What a Record Setting Investment into the ICS/OT Cybersecurity Market Means to Me

December 8, 2020

“ICS cybersecurity? What’s that? Is it worth doing? Can it be done? No it cannot, I heard…Even if you did the market isn’t large enough to support it long term”

Dragos, Inc. announced today its Series C financing, which is the largest investment ever into an industrial control system (ICS) / operational technology (OT) cybersecurity company. The investment is $110M, for a total raised of more than $158M over the four years the company has been around. As the co-founder and CEO, it fills me with great pride because of the team Dragos has assembled and our amazing customers who have truly partnered with us on our collective journey. Seeing them leverage our technology, services, and intelligence to make their companies more secure and further their maturity is something amazing to behold. Most citizens never understand or gain insight into how hard their infrastructure companies work to provide safe and reliable services and goods; I can tell you first hand this community works amazingly hard. There are a lot of unknown, passionate professionals running proofs of concept, implementing projects, advocating internally in their orgs, getting trained, working long hours, etc., all of which allows companies like Dragos to exist to serve this community. Thank you.

I’ve written before on what it’s like to raise venture capital; you can view that blog here. In this post I want to walk through some of the challenges I’ve faced for Dragos from an investment perspective, and the path along the way, explicitly to help explain what I think this investment means for the broader OT/ICS cybersecurity market and community. I’ll speak a lot about our journey so far, but the point isn’t Dragos’ financing but instead the amazing realization that OT cybersecurity is worth doing, that the market is large enough to do it in, and that it can be done.

I will say without any intent to hype it up that I do believe this is a watershed moment and I hope to share that perspective with you.


I started Dragos a little over four years ago with my co-founders Jon Lavender and Justin Cavinee, who had worked with me at the National Security Agency on our mission of identifying and responding to threats to ICS worldwide. We started the company not out of the desire to create a company or technology. To be candid, we all abhorred the idea of becoming a software vendor after a career of being practitioners and community members in this space. But we did so out of a stark realization that the industry was changing and the threats were becoming more numerous and aggressive. What we were seeing as “answers” were copy/pasted IT security best practices dropped into ICS networks with little regard for the unique mission and threats those systems faced. I had authored the SANS ICS515 class on ICS incident response and network monitoring to help educate and train the workforce, but realized that the only way to scale human knowledge fast enough in the face of what we were seeing was to also ensure those practitioners had ICS-specific cybersecurity technology as well. We needed to do this in a company that would refuse to get acquired and be a long-term player to put a dent in the problem. It’s my view, though, that to make the best technology you need the best people, and you need to be hyper-informed on the changing risk landscape if you’re going to counter it. So we built Dragos focused on our visibility, monitoring, and response technology, but also with a professional services team of ICS cybersecurity experts to do everything from threat hunting and pentesting to incident response and architecture reviews, while being trusted advisors to our customers. To inform everything we did and to help educate our community, we built an intelligence team to identify and track threats specifically focused on ICS. To date we track 14 state adversaries explicitly targeting ICS. I say all that in the context of this fundraising to say: most investors hated our approach.

We got off the ground with a Seed investment from DataTribe. The only reason they invested was that they had a background in the intelligence community and military and understood that we were mission focused. I’m sure they didn’t know much about what we wanted to do, but they knew the problem was important and that we were the team that would stop at nothing to satisfy the mission. When I went to raise the Series A round of $10M to finance our operations, I met with and pitched well over 100 investors. Many of them sought us out to learn more about ICS/OT cybersecurity. The broader OT security market, which encompasses ICS and the industrial internet of things (IIoT) (not to be confused with IoT; Alexa and a gas turbine have little in common), was very interesting to investors, but none of them seemed to believe it was worth focusing on. I received pushback from investors that fell into three distinct camps; these camps were challenges I had heard from plenty of non-investors as well over the years:

  • Companies have tried to do ICS security before and failed. It’s not doable. People don’t care past regulation or fear. These companies won’t change. OT-specific cybersecurity will never be successful.
  • The market is too small. If you’re interested in getting quickly acquired we’ll invest, but if you’re interested in going the distance, we’re not along for the ride. The OT market is so niche.
  • IT and OT are converging. There won’t be an OT network in the years to come. IT? OT? It’s all just T. Enterprise cybersecurity will be rolled into the plants; there’s no need for OT-specific cybersecurity. OT-specific security isn’t worth doing.

Finding people in the broader market who didn’t agree with the three points above was hard. In reality, very few of the practitioners in our small ICS security community believed such things. I think many people in our community have wondered if it’ll take some giant cyber attack on ICS to get people to take it seriously, but my view was “we’ve had all the attacks we need.” Every industry has representative attacks and stories. That wasn’t the issue or need, and no one should hope for it. The reality was that there wasn’t seen to be a large investable market, which meant that, for the business, there was no obvious need to address this risk. I viewed building a technology company and staying around long term as necessary to getting these companies resources for workforce development, training, etc., as much as anything else.

