Lean Startup’s Eric Ries on How to Make ‘Gatekeepers’ a Source of Power and Speed

As companies add 'gatekeeper' functions like Legal, Finance, IT and Compliance, they tend to slow way down. But they don't have to. Here's how to lay the right foundation.

No matter what size startup you’re running or working for now, this type of scenario is right around the corner: You want to set up a booth at a trade show with a prototype of your product. You’ve put it all together when you receive a ping from your finance person: “You’ve exceeded your allotted marketing budget for the quarter.” Next, you hear from legal: “Are you planning to have everyone who interacts with the demo sign an NDA?” Before you know it, every move you want to make feels like this — bogged down.

Founder and bestselling author Eric Ries calls functions like Legal, Finance, IT, and HR “gatekeepers,” and he’s well acquainted with them. Between writing The Lean Startup (investigating how startups can stay speedy and agile), and his new book The Startup Way (looking at how big corporations can become more nimble), he’s seen first-hand how these functions can either slow startups down or give them more winning momentum.

In this exclusive interview, Ries explains how startups can avoid falling into the traps of growth that kill too many companies each year. He describes how to create and work with gatekeepers differently so that you can keep scaling innovation as you scale your company.


Gatekeepers are the functional teams whose beneficiary is predominately the company itself, versus the end customer. “Gatekeepers serve employees more than customers. It doesn’t mean that their work isn’t external at times, but their focus is internal: we’re talking Finance, Legal, HR and IT, for example,” says Ries. “The reason they’re gatekeepers is because these functions often impact the ability of the makers and sellers of the product — Product, Design, Engineering, Marketing and Sales, to name a few — to reach customers.”

To illustrate this relationship, Ries cites a matrix management structure (below) that’s been around for a century — and still influences the way a company’s functions overlap today. “Once they get to a certain size, most companies develop some variation of this design,” he says. “There are business-oriented teams related to the operations of the company — these are the gatekeepers, represented by the vertical bars of the matrix. Then you have horizontal bars that orient around a product function — Product, Marketing, Sales and Engineering, for example — that has to do with how you serve customers. Granted, there are some non-customer facing performance characteristics, but at the end of the day, engineering exists to build products for customers.”

The vertically-oriented teams — the gatekeepers — have a powerful role in companies because they generally have approval rights over what the customer-oriented teams do. “They’re called gatekeepers because if you want permission to operate according to the company's procedures, you have to get their sign-off,” says Ries. “Finance is the most obvious and easiest to understand. They ‘back’ teams through what’s called entitlement funding, where you argue for your budget in some kind of strategic process to fund projects and that budget can be adjusted based on performance. Legal’s another one. Product or marketing may need to beg legal for permission to release an app or use specific copy.”

Most early teams neglect gatekeeper functions until it’s too late. Legal, finance, IT — these teams are created reactively and treated as enforcers, not enablers.


Startups grow so fast and organically that gatekeeper functions pop up without founders giving a lot of thought about how they should be positioned, or how to keep them from becoming a drag. "Leaders create them mostly reactively. They realize that, without gatekeeper functions, people will incur liability. And then it spirals: ‘We could have some rogue unit running an illegal competitive surveillance project’ or ‘a regional PM doing an offensive ad campaign undermining the brand.’ The solution is often some sort of centralized brand or legal supervision of projects assembled out of fear or urgency. That’s when the function becomes monolithic — and drags startups just when they need to grow the fastest.”

Of course, if you’re at an early-stage startup reading this, the last thing you may want is structure around your nimble teams — and perhaps you’d be surprised to hear this advice from The Lean Startup author himself. So here’s a cautionary tale from Ries to illustrate the importance of defining and structuring gatekeeper roles as early as possible:

“Not long ago, I did a Lean Startup workshop with a tech company that had been highly innovative early on, largely due to their rigorously iterative style of building. But now they were a couple thousand employees, so they had slowed down a bit and were curious as to why,” says Ries. “Eventually the conversation around gatekeeper functions surfaced, especially as the team was about to expand by localizing and launching its product in many languages at once. It was your classic big-bang, waterfall-type project. They had plans to work on it for 18 months, and then launch simultaneously in several countries around the world.”

