He has stood next to almost every security wave of the last two decades. He thinks the next one is the biggest - and it starts with a question nobody has answered: what are you actually allowed to do?
CEO, Opal Security / San Francisco, CA
In November 2025, Howard Ting took the CEO seat at Opal Security, a San Francisco company that maps who - and increasingly what - can touch a company's systems. The mandate is not glamorous. It is plumbing: joiner-mover-leaver workflows, just-in-time access, the user access reviews that most companies duct-tape together and quietly dread. Ting thinks that plumbing is about to become the most important real estate in security.
His reasoning is simple enough to fit on a napkin. Companies run differently than they did five years ago. More identities. More machines. More automation. And now software agents that can read a repository, rewrite infrastructure, or fire off a workflow without a human in the loop. Every one of them needs an answer to the same question a night watchman asks at a locked door: are you supposed to be here, and for how long?
Authorization - what should you be allowed to do, and for how long - remains deeply unsolved for both humans and machines.Howard Ting, Opal Security
That is the bet. Opal does not open by asking employees to file requests or by drowning admins in compliance forms. It opens by showing a company its real access, the sprawl it did not know it had. Ting says that is what sold him. He watched customers use the product not to run a workflow, but to see themselves clearly for the first time. “This level of partnership is hard to build,” he said, “and it says a lot about the team and product that's here.”
Read Ting's resume backwards and a habit appears. He keeps showing up at companies a beat before their category ignites. Palo Alto Networks, when the firewall was being reinvented. Nutanix, when the data center was being folded into software. Redis, when in-memory data went from clever trick to default infrastructure. Zscaler, as the perimeter dissolved into the cloud. He was not always the person on the keynote poster, but he was in the room where the category got its name - most of his roles sat at the seam of marketing and product, the place where a technology decides what to call itself.
Before all that, he studied at UC Berkeley and cut his teeth on mergers and acquisitions at Banc of America Securities. Then he joined Cisco through its acquisition of a startup called Securent. Securent did authorization. Two decades later, authorization is the through-line of his whole career - the problem he keeps circling back to, no matter which logo is on his badge.
Access is getting harder because the way companies operate is changing.Howard Ting
Immediately before Opal, Ting spent more than five years as CEO and board director of Cyberhaven, a data-detection-and-response company, then a stint as Executive in Residence at Greylock Partners. Running a security company is a strange kind of leadership - you succeed by making sure nothing happens, and the days you earn your salary are the days something goes wrong. He came out of it with a operating philosophy he repeats often: discipline about the fundamentals, especially when a company is growing fast enough to skip them. Clear priorities. Transparent communication. A willingness to make the hard tradeoff instead of the popular one.
“Great companies stay disciplined about the fundamentals even when they're growing quickly,” he says. It sounds like a platitude until you remember that most fast-growing companies do exactly the opposite.
Here is where Ting gets animated. For years, identity meant humans - onboard them, offboard them, review their access once a quarter. Then the machine identities arrived, and now they outnumber the people. Then the AI agents arrived, and they do not behave like static service accounts. They reason. They adapt. They act. “Once they can read repositories, update infrastructure, or trigger workflows,” Ting warns, “they introduce access patterns that need real governance.”
His answer is not to build a separate cage for the robots. It is to treat humans, services, and agents inside a single framework - and to make ephemeral, just-in-time access the default rather than the exception. Grant an agent access to exactly the resource it needs, for exactly as long as it needs it, and make the approval frictionless enough that nobody routes around it. The old model was a one-time checkbox. Ting wants a continuous lifecycle, oversight that never quite stops watching.
When governance fits naturally into the engineering workflow, it stops being a blocker and starts being a safeguard.Howard Ting
It is a tidy summary of his whole thesis. Security fails when it becomes a wall people learn to climb. It works when it disappears into the way the work already gets done. That is the product he wants Opal to be, and it is, not coincidentally, the kind of product he has spent twenty years learning how to name.