On the three points here’s where I disagree in order:

  • Just because a few companies have failed on this path doesn’t mean it won’t be successful. More importantly, the efforts I’ve seen fail before were largely re-skinned IT security efforts with some ICS marketing. It was obvious they were going to fail. This community does care about its infrastructure, but we are a community of people who understand what does and doesn’t work. Our infrastructure members will invest beyond regulation and fear, but not in things they don’t believe will work. Also, undeniably, over the last decade there has been a larger and more proactive community advocating, across companies, vendors, conferences, etc., on what does and doesn’t work.
  • The OT market is huge. It’s hard to put a real number on it; some orgs claim $20-30B, but however you size it, it’s huge. Most people associate it with electric utilities and oil and gas. But manufacturing, rail, water, mining, transportation, etc. should come to mind. And the physical systems in the data center. And building automation systems. And airports. And and and. It’s actually harder to find companies that don’t have OT than those that do. These businesses aren’t in the business of selling emails. They produce goods, interact with the physical world, and provide services, all powered by OT. The major risk is in the OT, and when executives are aware of that and have an answer to address it, they will invest in a way the majority of investors I’ve met have misunderstood.
  • IT and OT convergence happened a decade ago. I’m nearly tired of hearing how it’s “coming.” We have had Windows in ICS/SCADA/DCS/OT/etc. networks for more than a decade. The convergence is actually the digital transformation of these organizations coming at the same time as ICS-specific adversaries. But no matter what the underlying operating system is, that’s not the point. The point of OT cybersecurity is that the mission is different. The threats are different. The risks are different. The culture to get the job done is different. The challenges to succeed are different. Therefore the way you secure it will be different. I’m not saying all IT security is useless in the plants. There’s plenty we can learn from and adopt. What I’m saying is that the unique and most critical part of these businesses deserves a specific focus that understands and accounts for the people, culture, process, technology, mission, risks, threats, etc. of that side of the business. To not accept that is naïve.

When I went to investors saying we wanted to focus exclusively on OT cybersecurity, and that we wanted to partner with our customers not just by providing technology but also by having smart people and actual insights to provide, it didn’t go so well with most of them. You cannot describe all VCs in one broad stroke, just as you cannot describe any group; I’ve met and really enjoyed getting to know plenty of VCs, but to say the vast majority didn’t understand this market is an understatement.

Not only were the pushbacks from above tangible, but there was also “and you want to hire experts to do professional services? Won’t that lower the margins on the software sales? I don’t think that’s a good idea.” But even extremely mature companies are relatively immature in their OT cybersecurity journey and need a partner, not just a technology. That’s also how we get better. So it was non-negotiable. Our team’s people are and were our secret weapon. For all the words like innovation and disruption that get flaunted in Silicon Valley, it was interesting how many investors we scared away simply by being different than what they had seen before. The reason we were successful in our A round was largely due to Energy Impact Partners and AllegisCyber. AllegisCyber is a VC built by former operators (people who ran companies before), which helped them see what we were doing beyond a spreadsheet. Energy Impact Partners, though, deserved the lion’s share of the credit, as they are a VC built by the electric companies: Southern Company, National Grid, Xcel, Oklahoma Gas and Electric, etc. Those companies knew first hand how important OT was and the necessity of a full solution.


By the time the B round came about, a $37M investment, a lot of the naysayers claiming OT cybersecurity couldn’t be done fell to the side. We were flooded with investors who wanted to invest. But most of them were talking and thinking about acquisitions. My view was, and is, that the OT cybersecurity market is so large that it can support not only one company IPO’ing or being of that size, but multiple. This was not a widely shared view, to say the least. Most of the 70+ investors calling, who were interested in us because of the importance of ICS, quickly had the wind taken out of their sails, and the conversations would noticeably shift when I mentioned our vision was to be a long-term company and not to build to be an acquisition target. To them it was clear now that OT cybersecurity could be done. They agreed it should be done. They did not believe it was a large market. Luckily, this time around we had Canaan, a well-respected Silicon Valley VC that added that type of credibility to our name in those circles and that believed in the mission and in the market size. They saw what many at the time didn’t, and I think a big reason for that is how involved they had been with pharmaceutical companies and others, realizing that maybe there was something to this OT market. Vision is an easy word to say and hard in practice. (Hear their perspective in this blog here.) We were fortunate to also be joined by a direct strategic investment from National Grid, Emerson, and Schweitzer Engineering Labs. Obviously those three understood OT and have continued to be great partners.


