SailPoint CEO Mark McClain: ‘Continued Acceleration’ Expected Despite Recession Fears

In an interview with CRN, McClain also says that the company’s identity security platform is a ‘true’ SaaS platform, unlike some competing products.

McClain On The Record

The tech industry overall may be paring back on staff in sales and other roles, and some companies in the cybersecurity market have done layoffs as well. But for providers of technologies in the red-hot identity security sector, such as SailPoint, the economic upheaval and fears of a recession are having minimal impact on the game plan, according to SailPoint founder and CEO Mark McClain.

“We’re still planning for continued acceleration and continued market capture,” McClain said in a recent interview with CRN. “While the noisy economy is a little bit of a negative driver, there’s way more positive drivers for us—just the fundamentals of the world moving toward digitally centric business.”

SailPoint, an Austin, Texas-based provider of identity governance and administration (IGA) and other identity security tools, and its solution provider partners are benefiting as more customers recognize that identity is a “critical linchpin” in their digital transformation efforts, he said. Research firm MarketsandMarkets forecasts that the IGA market will reach $7.7 billion this year, more than doubling in size since 2018. Identity and access management (IAM) is expected to grow by 91 percent by 2027, to $25.6 billion, according to the firm.

In August 2022, SailPoint was taken private in a $6.9 billion deal by Thoma Bravo—a private equity investor that last year also acquired Ping Identity and reached a deal to acquire ForgeRock, two other prominent players in identity security. Then in January, SailPoint made an acquisition itself, snapping up third-party identity security vendor SecZetta to bolster its platform.

During the interview, McClain also addressed a recent claim that SailPoint is a “legacy” identity security provider. SailPoint offers a “true SaaS product [built] from the ground up,” he told CRN. “We’re a 17-year-old company, but we’re not legacy SaaS. We’re the most cutting-edge SaaS product in our category.”

McClain also discussed the potential for further consolidation in the identity security space, the biggest opportunities for channel partners looking ahead, the SecZetta acquisition and the prospects of making additional acquisitions.

What follows is an edited portion of CRN’s interview with McClain.

How are things looking for SailPoint in 2023?

I think we’re still feeling a lot of really good momentum in the market. Obviously, it’s a little choppy in the world. It has been off and on for a few years. I think we felt a little more in the second half of last year.

We’ve all seen the massive tech resizing. I think it’s almost obvious [why that is happening]. When you’re in a go-go mode, you’re not sloppy—we weren’t either—but we all were kind of assuming a continuation [of the economic conditions]. So you plan and hire for that. When it changes, then there’s some readjustment you have to do. I think some companies were a little more disciplined than others and their adjustments are less dramatic.

We haven’t seen as much of that in security, though.

There’s the world, then there’s IT, then there’s security, then there’s identity. Within identity, we felt a little bit of choppiness in the second half and heading into this year, but nothing too choppy compared to other segments. Like you said, even all of security still feels pretty good, most aspects of it. And then you get out into IT, it’s a much more mixed story. You get outside of IT, and it’s a really mixed story in some industries. I think we’re still planning for continued acceleration and continued market capture.

While the noisy economy is a little bit of a negative driver, there’s way more positive drivers for us—just the fundamentals of the world moving toward digitally centric business. Whether you’re in the tech business or not, we’re all talking about leveraging digital [in a bigger way], digital transformation, using technology to advance your business cause. Anything that drives more heavy investment in technology in a world that’s now default cloud/mobile/remote—that helps us. Because identity is now clearly seen as a critical linchpin in that mix. If you’re going to do more digital assets, more new business applications, you’re going to do them in the cloud. You’re going to do them to mobile. And identity is just very core to that.

I wouldn’t say everybody gets that, but we’re getting close. Most companies get that and then they’re now going, ‘OK, if that’s true, what do I do about that?’ And that’s what leads to a lot of great conversations for us.

Are there certain parts of the market where you’re finding the momentum to be especially strong right now?

