Making IAM Less Painful: A Security PM's Journey to Founding Oblique Security

TL;DR: I sat down with Maya Kaczorowski, who’s building Oblique Security. I chatted with her about her journey, from her early beginnings studying math and cryptography to building security products at Google Cloud, GitHub, and Tailscale. After talking to 60+ security leaders, she discovered that identity and access management is everyone's biggest headache: tons of manual work, no self-service options, and those dreaded access reviews that nobody wants to do. Maya shares how Oblique Security builds the authorization platform that makes IAM feel less painful.

The conversation with Maya

Zassmin (The Security Wing)

Hey, Maya, thank you for joining us today. I'm really excited to hear about what you're building and learn a little bit from your background.

You want to do a quick intro?

Maya Kaczorowski (Oblique Security)

Yeah: my name is Maya Kaczorowski. I am the cofounder of a company called Oblique Security.

We're in the identity and access management space. I've been doing that for maybe about six months now. Before that, I worked at Tailscale where I ran Product, Engineering, and Design. And before that, I was at GitHub as a PM on software supply chain security, and at Google Cloud as a PM on encryption key management and on container security.

Zassmin (The Security Wing)

Very exciting.

Well, I'm really happy to have this conversation with you because you've had a pretty deep background in security, a pretty deep background leading products in security, and a pretty deep background at building products related to identity and access.

I want to dive into that background a little bit, how it started, so that we can kind of walk through the path to now, since you've seen different versions of identity and access management problems as you've come up in your career.

Maya Kaczorowski (Oblique Security)

Yeah, so I think your first question is basically like, how did I end up in security? I've always just been drawn to puzzles and problem solving, and I really liked codes, and so I studied math and I studied cryptography specifically.

I started to get really interested in how security impacted the world and the industry. Some of the early cyber attacks on Estonia in 2008 really made me realize how real this was and got me really excited about this as being something that I could actually have a career in.

I started my career in management consulting, and I did a little bit of everything, but I also ended up doing a lot of security and getting to build security programs for really large organizations, like healthcare companies and financial institutions.

And that really solidified that I can have a career in this.

Zassmin (The Security Wing)

Yeah, that's awesome. And I wasn't aware that you studied cryptography and have a background in that. I would love to learn a little bit about that.

It's funny, the thing that I tell people to study nowadays is cryptography. I find it to be one of the most important things to learn as it's going to continue to advance the way we communicate globally. And so I'm a little bit curious about that.

Maya Kaczorowski (Oblique Security)

Well, I would say there's 50 people in the world who know cryptography really well and then write all the actual code that we depend on.

And then there's people like me who studied it for fun and then proceeded to not really work on it more than at a surface level afterwards.

But I do like the knowledge that I gained from it and understanding what limitations exist. That did end up being helpful in my career.

To me, it's always been about just studying the things and working on the things you're really passionate about. And if you can make a career out of that, you've won. Yeah. 

Zassmin (The Security Wing)

That's definitely true.

So your career started off doing consulting in security and that's when you realized, you can really have a career.

You noticed how you can support enterprises doing security. At what point did your role evolve into more of a product role?

And how did that shift? I find this important because product roles in security aren't common, but I find them incredibly important to driving the way security problems get solved.

Maya Kaczorowski (Oblique Security)

I joined Google in 2013 in the early days of Google Cloud, relatively speaking, as a Product Manager.

And it was my first formal PM role, but a lot of that skillset and a lot of those activities were things I had already been doing.

I really enjoy the product role of getting to do 17 different things one day and getting to talk to users and really think deeply about their problems and the technology. Thinking about the user experience and sales and marketing and how this all fits together.

The fact that the user experience is not about them going onto some web UI and clicking on something. It's instead about everything they experience. It's great documentation and it's how-to videos and it's everything else that goes along with it.

So I worked at Google on encryption at rest, encryption key management. And, yeah, like you're saying, I completely agree with you. It feels like we haven't necessarily valued products in areas like security. But I'd actually say it's basically, like, any enterprise space.

We spend so much time at work and we, at the same time, end up with these very clunky products.

It's really a shame because, like, that could really make someone's day if that was slightly less frustrating.