To claim that the C round is some sort of finish line is obviously silly. It’s really just the starting point. But having a record-setting $110M investment isn’t about Dragos. It’s about our OT cybersecurity community and the broader market. It’s a massive signal to everyone that not only is OT cybersecurity important (most everyone gets that) and doable (people are starting to realize that), but that the market is large enough to make it a worthy investment (new to most). This time, instead of taking calls from all the interested investors, we focused on letting the industry tell the story. The only thing more powerful to me than a large investment is having the asset owners and operators themselves tell their story. Thus, for the C round we had the venture arms of National Grid and Koch Industries lead the round, with investments from Saudi Aramco and HPE as well. One of the largest electric and natural gas companies in the world, with the largest manufacturer in the world, with the largest oil and gas company in the world, with one of the largest manufacturers in the supply chain in the world. That’s a powerful story. That’s a signal to everyone, including the investors, that the OT cybersecurity market is large, worthy of investment, and will be around for a long time. These are industry leaders saying not only do we believe in the technology we’re seeing, but this market and category is important to our businesses at a strategic level. That’s a powerful signal to the other companies in their space and beyond. That’s the new piece here. That’s the story. That’s what I think serves as a watershed moment. The community itself standing up and saying “we’ll get this done ourselves; it’s of strategic value.”

There are plenty of savvy investors and VCs that I’ve had the privilege to get to know. But across the broad swath of them, the conversations have changed as they learned about our C round. And it’s not just investors. I’ve run into the naysayers every month, and sometimes every week, of my entire career. It gets tiring. And don’t even get me started on the “you’re technical? Are you sure you can be the CEO? Shouldn’t you bring in someone else?” discussions. That’s a less polite blog I’ll write some time. But I know many of you in our community run into the same conversations about our ICS community. To all of you I can say now with great confidence that the folks telling you it “can’t be done,” “shouldn’t be done,” or “cannot be done long term” are on the wrong side of the argument. We have a lot of work to do. But this is a community milestone.

It’s not a Dragos-only story. The work by so many firms, so many passionate professionals, students, practitioners, leaders, government agencies, and even competitors has been a part of getting here. And here we stand on a larger platform than ever before, as an OT/ICS cybersecurity community, to tell our story.

If you’re in our community, we at Dragos hope this provides some ammo for you to propel your ICS security journey forward. If you’re not in the ICS security community and you want to join, we hope this is a good signal to you that you can have a wonderful career here and that it’s worth your time. Your local power company, water utility, oil and gas, manufacturing, rail, data center, mining, etc. companies are hiring. Go check them out. Their mission is worth investing in.

What It’s Like to Raise Venture Capital (Just My Experience)

November 22, 2018

Last week it was announced that Dragos, Inc. raised $37M in our Series B financing event. That brings the total amount of money raised for the company to $48.2M since the company was founded in 2016, and marks my third time raising (Seed round of $1.2M, A round of $10M, and now the B round). There’s a lot written explaining venture capital, so I won’t attempt to explain it here in a short blog; the purpose of this blog is to share some insights into things I’ve learned as a security practitioner that were new and surprising to me, or just general observations that were interesting enough to document. Over the past two years I’ve taken more than 300 calls with more than 150 venture capitalists, officially “pitched” to more than 50, and had term sheets from about a dozen. I’ll start off with a comment about the team and company before diving into some of the observations I’ve had across those experiences.

“If you want to go fast, go alone; but if you want to go far, go together”

The proverb/quote above has some controversy around it regarding its origins, but I like the quote nevertheless. It explains a lot about startups (to be fair, so does the TV show Silicon Valley). When Jon Lavender, Justin Cavinee, and I started Dragos as co-founders, we had previously built CyberLens together back in the 2012/2013 time frame under the name “Dragos Security.” The tool was simply an assessment tool to process packet captures and draw a map, including some deep packet inspection of industrial control system (ICS) protocols. Getting it together as three people was really easy. It was a good year into the life of Dragos, Inc. when we were still adding things into the Dragos Platform that had already been accomplished in CyberLens. The difference, of course, was that the scale and stability of the Dragos Platform, our technology at Dragos, was significantly more vast than CyberLens. As we started adding a “feature” into the product it would break into numerous features and requirements. In theory what our technology does is simple: passively map out industrial environments, utilize threat analytics to identify the M.O./behavior/pattern of adversaries instead of just indicator- or anomaly-based detection, and offer up playbooks in an analyst workbench that act as step-by-step guidance to validate the alerts and scope the investigation. Not too bad, right? Over the last two years we’ve seen the need to scale from 10 network appliances reporting back to a server, to 40, to 300, and beyond. All on-prem, without being able to take advantage of the cloud (in most cases) because of the sensitivity of industrial environments. At Dragos we’re about to be 100 people strong. You move so quickly you don’t really stop to think about the numbers and scale and all the things you’re doing. But one of the reasons startups tend to outpace larger companies is the ability to move those folks in a single direction and throw the entire organization behind it without as many communication challenges as large companies; flexibility is key. It’s amazing to see that occur, and yet moving forward always seems like it takes place at a snail’s pace. You look back over one quarter and you realize that’s not true; but going far definitely requires the team, and creating a scalable, deployable, stable, and usable technology often requires more than just a few people. I’m proud of the team we have today and the growth we’re achieving. Every now and then I sit back, pour a stiff drink, and just have to feel the exhaustion overcome me all at once. But then you sit forward and keep going again. You see the difference you’re making for your customers, the lives of the people on your team changing and growing, and you just feel so fortunate. Luckily, my eight-month-old son and wonderful wife provide more centering for me than exhaustion, making the journey a bit more doable.