To root the strategy in reality, Ries guided the conversation to minimum viable products (MVPs) — the lowest-lift thing you can try to get important learnings. “One idea was — and this was when Facebook ads had just come out — running some Facebook ads in the target countries, where the company would recruit people to pre-order the product. The idea being that we’d get 100 people in each country exposed to the ad, and see what percentage of them give us their credit card,” says Ries. “The company would offer them the English version of the product for free, and then the local language one would ship as soon as possible after."

Now that strategy seems obvious, but, at that point, it was relatively novel. “So we get this agreement that we're going to do this test, and one of the engineers says, ‘You know what? We can't do this MVP. Forget it. Legal will never allow it. We're not allowed to take credit cards without being PCI compliant in their transactional infrastructure. The thing might not ship and so there might be liabilities,’" says Ries. “I said, ‘Well, who in Legal? Who told you that?’ The engineer said that no one had to tell him — that everyone just knows. He didn’t know who his legal decision maker was, or who could appeal that decision. The engineer suggested maybe the general counsel of the engineering team, which the company was large enough to have.”

Ries asked to get the GC on the phone. “To my shock, the engineering team was terrified. It was as if they were getting called into the principal's office. I said, ‘Listen, you asked me to be in this workshop. Let’s do this.’ So we call the GC and he picks up,” says Ries. “The engineer said to him, ‘Sir, do you mind if we incur unlimited liability by taking people's credit card for something we probably won't ship?’ I can hear the GC about to shut it down and lecture us, so I say, ‘I'm sorry. Timeout, timeout. Can I try? What he meant to say is, do you mind if no more than 100 people give us their credit card for this thing?’ The GC asked me how much it’d cost, and I said, ‘It's $29.95, so $30.’ So he said: ‘So you're telling me the total maximum liability, even if we defaulted on all of these is $3,000?’ The GC did a 180 and said, ‘Do you get that we’ve spent that much on this call already? Of course you can do it. Bye.’”

The company had lost its speed and bias toward action because everyone was making assumptions about gatekeepers. “The employees were contextualizing entirely wrong. They’d assumed that the GC would not be okay with it, so they asked the question in such a way that they got the answer they believed they’d get: a ‘no,’” says Ries. “It wasn’t just an internal misalignment — there was a clear business outcome from the conversation. The team got to do their experiment, and it turns out that Indonesia is very different than Singapore which is very different than Norway. They got important product and market intelligence from the test.”


Multiply this cautionary tale by each product launch, market entered and customer segment targeted, and the impact on a business can be monumental. So what can startups do to get ahead of these default assumptions about gatekeeper functions? Ries has a list of tips for three key stakeholders: people not on gatekeeping teams, those who are gatekeepers, and the leadership team at your startup. Scan to your section to read his top tip and an action to take today to set up your gatekeeper functions for success as you scale.


Rule: Avoid the eleventh-hour ask to prevent a gatekeeper’s lose-lose scenario.

“How often have you pinged Legal or HR the afternoon you need an answer because you didn’t plan for their sign-off? If that resonates, it should be no wonder that you’ve only experienced — and reinforced the belief — that gatekeepers are always blocking you,” says Ries. “What they experience is someone calling them with no lead time, pitching a complex plan and asking for a thumbs up or down by end-of-day. From the lawyer's point of view, that's a lose-lose proposition. Either she has to say yes to something that has more liability than she's comfortable with, or she has to say no and be the evil one. It’s not long before non-gatekeeping functions like Product or Marketing are saying, ‘Those jerks in compliance hate us. They never let us do anything.’"

Tactic: Employ a cross-functional team from the start.

Of course, the benefits of a cross-functional team — especially between engineering, product and design — are well known. But how often might you think to include counsel or compliance at strategic points in plan development (not just at the start and finish, when contributions are limited)? To illustrate this point, Ries shares an anecdote.