Zassmin (The Security Wing)

And was some of the encryption at rest work, was this a part of the Zero Trust team or Google Cloud?

Maya Kaczorowski (Oblique Security)

I was working on Cloud KMS and customer managed encryption keys.

Zassmin (The Security Wing)

Okay. So this was like the early days of Google security products. 

Maya Kaczorowski (Oblique Security)

Yep.

Zassmin (The Security Wing)

This is awesome. I mean, we know now that Google has put a lot of money into security, acquiring security companies and really going security first on the Google Cloud story.

And you were part of the beginnings of that. Who were your customers? Did you get to talk to external Google Cloud customers or were you still primarily focusing on internal devs as the initial customers?

Maya Kaczorowski (Oblique Security)

I was focused entirely on external customers. In my first or second year there, I talked to over a hundred customers in a year, something like that.

Which felt like the right number, roughly, for what it's worth. I do think that if you're a PM and you're not talking to customers a couple times a week, you're kind of doing it wrong.

And getting all that exposure was great. That was in formal customer meetings, but then I'd meet them at conferences, or I'd meet them in lots of other settings that we had as well.

The typical customers were relatively large businesses, a lot of retail, right? If you think about retail customers, they don't want to be on AWS, and so they look for some of the other cloud providers.

Zassmin (The Security Wing)

Oh, is that because AWS has Amazon associated with it?

Maya Kaczorowski (Oblique Security)

It's a competitive customer for them, they don't want to give money to a competitor. A lot of retail customers, by default, pick GCP, just because they don't even want to consider AWS.

But because I was working in, you know, a security space, I ended up working with lots of banks, financial institutions, trading firms, healthcare providers and tech companies and lots of other people who cared a lot about security as well.

Zassmin (The Security Wing)

Did you build a thesis based on these early customer conversations that stuck with you as part of those learnings?

Maya Kaczorowski (Oblique Security)

I mean, I think it changes over time, right?

What I thought 10 years ago is different than what I think now. I do think that if I go back and wonder why something like a product or design or documentation is so important, it's because it doesn't matter how great your product is if no one uses it, you know?

Yeah. And you do need to think about distribution and adoption. And you need to think about how your customer, who's not the security team, has to interact with this product.

And how that changes their day, right? A lot of security tools are built by security people for security people and completely ignore that our end users are people at these companies who just want to get their job done.

Zassmin (The Security Wing)

Yeah, and I mean, I imagine that probably came with a sense of trade-offs as well with how to secure things and how to present that to the customer.

Maya Kaczorowski (Oblique Security)

For sure. I think you see a range of companies, for example, financial or high-tech, where security can say no and like really drive a decision, like a technical decision.

But that's the rarity, right? In a lot of other companies, security is like: “please, please do this thing. Please, please do what's right.”

We talk a lot about paved paths and that kind of thing. And I think in cloud security, we've done a lot of that work in the last several years. But I wouldn't say we’ve necessarily seen that in other aspects of security, right?

Like things like identity and access management, right? There's a huge opportunity for areas that haven't shifted left. It's shifting left as like a concept, not as literally shifting left.

Zassmin (The Security Wing)

Yeah. So much goodness there. You’ve focused on cloud and building security products. You learned a lot about talking to customers and you've helped build KMS.

Talk to me about how that has shifted over time into your focus now on the problem space that you're seeing around identity and access management, and how you arrived at understanding that as a customer need.

Maya Kaczorowski (Oblique Security)

Yeah. In my last role, at Tailscale, I got to spend a lot of time with customers as well, which was great. I could always spend more time with customers.

And then I left and decided to start something and really the motivation for me to start something was about being able to have an impact to solve a real security problem, while creating a great place for people to work, and have fun doing it, right?

That's the dream. And so I took my time. There's things that you can't build your way out of. And that's whether or not you're solving a real problem that the market needs.

I wanted to spend a lot of time making sure I could focus on a problem that everyone has.

I spent three or four months in the fall of 2024 interviewing almost 60 security leaders, including CISOs. I asked them what they were struggling with right now.

Some of these people were people I knew, some of these doors were open because I promised to share back what I learned, and I did.

