Gary McGraw: This is a Silver Bullet Security Podcast with Gary McGraw. I’m your host, Gary McGraw, vice president of security technology at Synopsys and author of “Software Security.” This podcast series is co-sponsored by Synopsys and IEEE Security & Privacy magazine. For more, see www.computer.org/security and www.synopsys.com/silverbullet. This is the 144th in a series of interviews with security gurus, and I am super pleased to have today with me Ron Gula. Hi, Ron.
Ron Gula: Hey, Gary. How’s it going?
Gary: Pretty good. Let’s read about Ron. Ron Gula is co-founder with his wife, Cyndi, of Gula Tech Adventures, a cyber security investment fund. Ron started his security career as a network pen tester from the NSA. At BBN, Ron ran USinternetworking’s team of penetration testers and incident responders. As CTO of Network Security Wizards, Ron focused on security monitoring and produced the Dragon IDS system. As CEO and co-founder of Tenable Network Security, Ron led the company from 2002 to 2016, scaling to over 20,000 customers. He holds a B.S. in EE from Clarkson and an M.S. in EE and computer engineering from Southern Illinois University Edwardsville. Ron lives with Cyndi in Maryland. So thanks for joining us.
Ron: Hey, thanks for having us on the 144th episode. Thank you for doing that many podcasts. That’s awesome.
Gary: Twelve years in a row of Silver Bullet without missing a month, so you got to…
Ron: And 12, 12. We’re the square of that, with 144. That’s great.
Gary: There you go. We’re the square. So you’ve had a little taste of lots of things in your long security career, starting in the government and then going commercial. Can you compare and contrast government security solutions with commercial solutions, given your perspective today?
Ron: Yeah. The government has an edge in large-scale systems. So if you’re going to build something for the government, it tends to be very centralized. And people think of things like the DoD or large government agencies like Department of State, where there’s a lot of central authority, there’s a lot of budget, but there’s also a lot of kind of moving parts, which gets you into a lot of bureaucracy. So a lot of the cyber programs I’ve been involved with for the past 20 years have been dominated by those themes—a lot of budget, a lot of people, and a lot of centralization—and a lot of times, one solution doesn’t fit everywhere, so you end up having exception after exception after exception.
When you switch over to commercial land, you have the opposite of all those things. You don’t have as much centralization as you have in the government. You don’t have as many resources, and you certainly don’t have as many people. So in the commercial area, you tend to see things dominated by flavors of the month of certain types of cyber technologies or perhaps minimum compliance standards. And so yeah, two completely different things. And they started merging about four or five years ago, when the commercial people realized that cyber was somewhat important and they started hiring all those government and military cyber experts that are in the area around here in Maryland.
Gary: So I have a completely different perspective than you do, but I’ve been working with gigantic multinational banks for 20 years. So in my view, like everything that you said about government applies to, say, I don’t know, Bank of America, who has 380,000 employees.
Ron: So I don’t disagree with that, and I will definitely agree that these larger, big, big—like your Fortune 20s, your Fortune 50s, I agree are very bureaucratic. But there’s a difference that even those banks are somewhat governed by a profit margin. And they’re somewhat governed by, in some cases, even more compliance, especially if they’re multinational. But yeah, there is a good parallel there.
Gary: So render a 30-second opinion on each of these things. No. 1 is FISMA.
Ron: Thirty seconds? I’ve already lost five.
Gary: You’ve already used seven.
Ron: If I finish my FISMA report…no. FISMA is an exercise in trying to document everything that should be done and is not humanly possible. It’s almost like dogma. The idea is better than the actual creed. And I forget the exact dogma quote, but that’s kind of what we’re talking about with compliance and security here.
Gary: Your dogma ate my karma. I think that’s the quote.
Ron: That’s right.
Gary: All right, No. 2: NSA offense versus NSA defense.
Ron: Offense always wins. I don’t need 30 seconds to describe that.
Gary: All right, No. 3: the NIST Framework.
Ron: The NIST Framework is the best measurement of security. Most people don’t measure up to what it measures, though.
Gary: Right. But you don’t think it’s too vague?
