Along with the movers and shakers who drove the development of the information security space through technological ingenuity, policy creation, standards development and more, there are those IT professionals who have contributed to its evolution with their entrepreneurial spirit. Although there have been many throughout the years who have launched successful IT security companies, the sampling of individuals noted in this feature exemplify the drive, endurance, tenacity and business acumen it takes to establish companies based on strong, innovative technologies that can remain viable all their own or be snapped up by larger players looking to stay in the game by expanding their offerings.
Over the years, Jay Chaudhry has been a founder, primary investor and/or chairman and CEO of several successful start-up technology companies. Currently the CEO of Zscaler, he says he is driven by a sense of accomplishment. “Dreaming of difficult problems to solve and seeing Fortune 500 companies using our solution to solve their problems gives me immense satisfaction. CipherTrust [the email security company he founded and ran], was protecting about 45 percent of Fortune 500 companies. AirDefense [which pioneered the wireless LAN intrusion detection and prevention market] had similar success. Zscaler was just an idea two years ago.”
The biggest factors in determining which venture to start and when, he says, is time to market and assembling a core team. “If we start the venture too early (before the market is ready), we starve. If we start too late, we become a me-too. Starting a new venture in a new area early enough so that you have at least 18 months to build serious technology is key to success. When I started Zscaler in 2007, cloud security was not that hot. Over the past year, it has picked up a lot of momentum and is at its inflection point.”
When asked about the state of the IT security industry he says it’s changing like other IT segments. “In fact, it changes at a faster rate because you are in a constant race against the bad guys. Also, IT security has flourished by introducing leading-edge point products. Now, customers are demanding consolidation, hence start-ups need to provide broader security solutions or at least have better integration with other security solutions in place.”
Innovation comes from startups that are nimble, passionate and fast moving, he explains further. There is plenty of room for start-ups in security to innovate and, eventually, larger companies will acquire most of them. This is a fine process, he adds, because it works well for both sides since larger companies can’t innovate at the pace the security market requires.
As for the future, Chaudry says the shift to cloud computing is real, but there is a correct approach to implementing it. “The common mistake vendors are making is taking yesterday’s appliance-based technology model, putting it in data centers and calling it cloud security.”
co-founder and CEO, Trend Micro
Eva Chen saw a need even before there was one. It was around 1970, when the U.S. Department of Defense’s Advanced Research Projects Agency (ARPA) established what many consider to be the globe’s first packet switching network that actually worked. Noted as the lead into what would come to be called the World Wide Web, ARPA was all about finding innovative, distributed and robust ways of communication using computer networks during the Cold War era. And even though the establishment of the internet as we now know it followed in the early 1990s, there were those in technology circles pondering the security issues that could pop up when everyone around the world began leveraging a widespread computer network open to all.
Fast forward to 1988 – a time when a market for information security solutions was far from the minds of those in the mainstream toying with basic coding on their Commadore 64s. But, Chen, co-founder and long-time CEO of anti-malware provider Trend Micro, says she, her brother-in-law Steve and sister Jenny Chang easily discerned the security needs. Chen says she’ll remain at the helm of the company for some time to come, and sees tremendous opportunities for her company and the information security space generally.
Having had the luxury to witness first-hand the changes taking place in the industry over these last two decades, Chen explains that there is simply more networking via computers going on these days, with more data being exchanged and more people using the worldwide digital infrastructure. Rest assured, given the evolution of the space, information security will feel further impacts, she adds. “Cloud computing, virtualization, 3G networks, SaaS models are all going to impact how security should be done,” she says. “CISOs need to think again about their infrastructure protection, as well as data protection.”
And for those technologists considering doing something about a perceived entrepreneurial spirit, she advises them to understand how they’re trying to help their intended customers.
“Focus keenly on the customer problem, the real problems, and [don’t fall] into the marketing hype,” she says. For her, this was key, and has allowed her to find immense gratification from all she and her employees have undertaken over the last 21 years, especially when it comes to “being part of a force to help secure the exchange of digital information.”
co-founder and managing director, .406 Ventures
It was a time when organizations just really were beginning to design and implement various self-service web applications for customers, staff and partners. And though it was just beginning, Maria Cirino quickly learned that such applications would come to naught without security. The need for security expertise was obvious to her corporate customers, but it was finding the right professionals to help them that proved difficult. While product vendors abounded there was a dearth of managed security service providers (MSSPs).
“I had been an executive at Razorfish, a web design/development company, and the work we were doing for clients made applications fundamentally much less secure then when they were on mainframe hardware,” she explains. “At the time we started Guardent, there were very few managed security companies out there. There were lots of information security consulting firms, but few recognized the need to build out a comprehensive managed security platform to address the burgeoning security issues. I recall one competitor on the consulting side – we always maintained a small consulting practice to complement our managed security business – publicly stating that they were never going to enter the managed security fray,” she says. “That was a happy day for me. They were a worthy consulting competitor, but I felt we could dominate the managed security business if we had an opportunity to create a leadership position before the field got really crowded. It worked out well.”
