In this episode of McKinsey on Building Products, McKinsey Partner Rikki Singh sits down with Arnab Bose, the chief product officer of the Okta Platform. During their conversation, Singh and Bose discuss how AI has changed the landscape of cybersecurity, how Okta protects its clients against deepfakes and phishing attempts in innovative ways, and how product management teams can work with marketing and sales teams to set ambitious goals while incrementally delivering change. An edited version of their conversation follows.
The evolution of identity management
Rikki Singh: Arnab, share a bit about your background.
Arnab Bose: I’ve been at Okta for more than five years. I joined as the head of product management for the core platform of Okta in 2019. I now head product management for our Workforce Identity Cloud products as well as Okta’s customer identity solutions. Before coming to Okta, I was the vice president of product management at Salesforce, where I led many different efforts. And I started my career by spending nearly a decade working on Microsoft Office products. In total, that’s more than 20 years in product management.
Rikki Singh: Given your breadth of product experience, what is the most counterintuitive thing that has stuck with you as a product leader?
Arnab Bose: As a PM [product manager], when you work on products or technologies that are widely adopted and run at scale, you might want to focus on when to release a product to have the maximum impact and number of customers right out of the gate. But new products or categories within an existing portfolio need a different approach: You have to give them an incubation period and treat them almost like a new product from a start-up. You have to figure out how to introduce the new product and then help it get to scale. And what does the time frame for that look like? Those considerations are all fairly nonintuitive.
Rikki Singh: What are some common misconceptions you see among the C-suite regarding identity management?
Arnab Bose: There is still a perception within the C-suite that identity management is not a C-level concern, that it’s a tool that helps the business adopt applications rapidly. That’s a misconception that a vast majority of enterprises still have, and it’s resulted in breaches being caused by some sort of compromised credential or identity in the market. Attackers have figured out that identity is the way in, especially in a cloud-based world, where people are working from anywhere. So C-suite members should not think about identity just as a tool to help adopt other technologies. Identity needs to be the foundation of their security strategy.
Outcome-oriented product management
Rikki Singh: How has your experience shaped how you think about product management?
Arnab Bose: I’ve only worked with B2B enterprise products, and there’s some benefit to that because you’re building products that another company is willing to pay for. From that constraint, you first have to figure out if your product actually delivers value. Are you replacing an existing product that already has wallet share with something better? Are you capturing existing spend, or are you creating a net-new spend category? In the cases where you have to create a new spend category, the level of conviction needs to be far more robust and deeper because otherwise you might end up spending a lot of engineering, marketing, and sales resources on something that is a bad return on investment for the company.
Second, you have to think hard about competition. There could be competition from behemoths that are bundling functionality and creating the perception that their product is good enough for commoditization. It is very difficult to outpace that with innovation alone. That behemoth could spend just as much as you are and have something that is 90 percent as good and 50 percent as expensive. So it’s important to think about differentiation. Maybe you differentiate with technology, partnerships, or solutions that give you outsize reach and scale of distribution. Maybe you differentiate by focusing on segments or geographies where a behemoth is not present or can’t be for certain reasons.
Alternatively, once you become an early-stage public company, you’re working against a publicly committed projection. It’s hard to mess up margins or change investment without dramatically impacting your perception. That level of constraint doesn’t exist for nonpublic competitors: They can drop their prices, create design partnerships for future products, and effectively hide the margins impact that they’re experiencing. A PM early in their career may not think about how these factors affect the decisions that come from their senior management. The earlier you understand an S-1 filing or an earnings report, the better.
Rikki Singh: How does Okta differentiate itself in terms of product management practices?
Arnab Bose: We try to be extremely clear about our high-level three-year strategy so every PM at every level can understand what our goals look like and can plan against it. Every year, our CEO publishes an updated version of a three-year vision and strategy for Okta based on the size of the market, what’s serviceable, and what’s changing. That creates some good guide rails for us to create a more specific workforce identity, cloud vision, or vision for customer identity solutions.
PMs take a portfolio-based approach based on a particular buyer persona or segment, such as security products, governance, or privileged-access management. They can see our competitors and the market share we have right now, then create a projection based on attach rates and existing customers.
We want to avoid a feature factory, where we build a bunch of features that don’t improve our differentiation. Clarifying the bigger bets you’re making helps you avoid that and aligns the company’s functions.
Rikki Singh: How do you get the cross-functional input to make some of those decisions?
Arnab Bose: Okta has access to data resources to help create business case structures around investments, which allow engineering and product and design teams to facilitate a conversation with marketing, sales, and finance using a language that those functions understand.
Let’s say a PM has an idea about universal logout, which can be a protocol that solves the important security problem of post-authentication attacks. It’s easier to show a chief revenue officer or CFO that we have data that proves that in 2022, nearly 1.9 billion session cookies were stolen from Fortune 1000 companies.1 We have data that shows that our biggest competitor doesn’t have this capability today. We have data that shows that it is possible for us to attach this capability to our existing customers because we’ve done a propensity-to-pay study. Creating that case is step one.
We also have a monthly sync meeting at the leadership level that’s focused on new product introductions with the biggest bets, and we make objectives and key results for those bets across product marketing and sales. That’s a space where we can have an open conversation about how things are going.
Rikki Singh: How should product leaders disperse efforts and capacities between incremental changes versus big bets?
Arnab Bose: The ratios are going to differ based on the maturity of your product and how scaled out you are. I usually don’t see incremental, quality-of-life improvements be less than 40 percent of a company’s bandwidth. So about 60 percent can go toward net-new things.
