B Byrne Video Still

B Byrne: I'm so excited to be here. This is such a nice spot. So I have been spending the last six months deep into super nerdy topic, really just spending all my time on something which I can't talk about with my friends, because they're not interested. And so, the real pleasure of getting to be here today is that you all do care about this thing and so I get to talk to you about it for 20 minutes and so finally I get to get some of the stuff that's been just so in my head for a long time, out. So, thank you all for being here, thank you for being interested in this topic. I think it's super-important for SaaS companies in business and the way this industry is going. And I'm gonna be talking about building the ROI case for account security. ROI, return on investment, but basically thinking about how we're helping our customers make or save money. So I am going to break this talk down into four sections. First, I'm gonna to talk about SaaS pricing for security. It's an unusual thing, particularly for this industry, but normal for SaaS, and what that means for us.

BB: Then I'm gonna go into customer costs, how are we thinking about the way customers are spending money and therefore how we can be saving them money, calculating that return on investment, what's the formula we use, how do we talk to customers about it, how do we make sure they understand the money we're saving them. And then lastly, what that means for actual business of our customers and for how we grow. I'm B, I'm the head of product for account security at Twilio. Before that, I founded Clef, which is a two-factor authentication company, and at Twilio now, I'm running two-factor authentication, phone verification, Lookup, the Authy apps and a bunch of SDKs that help people build that kind of functionality into their apps. And when I talk about account security, often people are like, "That is the strangest or the driest topic I can think of." But it's what I spend all my time on and the reason I'm so interested in account security, the reason why I think it's so important, is because we're getting to be people online. There's all these ways in which we're exploring the versions of ourselves that exists on the internet.

BB: And the critical question for me, as we start doing that, is how do we connect the 'me'? The version of ourselves that walks around to the version of ourselves we're creating online. And that connection is all about authentication, verification. How do we really make these two things, make it so that you can trust that only you're gonna be in control of this new version of yourself. So I wanna start by talking about pricing and usage-based pricing. This is the sort of engine of Twilio's business model, and when Twilio started, usage-based pricing was really controversial. There was this idea that we would be charging a tiny, tiny amount of money per use of our API and that meant that, for a developer, they could get up and running without having to talk to a salesperson, without having to come up with forecasts or understanding how they would grow. Instead, they could just say like, "I built a demo, it works, I'm gonna pay you a couple of cents for this demo and if it starts working and people start using it and it starts making money, then I'll pay you correspondingly."

BB: Which is really awesome for the developer audience, but was something that a lot of folks were skeptical of, a lot of investors were skeptical of Twilio, because most budgets in the world are traditionally done with big contracts and a big contract means you are... It's predictable, a company knows how much they're gonna be spending with you. It means they have a big relationship with you, they've found a person that they know they can call when something goes wrong, they have... There's some accountability, there's a whole legal structure, that you've signed a contract together. And so, with most budget of the world going to these contracts, there was a lot of skepticism that a developer starting a demo would end up controlling enough revenue or controlling enough of a spend, to make a real business. Now we're almost 10 years later, Twilio is a public company, we make a lot of money, and we really have validated that the per transaction usage-based pricing works really well, that you really can make a big business on this kind of pricing. But even still incredibly, even more so unusual for security. That's because the way security is sold is usually like, scaring somebody about the worst thing that could happen.

BB: It's like, "Imagine if this horrible thing happens to you, if your secrets are leaked, if your passwords are all made public, if your competitors know all of your plans, what would that cost you? Well, what is the percent chance of that happening, and we're gonna charge you some fraction of that every year to make that risk lower." And it works pretty well for a lot of companies to sell security that way, but it really doesn't align with the per transaction pricing. And so if we think about two-factor authentication, there is a question of like, "What is the value for the customer of each authentication?" If what they're being protected against is a huge breach. Because each authentication is so incremental, that it's really hard to derive the cost that way. And so, it's really hard to price an API that does authentication or verification if you are trying to think... If you're trying to prove value in this big lumpsum world. So the first step for me in this process, and I've been at Twilio for the last six months after joining with the rest of my company, Clef, has been, how do I take the fundamentals? How do I take the APIs we build? How do I take the services that we offer and help our customers understand them in a transactional world?

BB: How do I help them understand the way we're saving them money incrementally? And so the first thing that I focused on was the ongoing costs, identifying these ongoing costs. And there are five up here and these are the five that I've sort of like spent the most time thinking about, but they range from very obvious to somewhat nuanced. The first is account takeovers. So traditionally, again, in security, we're thinking about what's the big worst case where everything gets leaked, but the truth is that if you have accounts online, some of them are getting taken over everyday, week, month, just one or two. Somebody's losing their account to a phishing attack. Somebody is getting brute-forced. There's sort of a constant set of small account takeovers, individual account takeovers, which are hard to... Well, not hard to measure, but which are traditionally not thought of as that big lump. And the reason these account takeovers are happening is because that's where a lot of fraud gets run through, so people will take over an account and then put in some bad credit cards and then run money through those credit cards and either get services or get credit or pay themselves if it's a marketplace, and then their charge back will happen when the business is out whatever money it spent on those accounts.