Ron: I think there’s lots of ways to measure risk and try to prescribe things like measuring it. (I say “risk,” meaning cyber risk.) And I like the fact that it talks about before an attack and knowing your assets all the way to planning on recovery, versus other things that are more focused on maintaining a baseline or just preventing attacks. So I like the fact that it’s broader in those areas.
Gary: Cool. Well, that’s very interesting. I didn’t expect any of the answers I got for the first two sets of questions, so who knows where we’re going to go today? You worked at BBN, at Network Security Wizards, and at Tenable. And now you’re involved in a multiplicity of startups through GTA. I think it’s something like 24. So what is your favorite stage of business to operate?
Ron: Wow. The favorite stage of business to operate is the one that has happy customers and that you’re profitable and making people successful. That’s the great stage. And the cool thing about that is you’re always trying to get to that level. I mean, when I left Tenable, we were still trying to get to that next level, right? We had almost $100 million in revenue, and “Oh, we could do 250 in a couple of years.” At the same time, I get a lot of enjoyment out of working with startups, people who have pre-revenue, ideas. This is going to sound very ominous, but one of my favorite things is telling people not to do companies because it’s a bad idea.
Gary: No, I totally think that’s great insight.
Ron: And that’s…if you can help somebody like not hurt themselves for two years? Occasionally I’m wrong, and that’s OK. People should not listen to one person. But for the most part, it’s like, “Hey, look. Everybody’s working on that. You’re two years late for that. Don’t do that.” That’s very valuable advice.
Gary: So that was…
Ron: So I’m really enjoying all stages. And if you look across our portfolio, some of these guys are on their Series B, Series C. People like ThreatConnect, people like Contrast, for example, and Flashpoint, and other people who are startups, and we have stealth people that haven’t even kind of come out yet. So I’m enjoying all aspects of that. This market moves so fast, and there’s so many smart people. I’m really enjoying doing what we’re doing now.
Gary: So in your view, what are the kind of classic stages of a security business from ideation all the way to whatever?
Ron: Well, you’ve got pre-revenue, and you have ideas. And sometimes people will iterate on an idea before they have their launch or their “Hey, we’re not stealth anymore.” And then you’ve got the “OK, well, we’re not stealth anymore. We have a website, and it’s been a year, and we don’t have any customers yet.” So getting those first customers is really kind of interesting.
And then you’ve got the whole “I’m growing a company,” where you actually…you’re measuring things like the cost of acquiring a customer.
Are the customers using your products the way that you’ve grown? And then you have that whole question of, what do you want to be when you grow up? Are you going to go out and raise a ton of money to grow really, really fast? Are you going to keep growing organically? Is there a services component where you can start looking at maybe acquisitions and tangential things? There’s so many different ways to grow a business. It’s fun getting to go along on many different rides now versus being the captain of your own vessel, so to speak.
Gary: Cool. In my personal experience, technology transfer from the lab to the world takes about a decade, no matter what the tech is. That’s just what’s happened to me. So same kind of timeframe for you? Do you agree that that seems to take a decade?
Ron: Yeah. And it’s even worse than that. Because there’s so many talented people at these national labs, you get sort of the not-invented-here syndrome that you’ll get at a successful commercial company, where they won’t give the due of maybe a really good commercial solution bringing it into those labs. So I actually see that tech transfer going slow both ways, which is interesting. It’s a very odd situation. In Tenable we actually sold a lot to all the different national labs, and it’s a very interesting process when you go in and have to present to like a panel of Ph.D.s. And actually I had some of our current portfolio companies going through this as well.
I don’t see a whole lot of tech coming out of those national labs in cyber that becomes productized. Probably, I think the best one—and I’m probably going to get called out for this if I’m wrong—but I believe Lancope was based on NSA Tech Transfer, which is now at Cisco. And Dr. Copeland down in Atlanta, I think they did that. That’s the one that I can point to the most. And unfortunately, when you speak to politicians about this, they don’t really hear this on the cyber side, because other things, such as deep space research, things like medical research, it does take decades to really perfect something and then transfer it out.
