In 2014 I began my quest to interview some of the most interesting folks in the Colorado security community. The goal of this series is to highlight different perspectives in the region, and have some fun doing it. In March, I interviewed information lawyer Dave Navetta. In April I sat down with Chris Petersen, co-founder of Boulder-based LogRhythm; in June I spoke with Johan Hybinette, CISO for Hosting.com; then in October I met with Jericho from Attrition.org.
For my next conversation I set out to talk with the biggest security shop in town… Accuvant. I reached out through some of my friends over there and was set up with a meeting with one of the co-founders, Dan Wilson. Originally we were scheduled to meet November 5th… the day of the announcement of Accuvant and FishNet Security joining forces. Accuvant and FishNet Security have been the clear leaders in the security VAR and reseller space. Their union is sure to change the landscape of the information security industry. This made the opportunity to talk with Dan even more exciting for me. With all the surrounding activity and the holidays, we were able to get together for lunch on January 16th.
We sat at an upstairs table at Hapa Sushi downtown. Our conversation blew way past the scheduled hour; it was fast-paced and covered a lot of topics. Below I have summarized the key points of the conversation and tried to give you some insight into the founding and building of Accuvant – one of the biggest security companies in the world, and one of Colorado’s biggest success stories.
My questions are indicated in bold, with Dan’s responses paraphrased below.
I am a Colorado guy. My parents moved here when I was two years old, and I’ve been here ever since. I graduated from CU Boulder, and continue to live on the north side of town.
What’s your background in security?
Dan Burns (Accuvant co-founder) and I both got into IT in about 1992 working for a local Sun Microsystems distributor called Access Graphics. We both worked there for 4-5 years. Sometime around the beginning of 1997 Dan Burns left and joined another company called Netrex. Netrex was one of the first managed security providers, and really one of the first VAR model plays.
Netrex had their start providing security to the automotive industry. They built a SOC (security operations center) to support their work for the automotive industry. It was successful, and they sold the same concept to US West here in Denver.
I remember sitting around a table at Siamese Plate in Boulder, with Dan Burns and another colleague who had moved to Netrex. They were telling me about this security thing, and how it really seemed to be a big opportunity. I remember replying with something like, “I don’t know… I am doing pretty well selling Sun SPARC chips. I don’t really see that market going away.” They twisted my arm, and in the end the three of us opened up the Denver office to support US West.
Over the next few years they really blew up. They grew from those first two offices to 12-15. In 1999 they were acquired by ISS (before IBM bought ISS). I stayed for about a year and a half after the acquisition. So, like a lot of other folks in the security industry, I have ISS somewhere in my history.
Why not stay around there at ISS?
I’ve found in my career that I prefer not to be required to sell a specific manufacturer’s products. Regardless of how good the product is, being told I need to sell a few specific solutions limits the options I can provide customers. When innovation is going so fast, and technology continues changing, having the ability to recommend multiple manufacturers is the best way to serve a customer.
So what came after Netrex?
I moved to Exault, another small security company, very similar to Netrex. I was only there a few months before that company was acquired by VeriSign.
Dan Burns, William Strub, Scott Walker and I had all worked together at Netrex. We believed that there was a big need for a company like Netrex or Exault in the security space. There was so much confusion in the security industry, where customers didn’t know who to trust about technology and solutions. We believed that where Netrex and Exault had gone wrong was in selling so quickly. We knew we could do a lot of similar things to what they had done, while avoiding some of the mistakes they had made, and make a successful organization. We would build a company with a strong services arm, wouldn’t be beholden to a specific product set, and try to make sure we anticipate customer needs.
Accuvant was the fruit of those conversations. It was born in 2002 at Willie G’s here in Denver. The business plan was literally born on the back of a cocktail napkin.
Just the four of you to start?
Yes, just the four initially. I led partnerships, Dan Burns was leading sales, Scott handled operations, and Bill was leading consulting. Shortly after we brought over another Netrex alumnus, David Bonvillain, to start up our strategic services; what would eventually become Accuvant Labs. We brought him from the hacker community, similar to the Jericho type group. David and Jericho would almost certainly have run into each other multiple times.
What about the name Accuvant? Was that the original name? Where did it come from?
Yes, that was the original name we came up with.
At the time we had a methodology we called AIM (assess, implement and monitor). So we looked for a name based on Accuracy. We tried a bunch of different prefixes and suffixes, and Accuvant came from combining accuracy and savant. We came up with about 10 different options, took them to our friends and family, and we picked the one that had the most votes.
So, it wasn’t exactly the scientific method that got us the name. Scott Walker joked that the name is Latin for “This domain name is available.”
How did you fund the company? Did you take capital?
Not really. We took a little bit of friends and family money, but mostly we bootstrapped. For the first couple years we took no salary. And for the few years after that we took minimal salaries. I was fortunate that my wife was working to help our family pay the bills, but a couple of the other guys weren’t so lucky, and they really had to burn through their savings as the company got up and running.
We were able to bootstrap it because it is a low cost business model. Most of the expense comes in compensation, and most of that is variable comp since we’re such a sales heavy organization.
