Founders on Fire: Tim Hinrichs, CTO and Co-Founder, Styra Founders on Fire Podcasts Posted by Jon Howell | 29/03/2021 Today we’re catching up with Styra, our winner of the 2020 Containers Trailblazers category. Tim Hinrichs, CTO and Co-Founder at Styra, talks to Chief Trailblazer Rose Ross about how his journey from academia and a focus on declarative languages at Stanford led to the open source authorisation solution, Open Policy Agent (OPA), which is currently bringing Styra such great success. Learn more about OPA and what the enterprise version offers above and beyond the open source product, discover the origin of the company’s name, and find out how it’s their customers that are the key to driving the firm’s progress. Styra not only won the Containers Trailblazers Award in 2020, but Tim himself was runner-up in the Male CxO category, leaving him in the perfect position to give two tips for a successful startup. Listen to the full podcast here: You can also listen to the podcast on YouTube or Anchor FM. Interview transcript Rose Ross: Welcome everybody to the Tech Trailblazers Founders on Fire podcasts. Today we are talking to Tim Hinrichs who is the CTO and Co-Founder of Styra and one of the guys behind the Open Policy Agent OPA, which has recently graduated within the CNCF. Hello Tim, thank you for joining us. Tim Hinrichs: Hi Rose, thanks for having me, it’s great to be here. Rose Ross: Fantastic. So, we’re just going to talk a little bit about how you came from academia, through into the world of a big corporate, and then out that other side into Styra and the formation of that. So, perhaps you could tell us a little bit about that journey Tim. Tim Hinrichs: Yes, so back I did my, as you say, my doctorate work at Stanford in Computer Science, but I focused on policy languages, declarative languages, most people don’t even know that’s a thing that you can do, but yeah, that’s what I focused on. Then, as you say, I worked as a postdoc for a number of years as well. But what also happened simultaneously was that Nicira’s, one of the Nicira’s founders, remember Nicira was known for software-defined networking, for coining that term. So one of Nicira’s founders and I knew each other at Stanford, and so at the same time as I was doing my postdoc work, I was also working with him in Nicira in the early days, because in the early days in Nicira it was really a company designed around the idea of policy-based networking solution, right, you write some rules about what packets can move around, and then the software goes ahead, and it implements and enforces that automatically. So they needed a policy language and that’s what obviously I’d been studying for a number of years. Anyway, so I knew the Nicira folks back then, and then a few years later decided to go ahead and join back in with Nicira more formally, like we back then moved into industry, and that was about the time that Nesera was acquired by VMware. So that’s how I ended up in VMware working on the same kinds of problems I’d been working on forever. Then at VMware it turns out that we were talking to a number of Nicira’s clients at the time, they were financials and tech firms, and what they told us was that they all had hundreds of thousands even of applications, and what they had to end up building was a sort of unified solution of policy for all their apps, that was just how they found that they had to manage authorisation of policy for all those apps. And so what they said was, ‘Could you go off and build a solution, a unified solution of policy for us?’ because they didn’t want to do it, that wasn’t their core competency, it wasn’t what they wanted to spend time on. So anyway, then we started up project inside of OpenStack at the time, that was what Nicira was very comfortable in in the open source world, and so we worked on that for a couple of years but then we realised that this problem of unified policy, unified authorisation, was one that was going to be not just an OpenStack problem, not just a VMware problem, it was a problem that spanned all the different technologies that people are using, especially in this cloud-native world, this DevOps world, this microservice world. So that’s when we went ahead and started Styra, so that’s kind of the founding story, I guess. Rose Ross: Fantastic, that sounds good. So Tim thanks for sharing that interesting journey, which was quite fortuitous really, wasn’t it? So coming through post-doctoral stuff, coming across Nicira, and then that obviously being acquired by VMware, and the also finding this groundswell of interest in authorisation. So that’s great. Looking back at that, let’s have a look at perhaps the technology side of things. So you’ve talked a little bit of how you came up with the idea, and what the push was from the users in your conversations while you guys were at VMware. So, tell us about your co-founder and what you’ve been up to, because I understand that the technology is both an open source project, the open side of things, and then a commercial one. So could you just give us an insight into who