Chris Wysopal is the Founder and CTO of Veracode, a $2.5 billion software supply chain security company that pioneered the field of application security and was one of the first companies to embrace software as a service. On today’s episode, Jon Sakoda speaks with Chris on his early fame as a cybersecurity researcher and the highs and lows of building Veracode across three decades.
CHRIS WYSOPAL: And so, they laid us off. And we decided that we wanted to raise funding and see if we could convince Symantec to sell us the code that we had been working on with seven people for two years. And that’s ultimately what we did. But it certainly wasn’t easy.
JON SAKODA: Welcome to the Decibel Podcast. I’m excited to welcome my friend Chris Wysopal, the founder of Veracode, to the show. Chris is a famous founder, hacker, and early pioneer in software supply chain security. He is a true legend and mentor to many founders. Chris, thank you so much for joining us today, and welcome to the show.
CHRIS WYSOPAL: Hi, Jon. It’s great to be here. And I’m quite happy to have a conversation with you today.
JON SAKODA: Chris, if you don’t mind, I always like to start these conversations at the very beginning. Would you mind telling everybody about your personal journey? Where did you grow up? What was life like in your house? And what did your parents do?
CHRIS WYSOPAL: My family moved to the Boston area when I was four years old, and I’ve been here since, so quite a long time. And my dad actually brought us here because he got a new job as a materials engineer. And he had got a job at General Electric in Lynn, Massachusetts, which was where they built aircraft engines. It was a great opportunity for him. So we grew up in the suburbs of Boston near Lynn. I actually learned a huge amount from him about engineering and quality. But I think I followed a bit in his footsteps. I was interested in computers. And it took me down the path of going into software engineering and computer engineering, ultimately.
JON SAKODA: You have told stories in the past about how you and your family couldn’t initially afford a computer, but you did eventually find a way to teach yourself programming. Would you mind retelling the story? It’s one of my favorites that you’ve shared in the past.
CHRIS WYSOPAL: Yeah. It’s interesting, because I knew some kids who had computers at home, but we didn’t have one. And I ended up starting to want to learn about computers. So, I would just read books about computers, right? So, we all know that you can’t really learn programming from just reading a book. You actually have to do it, because it’s a whole process. So, I would write out programs on paper, and I would think about loops and branches and things like that. And then I would take them to my local Radio Shack store. And I convinced the manager to let me use the computer there, the TRS-80. And I would bring my own cassette. You used to save on cassettes. This is, like, pre-floppy days, even.
And I would type in my program, run it, debug it, save it on my cassette. And then that way, I could work on it again if I could come back. And the manager kind of liked it, because he thought seeing a 12-year-old on the computer would be good for sales, because parents would come and say, “Hey, my kid can learn from using the computer.” So I ended up having a pretty good relationship. But of course, I was just stuck with the TRS-80, and that was all I had access to.
JON SAKODA: People who have listened to our podcast know that many cybersecurity founders start out either as creators or hackers or gamers. Do you recall what your persona was growing up?
CHRIS WYSOPAL: I think I was more on the researcher/deconstructer side than the creator side at first. An example would be, I wanted to understand how our home phone worked. And so, I took it upon myself to—you could take things apart a lot easier back then. Everything wasn’t form pressed to fit, right, then. The screw sizes were just normal Phillips screws. And so, I took it upon myself to take apart the family phone, take the shell off, have it ring, use the phone and try to understand how these four wires coming out of the wall are turning into this whole system of ringing and dialing and communicating. And so, one of the things I learned really early on was, you probably don’t want to experiment on something that’s kind of mission critical and you need to use every day. Because when my mom drove up the driveway, I quickly realized, “Oh no, I need to put the phone back together again.” So I quickly kind of got the shell back on so that it at least looked like it was back together again, and then thought about how am I going to get the rest back together again.
But I think part of my first engineering mindset was, let me learn from the world around me. Let me learn how these things work. And so, I really felt like I had sort of a dual—I wanted to write software. I wanted to actually learn how the computer worked by building my own programs. But then I also wanted to take things apart. So, I know today I run a software company, which is definitely a building. But I think part of my journey to get to where I am now was a lot of deconstruction and pulling things apart.
JON SAKODA: Speaking of deconstruction, you frequently tell the story about how you started your career at Lotus, and it was at Lotus and another company called Radnet where you learned about the massive security vulnerabilities between enterprise software and the outside world. Would you mind retelling this whole story?
CHRIS WYSOPAL: Yeah. So, I mean, Lotus was an interesting company. I mean, the fact that it was in Cambridge, Massachusetts, the fact that it was so closely related to MIT and Harvard and what was going on in Cambridge at the time, including the Free Software Foundation. People don’t realize that that’s been around since, like, the late ‘80s. It was just sort of an exciting time. And at that time, Lotus was actually the biggest software company in the world. This is, like, before Microsoft completely dwarfed Lotus five or six years later. So, I was working there around 1990. And it was just an exciting place to be. And learning as a young engineer, it was a great place to see sort of the whole business of software. And obviously, the focus was on spreadsheets. But really, the first product to think about security was Lotus Notes. And I was not on the Lotus Notes team. But of course, we used it.
And that was really the first product at Lotus that started to think about security. And they actually did a really good job of thinking about security. They built in security from the very beginning. But I had decided that—I was at Lotus for seven years, and it was my first job—and that I had kind of learned all I was going to learn at Lotus. And that’s when I decided to leave. And I did consulting for, like, a year. But then I quickly joined up with Radnet, which you mentioned, which was the first startup I worked for. And it was started by three people from Lotus who thought that Lotus was taking way too long to bring Lotus Notes to the internet. And the internet was this exciting opportunity to do client server-based computing, where the client is a browser.