We really had a credo, and still do, that we want to reinvest profit back into the business to grow it. A lot of the money that would have gone into our own pockets has gone back into the business.
Were you located downtown right off the bat?
Yeah, we were in the old post office building, at 17th and California. In class D office space. It was a humble beginning. I remember flickering lightbulbs and card tables. And we signed a long-term lease to reduce costs, so even after we started to have good success we were there for a couple years. I remember starting every meeting with a short apology about the conditions, and trying to convince customers that, despite our surroundings, we were doing pretty well.
The company kicked off in 2002, tell me about the beginning?
When we had first imagined the company we thought a big part of our model would be selling Check Point and op sec support around that. We had years of prior experience and relationships with them, and thought that would give us a leg up. What we experienced was that a ton of competitors came out of the woodwork to offer Check Point and that our history and relationships didn’t really give us much. We found ourselves mired in a very competitive space, so it quickly went to price.
We were fortunate to partner with OneSecure early on. They were one of the very first IPS solutions. The fact that we were able to offer something to our clients that was a little off the beaten path was a differentiator for us. Rather than having to sell the same few products that all the other VARs were offering, we had something different.
NetScreen (later Juniper) was another big early play for us that allowed us some differentiation. The SSL VPN technology was just emerging at the time, and we were able to use that to get an edge in the market.
Now, remember my position with the company was as the head of partner relationships. So I can’t help but talk about the technologies we brought on to help us. But we have always been about services, and our services really set us apart. Since the beginning we have focused on delivering a whole solution to our clients, rather than a technology. My focus on technology is mostly based on my role in the company.
What about expansion?
We had a goal from the beginning to open a new office every quarter for the first 3 years. We were able to accomplish that. So by the end of the third year we had 12 offices located around the country. Now, an office in a town might only mean 1 or 2 people working from home, but we at least had a presence in a dozen cities early on. We’ve slowed down since then, but with the pending union with FishNet Security we will have a presence in over 40 cities.
How did that transition from scrappy start-up to successful company go?
We were driving so hard for such a long time; it took a while for us to realize we were there. We had hired quite a few individual contributors in the first several years, but it wasn’t until about 5 years in that we started to bring in help at the management level. Specifically in the finance area we brought in Ed Wittman. We needed someone with a CFO background to help us out. I think the first thing he told us was that we were badly underpaying ourselves. It was this outsider’s perspective that helped a lightbulb appear over our heads… Yeah, we are doing pretty well now. We don’t need to continue running the place check to check and hand to mouth.
Now, don’t misunderstand. It’s still extremely important to us that we reinvest everything we can back into the company. This is something that Dan Burns regularly talks about, and is a focus for us.
Did you guys ever get any pressure to move the headquarters out to Silicon Valley?
No, not really. It was (and still is) our goal to build a national presence. In order to work with large national customers we needed to have a presence where they did business, which was a big part of why it was an early objective of ours to grow out to those 12 locations in the first three years. And certainly the Bay Area was one of the first ones we opened. Because we were able to develop that footprint throughout the country, grew organically and never sought to take funding, we never were pressured to move the headquarters to California.
When we sold a majority stake in the company to a private equity firm in 2008, there was no conversation about it even then. We are Denver guys, and we plan to have a strong presence here long term.
One unique thing about Accuvant – I understand that you guys operated for the first decade or so without a CEO. How did that work?
Yes, it wasn’t until a few years ago that we named Dan Burns the CEO. For most of our history we really operated as a four-person committee. And sometimes the committee grew even bigger. It was a really powerful way for us to build the company, with different people focusing on different areas. No single “buck stops here” person. Bill was very technical, Scott had a great head for numbers (and was our de facto CFO before we had one), and Dan Burns and I were handling the sales… his team to customers and mine to partners.
In 2009, before we had a CEO, we were nominated by Ernst and Young for an entrepreneur of the year award. We were about 400 million in revenue at the time. The judge from Ernst and Young just kept saying, “It’s impossible to build a company that big without a single throat to choke.”
Eventually that proved to be right. As effective and successful as it was, we eventually had some differences of opinions that couldn’t be worked through without a single chief executive. We all had budget control, and we all had a ‘highest priority’ which didn’t always align. Getting a single CEO eventually allowed us to ensure we had an aligned strategy throughout the company.
Can you share any of Accuvant’s missteps?
Yeah, sure. We did a deal to acquire a company called Ciphent in 2010. The thinking was that it would ramp up our managed services capability, would give us a presence in the northeast that we lacked, and would help our federal practice. But the Ciphent deal itself was not a misstep. It was a 1+1=3 opportunity. The misstep was in our integration effort. We encountered some unexpected hurdles that I’m sure many companies face when going through their first integration. Our two cultures were drastically different, which we should have realized earlier in the process and that definitely had a short-term impact on the business.