the founding team were, and how you guys have been operating for the last five years. Tim Hinrichs: The other co-founder, Teemu Koponen, he’s got a great background in distributed systems, he was actually the chief architect at Nicira. So, what was great was that when we realised that we needed to start Styra, we knew from our past experience technically speaking, what the requirements were on a solution for unified authorisation. And so one piece, of course, was that we needed a policy language that allowed people to write down whatever policies they cared about, and that policy would have to work. That policy language would have to work for really any kind of piece of software, right, whether it’s like Kubernetes or microservices or an application, it didn’t really matter. But the second thing that we knew we needed was a distributed architecture, a way of implementing and enforcing policy at a scale that could only be served through distribution, and a decentralised architecture. And Teemu’s background is exactly that, he had a similar kind of journey as I did, which is he did his doctoral work in distributed systems, and so now the two of us combined have all that technical background we need to build out, obviously distributed authorisation system. So anyway, that’s kind of how I could think about it, and how we got started down this technical road. Rose Ross: So, that’s that side of things. Do you want to tell us a little bit about OPA, because that really was the beginning of the Styra journey, wasn’t it; and obviously how that fits in with… maybe just give a quick overview for people, which I think would be interesting for myself as well, is how does this all work when you have an open source thing that you donate to the CNCF or a similar open source body. Tim Hinrichs: One thing to keep in mind here is that definition of the problem statement. The problem statement that we saw is authorisation, so that’s just really a fancy word, we’re just saying controlling the actions that people and machines are taking. And so that’s the example I like to give there is a banking application; any time I log into a banking application, if I try to withdraw money, am I authorised to do that or not? Am I allowed to take that action or not? So the software needs to know the answer to that, it has to enforce it. And that’s kind of the problem space that we’re in. And then what we really focus on is all of those software systems, solving that authorisation problem for all those software systems that developers use to build and run their own software, so it’s a kind of meta-authorisation problem. But anyway, so that’s kind of the problem space, and then we built two pieces of software to address this, the first of which is this open policy agent project. Its goal is to provide this unified language and toolset for expressing and enforcing policy across many different kinds of software. So that’s really OPA’s goal. And what we did when we started it was, we spent a couple of years developing it, making sure that we had a good and solid piece of software that people could use, and we had people using it, and then we eventually donated it to the Cloud Native Computing Foundation. So the way that works is that when you donate it to the CNCF, you typically start out as what’s called a sandbox level of maturity, and then it moves ahead to the incubating level, and then finally it moves along to the graduated level of maturity, and that’s where OPA is, that’s the same level of maturity as Kubernetes, Prometheus, Envoy, some of these other very popular cloud-native software systems. So that’s kind of the journey for any project that’s going into the CNCF. Rose Ross: So it’s in good company then if it’s with Prometheus and Kubernetes then in that case, because obviously they’re very well recognised. So Tim, that’s OPA and that’s your open source project which has been shared with the CNCF, the Cloud Native Computing Foundation; could you tell us a little bit more about the commercial product that Styra’s really been developing more over the last couple of years. Tim Hinrichs: The commercial product that we have aims to operationalise OPA for the enterprise. So the way I always like to think about it is that OPA was designed to be a distributed approach to authorisation; so you might run not just one or ten, but maybe a hundred, or a thousand instances of OPA. And so then the commercial product gives you that control plane that allows you to do things like offer policy, distribute policy to all those OPAs, make sure that all the OPAs are healthy, record all the decisions that they’re making. And so then overall it really does aim to bring OPA, make it easy to use within an enterprise, not just for a single developer but across many different teams. Rose Ross: Brilliant, that’s fantastic. And one of the things that struck me is obviously you’ve come from academia, by being almost pulled through to the commercial world. I didn’t see you kicking and screaming so hopefully it wasn’t too painful an experience! But Styra as an organisation being five years