I also published my findings, but basically the top issue that people were complaining about the most was identity and access management. The second issue was around vulnerability management, and the third issue was around getting logs out of SaaS tools.

I focused on this IAM problem. It’s about people struggling to manage access changes, keep up-to-date, and have consistent information across systems. It’s a highly manual process that required context that was specific to every single organization.

And also, so many companies had ended up building the same solution, again and again and again. Or, like, somebody would leave a company and go somewhere else and just rebuild the same system again because they couldn't buy something.

It was just a massive waste of everyone's time. I found this space and thought: “there's a problem that everyone has.”

There is validation. People are willing to invest to build something here because they're literally putting engineers on this problem.

This must be something that I can go work on. 

Zassmin (The Security Wing)

Yeah, that's wonderful.

Those are two really important signals, people are already spending money on the problem, it’s highly manual, and it’s happening at several companies. You mentioned your blog post that you wrote about this. What is it called?

Maya Kaczorowski (Oblique Security)

It's called “What sucks in security? Research findings from 50+ security leaders.”

Zassmin (The Security Wing)

Love it! Okay. Out of the top three that you heard about, you decided to focus on identity and access management.

How did you take what you were hearing? Often in this process, there are conversations about how what the user wants or needs can be different from what they say they want or need.

How do you reconcile that with the pain points that you're hearing from the security leaders who are already spending money on this? They're already scratching their heads over this, and they need some type of solution.

And there's a bunch of cloud solutions that kind of hover around this problem. How did you decide on what this looks like for what you're solving?

Maya Kaczorowski (Oblique Security)

I wouldn't say that I did the best product management job ever, but I did spend the beginning really just digging into the problem.

I wrote up a long doc for myself to understand what are all the problems people are complaining about in identity. What are the specific things, with quotes, of the things that I hear again and again and again and again.

And then I looked through it, again, not super formally, and made some notes to myself, and I went, okay, I think the right way to solve this problem is this, and there was a company doing that, and I think the right way to solve this problem is this.

And then there's this thing over here that everyone complains about, but I don't see a solution on the market that makes sense to me.

How could we actually solve that? I also spent some time talking to folks who have built solutions in this space, either internally at their organizations or started startups themselves or other companies, and just got their feedback. A lot of the time it was, what was the problem, and why did you build something? What was the motivation to go build something?

Because that's the thing that I'm really interested in. Not, don't get me wrong, the architecture of what you built is interesting, but the why is the part that's really interesting.

I spent a lot of time on that. And then scoped out the design and started making mocks, like just UI mocks of what I was going to build, showing them to people, getting feedback, iterating between meetings and on the mocks.

Not having any code. Zero code. I was simply trying to explain these concepts and see if it made sense.

People got it. And people got excited about it. And I was like, okay, I have something here. Time to actually start building it and seeing if I can make this real and see if people are going to use it.

Zassmin (The Security Wing)

I love that you walk through that because it kind of reminds me of stuff that happens at off-sites or when we're doing user stories with product managers. Doing the post-its on the wall, talking about the different user pain points and user journey mapping and UX sketching and all that kind of stuff.

Maya Kaczorowski (Oblique Security)

Yeah. Yeah.

Zassmin (The Security Wing)

So, I mean, it sounds like you kind of did go all in on the product for this one.

Maya Kaczorowski (Oblique Security)

To me, it feels like I didn't, but I think it says more about my personality than anything else.

Zassmin (The Security Wing)

Yeah. 

What were the things that you were hearing from your customers that resonated with them most about your discoveries?

Maya Kaczorowski (Oblique Security)

I think one of them was around self-serve changes. So everyone has some sort of ticketing system where if you want to get access to something, you go, create a ticket, and then you request access, and it goes through some sort of approval flow.

The fact that that isn't more automated in a lot of organizations, but also more importantly, if you're making a non-risky change, you can't just make it.

Or if you're making certain kinds of changes, you actually can't, it's not automated. So, like, maybe you can request access to AWS or Salesforce, but maybe you can't request the creation of a new team, as an example.

And that's highly manual. People don’t have a scalable solution there. That was one.

Another one is that everyone hates user access reviews and doesn't feel like they have any real value.