BB: So account takeovers are a thing that are sort of a consistent cost that really very directly attributable to better authentication. We can reduce that cost. Second is new account fraud, so a lot of people are making accounts and either taking the free trial money that you give them or using those new accounts to do the same thing with credit cards depending on limit, but basically people are making new accounts or lots of new accounts, maybe even doing comment spam where they're putting a bunch of links in your content, things like that where they're hurting your business just by making new accounts all the time. Third, and this is the one I'm gonna dig into here, is support tickets. Support tickets are really great because most companies measure them really well. They know how many of them they're doing. They know what they're related to and they know how much they cost on average. This is a great place to think about customers' ongoing costs because it tends to be well-measured in a lot of companies, and for us, a lot of support tickets are related to people getting locked out, whether that's forgetting their password, losing an authenticator device, or somehow otherwise not being able to get access to their account. The same people then go away.

BB: The bad user experience of a lockout scares them away from using your service or they move on to a different alternative because they're frustrated, so there's also the cost of losing those customers to the bad user experience, and then finally, there's maintenance. Basically, depending on how important security is to your business, you're going to be needing to do ongoing development work to stay up to date. And for some businesses, security is critical. It's how they differentiate. It's really important. Some businesses, it's like table stakes, in their industry it matters, but it's not the thing that they're gonna differentiate on 'cause everybody does it well. And then some businesses it's like security isn't what our customers think about and so it's not something that we invest in in an ongoing way. But depending on those things, it can be a pretty significant ongoing cost. So once we have this ongoing cost, we can start to calculate the return on investment, and this is the critical equation that I spend a lot of time thinking about, and that is, how much money can we save you? If we can reduce the number of support tickets, how much does that cost? How much are you gonna spend with us?

BB: So the savings minus the cost and then divide that by the total cost of the tool, and that's gonna be a percentage which we can then say to a customer, "You're gonna get this percent return on investment. For every dollar you spend with us, you're gonna get a 150% back, a $1.50 back." And so I'm gonna dig in here into the support costs for one of our tools, and this is just a process that I've gone through that I think is a good way to think about how you can do this. If you're building a SaaS service, this is a good set of ideas of how you can talk to customers about what your tool is offering them, and I just think this is really interesting because it's so clear. So the first impulse I had when I wanted to think about support tickets and how many we were saving our customers was like, "I wanna go talk to a bunch of people who aren't our customers, like our potential customers, and see how many support tickets they spend on two-factor authentication." But there are a couple of problems with that. First, most of our potential customers don't have two-factor authentication yet, which is why they're still a potential customer. Second, I don't have a relationship with them yet, and so asking them to give me a bunch of their data is not always easy.

BB: And then third, to get to the statistical significance, to have enough people sharing this information is actually really time-consuming. And so instead of going and doing that, which was... You know, I actually sort of wrote out this plan of how am I gonna go figure out this number. I instead went and looked at our existing customers, all the people who use the two-factor authentication API today, and I identified a couple of things which I believe would create a support ticket for a customer if we didn't handle it. So we have a phone change process. When somebody has changed their phone number but forgotten to update their account, and so they now need to go through a whole process to verify that it's really them and make sure that they actually control this new phone number and update that in their account. And so I assume that if you go through our phone change process, you otherwise would've created a support ticket with one of our customers.

BB: Second is account recovery, so if you've lost access to all of your devices and need to get access to your account, we have another process that automates a lot of this but gets you back into your account, also assume that would create a support ticket without us. And then third, I actually know how many support tickets of like people are confused or frustrated or don't know what's going in the process and they reach out to our support team and we help them, and so those are also support tickets that otherwise would've gone to our customers. And then, looking at this, I can say in a month there's X number of support tickets, and this slide originally had that number X, but we're a public company now, and I have some restrictions on what I can show you, which is new to me. [chuckle] But I can tell you that across all of our customers, I can take the number of support tickets, and we're saving one support ticket per 90 authentications that are happening with our API.

BB: And that let's me do that equation that was on the last slide really easily. And here's what I did. So estimated support ticket costs about $25, this range is $25 to $30, is a range that is generally accepted, some people outsource a lot and can get it lower, some people do a lot of voice calls, and it gets significantly more expensive, but I picked the low end of the range just to make sure that I wasn't gonna go talk to a customer and have them be like, "Wow, you've really overstated your case."