Also proving serendipitous for Cirino and her partners Dan McCall and David Samuels (who are no longer with the company), was the fact that there were plenty of venture capitalists around to invest in IT security companies. They, too, saw that the information security market was only going to get hotter as more and more companies began leveraging the internet to conduct business.
“I was fortunate to run into early investors, like Sequoia, Charles River and NEA, that shared that vision and wanted to back a start-up information security company,” she says.
Plus, the early days of 2000 saw VC bucks “flowing freely,” she adds. And, even though a “challenging” recession soon followed, the information security market proved a sweet spot.
“Had we not picked something essential, like information security, I’m not sure we would have survived. When companies weren’t spending money on anything, they were still spending on security because they had to in order to continue to run their businesses and achieve their compliance objectives,” she explains. “Our service reduced operational costs and delivered better security. It was the right message even in a difficult time.”
No wonder, then, that longstanding IT security company VeriSign scooped up the young MSSP in 2005. After the acquisition, Cirino stayed on with VeriSign for two years. But, as an “inveterate entrepreneur” and given her background working with early-stage companies, she was longing to launch another organization.
“So in 2006, I helped start a company now in our portfolio called Veracode, today a market leading provider of cloud-based automated application security reviews,” she says. “Working with the Veracode technology founders to help them craft the company’s plan and positioning and helping them get VC funding was a very gratifying experience and helped me realize that starting a VC firm would give me the opportunity to work continuously with talented entrepreneurs. Shortly after we launched Veracode, I teamed with my two partners to start raising Fund I for .406 Ventures.”
Launched in 2006, .406 Ventures is an early-stage venture capital firm that allows Cirino to invest in people with strong concepts backing up start-ups that likely will become market-leading organizations.
“We believe that an investment size should be driven by the requirements of the business, not the size of the VC fund. We invest in areas in which we have good operating expertise and deep networks so that we can be helpful to our companies.”
Back in the days of the Gopher search service, an ancestor to the World Wide Web that first hit in 1991 and typically was used in universities up until about 1993, Ron Gula found himself doing a little bit of research on UFOs. He had always liked UFOs and the internet – specifically Gopher as it exposed him to a lot more than he could find at the store.As he sifted through documents, he came across Phrack, the popular for-hackers-by-hackers ezine launched in 1989.
“I was hooked. I was amazed that software security could be so easy to bypass and complex to secure,” he says. “I was a penetration tester for the government [he started his IT security career at the National Security Agency] when TCP/IP session hijacking was the ‘hot’ technique and everyone had their own zero days. At that time, after a pen test, I liked to physically find the computers that had been compromised during the pen test and talk with the administrators who ran them. I learned a lot by doing penetration testing.”
Later, Gula was using ISS RealSecure at US Internetworking and wanted something that had more forensics and speed. This led him to create the Dragon Intrusion Detection System (IDS) and found the company that sold it, Network Security Wizards (NSW).
After a two-year stint at Enterasys, which had acquired Dragon and Gula’s NSW in 2000, he grew dissatisfied. “Dragon had some limited vulnerability and IDS correlation and I had worked with Renaud Deraison [creator of well-known network vulnerability scanner Nessus] to make sure we could take Dragon events and Nessus vulnerabilities back in 2000. I approached Renaud to help start Tenable shortly after leaving Enterasys and we found we had a lot in common in how we wanted to grow Nessus, support our customers and generally run the business. Jack Huffard, formerly director of corporate development of Enterasys Networks, joined up as well.”
Supported by a huge open source community, the scanner at this time was free to all and was forming the basis for numerous commercial products through test scripts. Jumping into the fray was an easy call. Although Nessus is now a commercial product, it’s still free to home-users. Getting it to this point, however, required plenty of forethought and planning.
“Along the way, each of the steps we took allowed us to re-invest in Nessus, but each step was a potential major trial,” says Gula. “Fortunately for us, we’ve had very positive responses from the Nessus community along the way and have not had any major trails we’ve had to overcome.”
Having just celebrated its seventh anniversary, Tenable has come a long way. And the team hasn’t changed much at all. Gula still is the CEO and CTO, Deraison is chief research officer and Huffard, who, during his time at Enterasys worked on the NSW acquisition, is president and chief operating officer. Then in 2004, Marcus Ranum, inventor of the proxy firewall, came on as the company’s CSO.
