Why a failed fighter pilot made a better founder (and took a company public)

Joining me is a founder who has been in the security space for years. He launched and sold one company. He launched and took another company public.

Now he wants people to learn from his experiences and he’s investing in other entrepreneurs. I want to find out specifically how he took a company public.

Ron Gula is the founder of Tenable, a tech vulnerability management company.

Full Interview Transcript

Andrew: Hey there, freedom fighters. My name is Andrew Warner. I’m the founder of Mixergy, where I interview entrepreneurs about how they built their businesses. And I do it for an audience of real entrepreneurs, many of whom are not just listening to these interviews as they build their companies, but often end up coming back here to talk about how they built their companies while listening. So really, this is not the wannabe entrepreneur type site. It’s a place where people are really learning to build their companies.

Joining me is an entrepreneur who’s been in the security space for years. He had one company that he launched and sold it, another one that he launched, it went public, and now I don’t know if you’re a goody two-shoes or what, Ron, but now he’s at a point in his life, where he says, “Look, learn, earn, return” is his mantra, which is he wanted to learn, he’s earned, and now he’s at a place in his life where he wants to return. One way that he’s returning is by helping you learn from his experience. And the other way is by investing in entrepreneurs.

So there’s a lot we can cover here. I thought we’d kind of focus on one story but cover the rest. So the story we’ll talk about is the founding, creation, and hopefully how he went public with a company called Tenable. It’s a leader in tech vulnerability management. Don’t be scared by that. I’ll be honest I was before I started doing my research, but we’ll make sure that we fully understand it and keep it exciting.

And the second thing that I thought we’d touch on is the investment firm. He runs an organization called Gula Tech Adventures. His name is Ron Gula, Gula Tech Adventures named after you. Am I pronouncing your name right? I feel like I’m constantly like worried that I get it wrong.

Ron: No, you’re doing great. I’m just going to sit back and listen.

Andrew: Let’s do it all. You know what? I’ll say one more thing, and then I’ll launch into the questions, give you space to talk. This interview is sponsored by two companies, one of which Ron is using, it’s called HostGator for hosting websites. And the second, Ron might end up using them or maybe one of his investment companies will, it’s called Toptal for hiring developers. I’ll talk about those later.

Ron, I’ve never taken a company public. Do you remember the day that you went public with Tenable?

Ron: Yes, it was earlier this 2018. We got to go to New York City. We got to go on the NASDAQ, TENB, if anybody is checking. And when your company goes public, you get to have a lot of friends and family there, and it’s a lot like a wedding. They give you champagne, and at the end, you know there’s no bell, there’s an iPad, you actually press a button on the iPad to pop the numbers, shut the market down. You walk out to Times Square and your logo is everywhere and it’s just amazing.

Andrew: It’s got to be a great feeling. Did you grow up as a kid wanting to go public at some point?

Ron: No. I didn’t have any idea. I grew up in upstate New York. I went into the Air Force. I wanted to be a fighter pilot.

Andrew: Wow. And here you are with a company. I checked it out before we started the interview, it’s over $2 billion in market valuation, right?

Ron: It is. It is.

Andrew: It is.

Ron: I mean, the tech market kind of took a step back a couple months ago, but being a public company, it really does separate you from a lot of other companies that are out there and it’s a lot of great things for . . .

Andrew: Because of more trust you mean?

Ron: Yeah, of course. There are resources. There’s trust. There are new types of customers. I mean, we started with nothing, right? So zero revenue, you got to start there. And I can remember talking to customers, “Oh, you guys don’t have a million dollars in revenue. When you get to a million dollars, we’ll do that.” We crossed $100 million in revenue mark and there were still some organizations were like, “Yeah, you guys aren’t mainstream yet.” So there’s always a bigger fish. There’s always a bigger customer.

Andrew: I feel like that’s true in your industry versus like online marketing software where people are excited to try the tool that nobody has tried from a new company that’s just starting. By the way, you went to the Air Force to learn to fly.

Ron: Correct.

Andrew: How did that work out for you?

Ron: I don’t fly right now. I love airplanes. I’m still a big fan of all forms of aviation. So I was a double E. I went to Clarkson University, and I competed to go into a fighter pilot school. It turns out I black out at like 3.5 Gs. That’s not a good quality to have in a fighter pilot but . . .

Andrew: How fast do they go? Three and a half Gs is where you black out. That seems like pretty fast.

Ron: It’s like on a roller coaster when you turn real fast and that you see the pilot pass out and stuff like that. There’s your image of me as an entrepreneur. Like I got to get out of this and do something else. So, yes.

Andrew: Okay. Wait, so were you supposed to get beyond 3.5 G? How many G forces do you need?

Ron: I don’t know. Like nine.

Andrew: Nine? That’s nine times gravity on your face and you’re supposed to take it and at a third of that you passed out. You said, “This is not right for me.”

Ron: It might have been four, but yeah. It wasn’t a good number.

Andrew: Okay. So then what did you end up doing instead?

Ron: I had always been into computers. And as an officer, I went to an Air Force communication school where they were literally teaching the internet, TCP/IP, concepts of call routing. We all can’t place a call at the same time, you know, things like that. And right around that time cyber security was started. Nobody called it cyber, they call it phreaking, hacking, cracking, all these different things. And I really, really liked that. I was drawn to it. I’m a double E, an electrical engineer. And I ended up at the National Security Agency doing basically vulnerability assessments and penetration tests, right, pretty much when that was all being invented.

Andrew: For the government?

Ron: For the government.

Andrew: I mean, like, you’re checking to see are government securities safe? At a time when they might have been using floppy disks.

Ron: There were floppy disks. I put my hands on many classified floppy disks. Yes, that happens. There used to be if you’ve ever heard about “Don’t pick up USB devices in the parking lot?” Well, that literally was don’t pick up floppy disks in the parking lot. That’s how it started, right?

