How to get a cybersecurity startup off the ground with Kevin O’Brien, GreatHorn
In this episode of the Cyber Work with Infosec podcast, host Chris Sienko spoke with Kevin O’Brien, the CEO and co-founder of GreatHorn, a high growth venture-based email security company located in Boston, Massachusetts. The company focuses on solving phishing credential theft malware, ransomware and business email compromise for cloud email platforms. It was named a Gartner cool vendor RSA innovation sandbox finalist and Infosec Awards cutting-edge winner.
Kevin brings deep industry experience, having been an early member of multiple successfully exited security companies, including CloudLock (Cisco), Conjur (CyberArk) and @stake (Symantec). Before founding GreatHorn, Kevin was Vice President of Marketing at Conjur, where he built the early go-to-market team responsible for initial market positioning and growth. Previously, he led product marketing and sales engineering efforts at CloudLock, the leading cloud access security company that now has more than 6 million enterprise users.
Kevin is especially qualified to comment on the topic of how to get a cybersecurity startup off the ground. He spoke at length about the skills and background it takes to start your own cybersecurity company.
Early interest in cybersecurity and tech
Kevin entered the security space around 1999. In the late 1990s, a group of hackers in Boston testified in front of the US Senate. Their message: should they wish to, they have the tools and ability to take the internet offline in about half an hour. They suggested not putting critical infrastructure on the internet due to its inherent insecurity.
“This opened up an immense economic opportunity for guys on my side of the table, though hardly a great thing for society at large,” says O’Brien. He started his career on the technical side, performing reverse engineering and penetration testing and working in assembler. “Probably the last time I was useful to anyone [on a technical level],” he quips.
How do you create a cybersecurity startup? Read the people who did it first!
Kevin advised that you to go online and read Paul Graham and the startup hacks of Alex Iskold to get a clear picture of starting a company. “Alex writes all about the dynamics of starting a company, finding a co-founder.”
Kevin says, “You can get books by David Cohen and Brad Feld who have written books about how to structure a venture deal. If you want to go get funding, what does that look like? We didn’t have any of that 20 years ago! As a result, our venture deals were worse and our outcomes were smaller. So, the starting place is to educate yourself on the structural components of building a company.”
The day-to-day responsibilities of the CEO of a cybersecurity startup
Kevin says, “In the early days, I built sales materials, decks, tried to draw business, wrote blog posts, did viral marketing, Whatever it took. Meanwhile, my co-founder was writing product and we were working on the design and whiteboarding everything together. That phase of birthing something from nothing is the most difficult.”
Of course, any startup that’s doing the job right will eventually get others to do this basic structural work and move on to higher-level concerns. Once you get customer traction, it’s important to be in front of customers and quantifying what works and what doesn’t. The reputation of the company’s product sits on your shoulders, which is why a startup CEO needs to be able to act as an effective liaison between the customers and those making the product.
As you move further up the development ladder and begin to manage teams, the challenge is to manage the best possible team you can afford (“Maybe you can afford all the best people you want to bring on, but sometimes you just can’t”). During this phase, personnel management can become all-consuming.
O’Brien describes a day split between many groups of people. On one hand, he spends the first hour and a half of his day on email with vendors and customers. The next part of his day requires time spent in briefings with his leadership team, his direct employees, as well as a good portion of time in interviews with prospective employees.
O’Brien distills the essence of leadership this way: “I think that the further down the path you are, the fewer decisions you should be making, but the decisions you have to make should be more directly impactful.” This is an important takeaway. Whether because they like the process of decision-making at all levels or they simply feel that this is what bosses should do, some CEOs dissipate their energy on tasks and decisions that can (and should) be delegated to qualified employees meant to make those decisions. “You will spend a lot of time listening and a lot of time taking in information. You may make a decision over a month about what you are going to be doing at this launch of this new product. What features does it need to have? How is it all going to shake out? You will not do this in a vacuum. You need to talk to people and collect that data.”
“First and foremost, your job as a CEO is don’t run out of money,” O’Brien states bluntly. Raising funds is the fundamental need for any new cybersecurity company.
CEOs also need to set the strategic vision and do it collaboratively: O’Brien says that setting the strategic vision for the company means getting people on board through conversation and consensus. Hire smart people and get them to tell you what you need to hear. “Let’s face it … you’re probably wrong, you just don’t know how yet! Get smart people to tell you these difficult things.”
Best parts of being a CEO
Kevin says, “The best part is getting to work with customers, listening to people who have spent significant money on an idea that started out way back in 2014 as an idea scribbled out on a piece of printer paper.” O’Brien notes that GreatHorn created its own market segment where one wasn’t before, and he feels the obligation to continue to innovate within that market sector.
The second best is working with his team. “I believe that you build the company you want to work for,” he states. You need to inspire, and lead, and listen, and grow people, and give them the opportunity to do the things you hired them to do, which means trusting them and empowering them.
On the more mundane side, O’Brien frankly notes that there is plenty of operational stuff that needs to be done that might not be quite as fun or fulfilling. “You’re the signer, and you’re the one in charge of making sure that everything runs. There’s that side, too.”
To certify or not to certify?
Kevin says, “I think it can be helpful to get your certifications, but I honestly don’t carry any certification at the moment. I believe that your ability to do your job that’s important.” If a certification can enhance your ability to do your job, it should be encouraged, but in Kevin O’Brien’s career, lack of certs clearly hasn’t held him back.
A deep dive into the mechanisms of GreatHorn’s email security systems
O’Brien describes three ways to address a threat. Your response can be deterministic, prescriptive, or heuristic. Being 100% deterministic is impossible — we don’t know all the threats out there, so we can’t simply solve for them. Prescriptive solutions allow one to break down attack vectors in real-time and try to understand them, which is where threat intelligence sources come from their architecture and data science platform. Prescriptive solutions are good because they can begin to learn based on past attacks and propose appropriate solutions that seem to fit the pattern.
Heuristic solutions can seem attractive, but they are hard to implement. “If you go completely by heuristic options, you spend all your time analyzing tons of data,” In the old days, it was said that you had one minute to detect, 10 minutes to analyze and 90 minutes to respond. By using this multi-tiered approach and by the sheer quantity of data analyzed (GreatHorn looks at billions of emails every month), you can create very realistic predictive models that can approach things both prescriptively and heuristically.
What do you mean by AI?
Kevin says, “Artificial intelligence that can feed data and make decisions instantly.” This doesn’t mean that machines are going to be able to think like humans. In O’Brien’s mind, it’s less about “Artificial Intelligence” and more about “Augmented human intelligence.” “The Rise of the Robots” will have to wait.
Some email security tips that aren’t being sufficiently implemented at the moment
According to O’Brien, security awareness education is a compliance exercise, not a security exercise. It’s insufficient on its own to move the needle on the number of successful phishing attacks. “You can’t train the problem away. What you can do is alert people to the problem.”
Using O’Brien’s analogy, it’s good if the fire marshal tells kids to leave the house if there’s a fire and not hide under the bed, but most people still have smoke detectors in their homes, too. It’s one thing to tell people that an email that comes to you with certain red flags that you should watch out for, but another still to have a product in place that can actually read the warning signs and let you know up front that the link in this email leads to a dangerous place. While educating the public about potential risks is good and recommended, having actual security measures in place is important as well.
To hear all of Kevin’s answers, check out the Cyber Work YouTube page to watch the full video.