“When we launched, there was no cloud computing, PCI, FDCC, iPhones, data leakage products or even multi-core CPUs. There were also a lot less people in computer security,” Gula says. “Today, of course, all of this has changed and we’ve gotten a whole new set of security issues to deal with. I wanted to ‘join the fray,’ so to speak, because I felt Tenable could offer a set of security technologies that set itself apart from traditional public companies or [VC-backed] start-ups. Because we are solely dependent on our customers for our existence, I think we are a lot more focused on them and this has allowed us to grow consistently over the past seven years.”
As a result, 2009 proved a record year for the company full of even more development of new products. “In early 2010, we plan to bring these to market and I feel it will transform Tenable by letting us play deeper roles in SIM/log management, vulnerability management and SaaS industries,” explains Gula. “I expect to be involved with Tenable for a very long time and hope to help it become one of the most respected security companies of the next decade.”
Elizabeth (Betsy) Nichols is a serial entrepreneur who has used her expertise in applied mathematics to develop solutions in satellite mission optimization, industrial process control, war gaming, economic modeling, enterprise and systems network management and, most recently, security metrics.
With respect to advancing the state of the art and science of security metrics, Betsy Nichols attributes the earliest work in security metrics to Dan Geer and Andrew Jaquith, a Forrester analyst, both of whom probably began their work about a year earlier than she did, she says. However, she believes that she was the first to start a company dedicated to security metrics. There are now several companies working in this area – selling services, products, and best practices – including PlexLogic, where she serves as CTO.
Ironically, when asked about the efficiency of security metrics in the marketplace, she responds that she wishes there were some good metrics to track progress. “Sadly, corporate entities are reluctant to share the data that is required to measure progress. It’s understandable, given the legal and reputational risks associated with sharing certain types of data.”
Nichols is optimistic about future developments. “Security and the metrics necessary to measure, analyze and improve should be built into systems at design time. I see some of the larger, thought-leading enterprises starting to do this. I think this trend will continue and expand. Most maturity models identify metrics as a prerequisite for achieving the highest level. Specifically, a mature security program must provide for continuous measurement and a feedback loop to drive improvement. IT security is maturing and metrics will play a critical role,” she explains.
founder, CEO and chairman, Check Point Software Technologies
Sometimes referred to as the Bill Gates of Israel, Gil Shwed, a programmer and entrepreneur, is best known as the founder, CEO and chairman of Check Point Software Technologies.
In 1993, Shwed invented and patented stateful inspection, a firewall architecture. Together with Check Point’s two co-founders, Shlomo Kramer and Marius Nacht, he wrote the original version of FireWall-1, the company’s flagship software solution that became the world’s first commercially available firewall product in 1994 (Shwed says it has never been breached). In the following years, he led Ramat Gan, Israel-based Check Point to be the first with VPN solutions and the company now is a leading VPN vendor.
The urge to create new things and have more people use and benefit from his organization’s innovations is the key motivation for him, he says. Waking up and asking, “What can we do better, how can we help our customers be more secure and make complex things be simple to them?”
In the past two decades, firewalls have become part of the internet fabric. “When we started Check Point in 1993, the internet had just opened for companies to connect. The first question that came along by almost every IT manager was, ‘How can we connect and be secure?’ We were fortunate to have the answer to this question. Sixteen years have passed and our firewalls – which are much more comprehensive and sophisticated gateways these days – are still an essential part of every network design and are simply an enabler for network connectivity.”
The IT security industry has grown and evolved since those pioneering days, he says. “It is great to see so many enterpreneurs, ideas and solution to almost every security issue,” he says. However, he points out that there are a few drawbacks. “Most of today’s technologies are not simple enough for every organization to use. There are way too many technologies that don’t integrate with one another. There’s a strong need for consolidaing these technologies into unified products that are well architected and make it simple for customers to actualy enjoy the benefit that many technologies offer.”
founder, president and CEO, ESET, LLC
Armed with a degree in mathematical physics from Comenius University in the former Czechoslovakia and a doctorate in natural sciences in the field of quantum theory, Anton Zajac contentedly began a teaching post at the University of San Diego in the early 1990s. After having visited the city during an earlier gig at an institution in Mexico, he left yearning to set down roots in California’s second largest city. As he taught, he launched his first company, which focused on research services for the high-tech market. Then, his interests changed.
“I am a theoretical physicist and programming was my primary research tool. I worked at the University of San Diego when the Michelangelo worm caused havoc in the media,” says Zajac. “That was the triggering point. I knew a brand new force had been unleashed that will, for a long time, impact deeply all we do and how we live our lives. Sooner or later, the cyberworld will have its underground.”
Pondering how the space would evolve and gaining a better understanding of what he expected the market to be in five to 10 years, Zajac sold off his first company to focus more on a new venture.