In some cases, it’s midsize companies who probably never did a lot in this arena. Big companies have absolutely done some things, and they’re revisiting what they’ve done and if it’s going to work for them into the future. So they’re both a very large market and [are making] a very large migration. In the midsize world, more often they have less investment in our category and are looking at if they should be doing more than they’re doing. They recognize the problem far more than they did a couple of years ago.

So back to your point, I don’t see security feeling the pain in general that the market’s feeling. And I feel identity is feeling even less of the pain than the rest of security. I think most identity companies are still sounding pretty bullish right now.

How have things been going so far since being taken private by Thoma Bravo? Is that playing out the way you’d hoped?

If I’m honest, it’s only been since late in the fourth quarter where we really got much deeper into the dialogue on, ‘Where are we? Where are we going to go? How are we going to get there?’ The SecZetta [deal] had been looked at pre-Thoma, we temporarily put it on the back burner until we saw how things unfolded there, and then roared it back into action once we closed the deal with Thoma. We actually had a light offering for what we called ‘non-employee life cycle’—how do you manage people that aren’t your employees in the world of identity? We knew that was a need. And there’s a lot more of that than there used to be—there’s contractors, there’s various value chains, distribution chains, supply chains.

And one of the hotter new topics is non-human identities. That wasn’t a big focus of SecZetta’s, but they’ve touched that a little. The initial focus from this will be the human non-employee. But this technology lends itself to extending to other flavors of the non-typical employee. So it was a very clear place for us to be extending and expanding. We looked at how easy it would be to integrate that into our core platform versus building something from scratch. Ultimately, the decision was that it’s better to buy this.

What’s your outlook on making more acquisitions in the near future?

This year, because we do still feel bullish about the growth, we’ll be continuing to look at other acquisitions. I think given the market backdrop, I don’t know we’ll be super aggressive in the first part of this year in that. But there’s also so many [companies] that are willing to now consider transactions. [In the past] both the management teams and the investors were like, ‘My asset is awesome and it’s worth $5 billion, even though we have $5 million in revenue.’ They’re not saying that now. So I think the world of more rationalization between the state of some of these earlier businesses and the perceived value of those has narrowed.

We are looking at efficient growth. We are going to be a growth story, but we want to be efficient in that growth story so we continue to increase our margins of profitability over time, which we believe will ultimately make us a very attractive company to either the public markets again or another alternative.

What are some of your priorities looking ahead for SailPoint on the product side?

Because identity is increasingly recognized as an important linchpin, that’s driving more [focus] among the customers on, ‘I need your stuff to integrate with this stuff.’ And ‘this stuff’ is getting to be a very big list. The rest of the security ecosystem, a lot of the IT operations ecosystem—we’ve got to tie into not just other identity players like Okta, Ping, ForgeRock, CyberArk, Delinea. But also, ‘How do you tie into Splunk? How do you tie into Rapid7? How do you tie into Palo Alto Networks and other security players? How do you tie into ServiceNow, Workday, Oracle?’ The range and need for connectivity and integration are pretty high now. And I think we’re always looking at, ‘What do we build there? What do we jointly work on with some of those partners? What do we put out as APIs and let customers or partners build some of their own integrations?’ So there’s a lot of choices being made there about the ways we connect to the rest of the world. Some of those we think might be candidates for directly folding into our platform some day. But we’ll just keep looking at what’s available in the market, but more importantly, what are our customers really pulling us toward most strongly? What are we hearing the most consistent patterns of, ‘I really need you guys to tie tightly in with this.’

Do you expect to see further consolidation of tools in the identity space?

If you track what some of the analysts [are saying], they’re all talking about some flavor of convergence. Over time, you just see that happen again and again in markets where independent ‘best-of-breed’ things tend to get integrated and consolidated. [That happens] as customers said, ‘I really need this and this and this to all tie together.’ There’s always somewhat of a pressure toward convergence over time. But it is counterbalanced by, ‘In some areas, I really need the product to be awesome. So I will take your awesome independent product over the lousy offering that’s within somebody else’s suite.’ You see customers make those decisions all the time.