Here in Maryland, I’m on Governor Hogan’s Excel [Maryland] advisory board, where we talk about ways to grow life sciences and cyber, and I say, “Look, I mean, we should take all the tech,” and like the Applied Physics Lab here in Maryland. And just literally, if you’re going to make a company in Maryland, just here, the tech is not what makes the company. You need a team, you need founders, you need leaders. The tech is almost irrelevant. And most venture capital people will tell you this: It’s not the idea that makes a company. It’s the people leading the company, it’s the market, it’s all of those things, and the idea is like one of the least important things. You need it, but it’s one of the least important things you need.
Gary: Yeah. I totally agree. If you had to name kind of the most important component in tech transfer—let’s just say from the lab, national lab, or scientific research out into the commercial world—what would that component be?
Ron: Well, it’s got to be market fit. So it’s one of those things. You can’t come up with a solution to a problem that nobody knows that they have or is not willing to purchase. So a lot of times, the tech that’s created is amazing tech, and I love the innovation. I love how smart people are that they can come up with these research things. But sometimes the problems that are being solved aren’t the kind of thing that’s going to get somebody really excited in the corporate world.
And like a really good example—again, this is one of those things, we call out certain things. This market is moving so fast where you have different technology shifts every four or five years across many different technology platforms, and you see sort of a rehash of asset discovery, intrusion detection, how do I know assurance, compliance, and all that kind of stuff. So where do you fit something that’s really innovative? And there’s…in a market when you’ve got, what, 2,000 cyber product vendors? So it’s a hard thing to do.
Gary: So you ran Tenable for 14 years, which is a good long time. Tell us two important lessons that you learned, one positive and one negative.
Ron: So I think let’s start with the negative first. I like bad news first. So when we did Tenable, when we started, I had a lot of great help. Really good co-founders, got to work with my wife. I was very, very lucky to work where we were at. And we were very successful. And what is success, you know? You’re selling a product, the customers are happy, and the year after, you do more of that, right? So we did that pretty much the first five or six years. But then other products in the space, other companies in the space, started raising venture capital. So even though we were successful and we had a lot of money in the bank, other companies who were not as successful went out and raised $50 million. And all of a sudden, we looked like a small company even though we had that. So one of the negative things that I learned is, perception is reality.
So the year that we had like 200 people, there was a company we would’ve acquired. I don’t want to say which one. And the founder of that company was actually in Maryland going through after visiting DC, and he thought we were 20 people, and we were 200 people. So that’s one of those negative things. So when people say, “Hey, there’s too much marketing. There’s too much whatever”…don’t confuse the fact that somebody’s trying to tell their story with the fact that there’s 2,000 companies. It’s just hard to keep that straight.
Gary: Yeah. We had that in spades too, because we didn’t do very much marketing and we’d been making tons of money for years. And that was very hard for the market to understand. It’s like, “What? You’re not leveraged to the ears? What? What’s going on?”
Ron: Yeah. And then…and I think a positive story is you can’t do everything by yourself. And as soon as—and this is really more for the founders who are out there. And there was one meeting I had where I ran the meeting. We were 20 people. Marcus Ranum worked at Tenable for a long time, and he kind of mentioned something to me after. He goes, “You know, you’re like the nexus of the company.” And I said, “Oh, yeah.” And I took that to heart. And I really tried to surround myself with people who were a lot smarter and a lot better at doing things than I was. And I see people make this mistake. I will say the ones in my portfolio know who I’m talking about, but it’s the founder who does everything. They’re working 80-hour weeks. And again, there’s nothing wrong with working hard. But doing everything and not letting go, you will hold yourself back. There’s only so much you can do.
So a really good thing that I learned was delegation, communication. Even to the point that we were trying to practice…“perception management” is the wrong thing, but you don’t want to leave people guessing, right? If you’re going to make a release, try to communicate that. And people who work at Tenable know that we got better at this over the years. And depending on where you are in the organization, people are always kind of saying, “What’s good?” But having the ability to let go is something I learned, and I’m trying to kind of help the other people I’m working with now as they scale up.