old, and only taken $14 million in Series A funding is quite unusual. If I look at some of the others who have been recognised in the Containers Trailblazers space, who I am sure you probably recognise the names of, for example Aqua Security have just closed their Series E which takes them with another $135 million to $265 million-worth of investment, bit of a difference, similar length of time that those guys have been around as well, $265 million, and $14 million, that’s a bit different! And then obviously we’ve looked at some others who have also been acquired, so for example Kasten last year who were runners-up, I spoke to Niraj Tolia one of the founders there, they were acquired by Veeam. Portworx were acquired by Pure Storage for $370 million, so I think it will be interesting to see what happens to you guys over the next couple of years. I’m sure you won’t be able to tell us too much, though certainly we’ll be keeping an eye on things. So from that perspective, what do you feel you’ve learnt from this? Clearly if you’ve taken this level of investment, you’ve got a great VC partner with Accel. The money came in quite late, you’re already three years into Styra at that time. You obviously have a lot of focus on your customers, because when push comes to shove, ultimately you need to pay the bills, you need to pay for the offices – or you did up until we got stuck in a pandemic where everybody’s working from home. What have you learned about that? What’s been your sort of takeaways, and your advice to people? Because it’s one of my big bugbears, is that your most important investor is your client, your customers. Tim Hinrichs: Right, so I learned quite a bit. For us one of the interesting things was that we did spend quite a bit of time in the early days, like the first part of the company’s journey was focused on open source, making sure that that project was successful and healthy, and it solved real problems. So we spent a bunch of time in the very early days, not just building software but working with our customers, as you say, having a very strong customer focus and saying, ‘Look, what problems do you need to solve? Can OPA solve them?’ And if they didn’t, we would enhance OPA to make sure that was successful. Then the second part of the journey of the company is really focusing in on commercialising OPA. So making sure that the commercial product that we provide is a great way of bringing OPA into the enterprise, solving a bunch of the challenges that come up in terms of deploying OPA within the enterprise. Now, what did we learn? I think we learned a bunch of things, and the biggest one to me is, and if I had to give advice to folks I would say, focus on solving real problems. It is amazing how easy it is, especially, you know, I’m a technologist, so it’s amazing that if you’re not really focussed on those end users, it’s amazing how easy it would be to go off and build a bunch of software that people don’t need. But as long as you’re focused on those end customers, those end users, they will keep you doing the right thing. So, that’s certainly one thing that we’ve seen be very, very successful. And then that sort of implies the second thing which is, that it is amazing how much time and energy it takes to go ahead and communicate the value of a project, a company, really anything to the world, and that is incredibly valuable. I think that is something, especially technical founders will often undervalue is that communication piece, going out giving lots of talks, but even engaging with individuals or small teams. And so those two things making sure that you’re solving real problems and making sure that you are communicating the value of what you do to the broader world, is super-crucial and certainly things that I’ve seen work very, very well. Rose Ross: Very good. Well it reminds me very much about the… because in the UK you could take double-mathematics at 18, and one is pure, and one is applied. So I think the problem you find is a lot of people take a pure approach to technology as in, ‘Oh, what can we do?’ versus the applied in, ‘What should we be actually trying to do that actually makes a difference for people?’ Tim Hinrichs: Yeah, and I’ll reiterate that. I know very well what the pure approach looks like, all those years I spent in academia. I know what that looks like, I also now know exactly what it takes in the more applied arena here, working in industry for the last several years. Rose Ross: And any other sort of takeaways? So you’ve talked about communicating, and obviously your marketing team have put you forward for the awards, and you’ve clearly done very well, so congratulations again on that. What are the things for you personally, because I don’t know how much of a shift it was from your perspective over the last few years as you’ve been a startup founder, versus an academic, versus somebody who was in a bigger corporation? Tim Hinrichs: The interesting thing to me is that if I compare academics, open source, and even commercialisation, I feel like there are just so many parallels there. Like