On April 22, cybersecurity training and awareness company KnowBe4 launched an initial public offering, opening up sales of company stock to the public starting at $16 a share (that increased to just over $24 by the closing bell).
SC Media spoke with CEO and founder Stu Sjouwerman about the motivation behind the move to go public: how it changes their target customer base and underlying technologies, and why the company is more interested in using automation and AI to further explore the human layer of cybersecurity than turning KnowBe4’s platform into “another filter” for email security.
You can find KnowBe4’s filings with the Securities and Exchange Commission, including their IPO prospectus, here.
Could you start off by telling us why you’re taking KnowBe4 public, and what you are hoping it will bring to the company over the long term?
Sjouwerman: The main reason is international expansion. If you look at this particular market – the human layer, the last line of defense – it’s maturing differently in different geographies. For the U.S., they started to hockey stick about six years ago. For the U.K. it was three years ago. And there’s a couple new markets, like the Middle East and Japan, that are just starting. We have offices [in some of those places] but now we need to build these offices out, and that’s why it was a good time for the IPO.
An IPO tends to bring a whole new set of regulatory and compliance issues. Internally, what sort of ramping up did you have to do to ensure the relevant data is handled the right way in terms of compliance and security?
Well, it was a really good exercise. Obviously you have Sarbanes-Oxley compliance…We are in the middle of getting FedRAMP Moderate certified and then we have a couple of [International Organizations of Standardization] certifications coming down the pike in the next month or so. So we’ve done a lot of work to get compliant but at the same time, get our networks tightened up significantly, which was a good exercise.
Your prospectus says that in addition to pursuing international customers, KnowBe4 is also looking to expand sales with larger enterprise companies. What’s different about your approach when you’re going after that market versus small and medium sized businesses?
About 10 or 11 years ago, when I came to the conclusion that there was this huge problem of social engineering, the only two companies were PhishMe and Wombat. And they were only focused on the global 2000 at a very high price point.
I said this is a market that everybody needs, small and medium businesses specifically because they don’t have the defenses that are in place at large enterprises. I built the platform so that it would scale; we could have enabled large enterprises from day one, but for the first five years I just took SMBs and now we basically own that market. Then we started adding enterprise features so we could support Active Directory, Azure and cloud-based directories – that sort of stuff.
And on the change from international expansion: our business is unique in that it’s not just translating phishing attacks to different languages. It’s localizations, which is a whole tier above translations. You can’t send a Bank of America phishing attack in France. It needs to be French, needs to be a French bank. It needs to be a good fit. So we pour in a huge amount of resources to get all our core modules and related collateral, like phishing in 34 languages.
Your prospectus also notes that you’re looking to pursue strategic acquisitions. KnowBe4 is primarily known for its cybersecurity trainings and education. Are you looking to be more than that and how does going public further those goals?
The security awareness platform is what we started with. We did two years ago add a product called PhishER, which is a [Security Automation and Orchestration] offering and which is ultimately nothing more than tools and process combined.
We are adding features to PhishER and we are increasing the capabilities of the security awareness platform with AI recommended phishing templates, training models… the whole platform is going to be AI-driven ultimately. That is certainly helping to build that human firewall, one person at a time and granularly, specifically, for that person based on their strengths and weaknesses.
So there’s lots of development still possible and enormous opportunity, but we’re not going to be a filter. We’re not going to block emails, there’s dozens of companies doing that. I was there. Been there, done that, I’ve worn the torn t-shirt. There’s a huge opportunity on the human layer so that’s where we’re going to expand.
So is SOAR where we can expect to see the biggest strategic development in the services you offer?
Yes, and the next adjacency is basically user behavior management, because it’s not just phishing. Social engineering comes in multiple different flavors…and we are getting the awareness up on all those different attack surfaces or attack factors, if you will.
In your SEC filings you say you want to build a platform that’s capable of changing insecure behaviors and reinforcing secure ones. Is that where you see investments like SOAR and AI paying off?
Yeah, exactly. Look, old school is herd them in the breakroom, keep them awake with coffee and donuts and then it’s death by PowerPoint. We all know that doesn’t work.
What you really need to do – and this is now essentially scientifically validated – is at least once a month you need to send your employees a simulated phishing attack. Because that provides the numbers that keep people on their toes with security top of mind… that little bit of skepticism about whether there really is a PS5 in stock at a 60% discount. They should go “Hmm, I don’t think so.”
You tell potential investors that while you expect this growth strategy to pay off in the long term, it might result in a negative impact on profitability early on. Is that just because of the potential upfront costs associated with acquisitions or are there other reasons?
We have been cashflow positive for a number of years already. However, sometimes you decide to pull the trigger on a transaction that will cause that cash flow to dip. A good example is MediaPRO, which we acquired earlier this year. So yes, there will be fluctuations for sure.
The IPO is essentially extremely useful to even out those kind of bumps so you’re not dipping into your bank account without sufficient buffer or additional capital sitting there on your balance sheet. It will make it easier for us to pull the trigger on M&A transactions when we see a good candidate. We have a shortlist [of potential acquisitions] but we save those announcements for the quarterly earnings calls.
What can we expect to see from the company over the next six to 12 months, beyond what we already discussed?
We’re currently at about $60 billion per year in information security spending [globally] but it’s just not working. What we’re trying to do and where you can see us continue to move is into strengthening that human firewall, because well over half of breaches are caused by humans. So you will see us move into areas that help enterprises really clamp down on the human error in those data breaches. That’s the direction we’re going.