“I worked with a company in the healthcare space that had a lot of tension internally. Their functions were siloed and everyone building the product hated the people in compliance. The compliance team disliked the product team because it was always pitching low ROI, pie-in-the-sky product proposals,” says Ries. “Not only did both teams suffer, but so did the company’s ability to build and innovate. The company asked me to do lean startup training. I had one condition: ‘If you’re going to work with me, I insist that you build a true cross-functional team. That means that you, Product, need to put a compliance person on your team full-time.’”

Reluctantly, the point person on the product team called up compliance and asked them to send someone over. Compliance said it couldn’t spare anyone, so Ries told the product team that they had to pay the compliance person's salary from its budget. The product team was taken aback. “It’s not a charity. True membership is what it means to work cross-functionally. I had to call the company’s founder to break through the politics and intervene, but finally it happened,” says Ries. “Of course compliance sent the most challenging member in its arsenal to join this team. Now he’s mad at me, and so is the product team.”

Now that their compliance colleague was officially part of the team, Ries told Product to bring him to the next workshop. “When we started, the guy from compliance — we’ll call him Kevin — had his arms crossed and locked a death stare on me. The original product team is still mad. But we proceed with MVPs and lean startup 101 principles. One PM spoke up. ‘Hey, I have an idea. We could pre-sell our products to hospitals ahead of time. We could get like three pilot customers and do a trial to learn whether we have the right commercial model way sooner.’ An engineer shot it down, saying ‘That's not going to work because everyone knows that you're not allowed to pre-sell a medical device without FDA approval.’"

That’s when Kevin from compliance spoke up. “Excuse me, I have a question: Does that strike any of you as the kind of thing the U.S. Federal government would do? Publish a rule that’s one sentence long? Do you really think there's a rule from the FDA that says you can't pre-sell a medical device without FDA approval without any exceptions or clauses?” he paused. “No. The relevant rule is 500 pages long. Have any of you read the 500 pages? None of you have? I have. It’s on page 168, sub bullet B, sub clause 3, footnote C, and there’s a rule that covers this case. And what you just described is perfectly legal. In fact, the FDA would prefer that you did this kind of pilot to make sure the thing works.”

Ries watched the product team’s collective jaw drop to the floor, and then rattled off a series of questions about other exceptions. Kevin jumped into a dozen of them. “He was empowered — and it was so impressive. The team made much faster progress after that. The FDA thought they were amazing, instead of being super weak,” says Ries.

“If you’re at a startup and have limited headcount in gatekeeper functions, have representatives attend your first, middle and last meeting. If they can’t be on your team’s payroll, carve out a specific part of the agenda for them to lead. Give them something to own so they actually belong.”


Rule: Revere how others build, be flexible in how you build.

Ries has studied different types of gatekeepers, and he’s seen commonalities among those on track to become effective. The attributes aren’t all that dissimilar from high-quality startup employees generally, but are particularly critical for gatekeepers.

“The best-performing gatekeepers have entrepreneurial virtues, even if they were never founders or worked at a startup. They’ve got a tolerance — even comfort with — uncertainty and ambiguity and understand why entrepreneurship is challenging. This translates to empathy for what the product teams are going through,” says Ries. “That profile spikes high on respect for what others build and agility in how they themselves build. And of course, that flexibility brings a learning-first mentality. You want a gatekeeper who’s informed, but not always coming in with all the answers. She should be able to synthesize her expertise with what the company is doing.”

Ries admits that this is a tough combination to find. “Those are rare superstars: Chris Cox is the Chief Product Officer at Facebook, but was also the head of HR for a time, for example,” says Ries. “There are two key attributes. The first is respect. If they haven’t been a founder or product leader, fine. If they haven’t worked on a 5-person startup, okay. But they must have reverence for building and empathy for creation and how chaotic it can get.”