so many of the skills that you develop when you’re in academia, you’ll invent new whatever – algorithms, and that’s hard technical work. But then you’ve got to spend a lot of time explaining and communicating the value of that to the rest of academia, right. Similarly in open source you build that piece of technology, and then you spend a whole bunch of time talking to people and explaining why it’s useful and showing them why it’s useful. And then commercialisation feels the same way, it’s just that that communication piece is broken into marketing and sales, and the technology piece is broken into product and engineering. But there are these very common threads across all these seemingly very different environments, but in fact I find that the skills you need to be successful are very, very similar in all three of those areas. Rose Ross: Interesting, interesting. Well communications is obviously something that you’re very good at. You present an awful lot about what you guys are doing in various guises, both on the platform of places like the CNCF and others. What’s coming next for you guys? You’ve achieved very impressive revenue growth over the last 12 months or so, I’m sure you haven’t been doing too shabby prior to that either, what more can we be expecting to see from you guys? Tim Hinrichs: Maybe I’ll just amplify that, but I’ve been excited over the past year, to see that triple revenue growth and to see… and that’s great from like a new customer point of view. But I also pay a lot of attention to our existing customers, making sure that the renewal rates are good and high, maybe they have been… I think it’s like 90-95 percent, something like that, so that’s been really great to see. And then the other thing that I’m always looking at is to think about the future. This problem that we’re looking at, authorisation policy, is obviously something that those highly-regulated industries like healthcare and finance care a lot about, they live and breathe it. But when I’m looking at the future I’m also thinking about, well do we focus ‘there’, do we focus more broadly on other segments? And so, it’s been great to see that if we look at our current customer-base, it’s roughly 40 percent of customers who are not in highly-regulated industries. So that’s a coin-flip as far as I’m concerned, and so from my point of view, looking to the future, what that implies is that this really is a pretty universal problem that we’re looking at. Rose Ross: So if it’s not regulatory pressure that’s bringing those 40 percent, what do you think is the driver for them? Tim Hinrichs: I think that this notion of authorisation policy is just pervasive, it has certainly security and compliance, there’s certainly compliance and security policies that you need to put in place, but there’s also a whole collection of just operational policies. Policies that just help the business run, or the development pipelines run the way they’re intended to be. Like anybody who is using software in a team typically has to make decisions about how they’re going to use software. And so if you just leave those rules, those conventions to PDFs and to Wikis, and you don’t codify it in some way, shape or form, then you’re just trusting that everybody learns, you’re relying on people to learn what those rules are, to learn how to create tickets in Jira correctly, and fill out all the right fields or whatever it is. But instead if you put those rules and regulations into software in something like OPA and Styra, then you’ve got just better efficiencies across the spectrum, in terms of how those enterprises work together to run and build their software. So there’s this big operational component as well as the security and compliance side. Rose Ross: Are you seeing that supply chains are becoming more integrated as well, and perhaps that is an element within it? Tim Hinrichs: I think the big trend that we see is just everything’s getting automated, right. Rose Ross: Sure. Tim Hinrichs: And so when you start thinking about automating everything, what you know is that you can’t end up with certain pieces that are manual. Right, if you’ve got a bunch of security checks that people have to perform before you release a piece of software, then you can’t go any faster than those people can check, do whatever checking they need to do. But if instead, if you take those same security checks that you have Security or Compliance or do, and you automate them, then you can automate the whole thing and you can obviously then start running software and deploying software, more at the speed of minutes instead of months. Rose Ross: Yes, reducing that cycle is obviously going to be important as people want to stay competitive and agile, spreading that software development term into the wider organisation, which I’m sure you’re not adverse to. Any other things for you personally? I mean where do you go, you’ve done this already, what else are we going to see from you guys, or from you personally? Tim Hinrichs: Well, I think as company the road is very clear ahead of us, which is we’ve got tons