Andrew: Because literally they would be floppy disks in government parking lots. People would stick them in their computers to see if there was shareware or something free to use and then they’d get a virus and that’s how a government agency would have a state and legal [problem 00:05:51].

Ron: They would call it sneakernet. Just a lot of different ways to get something. And it used to be you would have a stack of floppies around just because maybe I need to give you a file. Hey, let me grab a floppy and put it over. So that was a very real thing back in the day.

Andrew: I think even Drew Houston, when he first launched Dropbox, was on Hacker News saying, “You know how you have to use USB keys to take data back and forth? Well, here’s a new way.” So it’s not that long ago, the sneakernet was a pain for people to use. You told our producer or maybe in her research she found that the NSA and the military you said does not create entrepreneurs but somehow it does lead to entrepreneurial thinking. How? I don’t think of them as an entrepreneurial organization.

Ron: Yeah, so it’s interesting. So I live in Maryland, so very close to Washington, D.C. and there’s plenty of government agencies around here. And when people think of, you know, technology, they don’t think of the Food and Drug Administration, right, or HealthCare.gov or anything like that. But the reality is, is there are thousands and hundreds of thousands of developers working on those things every day. The government has really led the way in a number of areas. The first thing they’ve got, they’ve got top down. If they make a decision and they’re like, “Hey, we’re all going to upgrade to Windows 10 tomorrow,” they can actually do that. So organizations like the Air Force and the DOD can make those kind of decisions. And I talked to major banks and universities who don’t have that kind of control over what’s on the network. And they’ve really, you know, advanced quite a bit.

Andrew: Right. Right. Even in my company, I’m trying to get everyone to go to a Mac. I literally bought someone a Mac just to switch her from a PC. She’s just leaving it on the side. And you’re saying, “Look at the government, they buy you a Mac, they tell you to use it, you got to use it.” You’re nodding. Yeah.

Ron: It does become a little bit of bureaucracy. But the other thing they have is they’ve got access to tremendous, you know, resources. So you’ve got the NSA, Applied Physics Lab, all the national agencies, all the different types of research organizations. They actually will innovate and come out with a lot of interesting technology, and they’ll actually drive vendors to be a lot harder. Tenable is a better vendor because of our work with the government and their needs are not ubiquitous, but they do push companies like Tenable forward.

Andrew: I’m going to skip ahead a little bit. You left NSA. You worked for an organization called BBN. You then from there went to US Internetworking, one of the first cloud companies. You talked to our producer about that. And you said that’s where you got your idea for the first company called Network Security Wizards. What’s the thing that led you to that? Because that was a huge win. I don’t mean to dismiss it by passing over pretty fast, which is what we’ll do. But what was the issue that led you to create that?

Ron: Yeah. So US Internetworking was one of the first SaaS companies, and they literally were doing things like buying one giant copy of PeopleSoft and then selling it to multiple customers. Everybody is familiar with this model now. But in the late ’90s, it was pretty revolutionary. So anyway, we had all this data that we were hosting and applications we were hosting for customers. That’s a pretty big target.

So at the time I was using a vendor called ISS RealSecure. It’s one of the leaders in network intrusion detection, and it couldn’t keep up with the amount of traffic we had. It couldn’t keep up with the types of attacks we had. And we couldn’t do things like forensics. We couldn’t go back, you know, 100 days ago and what was happening on server number 3. So I was like, “Look, I think this is where the internet is going. I think this is where, you know, the hunt mission and the cyber mission’s going. And I’d like to do a product in this space.” And that’s kind of where the idea came from.

Andrew: Why not bring it to them and say, “Look, as an organization . . . ” I’m looking at some data on them. I think they brought Microsoft Office to the web before Microsoft did, right? So people can go and use Microsoft Office in the cloud, am I right?

Ron: Well, I don’t think US Internetworking there. They’re kind of more of a precursor of like the Salesforces, the SaaS type applications. They were not really set up to do this kind of product offering. If there was a way to do it, you know, as a service, like as a monitoring service, then it would have made a lot more sense. But at the time, nobody wanted to outsource their cyber security. They didn’t even have like cyber security. They didn’t . . .

Andrew: Oh, I see. You’re saying, “Look, they were not a cyber security company. They might have been able to get software into the cloud, but security is a whole other thing and they weren’t open to doing it internally.” And it seems like that’s not the direction you want to go in anyway.

Ron: That’s not the type of vendor they wanted to be.

Andrew: Got it. I thought you were saying that they weren’t doing Microsoft’s. Then I start doing research and go, “No, wait a minute, I found a MarketWatch article from the late ’90s about how they were developing Office for the web.” And now you’re saying . . .

Ron: And if you look at like the modern market today, if you put a database server on Amazon, you can get everything, the packets, the logs, the actual telemetry from that thing. But back in the day, if you were hosting Exchange or another kind of standalone application in a distributed kind of a manner, that’s not the kind of thing people had the staff to go and look at. That was a very new concept.

Andrew: Did you start that with your wife?

Ron: We did. I came home one day and I always say that the two best things she ever said were yes to get married and saying, “Yeah, why don’t you quit that job and we’ll start a company?” So that was pretty cool.

Andrew: What was the responsibility breakdown between the two of you?

Ron: So Cyndi actually did a lot of the non-technical stuff, which is actually fairly complex. So payroll, marketing, human resources, facilities, insurance, you know, collections, finances, all that kind of stuff. And she’s carried that forward. She was actually a major part of Tenable Network Security and a major part of what we’re doing with Gula Tech Adventures. That type of know-how.

Andrew: I think that there’s, like, also a 21-year-old in Jakarta with the same name as your wife who’s like an internet famous person, who every time I search for your wife ends up coming up. Do you know who I’m talking about?

Ron: I’ve seen the searches. Gula also means sugar in Southeast Asia.

Andrew: Okay, so it does make it a little bit hard to research her. But coming back into this, you sold the business within 18 months. What could you have possibly built that was so strong that in 18 months you could sell it?