Venture Capital is Neither Good nor Bad

As a security practitioner I often found myself opining about venture capital. Bankers, private equity folks, finance majors, and “business people” were what I always assumed made up all the ranks of venture capital, and to be honest I couldn’t stand the idea of them. I didn’t despise anyone; everyone takes their own path in life. But non-security practitioners trying to fund and decide “market winners” without an appreciation of the technology always bothered me. For anyone that’s seen my writings before, it’s probably pretty apparent that I don’t think too highly of “management” positions leading security teams or technology teams without an understanding of security or technology. So it extended beyond venture capital. I also saw venture capitalists as just interested in making a buck (that is their job, but the amount of “let’s make the world a better place” I’ve seen from them, even in the hard times, has been stunning) and largely figured it was better to bootstrap a business than take capital. While a lot of bad venture capitalists exist, I learned that the bad apples were really giving a bad name to a much larger and more diverse field. Here are some areas where my own thinking has evolved:

Watch the Burn, Spend the Money, Watch the Burn

One of the reasons I hated the idea of venture capital is that I figured, and had heard, they would try to get you to spend so much money that you would have to raise more money later. They’d “get you over a barrel” and you’d be too deep in debt to do anything but go forward and raise more. That impression I had was entirely wrong. Maybe I’ve just seen a different group of venture capitalists, but there’s a whole science and art to throttling the business correctly. I’ve heard “watch the burn” from my board members (made up of our investors) to the point that it’s annoying, not because it’s not accurate but because it’s been stated so much it couldn’t possibly have left my mind. The burn is how fast you’re burning through capital. Venture capitalists don’t want you to spend too much money; they want you to spend the right amount of money to invest in the business’ future. The logic is actually pretty simple when you think about it. In an enterprise-software-styled company where you are investing heavily in R&D, you’re going to need to raise venture money to support it (sales can’t support the R&D costs, especially before you have a product). But once you have the product (though it’s never done) you still have to invest heavily in sales and marketing. If I put $1 into sales and marketing today I likely won’t see any return on that for 9+ months. It takes time to generate the lead, make the contact, get the meeting, make the pitch, fit into this or next year’s budget, etc. The sales cycle can easily be 9-18 months long. But if I can invest $1 into sales and marketing today and get a return of $2 in 12 months, that’s 100% growth. Throttling the business to be “profitable,” especially early on, is robbing the future of the business. If I can lose $5M this year and make $10M in sales next year, that’s a great thing for the business. Thus venture capital is needed so that you can spend what you need to, but you don’t just want to spend money; you want to understand what the return on investment is and monitor your burn as closely as possible to make sure you’re not over-investing or under-investing. This can cause a “foot on the gas, foot off the gas, foot on the gas” back and forth in the company on an almost weekly basis. There’s risk in taking this approach, and it’s not the only one, but previous-me would have stated “well, just grow as you can support it and don’t try to lose money in hopes of earning more business next year.” Today I understand that the speed of the market, demand from the customers, growth of competitors, marketing from incumbents, and more all go into deciding that spending large sums of money to grow the business is hyper-critical, especially in a software company where deal sizes and sales cycles are both large.