Gary: Yeah. Super important lesson, I think. So you anticipated my next question was that you had this Battlestar Galactica–like collection of security gurus at Tenable, and that was a pretty fun group. There was Marcus Ranum and Jack Daniel and a few other guys. So what value did you get from those guys? I think you just expressed it, but tell us again.
Ron: Well, there’s a couple different ways to look at that. I mean, I had some people that worked with Cyndi and me at our previous companies who worked at Tenable for a long time. There’s people like Marcus Ranum, where we competed at. In the intrusion detection space, we were different. There’s guys like Jack Daniel, who I recruited for a long time. Guys like Paul Asadoorian, who kind of had his own podcast and really helped kind of take over. But there’s 20 or 30, if not 50, people that I personally recruited and tried to get into Tenable that helped make the culture, helped make the right environment, gave us…not credibility, if you will, but gave us the ability to kind of complete the story, the picture.
Again, along that line, you can’t go everywhere. And I think if people met me earlier, in the early Tenable days, I would say, “Look, I don’t want this to be ‘The Ron Gula Show,’” right? I very much was trying to make sure all the co-founders were involved, that people who were…the sales engineers, that they felt like they were really kind of pressed—“press” is the wrong word, but they were the ones bringing the message of how the products worked, how they demoed. And that was the kind of stuff we really tried to do when we brought those folks in.
Gary: Got it. So it was kind of about bouncing ideas and plans and positionings and sales pitches against those guys and seeing what they had to say?
Ron: Yeah, and this is…As Tenable’s getting larger and larger, it’s kind of hard to have this, but like Paul Asadoorian had his own…it wasn’t “Security Weekly” at the time, but he had his own podcast, and that was great. There were a lot of people we encouraged to speak at conferences. And yes, you’re speaking at conferences, and what are you speaking about? Is this a Tenable thing? Is this not? When you’re 30 people, when you’re 40 people, when you’re 100 people, that’s a good thing. You want people out there. The larger you get and sort of the more corporate you get, you can’t do that as much. So you’re seeing Tenable doing things like their own user conferences now and getting William Shatner to talk, which is just great, but it’s more indicative of the size and success of the company and less about, what can we do to get the maximum value out of the 100 people or 50 people that are at the company?
Gary: I think the answer now is definitely William Shatner, for sure.
Ron: William Shatner’s the answer to everything. Watch this. What’s your next question? I’ll leave in a William Shatner answer.
Gary: We’ll just say William Shatner.
Ron: There you go.
Gary: We’ll be right back after this message.
If you like what you’re hearing on Silver Bullet, make sure to check out my other projects on garymcgraw.com. There, you can find writings, videos, and even original music.
Gary: So the next question is now at GTA, which is what I call your Gula Tech Adventures, you have a portfolio of 24 companies, which seems to be a pretty high number to me, but it’s a very impressive set of companies. So what’s the rationale behind your portfolio, and what’s your average investment size in dollars and energy and so on in the stuff that you’re doing now?
Ron: Got it. So the question is, is it a lot? Is it a little? I think we could do a bit more, and the thing to realize is we’re not running these companies.
Gary: Oh, I know that. Yeah.
Ron: Yeah, we’re not running these companies. So Cyndi and I, we can get really involved in a lot of things. We just did two different CEO searches for…well, two different CEO searches for two different companies. If we were talking about six months, seven months ago, we would’ve said, “Hey, look. Three of these companies are doing their Series B or C raises, and we’re being somewhat helpful with that.” We do a lot of passing of like résumés around. So if you’re a C programmer or a sales, enterprise, cyber person, firstname.lastname@example.org. Contact us. We’ll sort of vet it and put it in front of these people.
The bottom line is that we still put in about 45, 50 hours a week trying to work on different aspects of these companies with problems that they have. But at the same time, we’re still making our own schedules, right? So I’m really enjoying doing these types of things. And the thing is, Cyndi and I, we’ve done two different companies, very successful people. We’re investing our own money. So the good thing is we don’t have an investment committee. So literally I’ve gone from pitch to a check…
Gary: You do. It’s just you and Cyndi.