Ron: Yeah. So at the time, so basically what the software was, was an application that ran on Linux. You would install it in a manner where you could look at the packet. So maybe on a span port of a router or a switch, perhaps a firewall, but you could basically see all the packets going into and out of any type of organization. And people were finding back doors, attacks from China, you know, employees who are abusing their resources on the network. Everywhere we sold it we ended up selling more, and even though this goes back, we had most major banks, most major telecoms were using it, and we were within a month being acquired. We were recognized by Gartner for being like the upper right leader in this. So it was a fairly amazing thing to do it in that amount of time with only like six employees. That was a lot of fun.

Andrew: And you were the first developer of it?

Ron: I was.

Andrew: You were the one who did it. Why sell it? I guess you kind of sold it at the height of the bubble, right? This the year 2000 when you sold it. Am I right?

Ron: It was late 2000, and we had a couple offers. There were a lot of interesting strategies of people wanting us to plug this in and whatnot. But what I wanted to do is I wanted to learn. I was not trained. I was not an MBA. I did not have a lot of entrepreneurial growing companies and selling them. I didn’t speak the way I speak now about that kind of stuff. So I thought it was great. We sold it to Enterasys Networks, and they were a public company. They had things like third level support. I’m like, “Wow, three levels of support. I should learn that.” Because I really, really envisioned one level of support. So it was a great place to go.

And now, when we’re investing in companies, I always look for that and we go [along 00:13:30] and we’re creating a large company perhaps with public potential or are we going to get a single or a double? And is that going to be okay for the founder? And for a lot of first-time founders, having a small acquisition and exit for your first success is a great thing. It changes your life, and it’s very satisfying.

Andrew: How small was this? I’m going back to like old Computerworld articles from 2000, September 15th about this. I can get a sense of how big the business was.

Ron: Yeah, it was more than $10 million of an acquisition price, but we never really disclose it. It was enough to let us . . . if we wanted to, we could have just not work. And once you start making that kind of money, it changes your life. And you realize that you’re not only changing your life and your family’s life, but your employees’ lives as well and how they look at themselves.

One of my greatest things I’m proud about with Network Security Wizards is a lot of those people have gone on to have major roles at companies like Cylance, at companies like RSA. So this concept of being an entrepreneur and creating other entrepreneurs, they say, you know, leaders create leaders, not followers, entrepreneurs should be creating more and more entrepreneurs. And we’ve really been doing that pretty much our whole career.

Andrew: I had to use that for our team. One of the things that we’re doing internally is just every month focusing on one of our principles of operation at the company. And one of them is act like a CEO. And phrases like that coming frankly from you with your experience, I think will go a long way to explain to people why I’m doing it. It’s not that I’m shirking my responsibility and saying, “You are the boss of our partnership,” but I’m trying to make you into a leader that. By the way, as you’re saying, leader, I’m looking over your shoulder and I see a robot on a printer. What is that?

Ron: That’s Mazinga. He’s one of the “Shogun Warriors.” I’m a big Godzilla fan. And they had a release of three robots and a giant Godzilla. My giant Godzilla is downstairs.

Andrew: Did you get all three?

Ron: I just have that robot and Godzilla.

Andrew: Got it, okay. What are you doing when you’re not working? I’m trying to get a sense of you beyond this. Yeah.

Ron: Yeah. Piano, progressive music, rock and roll, smoke cigars, [relax with guys 00:15:29], spend time with the family.

Andrew: You play with a band or on your own?

Ron: Not a band yet. Not there yet. My son plays guitar, and we can actually play some stuff together which is fun.

Andrew: That’s got to be [weird 00:15:40] around the house?

Ron: Yeah.

Andrew: Right. Let me take a moment to talk about my first sponsor and then we’re going to get into how you came up with the idea for Tenable, kind of the next business.

So the first sponsor is a company called Toptal. I got to tell you about them because I think you might need them for . . . how many companies have you invested in so far?

Ron: Thirty.

Andrew: Thirty. In about a year and a half, am I right?

Ron: So about three years.

Andrew: About three years. Okay. So I guess Gula Tech Adventures was founded in 2007, according to LinkedIn, but maybe you rolled in some of your personal investments from before into it?

Ron: Exactly what happened. We had invested in about 10 companies while I was CEO at Tenable, and we kind of rolled all that into our operations at Gula Tech Adventures.

Andrew: And you have limited partners?

Ron: No, we’ve been lucky enough to self-fund. But what we do is they say, you know, “If you want to go fast, go alone. If you want to go far, go with others.” So every time we do an investment, we invest with another major venture capital firm, Grotech, Clear Skies, Strategic Cyber Ventures, Blu Ventures, lots of fun.

Andrew: So your portfolio could benefit from this. The idea behind Toptal is the founder said it really is a really tough process to hire. And they said everyone is working on making it easier to cull resumes, easier to place ads on lots of different job board sites. But what if there was an easier way to do the whole thing that didn’t involve job board sites? And their idea was you call them up, you talk to a matcher, you tell the matcher what software you’re working with, what your team is like, what your quirks are, what you’re looking for. And then they go to their network of developers, they find the right person or two that they think you might be into. They introduce you. If you like, you get to start working with them almost within a week. If you don’t, nothing lost. That’s the idea behind it.

They came out of the gate doing so well. Andreessen Horowitz invested in them. I said, “Are you guys looking for the next round and so on?” They said, “Do you know our financials?” I said, “No, because you’re so freaking secretive.” I said, “What is it? Over $10 million?” They laughed. Of course it is. Their numbers, I think they said over $100 million, and then they just shot me this look. They’re a pretty scary bunch when you ask them about private information.

What they really are good at is matching you with great developers, and that’s what’s allowed them to grow so fast and be such a great company. Anyone out there who’s looking to hire developers, really, like so many people who I have interviewed you guys should go check out toptal.com/mixergy. When you go there, you’re going to get 80 hours of Toptal developer credit when you pay for your first 80 hours in addition to a no-risk trial period. That means if you’re not happy, you don’t pay.