For a long time after, the only lesson we learned from that was to never make a deal. But I believe our experience with Ciphent has really informed how we are doing integration with FishNet Security right now. The Ciphent acquisition was obviously a different scale… they were a 40-person organization, versus now with FishNet Security, it’s two 650-person organizations. But that experience taught us that it’s not reasonable to expect people to just come together and use their spare time to figure out the details. We are being very deliberate, and bringing in outside help to assist with the integration, and putting some of our best people on the integration on a full-time basis.
I’ve had the chance to talk to a number of folks in the industry about the union with FishNet Security, and what the resultant company will look like. There is some skepticism out there that the end result will be greater than the sum of their parts. Obviously you guys wouldn’t have made this move if you agreed. Why do you believe the two companies are stronger together?
Well, clearly the proof will be in the pudding. We strongly believe that’s true, and there are an awful lot of other smart people who agree and supported this combination.
There are some real good reasons to think this is a strong union. The overlap of key clients between our companies is extremely small, about 3%. To be clear about what that means, it doesn’t mean that we don’t have a presence in those companies; it’s that 80-90% of their business goes to one of the companies or the other. We see that in security, companies want to have a trusted advisor, and will generally stick with one partner for most of their business.
I have heard the Accuvant/FishNet Security union compared to Coke and Pepsi joining forces – where people simply have a preference for one business over the other. In such a case, the consumer who liked one company over the other might lose out on their choice. Do you believe that is a risk to customers?
That concern makes complete sense. The answer is that this is a relationship business. Of course there will be adoption of process improvements from both Accuvant and FishNet Security into the new company. Things like client invoicing and SOW creation will see improvements as we utilize the best from both companies. However, from an end-client perspective, it all comes down to the people you work with. Our clients will continue to work with the people who have made their experience a success.
The reason both FishNet Security and Accuvant have been successful in those accounts is due to the people who service the clients. Sales, pre-sales technicians and delivery people who do a great job. Those people will still be the face, hands and feet of the company.
I don’t think it’s unreasonable to say that the standardization of the back-office processes will deliver a much smoother experience to the customers, with no loss in the high-touch experience from the professionals they’ve come to trust.
Both Accuvant and FishNet Security have invested heavily in building unique offerings. For example, Accuvant’s office of the CISO under Jason Clark. They are investing in research and putting together tools to offer strategic assistance to CISOs. Or what Ryan Smith’s team is doing in R&D. They are looking to solve challenging technical problems for the industry. Exploit development and research are among their areas of focus, and it really makes us much stronger as a company.
On the other hand, FishNet Security has invested in developing a very strong Identity and Access Management (IAM) practice. We at Accuvant decided not to focus intensely in that area because FishNet Security was already doing it so well.
The larger organization will also allow us to offer these services to both sets of clients, and going forward, expand on the special resources we can offer.
What are the biggest challenges of the company?
It’s definitely finding the right talent and finding enough of it. The supply of skilled security professionals has not been able to keep up with the demand, and the shortage is continuing to get worse.
What are you guys doing to address the talent shortage?
David Brown is running a program we recently created, which is a sort of cybersecurity boot camp. We bring in those who just graduated from a security college program or former military and give them a 3 month training program. This program equips them to step into a role within Accuvant. The first portion of the training is general security training, where they learn about each of the disciplines. Then for the remainder they are placed on a track based on their future job: sales engineer, pen testing, risk management, managed services, etc. We just graduated our first class of 10, and they are now starting on their job in the field. We will probably look to increase the throughput on the program once we prove it out.
We’ve realized that we need 500 additional people by the end of next year. Clearly this model won’t scale up to provide that many immediately, but it helps fill the gap.
For those who are thinking of jumping into the security field, what do you recommend? What’s the right first step?
Get a really strong understanding in one of the key disciplines. Data scientist is one of the areas where there is a huge shortage right now. Knowing how to manipulate data to pull out the information you want is a big need in security. It’s not even necessarily a security skillset, but it’s one we lean on heavily.
Another area I’d recommend is developing a strong background in risk management. Figure out how to talk intelligently about how security relates to the company itself.
In terms of how to get started on that path… that’s simple; come work with us. Or, pick up a CISSP or other security book. Start learning and asking questions.
We are always looking for people to help with event management and correlation. Especially product-specific skill-sets. Go learn Splunk or QRadar, and learn how to analyze and act on the various log sources you’re pulling in.
We are also seeing a big move for all of our highly technical people, that they have the ability to code. Even for those in other disciplines, the ability to code has become an important requirement.
Last question for you; what are CISOs doing wrong out there? What can we do better?
There is a wide variety of maturity and career stages among CISOs. There are a lot of them who are thinking programmatically. But there are also those who have a hard time getting out of the tactical, and for them we want to help them move their thinking up a level to the strategic. The tactical CISOs might see that they have X amount of budget, and will play a game moving resources around to play whack-a-mole, dealing with the issue of the day. They need to be enabled to go back to the board and tell the stories that will set a vision for where the program should be, and provide the resources to get there.
Thanks so much to Dan Wilson for taking the time to talk about Colorado security with me. I look forward to continuing this series and shining a light on more interesting members of the Colorado security community. If there’s someone you’d like to see spotlighted, drop me a note and I’ll see what I can do.