Ron: It’s just us. And so that’s good. So there’s no quick sort of investment committee, anything like that. And we tend to partner with the more established venture capitalists. When I say “more established,” people who have partners, people who’ve advertised that they’ve raised a fund, people who they’ve done…The good thing is that at angel levels and at Series Seed and A rounds, you can be a very effective investor with anywhere from $50,000 to $1 million. And so we’ve done investments in those kind of areas. But at the same time, it’s not like we’re going…Like I used to actually have investment sizes and things like that on our website, and I took them down, because sometimes when you’re starting out, sometimes they just need…Like there’s a couple of companies we’re tracking here in Maryland, we haven’t even talked about investing yet. They’re not ready, and they might not even get there yet. And frankly, if they go raise the half a million dollars and hired three or four people and they don’t know what they want to be when they grow up, it’s not going to solve that solution.
Gary: Exactly. Yep.
Ron: So we’re looking for a fit. We’re not looking for a quick hit but…And also when you look at 25, about 10 of these we did as angel people while I was at Tenable. So, for example, StackRox. Sameer’s doing a lot of great work in the container security space. When we met, he was an entrepreneur in residence at Accel Partners, the VC firm that invested in Tenable. That was more or less what you would call an angel investment.
But one of the reasons we set up GTA with a website and as a fund and with the portfolio is three things. We want to be able to communicate effectively. We meet with CIOs, CSOs, VARs all the time. We want to operate as a venture capital partner. We do events. We’re sponsoring a variety of events right now, different types of things, so we’re operating with overhead—dinners and that kind of stuff.
And then the last thing that’s the most important is we want to kind of inspire people to start a company, and not just any type of company. We want people to specifically start cyber product companies, and I want them to start it. We live in Maryland. We’re next to Virginia. This area has more cyber security expertise than anywhere else per capita in the world, yet you don’t see the next 20 Cigitals, the next Tenables, the next 20 Sourcefires, right? And my tagline is, where are the next 10 Tenables? So I want people to start cyber product companies, and I think this area from northern Virginia all the way up to Baltimore is a great place to start those companies because that expertise is here.
Gary: Very interesting. So kind of a selfish question, since we’ve been talking about Marcus and I’ve served on a couple of technical advisory boards over the years with him, do you think that security startups need a technical advisory board?
Ron: Yes and no. So it depends on what you’re going for. So for example, if you were starting an MSSP focusing on, I don’t know, healthcare insurance, I think you need a combination of things. You need a technical advisory board. You probably need a customer advisory board, because you’re all about nuances in that market and serving that market. If you’re going to start the next Uber and nobody has come out with anything like that in the past, that advisory board’s not going to really help you, unless you’ve got a wide variety of folks in there. So when I think of technical advisory boards, you don’t want to make the same mistakes twice, but at the same time, there’s a lot of new tech out there that perhaps folks like ourselves might not be as up on. It actually could be a hindrance and give the wrong advice. So it really depends.
Gary: Yep, that makes sense. What’s more important in product development: technology or market understanding?
Ron: Market understanding. Market understanding. For one big reason. Most customers only use 10% of the features that you send them. And so that means the other 90% that you worked really hard on and did a big QA, did a lot of development, a lot of testing, a lot of documentation—it’s not used. And this is something that I thought was just something at Tenable, but the reality is I’m seeing this across the board. And one of the ways this manifests itself is the engineer-led sort of company or the engineer-led product development where “If I just add a few more features, the product’s going to fly off the shelves, or the customer is going to understand or they’re going to do that.” So features don’t equal sales.
This is where it comes to communication. I’m not overmarketing what’s going on, but making sure you’re solving a problem for the customer. And even if that problem requires somewhat of a religious change at the customer side, you can lose that argument, especially if you’re too early or too late. But for the most part, it’s all about educating the customer and making sure that you’re on the same wavelength.
Gary: So when does a startup need to develop professional product management, in your view?