Gatekeepers must be agile thinkers. Ask them for a best practice in their line of work. Then ask where that same best practice would be inappropriate. Agile thinkers know a best practice isn’t always best.

The second is agile thinking. “I have a hiring heuristic called ABCDEF, which stands for: agility, brains, communication, drive, empathy and fit. For gatekeepers, I’ve found agility is the most important attribute. To test it, I ask them: ‘Tell me a best practice from your way of working.’ Then I ask: ‘Tell me a situation where that best practice would be inappropriate.’ Only agile thinkers can demonstrate that a best practice isn’t always best,” says Ries. “For an attorney, that might be probing for a situation where you shouldn't run everything by a lawyer. Hopefully they don’t say ‘criminal conspiracy,’ but you want someone to say something like: ‘You know what? If you're a two person team, and you're just doing an MVP, and six people are involved, you don't need a lawyer.’ It requires some common sense and mental flexibility.”

Tactic: Create a one-pager for your customers.

Ries advises gatekeepers to create a one-pager for their internal stakeholders, who are essentially their users. A lot of what gatekeepers do is very complex and requires rarefied knowledge, but they can simply explain and lay out the easiest ways to work with them so they can do their jobs even better and faster. To keep things simple, they should limit this guide to a page, so that stakeholders know exactly when they can handle things on their own, when they need to interact, and what information they need to provide.

That was the final outcome of the story about the tech company that called their general counsel only to be told their call was a waste of time because their liability risk was so low. “The GC told the founder: ‘It’s not my fault. Your teams never ever consult me, they're all a bunch of jerks.’ The founder said: ‘Listen, with all due respect, it is your fault. These people are your customers, and if they're not treating you respectfully, that's actually your issue, so could you please fix it?’” says Ries. “The GC hadn’t made his terms of engagement clear. In other words, he hadn’t defined for his customers what issues were worth contacting him about and which were not. How was a junior product manager to know? Plus, he always yelled at the junior product manager whatever he does, so that person is burned, and doesn't want to call the GC.”

The swiftest way forward is a one-page document — basically a very simple set of guidelines that internal stakeholders can consult. That’s what the general counsel drew up. “It was straightforward and characteristic-driven. It had about five bullet points with checkboxes and short phrases like: ‘The total number of customers involved in your experiment is less than X’; and ‘The total amount of money that they're paying you is less than Y’ and a handful more,” says Ries. “If you can check off a specific number of these requirements, then you’re pre-approved to run the MVP. You don’t have to call legal. Then, if phase one of your MVP is complete, and you want to broaden your experiment, there’s a new set of guidelines, requiring your manager’s approval. Anything more, you have to call Legal. And so on, with the escalating checks-and-balances.”

The trap here is that it’s very hard for gatekeeping functions to make one-pagers. “The GC thought it was a great idea and sent his team to make the one-pager. Guess how long the document was when I first saw it? 10 pages long. It was a 10-page ‘one page’ document because they're lawyers; that is their ‘one-pager,’” says Ries. “There was fine print and all these legal definitions and ‘your mileage may vary’ disclaimers. That won’t fly. Gatekeepers have to consider their customers. It has to be consumable and comprehensible to product managers and engineers. They're not going to read some legal document, no matter how beautiful you think your policy statement is.”


Rule: Foster an environment where gatekeepers can serve, not just respond.

The need to empower your team is a startup trope, but giving actual agency to gatekeepers is frequently neglected. “If you're going to hire a general counsel or a head of IT and put them in charge of their function, you have to allow them to be gatekeepers,” says Ries. “As their leader, the statement you must be able to make is: The gatekeeping functions serve their customers rather than just respond to them. Can they have an agency model where they bring a central process to their key stakeholders — the employees — or is stuff being thrown over the wall in the eleventh hour? How often do you need to intervene as the founder or CEO?”