There is a quiet oddity to Ting's trajectory. The security industry loves a founder-engineer origin story, and his does not fit the mold. He came up through marketing and product, the discipline of deciding what a technology means and who it is for. In most companies that is a support function. In a category that does not exist yet, it is the whole game. Somebody has to look at a pile of unfamiliar capability and give it a name a buyer can hold onto. Ting has done that, over and over, for firewalls and cloud proxies and hyperconverged infrastructure and data-detection tools. The move from explaining a category to running the company building it is shorter than it looks.
It also explains how he talks. He does not reach for jargon. He reaches for the plain version - the night watchman at the door, the checkbox versus the lifecycle, the wall people climb. That instinct to translate is the same one that let a marketer stand next to Bill Gates in 2006 and make an identity demo land for a room full of skeptics. The technology has changed a dozen times since. The job of making it legible has not.
Strip away the vocabulary and Opal's pitch is almost old-fashioned. Know who is in the building. Know what they can touch. Take the keys back when they leave, or when the job is done, or when the software agent finishes the task it was spun up for. What has changed is scale and speed. There are more identities than a human team can review by hand, they change faster than a quarterly cycle can catch, and a growing share of them are not people at all. Ting's answer is to stop treating that as a periodic audit and start treating it as a live system - risk scored continuously, access granted narrowly, approvals automated where they can be and escalated where they must be.
Whether that becomes the default way enterprises think about access is the open question of his tenure. But it is a bet with a coherent logic, made by someone who has watched enough categories form to recognize the shape of one arriving. Ting has spent a career showing up early. At Opal, he is wagering that he has done it again.
A short list of the places where the category got its name while Howard Ting was standing there. The highlighted one is where he sits today.
Studies at UC Berkeley and early M&A experience - the finance grounding before the pivot into security.
Senior marketing and product roles. Joins Cisco through its acquisition of authorization startup Securent - the seed of a career-long obsession.
Given 90 days, helps build and deliver an Azure Active Directory demo presented alongside Bill Gates at RSA Conference 2006.
Senior marketing and product leadership through two of the decade's defining growth stories.
Strategic marketing leadership as cloud security and in-memory data both went mainstream.
Leads the data-detection-and-response company as CEO and board director for more than five years.
A brief investor's-seat interlude - before the pull of operating wins out.
Takes the top job at Opal to build a unified control plane for access governance in the agentic era. Announced December 11, 2025.
Managing access is getting harder everywhere. More identities, more machines, more automation.
Once they can read repositories, update infrastructure, or trigger workflows, they introduce access patterns that need real governance.
Rather than building everything around request or compliance workflows, the product starts by mapping real access.
Great companies stay disciplined about the fundamentals even when they're growing quickly.
Shared a live keynote stage with Bill Gates at RSA 2006 - built on a 90-day clock.
Joined Cisco through its purchase of Securent, an authorization startup. The problem followed him for 20 years.
Has worked at or near RSA, Palo Alto, Zscaler, Nutanix, Redis, Cyberhaven - a walking tour of modern security.
Started in mergers and acquisitions at Banc of America Securities before pivoting into cybersecurity.
Father of three young kids - coaches their sports and helps with homework between board meetings.
Calls himself a fundamentals guy: clear priorities, transparent communication, the hard tradeoff over the popular one.
Ting is a father of three young children, and he is unusually candid about the math of it. A growth-stage CEO's calendar does not have slack in it, and neither does a childhood. He coaches their sports, helps with the homework, and talks openly about the discipline it takes to set boundaries around a job that would happily consume all of them. The same word that runs through his work runs through his home life: be intentional, decide what matters, and defend it. Access, it turns out, is a family value too.
Built from public sources: Opal Security, BusinessWire, Unite.AI, Crunchbase, LinkedIn. Quotes drawn from published interviews and announcements. Where the record is silent, this page stays silent.