, you, you know, personally also about the compound effect also as well. So this is, you know, the way to do things. And back to the example of Uber you just gave, like, because if these guys, they wanted to to do, like, the whole thing in one shot, probably they would not ever, you know, have existed, you know, the way they have existed today, and they start with that specific use case.

And just as a reminder also as well, they started just in couple of cities. They didn't go and say, "Hey, we're gonna be in every state, in every city in the world." So they start, they just start in couple of cities, I think in San Francisco and New York, and then they start to expand, and then international.

And by the way, people think- And even 

Raphael: types of international. Like, it's different. Yes. Like, you see the behaviors here- Right ... in Dubai, the UAE, is different to the behaviors that you have. And so [00:55:00] if you have all of these variables at once, it's just too difficult to solve for. 

Mehmet: You cannot manage them easily, simply.

By the way, and people, they think, oh, like, this is apply for B2C, maybe it doesn't apply for B2B. No, it's not-- I- it's the same thing because, you know, there you need to find that first, of course, in B2B it's the-- it's actually harder, and you need to go, like, more niche because you need to find the early adopter, the guys who are willing to try something new, and then you need to uncover their, you know, pains, and, and then you go specific try, I would say vertical maybe.

So you just say, "Okay, you know what? Let's try healthcare or maybe let's try f-finance, uh, financial institutions." Or, you know, like, this is the way. And then once you have this, then you have the repeatable business, and then you, you, you grow it. And, you know, when, when it comes to go to market also, like, because similar to you, like, I try to, to help other founders, it's the same story, right?

So, uh, let's get, let's get all the big logos. No, man, you can't go big logos because actually, in fact, [00:56:00] you don't have enough support to go and, you know, serve all these, you know, big enterprise at the same time. If you get, like, 10 tickets, who gonna look after them, right? And they're gonna complain later, oh, you have bad support.

Just do it step by step. Accept, you know-- And I think what people miss- Is that, you know, like once, you know, you, you cross that, you know, that step, the chasm, you know, we call it crossing the chasm. So you gotta see yourself like accelerating. You gotta be the rocket ship if really you have the right product, you have the right, you know, engine.

So y- you know, all these are like things I like also to discuss, and thank you for bringing that up today, Raphael. As we are wrapping up, maybe final things you want to share and where people can get in touch. 

Raphael: Uh, first of all, I think to all of the people founding, I think it's brilliant. We need more of it.

It's extremely, extremely difficult, so I feel for you. Like, there is nothing more difficult than starting something new because you are going to fail in so many [00:57:00] ways before you find the thing that works. And it, and it's not like p- you, you imagine it as a single thing. It's like in every single domain.

It's going to be in hiring, it's gonna be in sales, it's gonna be in your product, it's gonna be, uh, you know, you mentioned, you know, customer success, everything. And so, uh, thank you for doing that, right? Hang in there. Um, I'm happy to help. You can reach me on, uh, LinkedIn is the easiest, or on my website, uh, Sha-RP, S-H-A dash R-P, my initials, .com.

Uh, and on LinkedIn, R-P-E-Y-R-E-T. And, uh, I can help 

Mehmet: Great. I will make sure that I will put, um, the links in the show notes. So for people who are listening on their favorite p- podcasting apps, they can find the links to Raphael LinkedIn and social profiles there, and also to, to the website, or if you're watching this on YouTube, you'll find them in description.

Just, you know, on, on the point about, you know, it being hard, I have an advice, like, uh, there's a book that I read-- I, I wish that I read [00:58:00] it, you know, when, when it was out, but, uh, it's called, uh, The Hard Thing About Hard Things by Ben Horowitz, who's one- Yeah ... you know, of the founder of a16z, uh, Andreessen and, um, Horowitz, which for people who doesn't know, they're one of the biggest venture capitalists in the world, and they, you know, they, they were both at Netscape, so, um, uh, Ben worked for, for, uh, you know, uh, Andreessen.

But anyway, so you go read this book, and you know, when you read this book, uh, you know, as a founder, you figure out, oh man, really, is it that tough? Read this book. Before you start a startup, go read this book because just you kn- you understand what you're gonna go through, to your point, Raphael. But I think founders today are lucky because there are a lot of people like yourself, Raphael, who saw it all, saw up and downs, right?

And, you know, plenty of other people who are out there for help. So reach out to advisors like Raphael that, you know, I'm sure their experience would help you. Again, Raphael, it was a pleasure to talk to you on, on the show today. I really appreciate the time, [00:59:00] and this is how I end my episodes. This is, this is for the audience.

If you just discovered us by luck, thank you for passing by. Give me a favor, subscribe and share it with as many people as you can, because we're trying, as you can see, educate, help, and reach as much people as we can. And if you are one of the people who keep coming again and again, thank you very much for the support.

Thank you for the messages, for the feedbacks. Thank you for keeping the show running by supporting it through listening or watching, and I can see the numbers. We are always trending on the top-- Apple Top 200 podcast chart, different countries, but this is something growing since last year, which I'm very grateful for the audience for that.

And as I say always, stay tuned for a new episode very soon. Thank you. 

Bye-bye.