BB: But so, $25 for a support ticket, and we charge nine cents per authentication so, it's $8.10 they've spent with us. So got that $25 minus $8.10 divided by $8.10 and it's equal to 208% returned on investment. And this is something that I have in a spreadsheet, which I send to a customer when they get to a certain part in the process, and every one of them is like, "Oh wow, this is a good idea, I should spend money with you." Because now, I'm positioning myself as like a money machine. Ooh.

[chuckle]

BB: I'm a money machine, and the more money they give me, every dollar they give me, I'm spitting out two extra dollars; their $1 plus $2 back. And so, the conversation changes from like "Oh, should we just spend a little with your first and then, maybe one day, we'll spend more if we care more about security" and now, it's like, "Oh no, the more money I spend with you, the more money I'm saving" like, "I want to be using you to do this thing," which is a really, really great way for that conversation to be going.

BB: This is also just one of those five ongoing costs I talked about. So, I actually have similar calculations for all of the other four, and depending on the company, we can get a pretty compelling case here that, they're gonna be saving a lot of money with us if they choose to use this transactional model, even though it's not what they're used to.

BB: So, the next thing that's happened with that. So, I created this return on investment model, these spreadsheets which, I don't know about you all, but I love spreadsheets [chuckle] You all are working SaaS, so I suspect a lot of you love spreadsheets. But what I started to find was that we could actually break our customers into three categories, based on how they understood this model. And this has actually been like, the sales team loves me, that I have set this up for them, but basically we have three buckets of customers.

BB: The first is a tactical customer. They've had something happen, they've hired a new person, some customers have been asking them for 2FA support or something like that, and they've decided to take on the project and get it done. Usually, it's one person who runs their account security or even some engineers from another team are taking some time to get this done, and they're not spending that much, they're spending less than a million dollars a year on account security.

BB: These customers, we can now identify them really well, we understand what they need, they really care about quick onboarding, the fact that we handle edge cases, and that we can help them check that box really fast, which, they're great customers, I like them. And then, we can start training them, and we can say like, "Hey, by the way, here's how you could measure the account takeover rate for your accounts, here's how you can look at new account fraud, here are these different types of fraud to look out for." And help them start to measure their costs and understand how we could add more value later.

BB: In the middle, and most excitingly, we have these operational customers. And these are the folks who have started measuring these costs, they know how much money they're losing, they know how many accounts are getting taken over, at what rate, they know how much it costs them every time it happens. So, they already have the spreadsheet internally, and when I give them my spreadsheet, they plug in some numbers and they're like, "Oh yes, this is good math, and I wanna give you money."

BB: They also tend to have a dedicated team working on this and are investing much more heavily because they know how much money they're getting back. So they know how much money they're saving and we can make a much better case, and they're spending $10 to a $100 million a year on account security. So these are the customers that we love and we spend a lot of time with, and that this model has the biggest effect on.

BB: Lastly, we have strategic customers. These are folks who have a thousand person identity risk team, they see security as a critical to their credibility in the big market, in the world, and they come to us wanting something very specific, they are like, "You Twilio are very good at delivering SMS, we have our own systems, but we want you to deliver SMS." And we also know not to waste our time trying to sell them on a bunch of products because they're really thinking about this in a totally different way.

BB: So, we've broken down these customers. I've like equipped our sales team with materials to talk to each of these different groups. And the success rate with all three of them has gone up significantly, which has been amazing. So, the result of all of this, and this is the secret of Twilio's success, the reason why Twilio has gotten to be a big public company on a SaaS model...

[background conversation]

BB: Is net expansion. And this is the opposite of revenue churn.

BB: And so, for most businesses, every customer you have or for the number of customers you sign up, you lose some of them every month, there's this waning amount of money you make. But net expansion is when your customers spend more money over time. And so basically, if Twilio stops signing up new people, even if we didn't cross-sell or make new products or convince people that they should buy new things from us, because they see us as a money machine, they just wanna put more money in every month because they're getting that money back, we actually see almost all of our growth come from net expansion, which is our existing customers paying us more. And that's the power. That's the reason we've gotten big, that's the reason why we were able to prove investors wrong is because they couldn't see that you can start with a little budget as long as it wants to keep getting bigger and bigger. And then every time you're adding little customers, and you can add a lot of little customers very fast, as long as they all keep growing together, the result is that you make a lot more money eventually. And so over the course of a decade, it's grown into a really big business and has shown that the transactional pricing model really can be super impactful. So that's what I've got for you. I have some time to take questions and hopefully answer them. So, let's go back to that. That was building the ROI case for Account Security.