“I launched ESET, LLC, in San Diego in 1999 with my colleagues Maros Grund, Rudolf Hruby, Richard Marko, Peter Pasko and Miroslav Trnka. This was a few years after ESET was founded in Europe. In 1997 to 1998, ESET pioneered heuristics technology. I decided to launch a worldwide organization because I strongly believed the new technology would set the new standard in anti-virus protection and [would] win the hearts and minds of many clients,” he explains. “With limited resources and without VC funding, it would take a lot of time and effort, but it happened.”
When ESET started, there were just a few viruses created a month, he explains. “Now, 20 years later, our Threatsense.Net technology detects over 100,000 unique malicious samples every day.”
Today, ESET is known as a leading developer of software solutions that proactively protect corporate infrastructures against various types of malware. And, because of how dynamic the industry and its threats are now, it’s important to Zajac that his company focus on continual development of “smart applications” – which, really, was the original impetus behind the launch of his company.
“In spite of a few major players dominating the market, I believed a new security paradigm was necessary,” says Zajac. “A successful work in science should lead to new and useful ideas. If this happens, there is a temptation to implement them in real life. Commercial success of scientific achievements is the final Rosetta Stone of every scientist.”
Groundbreakers: More start-ups
• Jon Darbyshire, founder, president and CEO of Archer Technologies, founded his company in 2000 to offer enterprise-wide IT risk and compliance management solutions to replace traditional manual processes. He has built up Archer’s enterprise governance, risk and compliance solutions, and he is credited with making the tools easy to deploy.
• When Phil Zimmerman wrote one of the first email encryption programs, Pretty Good Privacy, in the early 1990s, Phil Dunkelberger became involved throughout a three-year legal battle with the U.S. government over PGP’s use of cryptographic tools. Zimmermann created PGP with Dunkelberger running operations. The company was subsequently acquired by Network Associates (which was to become McAfee) in 1997 and, in 2002, investors bought the rights back from McAfee and the second PGP Corp. came into being with Dunkelberger in charge once more.
• Chet Hosmer is one of the co-founders and now the SVP and chief scientist of Wetstone Technologies. He has been a developer of software and hardware for more than 25 years, focusing for the past 15 years on R&D of information security technologies, primarily in the areas of cyber forensics, secure time, and intrusion detection and response. Hosmer is a co-chair of the National Institute of Justice’s Electronic Crime and Terrorism Partnership Initiative’s Technology Working Group, a member of the IEEE, ACM, and he is on the editorial board for the Journal of Digital Forensic Practice.
• Christopher Klaus is the founder and CEO of Kaneva, as well as founder and former CTO of Internet Security Systems (ISS), which he formed while still a college student. Klaus developed the first version of Internet Scanner in 1992. Two years later, he founded ISS to further develop and market the tool. IBM acquired the company in 2006.
• Long retired from the company he founded (and now teaching yoga and sailing the Caribbean), John McAfee is a computer programmer who was one of the pioneers in developing anti-virus software. His career began as a programmer and software consultant with NASA, Univac and Xerox and later Computer Sciences Corporation. Quitting Lockheed, he began working out of his home in California to evolve his anti-virus software coding and eventually launched McAfee Associates, renamed Network Associates, and finally McAfee. Other business ventures that he founded included Tribal Voice, which developed one of the first instant messaging programs, PowWow.
Despite having lost a major portion of his personal wealth due to the collapse of Lehman Bros., he claimed recently that he is not disturbed by any of his losses. In the true spirit of a yoga enthusiast, he says he has deaccessioned a good deal of the property and material goods he’s accumulated over the years, in what he admits was an excess of spending, including donating a million dollar boat to the Belizean Coast Guard.
• Peter Norton‘s is arguably one of the most recognizable names in the computer software industry. During the 1980s, he had a phenomenal impact on the PC-software market as the creator of numerous programs, including Norton Utilities and Norton AntiVirus, which have been installed by millions of users worldwide. In 1990, Norton sold his business to Symantec in a deal valued at $70 million, but his brand lives on among Symantec’s line of consumer products.
• David Ulevitch is the founder of OpenDNS. As a college student, Ulevitch wrote his own web-based DNS management software, which evolved into his first company, EveryDNS, which now supports 93,000 accounts worldwide. With partners, he created OpenDNS, now the world’s largest DNS service provider.
• Amit and Dov Yoran (Dov, pictured left) co-founded Riptech, a leading managed security services company at the time that was eventually acquired by Symantec in 2002. Amit was the company’s CEO until this transaction and then served as the vice president of worldwide managed security services at Symantec. Dov also moved to Symantec after the acquisition. In addition, he has held leadership roles at Solutionary and Accenture. Amit has held many public and private posts, and now is serving as chairman and CEO of NetWitness. Dov, meanwhile, is a founding member of the Cloud Security Alliance and participates on a number of corporate advisory boards.