Zassmin (The Security Wing)

Yeah, I used to do those every three months. It’s a part of everyone’s SOC2 world.

Maya Kaczorowski (Oblique Security)

Everyone's just like, I just checkbox everything and I don't understand what the value of this is. I don't feel like it makes me more secure. And I don't want to do it.

What I find really fascinating in general in security are these sorts of problems that are not technology focused, but more around process and organization.

Identity really fits in this space where usually the IT team manages your IDP, but then your security team is writing requirements for your identity.

There is this constant pull between them. There’s too many cooks in the kitchen and no one's quite happy with the solutions.

Zassmin (The Security Wing)

Yeah, and none of them are product people.

Maya Kaczorowski (Oblique Security)

Yeah. They all know it can be better, but yeah. Yeah, so those are the problems. It's been interesting to realize that no issue that I'm looking at wasn't also a problem 15 or 20 years ago. Access reviews and requests will perennially be issues for people, which is honestly kind of motivating, right?

If I think back to why I'm interested in working on this, it is to have an impact. If I can make a dent, let's go make a dent.

Zassmin (The Security Wing)

Yeah, and I mean, sometimes the most important problems are actually the really boring ones, they're the problems getting in the way.

Access controls are a really great example of that. It's something you have to do. It's something that's good for you, and it recurs, and there can be a better way.

That’s what you’re building, the better way.

Maya Kaczorowski (Oblique Security)

Yes, and everyone also feels like it's super custom. Every organization is different, but there's a lot of the same constructs. It's about having enough flexibility for it to work for different kinds of organizations without it being too flexible because then you won't know what to do with it.

Zassmin (The Security Wing)

Yeah. I imagine that a lot of these enterprises are also using very similar enterprise products, like Salesforce, Workday, GitHub, or GitLab.

Maya Kaczorowski (Oblique Security)

Yep. A lot of, a lot of similar tech stacks, for sure. Yeah.

Zassmin (The Security Wing)

Talk to me a little bit about how you integrate your product with your customers.

Maya Kaczorowski (Oblique Security)

We're building an authorization platform for corporate environments. You can define your organizational structures around attributes, like departments or locations or reporting chains or ad hoc teams that need to exist and then grant those different entities access to things, as well as let users self-serve access, but more importantly, debug their own access.

The key integration points for us are the HR system, like Workday, your IDPs like Okta or Google, but also anywhere else that you have to define consistent groups, like Slack and GitHub, is another one that’s such a consistent source of truth for communication and work in so many organizations that you need to have consistent groups and information across all of those systems.

Zassmin (The Security Wing)

So you're plugging it all in and they're managing it directly.

Maya Kaczorowski (Oblique Security)

That's exactly what we're trying to do. The stack that I just described is, for a lot of companies in the space that we're targeting, the same. We're not looking at something super varied, which hopefully makes our job much easier.

Zassmin (The Security Wing)

Yeah, definitely. Any insight that you'd like to part with for our chat?

Maya Kaczorowski (Oblique Security)

I mean, I think one of the things that I've been thinking about the last couple days, related to access management, is that the hard part about access management isn't storing information about who has access to what.

The hard part about access management is change management. It's making people feel confident that what is changing will not break everything and helping people understand how to do some of these changes.

This is a space I've been thinking about nonstop for months now, and then to still be like, oh, wait a second, am I solving the right problem?

What's the deeper thing that people really need help with?

Zassmin (The Security Wing)

I mean, it's interesting you say that because, yeah, there's the people's access to services, and then there's how the access of services gets managed.

And then there's also the reality of teams changing often. People move between teams, people get onboarded and offboarded often. Teams evolve every quarter sometimes. And things do break when all that stuff changes. Completely agree.

Maya Kaczorowski (Oblique Security)

Yeah. So it's been interesting to see how consistent everyone's reality is and how consistent everyone's worries are.

Everyone's worried.

Zassmin (The Security Wing)

Yeah and I love that everyone feels like their problem is unique, but they're actually similar enough constructs that make it so that a clear solution can be built around this.

Really great conversation with you, Maya, and thank you for sharing your story and what you're building.

Maya Kaczorowski (Oblique Security)

Thank you, Zassmin, for having me.