Lots of Different Types of Venture Capitalists 

There are a lot of different types of venture capitalists, and I’m talking about the people, not the firms yet; I’ll approach those next. Some venture capitalists are the bankers, private equity folks, business grads, and financial analysts that I had previously thought about. But many are also “operators” that have built and led companies before. In reality there are good and bad in both forms. I’ve found that as a founder I really resonate with operators. Having a few of them on my board early on gave me good guidance and made for a collaborative environment. They were also more empathetic to the needs of the business instead of spreadsheets and trying to math the company to death. As we grew it was also important to add those who had more experience as the “typical” type of finance people, who helped provide a bit of devil’s advocacy to the board on various decisions and helped make sure that the “emotion” of running the business and the “experience” of having done it before weren’t completely out of touch with what the numbers could support. It’s obvious, of course, that it takes all types, but to me seeing the different value propositions of people and their experience, and how they influenced the company, was interesting. As a gaming nerd, there’s so much that role-playing games have taught me about business, more so than any of the free online classes I’ve taken on business (seriously, you should watch those free videos like the free MIT and Harvard classes, and you should throw in some good RPGs as homework). Class skills and development of different professions, while understanding people’s skill-tree maximums and strengths/weaknesses, is much easier when you just imagine everyone you meet has a playing card or a stats page that you can see when you hover over them.

Lots of Different Types of Venture Capital Firms

There are many different types of VC firms. Some have experience in your field, some do not. VC firms vs. corporate VCs are a major difference in how they view the world as well. There is even the informal ranking system of “tiers” that is very loosely made but can help you think about the VCs to determine which are right for you. From the very beginning the idea at Dragos was to IPO the company. Making it to the stock exchange with a public listing of your stock sounds like a good thing from a monetary perspective, but it provides something more important to my team. We want to keep Dragos around and really make the world a more secure place for our most important and critical infrastructures. The industrial world is huge and deserves protection. Having an “exit” by getting bought by another company generally doesn’t allow that. Acquisitions of technology companies are not always bad, but especially early in a company’s life, when they are just really getting their culture and tech and value propositions right, getting adopted into another company can be a death sentence. It’s going to take years to put a real dent into industrial cybersecurity. When you raise venture capital, though, you have to be able to give your VCs an exit. They need to be able to exit the company at some point and recoup their investment plus however much their investment has grown. As it turns out, the appetite for how this occurs differs from firm to firm. There is not simply one “persona” at any firm, but their track record, size of fund, and “tier” can help inform what they’re looking for in how you exit.

As an example, if your VC firm has a small “fund” they’re investing out of ($100M-$200M) and they haven’t had a lot of IPOs before, then it should be pretty obvious they are looking for an acquisition as an exit. If they invest $5M in your company early on and you can exit for $200-$300M, they get enough return to put a real “dent” in their overall fund size to show returns to their investors (which, surprisingly enough, are not just rich people but more often college endowments, retirement funds, etc.). But if your investor has done IPOs before and is investing out of a large fund ($500M+ and oftentimes $700M+), then the check sizes they write are going to be larger (they’re going to look to invest more like $15M instead of $5M so they can put their capital to work) and they’re going to need the exit to be larger (which is more likely to be an IPO than an acquisition) to get an exit that actually puts a dent in their overall fund. There’s way more to evaluating VC firms, including their networks, who the board member is that will actually sit on your board, and how they enable their investments, but figuring out what they need in terms of an exit is a really important part of the equation to make sure it aligns with the company you want to build. An IPO is an “exit” for many of the investors, but it’s a growth stage for your company. The founding team and its members shouldn’t be thinking about an exit, but should be aware that taking venture capital is more of an investment/loan than it is anything else.

Raise What You Need Not What You Can

If you’re outside of a company you rarely get deep insight into what’s going on in that company. One of the ways we measure companies, though, at least when considering venture capital, is how much they raised and at what valuation. At one point I would have thought raising the maximum amount and then not raising again for a long time was a good strategy; turns out that’s very silly. The simple version is easy to understand: if you raise $10M at a $15M pre-money valuation, you give up a lot of the company in terms of dilution. If you raise $5M at $15M and then raise another $5M in a year at a $30M valuation, you’ve just raised money without giving up as much of your company. It’s never that simple, though, and you have to figure out how much you can raise and how much you can put to use to get you to the next milestone for your company. If the venture community is hot, then investments might come easy; if it’s not, then no matter how well you do the money will “dry up” to some extent. Additionally, you always want to make sure you can hit the goals to get to the next milestone.

