Nearly two years after the breach of SolarWinds’ Orion platform used by governments and some of the most well-known names in the corporate world, the supplier of infrastructure observability software has emerged stronger than before.
The company is now going beyond traditional network monitoring into full-stack observability, a move underpinned by its secure-by-design approach that has taken root in the aftermath of the breach. It has also laid out a longer-term technology roadmap while continuing to hire amid the economic uncertainty.
In a wide-ranging interview with Computer Weekly in Singapore, SolarWinds CEO Sudhakar Ramakrishna offers a glimpse into the company’s observability playbook, how the Orion breach has changed its security culture and business opportunities in the Asia-Pacific region, among other areas.
Can you tell us more about SolarWinds’ footprint in Asia-Pacific and where the business opportunities are within the region?
Ramakrishna: Broadly speaking, Asia-Pacific, including Japan, has the potential for us to be the fastest-growing business for the company. That’s due to a combination of factors. One [part] of it is we are expanding in underpenetrated areas historically, whether it is in Japan, South Korea, or even Singapore for that matter.
If you look at our team in Singapore today, it has significantly expanded, whether it’s on the partner side or systems integrator side. We’ve also always had a strong presence in customer success, which we have expanded in the region.
We see a lot of opportunities in Asia-Pacific. Every company is going through some level of digital transformation. But increasingly, no matter what sort of company you are, whether you’re small or large, complexity is growing. That’s due to the combination of cloud, applications and user preferences, along with significant budget pressures across every organisation, especially in the past six or seven months.
So, customers are looking for vendors that can provide quick time-to-value for their solutions, and then help them reduce their complexity and improve their productivity. That’s where we see the opportunity for our existing and future products.
SolarWinds is widely used by networking teams. With the move up the observability stack and into areas like application performance management (APM), where you have cloud-native competitors, how is SolarWinds positioning itself in those market segments?
Ramakrishna: I would describe it in a couple of ways. Our biggest strength is our customer base, so our approach is very much a belief system that the world will be hybrid and multicloud. While there are cloud-native solutions, which we have as well, we believe those solutions will have to monitor on-premise and private cloud datacentres.
It’s going to be a long time before customers can be homogeneous in their deployment model. One might argue that it will never happen, but the right and prudent thing to do is to support the hybrid deployment model and multicloud products. That’s one clear way we are distinguishing ourselves.
“A lot of customers, especially the US federal government, that had put a pause on our solutions have turned us back on”
Sudhakar Ramakrishna, SolarWinds
Second, you mentioned APM. We think of ourselves in terms of providing full-stack observability, which for us is about monitoring infrastructure, network, systems, applications and databases altogether.
Suppose you’re accessing a website and it’s running slow. Is that an application problem or a database problem? Or is it a memory problem, systems problem, or a network problem? Today, an APM vendor is not going to be able to tell you that and customers will have to run from pillar to post to figure out what the issue is. A solution like ours will be able to pinpoint the issue and significantly reduce the time to remediate it.
Could you share more about SolarWinds’ cloud-native capabilities?
Ramakrishna: In October, we’ll be announcing what we call our SolarWinds observability solution. It will provide full-stack observability capabilities and show how we can differentiate against simple APM offerings. But it’s not a disjointed solution – it’s a continuation of our portfolio. Today, we have deployed what we call hybrid cloud observability. Think of what we're going to be delivering as SaaS [software-as-a-service] observability, which is a natural extension for customers that purchase our existing solutions.
What is the typical entry point for customers? The networking guys would know SolarWinds well, but what about those who deal with cloud-native applications who may not be as familiar with SolarWinds?
Ramakrishna: There are a few different ways to think about it. If you’re an existing customer, then the entry point is your network administrator, IT ops person or a database ops person. We are also becoming more active in DevOps communities, so you will see some DevOps influencers blogging about our solution. But the way we are approaching larger enterprises is through our very rich set of global systems integrator partners.
In fact, the person who runs the global systems integrator team is based here in Singapore. So, when you asked about the market and our local presence, we have a local agenda, but my local agenda is also the talent in region, which can impact the global agenda.
It’s been a few years since the Orion security breach. You were lauded for being open about the situation, not sweeping things under the carpet, assuring customers that you had things under control and the steps the company took to address the issue. Are you still getting questions about the breach from customers?
Ramakrishna: There are fewer questions on that. In fact, we’re getting more questions about the lessons learned and what customers can do that we’ve already implemented. So, it’s less about what happened, it’s more about how we handled it.
Number two is the whole secure-by-design piece we implemented. In fact, I was in a customer visit just before this. I would say in a one-hour meeting, we spent about 30 minutes talking about what we can do to help them implement secure-by-design.
A lot of customers, especially the US federal government, that put a pause on our solutions have turned us back on. So, in a year and a half, they had the choice of evaluating the competition, but came back to us knowing that we handled it the right way.
How has that incident changed the culture of the organisation?
Ramakrishna: The incident happened in December 2020, so it’s not yet two years, but it feels like 10 years as a lot has happened. The first way it has improved our culture is that before December 2020, you may not have heard of the term secure-by-design inside the company.