I think we see some amount of convergence across the identity landscape, as you just said. So we are seeing some of our competitors around us do that. We’re looking at whether some or all of that should be in our playbook. But then we also see lots of opportunity to go deeper in our core area—tying in to non-human identities and bots and IoT over time. Tying in to increasingly deep ways to manage not just the applications and who can access them, but also the data elements within the applications, and the data when it’s outside the application in a spreadsheet on SharePoint. There’s lots of ways to extend the core of identity security that we do and stay out of those other lanes. We could do that. We know that’s a very healthy business option. But we’re looking at the market around us too, and saying, ‘If everybody starts to talk more and more about convergence, we’re going to at least have to be aware of how that’s going to look in the market.’ So it just means we’re trying to both be market-sensitive and market-driven in everything we do. But also watch how things are unfolding and decide if it’s time to make different moves than we would’ve made [if it was] a different time.

What else is at the top of your mind with SailPoint right now?

Sometimes people miss the importance of what we’ve done with our SaaS offering. We made a very deep investment in what was once a core software product to build a true SaaS product from the ground up. That’s significant for two reasons. One is—and we will stand by this—we’re the only true, multivendor, native SaaS product in our category at scale, period. And there are a few others out there saying that. But there’s a difference between what’s called hosted and SaaS. Hosted is, ‘I have software that I’m now putting in the cloud, but every customer gets their own version.’ SaaS is classic multitenant, ‘I’ve got one copy of the software and everybody’s using that software. So if I make a change, everybody benefits from that immediately.’ ‘We’ve started to point out that delta because we have a couple of folks that are noisy about, ‘We’re SaaS too,’ and we’re like, ‘No, you’re not.’ And there’s a big issue there. That means the vendor really is running a single copy of their product in the cloud that has to be separately maintained from every other customer which, by the way, means at scale, this gets hard. Every copy is unique and different. But it also means for the customers, whenever we do things—upgrade, enhance—everybody gets it immediately. That true, multitenant SaaS is kind of a big deal. And we started building that product eight or nine years ago. Somebody recently referred to us as ‘legacy’ and that really made us angry—we’re a relatively new SaaS product. And it’s a pure SaaS, developed-from-scratch product. So how are we legacy? We’re a 17-year-old company, but we’re not legacy SaaS. We’re the most cutting-edge SaaS product in our category.

What are the biggest opportunities for your channel partners looking ahead?

We’re more of an SI [systems integrator] channel than a classic reseller channel. We work very closely with all the big global SIs and a lot of midsize boutique SIs. Because quite often it’s less about selling our products than implementing them. And that’s a long tail. So we tend to work with companies who have the capability to not just sell—or maybe they even don’t sell, but they implement and stay with the customer for a long-term implementation. We’re looking at extending more of our classic selling, though. One of the primary partners we’ve historically worked with here in the U.S. is Optiv, which is the biggest security reseller in the country, I think. But they also have an integration arm that they’ve been building up over time. That’s a great example of a company who has the depth and knowledge of security to sell our stuff, but also help the customer implement it over time. So I think we’ll be looking at can we build more of those kinds of channels? [These are partners] that can not only understand the value prop and help us sell, but can also stay with that customer through the implementation.

A lot more resellers have themselves expanded into implementation services as well.

We do work with Sirius [Computer Solutions], we do work with others that are kind of in that family, like CDW. A lot of them that were primarily selling product are shifting to [also] implementing product. That’s pretty common, to your point.

From the customer viewpoint, they know this is complex. Identity is not a project, it’s a program. This isn’t something you finish and then you’re done. When are you ever done with data management in your company, or network management? You’re not. There’s an ongoing program around network security, data security, desktop security. That’s identity now. You’re never going to be done—you’re just going to continue to make progress and add and deepen. Well, when customers see that kind of a scenario, they want a long-term consulting/integration partner.

So the attractiveness to us and our partners is when you get in with SailPoint, and you win that position of a consultant/integrator, you have a long journey ahead with that customer that’s pretty lucrative because you’re going to do a lot of work for a long time. We’re sticky. We don’t come out easily. And there’s a lot of work that comes around this to tie it into their environment and represent all their policies that are unique. And that’s great for partners because they drive a lot of revenue. For customers, because it’s complex, they need a partner to help them make it work.