Snyk CEO Peter McKay: Startups Looking To Get Acquired ‘Dramatically’ Increasing
In an interview with CRN, McKay also discusses how GenAI affects code security and the company’s IPO goal.
For developer security company Snyk, acquiring startups is going to continue to be a key part of its strategy for expanding its platform going forward, according to Snyk CEO Peter McKay. And there’ll be no shortage of options, McKay told CRN, given a surge in interest from startups in getting acquired as venture funding has waned.
CRN recently had the chance to speak with Snyk CEO Peter McKay to discuss the company’s M&A strategy, the impacts of GenAI on code security and growing partner opportunities.
[Related: 7 Cybersecurity CEOs That Are Eyeing An IPO]
McKay also spoke about where things are at with Snyk’s goal to pursue an initial public offering (IPO) in coming years.
What follows is an edited and condensed portion of CRN’s interview with McKay.
How is your approach to developer security evolving to respond to generative AI and GenAI-created code?
We have our vulnerability database, which is the crown jewels of Snyk. We marry that together with our suite of products that focus on vulnerability prioritization and then auto-remediation, which has been the big focus with our AI engine. There are 30 to 40 percent more vulnerabilities in AI-generated code than your own. So you need more automation, you need more intelligence.
I’m sure auto-remediation would make many developers nervous — how are you dealing with that?
As long as they can help make sure that the fixes are correct, that’s the critical thing. As long as they can help make sure that the fixes are correct, right. That’s why the machine learning capability [will say] “I found this issue, and I fixed it this way.” Then if this issue is seen again, it can fix it that same way. It is the Holy Grail. And a lot more of them are using low-code engines. Developers are generating more code, and going faster and faster. So the need to embed [code security] in an automated way into the tools in the engines that they use every day becomes increasingly critical.
Many of the major developer platforms are now embedding code security tools themselves. What’s the advantage of Snyk over those approaches?
We’ve always been that agnostic provider of developer security. You need somebody that crosses over all the languages, all the development environments, whether it’s a Bitbucket, or a GitLab or GitHub. All the different tools, all the different clouds. You can’t just [support] AWS or Azure or Google. So it’s cloud-agnostic, tool-agnostic, infrastructure-agnostic. And now it’s AI engine-agnostic. Because there’s at least 10 of 15 new engines that these developers are using. It’s not just [GitHub] Copilot, there’s a whole bunch. And so [Snyk can be] the Switzerland, the one solution that is making sure that the code that’s being generated from all of these engines is secure.
How crucial is M&A to your growth strategy going forward?
We’ve done seven acquisitions. But what we want to stay true to is building a platform. Everything’s fully integrated and it’s that one view, that single pane of glass, for developers. We can’t deviate from that.
The developer security space is still very fragmented. There’s a lot of pieces that we still believe that we either build, or buy, to bring together. And our customers are asking for it.
We raised money and we have a lot of money in the bank. It’s a perfect opportunity to consolidate our space. And we’re going to continue to be aggressive to do that.
I think the market is ripe for that.
I think a lot of companies are looking for dance partners right now. Because they’re features more than they are a platform. The number of companies coming to us, looking to be acquired, has dramatically flipped from a year ago.
How much more are you seeing this? Would you say twice what it was a year ago?
Four times. It was always us going to them, when money was falling from the sky. Now the money’s dried up. And there’s so many companies out there — it’s so fragmented — that they’ve got to pick a dance partner at some point in time.
What has the acquisition of Enso Security brought to your platform?
It brought that visibility to the security and AppSec teams, with all the information that we were getting from the developers. It’s giving security teams what they need to go to the board of directors to say, “Here’s our security posture.” [Previously] I think we were really heavily weighted to the developer, very focused on that developer experience. In some cases, maybe we weren’t focused enough on the security side. They needed more from us, and that’s what Enso provided. So we were able to bring both of those together.
Do you think this capability will resonate strongly with channel partners?
This has been a little bit of our challenge with the channel. A lot of the channel partners sold security tools to security people. And this whole concept of Snyk coming in and saying, “That’s all shifting to developer” — they were like, “What?”
It took years to get these partners to understand that that model doesn’t work anymore. It slows developers down, or they’re going around it. And so you’ve got to embed this early. This is a bigger opportunity for partners than selling security tools to security. Leverage your relationships with the security teams to empower the developers to go fast and be secure. This is the time to shift that.
But now you’re seeing the Optivs and the Trace3s and the GuidePoints — now they’re getting it and they’re leaning in. Now the timing is right for us to invest more aggressively in the channel, because they get it now. They see this need to shift left and embed developer security.
Where do things stand in terms of pursuing a Snyk IPO? Is that still the goal?
It’s always been what we focused on — being a public company someday. We’re in the fortunate position where we have enough cash to pick and choose when that happens.
But there’s no question—our goal has always been to be a public software company. And we’ve run our business very much like it. Our board is very public-centric. The infrastructure, the finance, everything that we can control, we’re public-ready. It’s just more about market timing. there’s no rush. Nobody’s asking for liquidity. We’ve done raises, and we’ve been able to provide liquidity along the way to employees, to shareholders.
But the growth rate is there, the path to profitability—we have all of that in our line of sight. All the metrics are there. I think we can be a very, very successful public company.