“We are not retrenching at all, unlike many companies that have cut costs or headcount. I’ve always been a believer that downturns are opportunities for you to do something useful and constructive”
Sudhakar Ramakrishna, SolarWinds
We had a strong security practice, but it wasn’t focused on secure-by-design. Right now, everything is focused on secure-by-design, and everyone, I should say, has an understanding and appreciation for that. So, in that sense, the culture has changed.
The second way I would describe it is we were very happy not being in the limelight before December 2020. But after the incident, we didn’t have a choice but to be in the limelight. Now we are becoming more comfortable with it because we know we handled it the right way and we’ve become a model for others.
Back to the point about observability. I’m sure you know observability means different things to different people. Could you provide some colour as to whether those differences have led to any challenges in going to market with specific solutions for different groups of people within an organisation?
Ramakrishna: Ultimately, whatever you call it, it is all about what value you deliver to the customer.
Monitoring will tell you what happened more or less after the fact. Let’s say there is a network failure and it’s telling you the system ran out of memory. Yes, you can set some triggers saying when the system gets to this much memory, give me an indication, but that’s more of an alert, right? It’s not telling you anything proactively.
In the observability space, there is a lot more correlation. So, for instance, going back to the point I made about the slowness of the website, a monitoring tool may not exactly tell you why a website is running slow, because monitoring tools are segmented as network monitoring, database monitoring, app monitoring and so on.
With observability, it’s almost like you have a bird’s eye view of everything. You are able to anticipate certain events happening and more proactively tell an administrator what could be going on. In that way, observability is reducing your complexity and improving your productivity.
Could you share more about what SolarWinds’ technology roadmap looks like?
Ramakrishna: I’ll talk about our three-year roadmap and then extend that to four and five years. This year, we’re coming up with full stack observability.
Next year, we will integrate observability and service management. The idea behind that is that it’s one thing to report a problem and it’s another to report a problem and fix it, so we want to automate your environment and help you observe and figure out what’s going on and remediate. There are very few vendors in the market, if any, that can integrate those two things. We have the ability to do that on the same platform.
After that, we will focus on abstracting that out to decentralised teams. What’s happening more and more is that while a company may have a CIO, many solutions are chosen by departments. How do we provide the ability for teams to work and solve problems, such as an SRE [site reliability engineering] team or DevOps team? That will be the next phase of our roadmap.
In the following years, we’ll be more focused on driving business outcomes. If you’re a user of my system, you should be able to set some thresholds on what you want to achieve, such as service levels and uptimes. If you set those, you should be able to forget about the operation of the system because, say you want a 99.999% uptime and something fails, the system will automatically spin up more resources to rectify the issue and meet that SLA [service level agreement]. So, you’ll be more focused on business outcomes, rather than events in your environment.
Now you’ve got this roadmap, are you facing any challenges getting the talent that you need to execute on that?
Ramakrishna: We’ve been very lucky with talent, especially in 2022. It’s also ironic, going back to the breach. In 2021, there was a lot of scepticism about whether SolarWinds would survive. In 2022, I see a lot of interest in what we did that was different and better. And then we unveiled our strategy and our value system and purpose as a company.
We are getting some really good talent infusion into the organisation. The talent market is very difficult and tough, but if we need to go hire, we are able to hire.
What keeps you up at night these days? Do you worry about the possibility of someone sneaking into your systems and staying in there for the past year without you knowing?
Ramakrishna: That risk is always there. As much as we have improved, or as much as any company has improved, there’s no guarantee against that. You just have to keep doing the best you can.
What keeps me up at night are two things. One is how do we scale better? And two, can we be relevant to customers? At the end of the day, you have to build things that are relevant to customers.
When I say scale, what I mean is, do we have the right people? Are we getting the right talent? Do we have the right processes? Do we have the right tools? Do we have the right behaviours?
As for relevance, I’m referring to things like whether we are building the right solutions. Can a competitor come from somewhere to eat our lunch? How do we stay ahead of that? How do we anticipate the needs? Do we understand customers? Have we stayed in touch with customers?
The economic situation has been pretty rough lately. Has SolarWinds been affected?
Ramakrishna: We are not retrenching at all, unlike many companies that have cut costs or headcount. I’ve always been a believer that downturns are opportunities to do something useful and constructive. Of course, you always have to be careful with spending, but to me, a downturn is an opportunity to show commitment to customers and our belief that if we keep executing, we will succeed.
In that sense, I’m not reducing headcount. In fact, we have almost 200 open positions in SolarWinds. On the business side, one of the unique things about us is the time-to-value for our customers, which means if you make a purchase today, how soon do you see value? We are one of the best in the industry in that regard.
If you take a company like SAP or ServiceNow, you might spend $1m today with them, but before you can meaningfully use it, maybe six or nine months has passed, so the time-to-value is very long. Those are the projects that are getting stopped by customers because there is a lot of uncertainty. Whereas for solutions like ours, our time-to-value is short, so there’s still a lot of interest.