As an example, did you raise $30M at a $100M pre-money valuation? Congrats, that’s awesome. Did you raise $60M at a $150M valuation? Looking a bit dicey by comparison. But why? Let’s assume those are Series C numbers, since they are really big amounts (although in the industrial community a lot of the Series B raises are more like Series C; our $37M raise at a B is more like a C round for comparable IT security companies). If you raise $30M on a $100M pre-money valuation, then your post-money valuation is $130M. To raise a D round on this trajectory you really want to show investors that you can 2-3x their investment; this entices the new investors and shows good health for the company. I.e., at the D round you’d really want a $260-$390M pre-money valuation. Ideally you could get there in a 2-3 year period, showing rapid growth. But if you raise $60M at a $150M valuation, now you have a $210M post-money valuation. Which means you’d ideally want to hit a $420M-$630M pre-money valuation at the D round to show the same level of growth. But the larger the numbers, the slower the growth might be, and there is a limit to how much you can invest in your company each year to hit a return, especially if you’re being compared to the growth of the company that took $30M. I.e., pouring $50M onto a company instead of $30M may not actually give you any extra value depending on market size, customer adoption, sales cycles, and more. So if you raise more than you need just because it’s available, you are potentially taking more dilution in the company than you need, you are possibly not doing anything more for your growth rate, and you may make it incredibly difficult or even impossible to raise your next round, which means you have to get acquired, as you’ll be burning too much to go cash-flow positive or raise more. There’s no perfect formula nor only one school of thought, but this was all interesting to me as I learned more about raising capital and watched our own experience. If you’re wondering, we raised the $37M specifically to get us to the next round, for which we already have a target valuation and date (I found it useful to always be thinking about your next round and walking backwards into it for the current round).

Terms, Terms, Terms

It would also seem obvious that a company that raises $30M at a $100M valuation is a better company than the one that raises $30M at a $90M valuation (pre-money on both). However, what most people never get a chance to see are the terms of the investment. The term sheet is the “offer” that an investor makes a company for the terms of the investment, which then get ironed out in a much larger package of closing documents. Those aren’t made public but in my opinion are far more important than the valuation of the round. A seemingly bigger and better investment may have horrible terms. As an example, one term that could be included in the investment is “participating preferred,” which may even have a multiple on it. A multiple is idiocy in my opinion and would only make sense to a company in distress, and participating preferred in general is a term I refused to ever accept. There are numerous terms you have to watch out for that can flavor the entire trajectory of the company, but let’s dive into participating preferred, which I think of as one of the worst terms.

Let’s imagine an investor puts $10M into your company and you add equity for them which gives them 10% of the company. And then your company eventually exits for $200M. In a simple world where that was all the investment you had, the $200M would be split between all the preferred stock holders (the investor) and the common stock (the founders and employees). So $100M would be split according to how much equity everyone has. The investor’s $10M turns into $20M and that’s what they leave with. The rest of the $180M is split between the founders and employees depending on how much each of them owns. But if the investment was participating preferred at 1x then the investor would get back their $10M and then get to participate in 10% of the remaining $190M. That means they’d walk away with $29M and the company would split $171M. In reality the investors would actually get more because of interest accrued on the initial $10M. This is very simplistic, but even in the simplistic view you can see why this would be problematic. Even if your goal isn’t everyone splitting money and instead is just growing the company, you could potentially have lots of extra money flowing out of the company at an IPO. Simply put, no matter the situation you really don’t want money leaving your company that you could be investing in your company or splitting between the people who were putting in the day-to-day work. In my experience, my goal was a simple term sheet. An adviser of mine told me to demand that the terms of the deal be so simple that they could be written on a napkin. We aimed for that and succeeded in doing it, but it is way harder than it sounds.

Boards Are Equally Important and Not Important

This is a weird statement to write because I get a lot of value out of my board as advisers and a sounding board. But previously I would have thought a board had a lot of control over a company. I don’t know why, but I just always assumed a lot of decisions get made at the board level. Turns out that’s not the case. The person running the company day-to-day is the CEO. The CEO knows so much more about the company than the board members could possibly know. In relation to venture capital the board wants to know that the company is growing, monitor their investment, and provide input and connections that could benefit the company to help it grow. As an example, one of the ways I use my board is to help me with interviewing key hires, especially VPs, because they’ve seen many people and have experience I don’t have, and to act as a sounding board. They provide good connections throughout the various industries we work in and also provide some guidance to make sure that I’m growing the business in the right way at the right speed and am building a company that others will want to invest in, which will help our team build the type of company that can really impact the industry. But they don’t make a lot of decisions. I assume a lot of people think they do because I even have people outside my company that want to do business with us or want something from us hit up my board members directly assuming they have some significant influence over me; very little makes me more likely to ignore someone.

It turns out my view of how involved boards were was entirely off. They provide help that I ask for, but they don’t make a lot of choices. Salary and compensation packages get approved at the board level (which I find to be useful actually), the annual budget gets approved there, and the rest is just providing them updates and getting advice. You could get bad terms that dictate a board has more say, but I’d be concerned about that for a lot of reasons. Opening a new office, choices around the product, hiring and firing, strategy for the company, go-to-market, etc.: that’s all on my team internal to the company. The board is interested and active but entirely disconnected from the “decisions” that get made around that. The approval of an annual budget has a high level of impact, but it’s something my team and I put together and put in front of them; their input is “that looks normal,” “that looks like it’ll get you what you want,” “have you considered upping the investment in X?” or “I think you’ve over invested in Y.” It’s useful, it’s their approval, but it’s still the work from inside the company, and whatever I put in front of them is going to be within the range of what gets approved.