and tons of OPA users and we interact with them all the time, so they can tell us exactly what else we need to do, both for the open source project as well as our commercial product. So that to me is wonderful. You’re working with people, you’re helping them solve problems, and oh by the way you’re also figuring out exactly what you as a company need to do to really be successful, and so that’s super exciting. For me, the company is growing, we’ve grown quite a bit last year, I think it was roughly 90 percent. So for me it’s been a lot of fun, and I expect it to be a lot of fun in the future to just see and work with a growing company. I think that will be a lot of fun. Rose Ross: So you won’t have met a lot of your colleagues then, what sort of size are we talking about for the team that you guys are leading at the moment? Tim Hinrichs: So, we’re right at 40 folks right now, and so we were obviously about 30 last year. So, this is exciting you know, when you start growing 90 percent in a year that’s huge, so that’s quite a bit of fun. Rose Ross: Cool, and are you all based in California, or, bearing in mind it’s over the last 12 months where it doesn’t matter where anybody is anymore. Tim Hinrichs: Right, exactly. We were more focused in California for the last year, but we always wanted to get to a point where we were more distributed, just because I think it’s overall better for the company. But now obviously we are all very distributed! But I think we’ve also taken this as an opportunity to become more of a remote first company, and so we’ve been hiring moreso all over the world, and I think that’s been overall really good and I expect that to continue. Rose Ross: Brilliant, fantastic. Anything else you’d like to share that you’ve picked up along your adventures so far? I have one more question, well in fact two questions, but carry on. Tim Hinrichs: Anything else I’d like to share? I think I’m just pretty excited here, I mean the more I see OPA traction, the more I see we’re a million downloads a week or something at this point. Rose Ross: Wow. Tim Hinrichs: So, the more I see that kind of traction and growth, the more excited I get about both of the open source as well as our commercial offering, and just really getting to solve… the academic in me just really badly wants to solve that unified authorisation problem, and fundamentally provide that new piece of software that people just typically aren’t using today. I always like to liken this to the database, like today everybody knows what a database is, nobody thinks about building application without a database. Well, I expect in the future that an authorisation system will be very similar, people will think back in however far the future will be – 20 years from now they’ll look back and say, ‘How did you ever build and run software without this authorisation system?’ So that’s what I’m looking forward to. Rose Ross: Brilliant.So, I have to ask you – this is my other question, because you’ve got this fantastic background there, so where does the name come from, Styra. Not Tim Hinrichs, because I’d imagine that’s got some Scandinavian element to it, because you’ve got the Viking look now with the beard and long hair, you’ve got the horned helmet there in the background, so you’re cutting that Viking vibe at the moment. So, where does Styra come from? Tim Hinrichs: Styra is Nordic, and it means ‘to govern’. Rose Ross: Oh, okay! So there is a Viking theme, and it’s not just a really nice logo that you thought up. Ah okay. Tim Hinrichs: And then you add in Teemu the co-founder is also from that area of the world. Rose Ross: Oh, so where is he from? Tim Hinrichs: So he’s from Sweden. Rose Ross: Ah okay, so that’s the whole Viking thing, fantastic that’s really exciting. Well that was my questions there. Tim Hinrichs: I was just going to say, the other bit of that of course that Styra, the .com was available when we came up with the name. Rose Ross: That always helps doesn’t it, a very important part is to check whatever amazing name you’ve come up with that somebody else hasn’t nabbed all your digital assets online. Fantastic, well that’s good to know, brilliant. Well thank you so much for your time Tim, really, really appreciate it. It’s been fascinating finding out about your adventure both individually and as an organisation. We’re delighted that you’ve been able to come and spend some time with us, sharing a little bit of the Viking magic or the Nordic greatness that has come over through Styra, and obviously Californian now as well. Great, well thank you very much for your time, and I’m delighted that Tim Hinrichs who is the CTO and Co-Founder of Styra, our Containers Trailblazer winner, and Tim himself was runner-up in Male Tech Trailblazer of the Year last year. Thanks again Tim. And everybody, if you would like to find out more about what we’re doing, please do visit TechTrailblazers.com. Follow us on Twitter @techtrailblaze. Or find us on LinkedIn as Tech Trailblazers. Thanks again Tim, very much appreciate that. Tim Hinrichs: Thanks so much, it’s been a ton of fun.