But I’ll tell you this, they’re still paying the developer. So you’re not like you’re screwing a developer because you decide that you’re not happy. They know that once they match you up, you’re likely to do really well, and so they want to stand by their people. So Ron and everyone else who is listening to me, that’s top as in top of your head, tal as in talent, toptal.com/mixergy.

All right. By the way, how are you so well lit? I’m like a professional here with my setup and my lights and I think my lights are darkening me up. You’re looking good. You have a professional setup?

Ron: I have lighting designed to do this.

Andrew: You really did?

Ron: I don’t do the green screen though. The green screen is a little too much.

Andrew: But there’s a light now pointing at your face?

Ron: I’ve got the right lighting.

Andrew: Impressive and it doesn’t look like. It looks like we’re just having a casual conversation because most of the meetings you take are online through Zoom.

Ron: Correct.

Andrew: By the way, as we were talking about Zoom, you told me about Tenable and their relationship with . . . possible relationship with them. What happened with Zoom? I think this will give us a sense of what Tenable does.

Ron: Yeah. So Tenable is in the business of cataloguing vulnerability. So when somebody says there’s more vulnerabilities this year than any year past, most of the vulnerabilities that Tenable helps you find, they did not discover. They were discovered by hackers, by researchers, whatever. But Tenable does have a very advanced research and development and threat team. And they actually found a vulnerability in Zoom that would allow somebody else more or less to listen in on perhaps even this conversation that we’re having right now.

Andrew: Which frankly, I would love. I want my ratings to go up, but like most people they don’t. And so you’re saying even if they weren’t a client, Tenable might go in and just inspect their software, check out the way that they . . . Yeah, I see. And then report it to them?

Ron: Mm-hmm. And it’s funny. So if I told you, I don’t know what kind of software you’re using to record this, but if I said, “Oh, by the way, I found a vulnerability in that the other day. What do you do with that?” It’s kind of up to me to kind of . . . the ethical thing to do is for me to work with a vendor, get them to do a fix. And then you might not even know it’s a vulnerability, but you’ll see patch number 38 comes out the next day. And when you think about all the different software that you’re using, and people might even not realize that Zoom, it’s not a web piece of code, like this web interface, they actually download stuff to your computer. So if you don’t do those updates, you could be vulnerable to a number of things. Tenable allows you to track not only stuff like that, but millions of other things.

Andrew: I see. So you’re saying because your clients might be using Zoom, your clients need to know about it. Even if Zoom is not a client, people who are clients of Tenable might be using Zoom and they need to know that this is a problem.

Ron: Absolutely. Absolutely.

Andrew: Okay. So now I understand and then let’s go back in time, the idea for Tenable came to you when you were . . . actually after the sale of Network Security Wizards, am I right?

Ron: That’s correct. So when we sold Network Security Wizards, we sold it to Enterasys. And the Biz Dev team and Enterasys was really good. They’ve got to know them really well, and my co-founders of Tenable, one of them was Jack Huffard. He was at running Biz Dev at Enterasys, and we became friends. And we started talking about what would be sort of the next phase of this. And if you think about it, I was doing basically simulating hackers when I was NSA and BBN, breaking into networks and telling you what you could do better. Dragon, the Network Security Wizards product kind of sat back and waited for somebody to attack you and tell you when you got attacked. Tenable kind of combined both of those things, and it would proactively tell you all the things you could be doing to maybe stop that bad guy before they broke in.

Andrew: By doing what? What was the first iteration of it going to be?

Ron: So the first iteration was just trying to get a sense of everything you have and all the problems that you have. If you just think personally right now, you probably have multiple phones, multiple iPads, multiple laptops, you have your office IT footprint now and you’re just you. You probably have a support staff. Now imagine you’re Coca-Cola or the DOD or you’re Exxon, it’s really hard to kind of put all that on one list. The first iteration of Tenable not only made discovering everything you had really easy, it made auditing everything you had just as easy.

Andrew: Because it would pull in the data that they already had or because it was going to grab new data, or both?

Ron: So this is the beauty of it, right, so you could plug into almost any network and get a list of everything that was on the network and all those problems without any real input. Now, you can add a little bit of stuff, which makes that process better, or you can basically have that untethered, unvarnished view of what’s on your network. And the problem that solves is when you go to IT and you ask them, “Hey, how’s it going?” And they say, “Hey, everything is great.” “Okay, I guess we’re done.” You know, the reality is most IT people, most organizations back 20 years ago, 15 years ago, they really didn’t know everything they had.

And you hear all these horror stories of, you know, there’s a printer on the network in the wall somewhere, we’re not too sure when that happened, but it happened. And then but because of that base, that rich base that Tenable had over the past 15 years, every major technology revolution we’ve been able to get part of. So whether it was bring your own device, whether it was virtualization, whether it was moving to the cloud, whether it was just, “Hey, there’s Mac computers on our network next to Windows,” Tenable had the ability to not only recognize those things, but talk to them and tell you what your biggest problem was.

Andrew: You know, Ron, I’ve installed something called Plume in my house. These cute little devices you plug all over the house to give you Wi-Fi everywhere. I finally don’t have an issue with Wi-Fi in the backyard or anywhere. But it also reports back what’s connected to the network, and usually I can tell an iPhone that’s connected, I can see that it’s an Alexa or Echo device. Every once a while I see something random that I don’t know. I feel like that’s the type of thing you’re saying the businesses used to deal with. And now it’s handled. Do you think that’s an issue that consumers will eventually have? Do you see this becoming a consumer like problem that needs a Tenable type solution?

Ron: Yeah. So you actually hit on a number of issues right there. So I talked about virtualization, bring your own devices, going to the cloud. This next phase we’re in is the IoT, right, the Internet of Things. They’re tiny little devices, you know, this webcam that I’m on, you know, this microphone. It actually has little computers in it that has firmware, maybe applications and people give those devices access to very sensitive things. I’ve seen people load their Facebook profiles, for example, on their smart TVs, right, or their Dropbox, you know, photo sharing on their iPads and devices. Well, that’s great. But the question is, is at the end of the day, if you don’t know all those things that you’ve given permission to and what you have, you might not even know what’s on your network right now. Those transient devices could be . . . I don’t know if you have kids, but they could be your neighbor’s Wi-Fi connecting in maybe illegally.