I imagine this is all super obvious to most other people, but I was surprised to find how little boards actually do and yet how they remain vitally important. One of the things I’ve really found valuable in my board is simply having a well experienced team of folks as a sounding board. It really can’t be overstated. As the CEO, whether or not it’s true, you constantly feel you’re the person who’s supposed to have all the answers and lead the ship. Sure, everyone else actually does all the work, and the decisions are super collaborative in the company, but that feeling remains. At the board level though it feels far more like a discussion with less stress. I’ve found my board to be my “safe space” to just think about stuff out loud without repercussion and have folks more experienced than myself in areas that are different but important provide thoughts or validation. At the end of the day it’s not lost on me that so many in the community, so many customers, and all the families of all my employees have a very vested interest in me not screwing up my part. The act of “yeah, Rob, that makes total sense” or “I really think you should dig into that more” provides far more comfort than I can put into words.

Every Company is Different and Your Journey Will Be Filled with Friends and at Times Lonely

These are my thoughts. These are some of my observations. Yours are bound to be different, but I hope it’s useful to see one person’s thoughts on all this. I’ve never felt more excited and more proud than leading this team at Dragos, and I’ve also never felt so very alone in my career. That sounds weird, but let me clarify. Being the CEO and founder of an industrial cybersecurity company that has received venture capital, now above $48M, and is forging into a market that’s largely been undefined…is a lonely and exciting endeavor. Industry analysts and financial folks have tons of opinions, but none of them have actually been down this journey. I’m empathetic to the various industry analysts trying to define the market or provide hot takes on where the market will or won’t go; and it’s useful to the community because buyers and community members cannot just listen to the obviously biased companies leading the way, but those same industry analysts and financial folks have far less experience in this topic. The number of peers I have for the very specific thing I’m doing is tiny. And to be honest it’s not like the founders of competitive companies really get together and have open discussions other than “hey thanks for helping also build the market, good luck to you, I hope I utterly destroy you on the battlefield, but I respect you” lol. I often look at the industrial cybersecurity community and industry practitioners that I respect pontificating on the market, who will be winners, what that means, what products will be needed, etc. and I struggle not to roll my eyes a bit as they have never built companies or products in that space. I have to force myself to realize that what they’re doing is still an important part of the equation and very useful to folks. But I do also understand that they are also extremely biased, operating with completely different experience, and sometimes are advising on things that they have far less experience in than people realize, especially compared to the companies that live it day to day and are on that unique journey. I’ve had heated arguments with people I respect and call friends simply because their experience guides them to view things so differently than the experience I have. And yet, that’s ok. Actually it’s really useful for everyone. And taking a step back to just keep that in mind is vital to not becoming arrogant or being misguided yourself. Solving a problem as complex as any that guides you down such a unique path is going to require thought and input from everyone; welcoming it is important, especially when it seems counter to your own experiences.

Why say all this? To stress the point that in this community, this industry, this time, etc. things are so specific that any lessons learned I have may not really apply to you in your journey. And it’s so different that even the founders that have built a company before may not have experiences that help or relate to you; I found the “entrepreneur” networks to be largely disappointing, with experiences that didn’t translate to the challenges my team is facing. I found the folks in my company and their insights, as well as the experiences and insights of our customers, to be far more useful to me. But maybe those networks work for you. I don’t think I’m special, but I think this journey is unique. Yours is too. Hopefully my thoughts are useful, but don’t take them as the only thoughts nor any of my takes as the only way to view those topics (hell, maybe I’m wrong on plenty and will have different views in a few years). Instead, I’d focus more on how my opinions have changed and be open minded to having yours change as well.

No, Norse is Not a Bellwether of the Threat Intel Industry but Does Hold Lessons Learned

January 30, 2016

Brian Krebs published an outstanding report today titled “Sources: Security Firm Norse Corp. Imploding” which has led to the emergence of a number of blogs and social media rumblings about what this means for the cyber threat intelligence community. Some have already begun positioning that this is the fall of threat intelligence. I would not only disagree and believe this to be a mostly isolated case but position that if anything this is a good sign of the community’s growing maturity. The purpose of this blog is to discuss why Norse’s potential and impending implosion does hold some lessons learned for the industry but holds no prediction of negative things to come for the threat intelligence community as a whole.