One key metric to help determine the independence and empowerment of gatekeeping functions is whether they can scale their team with increased scope and workload. “In the very early days of product/market fit, you won't have enough gatekeepers to go around. So there’s actually a limit on the number of good projects that you can get done at a time. Most startups ignore that to move fast and build things, so you end up with one GC shared across fifty project teams,” says Ries. “But startup leaders can anticipate this growth and take steps to allow the leaders of gatekeeper functions to pinpoint their own staffing requirements. That may mean determining the breaking points at a certain headcount or project count at which a gatekeeping team must hire and grow. That may be the single most powerful lever for empowering gatekeepers to define and centralize a process for their function in the organization.”

With gatekeepers, there’s no progression without representation.

Tactic: Keep gatekeeper functional heads accountable according to the cycle time of teams.

The flipside of empowering gatekeeper functions is holding them accountable. “If you're a CEO and you want gatekeepers to have success and respect across an organization, then you have to hold your gatekeeper functional heads accountable for these outcomes. This is, I think, the biggest mistake that CEOs make,” says Ries. “Vague or broad metrics cause disasters. So, if you say to a GC, ‘Your job is to make sure that we don't have any liability in this company’ as a metric of performance, they're just going to say no to everything. Then your teams won’t be able to ship any products. They’ll say, ‘Well, you told me no liabilities, so I delivered.’”

Don’t tell gatekeeper functions that they’re accountable for general business performance, because that’s highly variable and not a lever they can often pull. Instead, create metrics pertaining to how fast you want the team to turn things around. “As the leader, you’ve got to say, ‘Listen, I care about the teams’ cycle time.’ So a classic one I see on teams is — and not to pick on Legal, but it’s a common issue with that function — as companies get bigger, lawyers provide service levels to teams based on which team is favored by the company. I was talking to a team the other day, and they put in a request to get a legal agreement approved, and the lawyer that they got assigned to said, ‘Send me your ROI business case.’ That slows down the cycle of building. You need to define that for your gatekeeper functions.”

Ries invokes SLAs — service level agreements — to establish clear ground rules. “Just like you have an SLA agreement with AWS, what's the service level agreement between legal and the rest of the company? When we send you something, what kind of turnaround do I get? What is the cadence of releases and getting feedback from customers? If we don't measure that, none of this other stuff is going to matter,” says Ries. “But assuming we're measuring that, then we can track the legal contribution to that cycle. The CEO can say to all the gatekeeper VPs, ‘You are a committee together, and your job is to oversee this response time and drive it down. So I want to see teams that are very productive. Each of you needs to take a productivity metric, create a dashboard and own it. Let’s review monthly.’”


To many startups building quickly, “gatekeepers” is a pejorative term. Instead of being equal functions that can protect and reveal your team’s blind spots, they’re seen as a bottleneck. In his career and research for The Startup Way, Ries has seen too many startups and big companies alike work with gatekeepers reactively rather than define how to operate with them proactively. The result is a stigma around gatekeepers and growing tensions within teams.

Instead, tell your non-gatekeeper functions (Product, Engineering, Marketing, etc.) to build a cross-functional team from the start (formally make gatekeepers a part of your team if you can). This will cut down on those relationship-damaging last-minute asks. Gatekeepers should draft layman’s one-page cheat sheets for teams, so they can set expectations without complicated legalese or industry-speak. And lastly, for CEOs or founders, give precise metrics — try rewarding gatekeepers that create faster cycle time for teams, versus protecting against all liabilities.

“At the many companies I’ve worked with, I’ve noticed a through-the-looking glass moment for its founders. At some inflection point, they start seeing themselves not just as the entrepreneur who makes the decisions, but as somebody who empowers and invests in the entrepreneurial people who work for you,” says Ries. “Those heading up gatekeeping functions are often the last ‘founders’ recognized by leadership, because they’re more focused on employees than customers. But it’s a mistake to leave them until last. Startups must give gatekeepers the right level of support and anticipate what they’ll need — not only from the top, but from the non-gatekeeping teams around them. After all, they’re serving the people who serve your customers. Everything is irrevocably connected, and that becomes very clear at scale.”

Image courtesy of Travis P Ball/Getty Images Entertainment.