Andrew: Frankly, it could have been me and maybe I bought GoPro camera and GoPro doesn’t use its name when it broadcasts out. The problem with consumers is you can tell them all day and they’re thinking, “I don’t have a problem. It’s not going to really change my life. Someone else is on the network. Even if they’re stealing my password, it’s what do I have to hide type issues?” When it comes to businesses, did they know what at the time? Was this enough of a problem that when you came to them . . . It was.

Ron: Yeah.

Andrew: How did you know this was enough of a problem that they would want to [inaudible 00:25:36]?

Ron: In the early 2000s, most people were focused on basic defenses—antivirus and firewall. So if I have an antivirus and I have a firewall, I must surely be good. But if you’re a hacker or you’re a nation state and I’m trying to break into a bank or a government that has antivirus and firewalls, you can do things to bypass those. So that’s sort of birth this cyber industry. For the last 20 years we’ve been coming up with attack and defensive techniques to do that. And now we’re at a point where if you’re a major bank and you don’t have 50 people sitting there who are just looking for random things happening on the network because it might be China or Russia, you’re not doing your job. I mean, that’s how far things have gone. Banks and things like that have their own intelligence agencies looking for these cyber-attacks. It’s amazing.

Andrew: The first version of the software was open-source software created by one of your co-founders Renaud Deraison.

Ron: Renaud Deraison.

Andrew: Renaud Deraison. I think he’s still with Tenable, am I right?

Ron: He is. He’s the Chief Technical Officer.

Andrew: So did he have it before you guys formed Tenable as an open-source software?

Ron: Correct. So back in the late 1900s, early 2000s, open-source was a very big deal. It’s a big deal today, but a lot of people use it behind their cloud applications. They see it on GitHub and things like that. But back in the day people could download Nessus, compile it, run a scan of the network, and then get some interesting results. The reality was that most people who use Nessus were users. Kind of like Chrome. Very few people want to download Chrome and compile it and then start using it. They want free good software.

So over the years Tenable kind of realized that we pivoted to more of a commercial model, which allowed us to keep Nessus really, really good. Think about all the different these technology iterations, we’ve had to go through virtualization, cloud, things like that. We were able to keep investing in that without sort of letting our competitors use it, which is really the only people who were using it, you know, who needed the source code or people who were competing against us and not innovating and helping the community.

Andrew: Let me break that down. So first of all, he was 17 when he first released this software, his open-source software, right? I think in 2002?

Ron: I’m not sure what’s more impressive, either doing that or learning to speak English from watching “The Simpsons.”

Andrew: Is that how he learned it? Where is he from?

Ron: He’s from Paris, France.

Andrew: Okay. Wow. So “The Simpsons” has a benefit. I love that show. It’s been a long time since I watched it. Seventeen, he created it. You then connected with him at that point. I’m assuming you knew him before.

Ron: Yeah, the previous company, we had actually done some integrations where the intrusion detection system, let’s say, I was going to attack you with an attack that only worked on Windows computers but you had a Mac computer. Well, I could take the data from Nessus and basically say, “If I see a Windows attack go into a Mac computer, I can probably ignore that.” So we had a relationship back then. So when we started Tenable, we said, “Look, I think we can really invest in this and make this the building block for doing that discovery of the network and the auditing of everything that was on the network.”

Andrew: With the idea that you would offer it open-source and then eventually do what with it? When you first started, what do you think you were going to do with it?

Ron: Yeah, day one, there was never a plan to, “Hey, we’re going to close source it,” or anything like that. The plan was to keep Nessus and to keep the community growing and always invest in it. And that’s something Tenable has always done. But what we had was this very sophisticated enterprise product called SecurityCenter. We originally called it Lightning, but it’s called SecurityCenter. If you look at it today on the Tenable website, you can get a sense of what it does. It really could organize all that data. So for your device that you had at your house, my guess if we scanned it with Nessus, we’d probably get maybe 15 to 30 pieces of information from that. It could be a vulnerability. It could be just telling you what it is for real, who the vendor is. Now imagine you have 100,000 computers on the network, now you’ve got 30 million pieces of information. You’re not going to read that. You need to organize that, chart it, filter it, create dashboards, and that’s what SecurityCenter did.

Andrew: Got it. So Nessus would offer it on a smaller scale, you went bigger. Nessus would require more user . . . I don’t know, setup I guess is a simplified way to do it. And you said we’re going to make it easier for people who aren’t looking to compile their own software.

Ron: Yeah, Nessus has . . . a lot of people still use Nessus today. If I could walk into your network with Nessus on my laptop, I could plug it in. I could ask you nicely to kind of scan your network. And then it would give you some information. But then I said, “Oh, by the way, you have a Mac laptop?” “Yeah.” “Well, maybe if you gave me the password for your Mac laptop, I could log in and get more of an IT view of that and tell you what patches were being missed, or maybe even test it for malware.” But now you’ve just given me the password. Or maybe you only give me the password, or maybe you want to have sort of a way to authorize me to scan with your password but I don’t know. Well, that’s really an enterprise feature. And that’s the kind of stuff that we would do in SecurityCenter at scale so that you could do better audits.

Andrew: You told that producer about the difficulty of going from an audience of free users to one that’s paid customers. Can you talk a little bit about that here?