Before elaborating on these points though, I want to start off with the much needed statement about the people at Norse. To anyone in the community that holds strong negative feelings for Norse (and you are not alone) please be conscious that many of the individuals working at Norse were professionals and very talented. Many of the negative feelings towards the company were likely based on the marketing efforts and mislabeling of the content and value of their product; not negativity towards the people that work there. I hope the former employees land softly at their next jobs and I would encourage companies looking to hire to think of these individuals without prejudice.

With regards to Norse, it was in many ways a good-looking company. It garnered national media level attention through smart placement of their cyber attack map (yes, the pew pew cyber map analysts have mostly grown to hate – but it looked good in media). There were some key employees recruited who were well respected in the industry. And it raised tens of millions of dollars in investments to appear as an exciting California security startup. So now that the company is apparently imploding it does seem natural to think that this may be an indication of things to come with regards to the threat intelligence industry and of a ripple effect in investments into this space. However, I would state this as wholly inaccurate, although there are some lessons learned here for both investors and security startups.

First, Norse Corp. may have garnered national level attention, but most of it was not actually good attention. Also, they billed themselves as a threat intelligence company when, in my opinion, they simply were not. Folks who are familiar with me, or who read it in the Krebs report, will remember that I came out very publicly chastising their dangerous assessment that there were Iranian attacks on U.S. industrial control systems. The key reason that they had a bad assessment is actually why Norse was always doomed to fail. The company was interpreting Internet scanning data against their high level sensors as attack intelligence. Most threat intelligence companies rely upon enriched data complemented with access to incident response data of actual intrusions; not scanning activity. Norse also held no verifiable industrial control system expertise but were quick to make assessments about these systems. And further, when they stated that there were attacks on control systems by Iran, what the data seemed to show was that they actually should have said scans, from Iranian IP addresses, against systems trying to mimic industrial control systems. The effort by them and the think tank AEI to state that there should be policy considerations in the Iranian nuclear negotiations based off of this data is a great representation of what not to do in the industry. Simply put, they were interpreting data as intelligence. There is a huge difference between data, information, and intelligence, as I outlined here. While their product and Internet level scanning data was interesting and potentially very valuable for research, it was not threat intelligence. So while they may have billed themselves as significant players in the threat intelligence community, they were never really accepted by the community, or participating in it, by most leading analysts and companies. Therefore, they aren’t a bellwether of the threat intelligence industry or of other companies having trouble simply because they weren’t really ever in “the industry.” The threat intelligence community can be fairly small and making strategic mistakes can have significant lasting impact. Trust is a huge part of the equation in this community.

Second, this case study of Norse holds great lessons learned. First, because trust is a significant part of doing intelligence work and of participating in this community, there is a requirement for companies to realize they are dependent on the ecosystem and are not living in a bubble. Formal and informal relationships, company partnerships, and information sharing can help companies succeed quickly. It is not a competitive landscape in the sense that companies should think success is a finite item where one company’s success means less is available for others. Quite the opposite. As threat intelligence is used more appropriately throughout the industry it will continually open up the market. For example, threat intelligence is meant to make good security programs better or to help give important context and information to strategic level organization decision makers – it is not meant to replace bad security programs or act as a magical solution for security. Second, threat intelligence companies should be very careful in lining up their marketing efforts with an honest assessment of what the company’s product or services actually produce. This should apply to any security startup, but it is vital in the threat intelligence community. Whereas claims around general security can be difficult to interpret, there are definitive ways to look at company claims in intelligence and dismiss them completely as hype. This dismissal is hard to recover from. Finally, an important lesson learned here is for investors and Venture Capital firms to dig deep not only into what is being shown by the company but also into how they are perceived in the community. There are many “experts” in this community who’ve never held the appropriate positions or roles to ever have been put in a situation to speak with expertise about threat intelligence. As an example, one of my critiques of Norse was that their “intelligence report” on industrial control system attacks was not written by anyone with industrial control system expertise. Just as we would expect a Russian intelligence analyst to have an understanding of Russia or even speak Russian, the community and investors should demand that assessments are qualified by actual expertise, not just general “cyber” expertise.

Venture Capital firms invest in companies with the expectation of not getting an immediate return on investment. In an overly simplified stereotype most Venture Capital funds expect not to see their returns for five to seven years with events such as an IPO or company merger/acquisition. Following that logic, it is reasonable to believe that investments made five to seven years ago are starting to be looked at for their return on investment to the Venture Capital firms. The landscape for investment will likely become much more competitive. There will be lessons learned from investing in good-sounding but under-performing companies. Investors and industry analysts will demand more proof of claims, understand what hype looks like a bit better, and invest even more intelligently. This is a good thing for the industry. I doubt Norse will be the last company to fail in the threat intelligence industry but the industry and investments into it will likely continue to grow. The focus will be on smarter money.