Within that 60 percent, prioritization is important. I use a framework called top-in-focus objectives. I’m very clear about the things that I am going to focus on, and I give myself the flexibility to change these priorities once a quarter, if required, but I try not to. That allows me to put pressure on that 60 percent. Are we using that 60 percent capacity? Is something else blocking it? Let’s say incremental tasks are taking up 50 percent of capacity because there are continued escalations in a particular area. Instead of letting it ride that high for the rest of the year, we should do a moratorium for a quarter and address the root cause with some new product investments to eliminate that issue. That frees you up for the longer run.
Rikki Singh: How can marketing engage with sales to make sure they are aware of where things are headed and can prepare accordingly?
Arnab Bose: We have a phased rollout for new products. At every one of these gates, we have a product acceleration team that is closer to the product and engineering teams that come from either presales or sales backgrounds. The acceleration team helps us with a few highly qualified deals to get early feedback on the functionality, pitch deck, demo environment, and documentation. There is a lot of rigor that goes into ensuring that what we have spec’d is correct when it ships.
Gen AI and its impact on cybersecurity
Rikki Singh: How has Okta embraced AI for itself, its vendors, and its customers?
Arnab Bose: We have taken a four-pronged approach to AI. One is we have been baking AI into our products to help make them more secure. We have identity threat protection opportunities with Okta AI that allow Okta to be a shared signal receiver to assess third-party session risks.
Second, we’ve been leveraging large language models [LLMs] to reduce complexity within the product. For example, Auth0 has a capability called Auth0 Guide, which is an agent that helps you build out solutions faster using natural language. Okta AI also has a capability called Log Investigator. Instead of having to learn the query parameters, you can ask it natural language questions, and it gives you the query structure as a response. There will be a lot more investment in that space over time because these LLM tools reduce the time to value.
Third, we’ve focused on enabling AI agents to build secure authentication into their products. Agents can sometimes behave like humans insofar as they have access to multiple sources of data, and they might comment on a document or respond in Slack or Microsoft Teams. But they can’t behave like a human with respect to authentication and factors—they don’t have biometrics. So the team has been working on a product called Auth for Gen AI that helps developers build these agents in a way where they can authenticate securely instead of having to use static API tokens. It should make building these agents safer in the long run.
Fourth, to help with workforce identity inside companies, we have capabilities to help customers safely adopt AI agents. We’re looking at how we might be able to find nonhuman identities that are configured within your applications. Creating visibility and awareness is the first step. Then, customers can vault or rotate their credentials or come up with policies that adopt applications more securely.
Rikki Singh: Of these four dimensions, which could have the greatest impact?
Arnab Bose: The last category—helping customers adopt AI agents safely—is a place where Okta can have the most impact. The pressing need for our customers is figuring out how they can roll out AI agents safely with the right level of permissions.
For example, AI agents have become good at enterprise search and document introspection. Offer letters are often posted in public places, and the agent can pick up on that, so employees can see other people’s confidential information when using the agent. Side effects like that prevent the true value of AI from being realized in enterprises today, so we can play an important role in fixing that.
Rikki Singh: As organizations innovate with AI at scale, what are some challenges that can pose for cybersecurity, specifically in identity management?
Arnab Bose: There’s been a 700 percent increase in deepfakes in the financial sector alone.2 So how do you know that you’re speaking to the right person? Maybe there are integrations with identity verification tools. Maybe there is a way to do end-to-end call encryption.
Phishing emails and messages are also sounding more human. They’re going beyond simple phishing links. It could be a more complicated, longer-term play that gets you to download and install malware. We think about equipping clients with phishing-resistant authentication so that even if their credentials do get compromised, the attacker can’t make much lateral movement.
How companies can safely adopt AI
Rikki Singh: What are some trends in business applications that excite you?
Arnab Bose: One trend we’ve observed is a massive increase in the adoption of compliance tools such as Drata and Vanta. That shows that compliance regulations are on the rise or costs are on the rise. From an identity perspective, the amount of authentication going through phishing-resistant factors was up to 3 percent in 2023,3 but 3 percent is still not great. Off-the-shelf phishing tool kits and the new AI-based attacks can break through non-phishing-resistant authenticators. I’m hoping those numbers increase.
Rikki Singh: How can C-suite members adopt AI without exposing themselves to these vulnerabilities?
Arnab Bose: It comes down to information and awareness. Change is hard. With enough education and awareness, people will be able to drive that change. And there’s a lot of industry momentum behind that. Security vendors such as CrowdStrike have been talking about the importance of identity security and investing heavily in identity security products. Even vendors such as Cisco have announced a lot of identity-specific security tools. These are Okta’s competitors, but it’s an affirmation that this is the right strategy. The more voices there are in the room, the easier it is for us to convince enterprises and chief information security officers that this is the right way forward.
Rikki Singh: Do you think there is a clear definition of what “good” looks like in terms of organizations’ security?
Arnab Bose: The National Institute of Standards and Technology [NIST] framework for assessing cybersecurity does a good job of pointing out identity security gaps and guiding businesses through architecting security solutions. We’ll start seeing more businesses leveraging the NIST framework.
Rikki Singh: Last year, at the World Economic Forum, you discussed the need to democratize cybersecurity. What does that mean to you?
Arnab Bose: The heart of the discussion was cyber inequity because cybersecurity is such an investment-heavy space today that only the world’s largest companies or well-funded governments can implement a good solution. That’s bad because no company stands alone in the market. They have different stakeholders, and if your supply chain is compromised, then you’re probably compromised as well.
To help this, a lot of solutions point to standardizing identity security or security best practices, so companies don’t have to invent their own framework. Vendors would then be encouraged to protect themselves.
Rikki Singh: If you could leave our audience with one parting thought, what would that be?
Arnab Bose: I think PMs should have some level of optimism for the world. There are so many problems to solve. No matter what segment you’re looking at, whether it’s in AI or security, having a level of excitement and optimism is super important because you are going to drive change.