Ron: So when you have people who are paying you, there’s a certain level of expertise and support that they want. They want their features implemented. They want their bugs fixed. They want to have training. They want to have a very rich experience. And at Tenable as we progress, we really pioneered a lot of the things that you see today in a modern sort of SaaS organization. You see customer support, customer success. You need a customer-driven discussion portal where only the customers talk to each other, right? All that kind of stuff we had over the years in forms of mailing list. We moved them over to [webtask 00:31:34]. It was a fairly big investment because at the same time, just telling people, “Hey, run a scan and get your results in . . . ” That’s not good enough for the modern network. You really have to have a finger on what their issues are, what the major vulnerabilities of the week are, and how people are performing security assessments.

Andrew: I see an article here from CNET from 2005 about when Nessus security tool closes source. At the time, there were 75,000 organizations worldwide using it. How did it go over with them?

Ron: So we communicated very, very well. And we actually made sure that when we did the communication, there was a lot of planning. And we also introduced a number of things. We introduced a free education version. We produced a fully supported version for nonprofits. We made it very clear what people could do and couldn’t do. Previously, we had messed around with some other different models, such as delaying vulnerability testing, and this was our free . . . Like, imagine I showed up to your network, you know, “Hey, Ron, how much does this cost?” “Hey, it costs $1,000 for you to use. But I got a free one that can scan with last month’s vulnerability.” Guess what everybody did? Everybody was scanning with last month’s [inaudible 00:32:48].

Andrew: Really. Oh, I thought I would say that’s useless last month. Really?

Ron: Yeah, we call it the delayed fee, the 30-day fee. And we were like . . . and we actually had paying . . . people were using the free product and doing a paying scan of it. With that and people were saying . . . again, if you go back 10, 15 years ago, or more like 10 years ago, you know, people would let vulnerability sit there for 90 days if not longer. It’s not like today where if you’re vulnerable and you’re on the internet, you’re probably of malware or botnet on that note immediately.

Andrew: I see an email that someone at your organization sent out from back 2005. I love the Internet Archive. I can even find old emails. And where you basically, you guys as a team said, “There are people who are competitors who are using our open-source against us. They’re selling or renting appliances, exploiting loopholes in the GPL license that we’re using. And they’re basically profiting off of something that we can profit off of,” and that’s part of what it was.

All right. Let me take a moment to talk about my second sponsor, someone that you as a customer, and then we’ll continue with the story, and I want to catch up with how you’re making investment decisions today.

Second sponsor is a company called HostGator. Before we started you said, “Hey, I use them.” How do you even know they use HostGator? You don’t have like a guy who has a guy who installs this for you?

Ron: I’m still really technical. I actually run most of the products that we invest in. I set up our own website and, yes, feel free to go to www.gula.tech and check out the great goodness that HostGator can deliver you.

Andrew: Gula.tech. You personally went to HostGator. You personally created the domain and everything and installed WordPress.

Ron: Yes.

Andrew: Why? What’s the reason why you were doing it instead of saying . . .

Ron: I didn’t do WordPress. I upload my own . . .

Andrew: Oh, let me see.

Ron: I just have a static website. So I don’t need WordPress.

Andrew: How did I not even like look at your source code? I see your source code right here. All right. I see the font, awesome. I see your CSS. Oh, the CSS is right there. This is you?

Ron: Amen.

Andrew: Why? Most people would like wait for the day when they didn’t have to do this stuff? Why are you still doing it? And you’re actually like creating a basic host HTML website. Look, even the bottom. By the way, we are 8 days into 2019. Your copyright is already updated. Most people don’t update it.

Ron: I appreciate the attention to detail. So anybody who knows me and has worked with me, I tend to book my own flights, manage my own calendar. You know, I don’t have assistants. You know, I’ve always liked to be very personal with people, and that includes, you know, running a website. If I’m going to communicate to people, you know, a lot of people say, “Why have a website?” They’re going to invest, you know, money into a website, well, a couple things. I want it to be easy for people to find us. I want it to be easy for people to understand our story. But most of all, if you go to our list of companies that we’ve invested, I’ll give you a bunch of reasons why we invested in these companies. So websites are perfect for that.

Andrew: All right. I see it on your site. Why don’t we close it out with why HostGator? You could have picked anyone. Was there a reason or was it just kind of a random thing?

Ron: I wanted something I could SSH into and actually get a Linux shell.

Andrew: All right. If you’re not as tech savvy as Ron, because I know many people in the Mixergy audience are, I’ve got to tell you, all you have to do is go to hostgator.com/mixergy. They’ve got one click install of WordPress or many other open source publishing platforms. And within minutes, you can be up and running with your website. Frankly, hosting is kind of a solid solution right now. You might as well go with a company that offers you a really good price and stable dependable service.

I will be open with you, Ron, and everyone else who’s listening to me about how they make their money beyond it. I don’t know that this is part of what they’re paying me to say. But I always was suspicious. How are they charging so little for this? They can’t possibly be making a profit. First of all, they have a lot of customers and they can actually spread their costs over a big portfolio of customers. But second, they bought an email publishing company. So when someone who’s starting their website starts to do email, they might switch over to the one that HostGator has.

They’re buying these other businesses too that when you need them, if you need them, you’re more likely to buy someone from . . . that service from HostGator. And that’s really where their margins are in the growth. So they want you to do well, they want me to do well. All you have to do if you want to get started and get an even lower rate than everyone else from HostGator, just go to hostgator.com/mixergy. When you go there, you’re going to get incredibly low price and you’ll be tagged to as a Mixergy customer, which means we, me, I and my team, often it’s me, will get, if you ever have an issue, we want to jump right in there and do our best to help you. Hostgator.com/mixergy.

How did you get your customers at the beginning? Was it just converting people from open-source to pay? And even if that’s what you did, it’s not an easy transition. How’d you get customers?

Ron: So that’s a great question. And, you know, the internet and companies in general has really matured over the years. Like people have the concept of funnels and lead generation and, you know, conversions. And, you know, when I started Tenable, I didn’t understand a lot of that. I thought you build it, you have a website, people would come. But we would basically be getting customers from a number of different places. Yes, a lot of the open-source people, a lot of the Nessus users would want the more advanced version, and that was something we tracked. How often could we, you know, convert a customer and what was that ratio? What could [be looked at 00:37:58]? So that was definitely something we tracked.