[applause]

BB: Yup.

[background conversation]

BB: Go for it.

Audience Question 1: Why is the Y at the end alone?

[laughter]

BB: This presentation originally had different fonts that didn't make it in some transmission, and I'm running with it. [laughter] No, it's intentional, I just like messing with you. Also those red bars totally aren't meant to be aligned with the text or anything.

Audience Question 2: Can I go? Okay, so first of all, thank you so much, this was fantastic.

BB: Absolutely.

Audience Question 2: We're all nerds at heart, so...

[chuckle]

BB: Counting on that.

Audience Question 2: My question is regarding ROI, when you're selling to these three different types of customers, what are some acceptable percentage numbers? I'm assuming it's different for them because they're different-sized businesses. But what is something that gets people excited versus something that's meh?

BB: Yeah, so it depends totally on your business, and again, that customer maturity model was really important for exactly that question. The first tier of customers, I could tell them that it was a 40,000% ROI and they would still be like, "I don't know what that means, I don't know what my costs are, just check my box please." And the customers at the end have already spent so much time investing in the ROI, they know all the tradeoffs, they know all the pieces there, and they're coming to us to shave down a piece of the cost. And so, for them, if we can tell them that we're gonna save them 5%. We have one big customer that was like, "If you can improve our success rate 1%, that is worth the change for us." And so... And the really mature customers, they're happy to get really low numbers. So the range exists of how much they care. And the ones in the middle are the ones for which something like a 100% ROI is like, "Oh wow. There's still a big opportunity for us to save money on that." It's also partially volume-based. So those big customers, a 1% saving represents $1 million, for the little customers, a 1% saving represents $1. So it really depends on the business and how much people are spending, but I would say that the critical part of creating that maturity model has been understanding for which customers, which percentages make a difference.

Audience Question 3: So one thing on your ROI thing is that you did the costs that are avoided and you do that. Have you found any examples of doing revenue lift? Where people have actually been like, "Hey, I've got security, now I can charge more, something." Where it's not downside, it's upside.

BB: Yeah, absolutely. And so security definitely tends to operate on the cost of savings as opposed to the money making, but the other parts of Twilio's business are very much about money making. So one reason this is so important to fit into Twilio is that, for our SMS business, it's a lot of marketing messages where it's like every 20 SMS I send out, I get one sale. And one sale is worth $10 and I'm spending $0.10 per message. This makes a lot of sense. And the more SMSs I send, the more money I make. So definitely, it goes both ways and that formula, I can't say out loud the way it changes, 'cause there's no way I will make that clear. But you can Google ROI formula, and it's like a simple change to make that positive revenue for the return on investment. So yes, positive revenue earned is also an awesome way to do this, in security, we tend to need to do the cost savings. Some businesses actually really make more money if they seem more secure, but it's very brand-nebulous, hard for me to put in a spreadsheet which applies to many other businesses. There we go.

Audience Question 4: Also to follow on from the last question, you talked about net expansion, does that happen so much in the security side? Or is that more a matter of once someone rolls out one of these products that it's out for 100% of their authentication and there's no room for expansion?

BB: Our business has great net expansion. The account security business for Twilio has really awesome net expansion. But it's not uniform across customers. And I would say that, generally, net expansion isn't uniform across all customers. We definitely have folks who are like, we checked that box of two-factor authentication, we buried it in the settings, and we hope that no one ever touches it, because it costs us money when people touch it, and we don't really care about protecting their account. We just needed to technically offer the feature. But part of it is that we serve a lot of small companies. So a lot of startups started using Authy or our two-factor authentication API. And then they got bigger. And as they get bigger, they use us more, even if they're not pushing us harder.

BB: I also think that, generally, the trend is that as companies get more mature, they start to understand the use cases where additional security matters. So for instance, it may not be that, "Oh, we're gonna make everybody turn on 2FA," because that's a very unusual decision. But instead, like, "Oh, all of these sellers who have accounts." So Twitch is one of our big customers, and they've been pushing all of the streamers to start using 2FA. And it's not that everybody watching Twitch needs to turn on 2FA because that would impact their growth. But they do understand that those streamer accounts actually hold significant amounts of money right now, they really are people's livelihoods, and we really need to protect those. And so we do see a lot of our customers, both as they grow they use more, and then we have these humps, where they'd realize that there was some vulnerable audience that they should mandate it for. And then we get a big uptick.

[pause]

BB: Awesome. I'm a fan of letting it get awkward. 'Cause...

[laughter]

BB: Somebody there has a question that they're just not quite sure they should ask yet. But this has been wonderful. You all are a great audience. Thank you for nerding out with me, and have a great rest of your day. [applause]