Ron: Wow. A couple of different things, and I think a lot of people who’ve worked with me in the past realize that I’m not a professional product manager, even though I help create a variety of Gartner Magic Quadrant material and companies that made, you know, tons and tons of revenue. I think it actually starts with a much more basic question. And it’s that if you’re going to go into business and you’re going to sell a product, whether it’s a cyber product or…what is your goal? And this is the basic question I ask people when they’re starting a business. Do they want to be Elon Musk? Are they doing it for the benefit of the world? Well, why aren’t they just open-sourcing it and volunteering everything away?
A lot of people don’t understand the basics of what they want to be when they grow up. Is it a quick exit? Is it a feature? Is this going to be a platform? What kind of sales force, go-to-market are we going to have? Is this e-commerce only? What is sort of that vision of how they want to interact with the customer? And at that point, OK, now that you know what you want to do, how are you going to go and do it? What features do you need? What type of things do you need?
A more tactical way to answer that is when you have too much stuff to track, where you’re maybe integrating with too many things, you’ve got too many builds or different OSs…Like let’s say you’re doing a product, and it’s slightly different for every version of Android that’s out there. You probably need to start planning a bit better about your build and your QA and when features are shipping for which platform. But if you’re early, I see most people are successful just by following their biggest customers and making sure that they’re happy and implementing those features, as long as those features are in line with your vision of where you want to go. Otherwise, it can be an overhead, right? A great product manager, unless they’re a founder and they’re working for stock and deferred salary, that’s going to be a very, very high overhead for, what does it look like, a C or Go programmer.
Gary: Yeah. I mean, that’s the challenge that a lot of technical people face, which is why I ask you that, is, well, when should we hire somebody like that? Do we really need somebody like that? How do we make that decision? And I think your answer kind of began to put some data out to make that decision work.
Ron: And I’m a big fan of product managers. I’m a big fan of anybody who can help you organize things, because that’s one of those things where if you’re the CEO or you’re the head of R&D and that’s your special sauce and somehow you’re not going to let that go, you’re going to end up limiting the company. Because eventually what you want to get to is where you have four or five product managers, all doing different parts and different things, and it can’t…Like, if you have a cyber product that touches other technologies, those other technologies have their own roadmaps. Just staying on top of that and knowing when to escalate—“Hey, these guys released a new API” or “These guys just got acquired by our biggest competitor”—just tracking that kind of stuff is really, really time-consuming to do it well. And a lot of people think they’re doing it well, but they’re really not.
Gary: Oh, and it’s super important. I can’t tell you how many times I’ve seen a tech stack that required shimming the browser, and you’re just like, “OK. There are a few of those. How are you going to keep on top of every single browser that everybody uses?”
Ron: Exactly, exactly.
Gary: All right. So interesting conversation. Last question for you, which is a real flyer. So when you retire, what do you and Cyndi plan to do for fun?
Ron: Well, we’re having a lot of fun right now.
Gary: It’s a trick question.
Ron: Yeah, we’re having a lot of fun right now. So just being transparent, you know, I hope anybody out there who’s done a successful company in cyber has the chance to sort of give back. And they don’t have to give…they can give back however they want. They can volunteer, they can teach at a university, they can work at an incubator. We’re choosing to kind of give back with a little bit of an investment and our time, and we’re getting a great deal out of that. We work out of our house. We spend a lot of time with our kids. And it’s a good outcome for the Gulas. Long term, we’re really, really involved with trying to make this mid-Atlantic region and, being in Maryland, trying to make Maryland more friendly to starting cyber product companies. And I’m really hoping that four or five years from now, we can point to the next 10 Tenables that we’ve either inspired or helped create. And that’ll be a lot of fun.
Gary: Cool. Sounds good. Well, thanks for your time today.
Ron: Hey, thank you, and congratulations on the 144th podcast.
Gary: One forty-four, 12 squared. This has been a Silver Bullet Security Podcast with Gary McGraw. Silver Bullet is co-sponsored by Synopsys and IEEE Security & Privacy magazine and syndicated by Search Security. The January/February issue of IEEE S&P magazine includes our interview with Eli Lilly CSO Wafaa Mamilli, one of 12 interviews carried out over a year focused exclusively on women in security. Show links, notes, and an online discussion can be found on the Silver Bullet webpage at www.synopsys.com/silverbullet. This is Gary McGraw.