And many of the companies I work with today have sort of a loss or a low end or a freemium type of model so we understand that. But then the second thing was just there was a market of vulnerability management vendors who wanted a certain set of features. Nessus didn’t qualify for that. They wanted a lot of other features. So we participated in that market and it was everything. It was briefing the analysts. It was showing up at conferences. It was showing up. It was doing webinars and podcasts. In some cases, it was riding these waves of technology. I’ve already mentioned some of them, like BYOD, cloud, virtualization.

Andrew: So let’s say, when bring your own device, BYOD, came out as a thing in enterprise, what did you do to capitalize on it from a marketing point of view?

Ron: So a lot of it was supporting the technologies that were out there. So if you happen to have an iPhone, if you happen to have an Android device, and you put it on your home’s Wi-Fi, it’s not really on all the time like your Wi-Fi is. Your Wi-Fi is on permanently. And not only that, that IP address kind of moves around. It might be a little bit different today than it was tomorrow. Yet it can still bring a lot of risk to your organization. So how do you engage that?

So we had two approaches. One, we could find those devices passively. We could look at your network traffic. And the same way that your Wi-Fi device finds those devices and tells you what’s out there, we did that. But we could also connect to the management frameworks that were out there. So if you had an MDM vendor, basically a vendor to manage those mobile devices, we could talk to that and merge its data with the Nessus data to give you a unified view of all of your data.

Andrew: And then they were helping to sell your product because you emerged in with them, because you were working with them.

Ron: We’ve learned a lot from different partnerships, a lot of different integrations. So another form of lead-gen would be if we had an integration with perhaps an IBM, you know, MDM vendor, maybe we’ll do a joint press release or joint webinar, or maybe we’ll do some share . . . or maybe there’s a value added reseller that sells both of those solutions. Getting to $100 million requires lots of different strategies like that.

Andrew: Who was it who came up with that? You’re the person who said you weren’t like super familiar with funnels at the time. Who was the person who you tapped in the early days to do this type of marketing?

Ron: Yeah, so one of the benefits I really had, it was Renaud and Jack Huffard. So Jack was president, very business sales . . .

Andrew: Still is, right?

Ron: Still is president today. Everyone knows CTO. And so I could actually live in a little bit of both areas. So it was very easy to make decisions, enable people and get those things going. And I’ll be honest, I mean, it was never, “Oh, wow, today we’re going to do X, Y, and Z because that’s the obvious thing to do and everybody agrees on.” There are still people today you have different views. Like, literally, I was at a security conference and people were giving me advice about how Nessus could be used to do even more things, right? So it’s that popular. It’s not very clear about how the best way of going about it. But again, creating a public company called Tenable is not a bad start, right?

Andrew: And Jack as a person with business development, partnership experience was the person who would figure out we need to do webinars with our vendors. We need to form relationships. We need to experiment. Is that right?

Ron: We would do a lot of different . . . It was always a joint conversation.

Andrew: You and [inaudible 00:41:22].

Ron: We would do more of what’s working and what’s not working. If you think about it, I mean, we were able to do some major things such as take Nessus closed source and do it in a manner that was very professional, very well communicated. And that’s how we approached that. Now, when we decided to do certain conferences and we were unhappy with the performance or we were very happy with the performance, we had those kind of conversations. I wish I could tell you that every day was 200% growth and 300% happiness but the reality is you have to have a give and take in a conversation.

Andrew: What was one of the unhappier moments? So far all I’ve done is talked about rainbows and unicorns. What was an unhappy moment?

Ron: I think if Tenable had any weakness, we didn’t switch out people who weren’t working as quickly as we should. And I guess that’s my failure as a leader keeping maybe somebody in place hoping they’re going to work out. But the reality is, is I think we were very hesitant to change up things early on, but, you know, in the long run, I have no regrets. I’m very happy how we went about things.

Andrew: Why did you call the company Tenable? I feel like . . . first of all, I love that you guys had the domain at some point you bought tenable.com.

Ron: That believe it or not, that was Jack.

Andrew: It was Jack buying it.

Ron: Yeah. We used to have Tenable Security. And the problem with that is Tenable Security is exactly an executive protection company out of Cleveland, Ohio. So occasionally, we would get calls, “Hey, I have an executive going to Brazil. I need an armored car.” So let that be a lesson for your listeners about brand and brand management. You know, Jack really was very good at going after and getting the name tenable.com. I’ve always wanted TNS, Tenable Network Security, but that’s a bank in like Bulgaria. We never really got that. But that’s really important to get that stuff done. Tenable means obtainable and defendable. So who doesn’t want obtainable and defendable networks?

Andrew: I always think of it like an argument. Tenable is a tenable position to have. I guess not enough people understood that. I’m surprised because now that I see an early version of your site, you had a pronunciation guide and a definition of the word.

Ron: That’s really true. As much as people speak English, we did have to remind them what Tenable was, and it became a really good part of the sales pitch. And a lot of times what would happen in IT is you would patch a computer and say, “I’m done,” and go home for the weekend. Well then, there’s a vulnerability. Well, I’m not secure anymore. So what am I going to patch again? And then so people would have these networks with this illusion of security that clearly wasn’t a tenable defendable network. And that’s a very military term. “Hey, can we take that hill?” “Yeah, we can take it but it’s not a tenable position.”

Andrew: I didn’t know that.

Ron: We work to keep security as a tenable position.

Andrew: Let’s talk about a couple of challenges while we’re here. One is, is it pronounced SIM like a SIM card or SIM?

Ron: SIM like a SIM card.

Andrew: SIM like a SIM card? What was SIM, that product?

Ron: The SIM is Security Information Management. So if you think about your phone and that Wi-Fi point or maybe your Roku or your TiVo, all of those things have telemetry and logs, and they all speak a slightly different language. But if you were going to bring them all together, you might get a sense of what was that device that transmitted through your network? Or if you had Edward Snowden on your network, you might want to go back and see what files Edward Snowden was looking at. So SIMs are products that allow all that data to come together to answer those types of questions.

Andrew: And why was that an issue?

Ron: And so it was an issue. So we actually had built a SIM at Tenable and that market was really mature but it had a lot of shortcomings. And we actually solved a lot of those shortcomings way ahead of like what was out there now. So like for your listeners, you know, when you have an established market and you come in and you make it 5% better, that’s not really a disruptive solution. Why don’t you switch out for 5% better, right? But if you really, actually, completely come out in a different angle, you might find it in such a way that I’m not expecting you to solve it that way so I’m not interested in that.

That was sort of the issue we had at Tenable. We really merged SIM with vulnerability management because vulnerability management was very periodic, once a month, once a quarter, and once a year for some of our customers, which in the old days, which was too slow. When you start doing vulnerability management continuously, you actually can answer a lot of the same questions that the malware people, and the security people are doing, so that we always had this kind of debate about who is doing what and what could the customer do with our data?

Andrew: How do you feel now as a person who is not creating a company yourself? Someone who built his own website, who has to code in his own HTML. Now you’re investing in other people and guiding them, but you don’t get to actually sit in the pilot seat.

Ron: It’s insanely rewarding. And people shouldn’t confuse having some attention to detail with being a control freak, right? I was able to . . . it took me a while, but I was able to finally sort of let go and really understand that if I can hire people who are smarter and better at doing something and then give them a clear mission, sense of purpose and a goal, you’re going to be a lot more successful than that.

Now with our portfolio, we have 30 companies. We’re minority investors. And, you know, we have a lot of experience to offer these people. But at the same time we’re not perfect. We don’t have perfect clarity on where the market is going. It’s a lot of fun to have that perspective not only on technology strategy, cyber strategy, but also business strategy, when should you raise, when should you sell, what’s your go-to-market, maybe it’s time to pivot. So I’m having an immense amount of fun.

Andrew: It seems like from looking at your portfolio on gula.tech/portfolio, a lot of it is about security, vulnerabilities, and things like that. Stop web attacks from within the web application. That’s runtime application self-protection firm Enterasys Security, right? That’s the type of thing that you’re investing in, it looks like.

Ron: So we really try to focus on three different areas — detecting the threat, stopping the threat, understanding the threat. Threat, threat, threat, that’s the first area. Second area is hygiene. Tenable can tell you a lot of things that’s wrong. It’s not going to fix anything. It doesn’t patch anything. It doesn’t block anything. It’s going to tell you what’s wrong. The hygiene is where you can actually start to really make it harder for an attacker to do things. And then the third area is basically new web technologies. If you and I were going to go on to HostGator and build a complex, you know, web app that had a database and maybe some other microservices and that sort of thing, you know, there’s a lot of other technologies you can build into that that we’ve invested in to help protect and secure that. So we’re focusing on those three areas.

Andrew: Look at this, when you launched, “The Washington Post” did an article on you. They said, “Ron Gula, NSA hacker turned CEO steps into the investment space.” How do you feel about now with the NSA’s reputation being known as a former NSA hacker?

Ron: Yeah. I always laugh about that because when we were . . . for example, when Tenable would do some of their information guides, one of the information guides you had was the NSA’s guide “Hardening a computer.” Like a list of steps you could do to do it. And I’d recommend this to our customers and they’d be like, “Oh, wow. Well, if I do this, the NSA can’t break into me.” So I always think people’s perceptions about the NSA and perhaps my role there, you know, it’s overblown, but it is the NSA, so it’s very interesting. I like to talk about it because I want to encourage other people who’ve had that experience to let them go and start companies.

Andrew: You mean people who were in the NSA to go and start other companies. Why? Why is that something you care about?

Ron: So it’s not like the whole NSA is going to leave and start a company. But people perhaps who are listening to your show. And I’ll be honest, if you go around the Beltway here in D.C., if you talk to people who work, they don’t aspire. They don’t have a whole lot of role models for going out and do it. It’s perhaps not like Silicon Valley where your neighbor and your neighbor’s neighbor are all on their third or fourth, you know, startups, or they went from Google to a startup and then back to Microsoft or whatever.

Here it’s a little bit more conservative. It’s a little bit more reserved, but in many ways, the technology and the capability is a lot more advanced than well thought out. But to the point when somebody has an idea, they’re like, “Well, let’s go put it on a website.” And they don’t understand that when you actually have a company that solves that problem, you have a marketing team to do education, a sales team to help you get it out there, support team to make it work. That actually can really, really solve a variety of problems.

Andrew: So you’re saying if the people who wrote those NSA guides to protecting your computer back then would have instead gone out and started their own companies that actually did the protection, they might have been better off and their clients would have been better off?

Ron: It’s a possibility. It is. It is. Certainly, just putting information on a website doesn’t make people do it. It’s a good first step though, right?

Andrew: Right. All right. Congratulations to you NSA hacker. I always wanted . . . I think as a kid I wanted to be known as a hacker, and I know my brother did. Anyone who is interested can go check out your website. It’s a . . . what was it again?

Ron: www.gula.tech.

Andrew: You put that www.gula.tech in there?

Ron: Why not?

Andrew: Yeah, I feel like you sometimes have to put the “www” when you have a non-traditional domain because people don’t realize it’s a domain. There it is, gula.tech for anyone who wants to go check it out. Ron, thanks so much for doing this interview, and I want to thank the two sponsors who make this interview happen. The first hosting company that Ron and I both use, it’s called HostGator. Check them out at hostgator.com/mixergy. Number two, hire developers from toptal.com/mixergy.

And finally, if you have a smart speaker really, yell at it, tell it to play a Mixergy episode. You’re going to love it. I used to say the name but if I say it then, you know, it starts to call out those speakers and the speaker start speaking out. You guys, if you’re listening, go call them out, have Mixergy on it. Ron, thank you. Bye, everyone.