And so, that’s when I started to really understand, security is going to be a big issue here, because this thing’s on the internet. You can connect to it with a browser. I started to learn about how you can attack applications over the internet. And I think that really was the formative time in my professional life which I decided, this is something that everyone’s going to need. Everyone’s going to need to secure the software they were writing. And it was because I was writing one of the first applications on the internet. And so, even though I had been doing a little bit of exploring in the hacker world, it kind of gelled that it wasn’t really two worlds. It was one world. It was just like, there was people trying to build systems that they were hoping were secure, and then there was this other world of people that were exploring how to break into systems.
And so, around ‘94 or ‘95, when I was working at Radnet, and I started to get involved with the L0pht, that’s where it kind of all gelled together, that this is something that is going to be a business. People are going to need to understand how to secure the software they’re writing.
JON SAKODA: I know we’re going to talk more about the L0pht in a second. But before we get there, I think we need to remind everyone about an early movement that you created to push software companies like Lotus, and famously, or infamously, you were one of the few to actually get Microsoft to be more open about their security issues and actually responsibly address them. How did that all start?
CHRIS WYSOPAL: A couple years after leaving Lotus and being at Radnet, I discovered a vulnerability in one of Lotus’s products. And I told them about the vulnerability. And they were very thankful and grateful that I did that. And they fixed it right away and put out a new release. And then they asked me and one of my colleagues from the L0pht, Mudge, to come in and talk to the architecture group at Lotus about how they can prevent this problem. Now remember, this is like, 1994. And we’re like, “Wow, these guys get it. They’re doing the right thing.” And part of that might’ve been because we were local. Part of that might’ve been because I worked there before. It might’ve opened some doors. And so, that was like, a good experience, right, between researcher and vendor.
And then, if I switch gears, the response from companies like Microsoft initially was to downplay everything and try to make us go away. But a few years later, they realized that that wasn’t going to work—that more people were figuring out how to break their software. They were going to have to do something about it. And that was when what I call sort of the birth of responsible disclosure, even though people don’t like the term “responsible disclosure.” It was—the Microsoft Security Response Center asked us to please don’t publish your details until we had a chance to triage the bug, validate it if it’s real, and then come up with a plan, and then fix it. And can you just wait? Because if you’re really out there to protect customers, which we were saying we were doing. Like, hey, we’re doing this to protect customers, not to pull down big corporations’ pants and laugh at them—then you’ll do that, right? And we said yes, we would do that.
So I think Microsoft got to the right place eventually. It just took a little bit longer. And I just—I always look back and say, maybe if things had gone differently. But I can only do what I can do on my side.
JON SAKODA: Well, I would say Microsoft has evolved, and you obviously played a big role. I think you mentioned L0pht a couple times, so maybe we should take a step back. Remind everybody, what was L0pht? What was special about the group? Why were hackers organizing themselves back then? And how did you all eventually become one of the most famous groups of hackers in the early history of the internet?
CHRIS WYSOPAL: I think one of the things that really made the L0pht special was, it was a physical space. We could come to a physical space in Boston and hang out, and share what we’d been working on, share equipment and table space, like a real hacker space, like share a workbench with soldering irons and oscilloscopes. Share Linux boxes so that you could put something on that, whether it was hardware or software, and share figuring out how to put a website on the internet in 1993, and get a Class C, and have an internet connection. We had a Class C at the L0pht, where every machine, you need an IP address. You want to experiment. You can go and do that. All that stuff seems pretty easy now. But having it be something you had to learn along the way made you have to learn sort of the full stack of everything you had to do. And it was really a great foundation for understanding a startup company.
Later, we kind of grew a mission. But earlier on, it was like, let’s be efficient about exploring technology: software, networks, hardware, radio. We started to sort of gel around one type of exploration. And that was really around vulnerability research. And it was both on software side and the hardware side. So starting probably around ‘95, ‘96, we started to get more almost professional about what we were doing. And we wanted to engage with the world with what we were doing. And the press ate it up because we’re using hacker names, and we’re talking about vulnerabilities in technologies that everyone is starting to use.
So, we had local news camera crews coming, the BBC coming. MTV even came. It was a time where we got very excited about being able to share what we were discovering. And what we were discovering was software was built really insecurely, and everyone is at risk, and this is a disaster sort of waiting to happen. And so, that’s where our mission started to be letting the world know that software is horribly broken. But it can be fixed, because we know how to find the problems. So, if the vendors would just find the problems, things would be a lot better. But going from us saying that to vendors actually making better software, that’s a whole other story that takes 10 years, I think.
JON SAKODA: So today, it is fairly common for hackers or researchers to go public with vulnerabilities. And I think vendors actually now even have bug bounties. And you’ve been a pioneer in making all of this a reality. But back then, I think it was fair to say that you were highly criticized. You guys were viewed as helping, but also hurting the ecosystem. Was it complicated? Talk to us a little bit about the public perception back then.
CHRIS WYSOPAL: So, it was interesting because whenever we’d be on these documentaries with, like, the BBC, there was this sort of “us versus them,” because that’s the way the media would like to frame it, right? And so, they’d have a guy who was the head of security at MIT trying to protect MIT’s network. And they would be like, “Oh, these guys are the problem. They’re telling the world how to break into these systems.” And they would set up this scenario where it was “us versus them,” where we’re basically saying, “Actually, the software vendors are the problems. They created the software. They took money for it. Yet it has these security vulnerabilities in the problem. Even worse, when people come to them, they try to bury it instead of fix the issue.” But instead of taking it out on the vendors, they would take it out on us. And so, I think it was misplaced anger.
But we eventually got through it. And I think one of the ways that happened was we got a huge amount of credibility from testifying at the US Senate in ‘98, where they wanted to ask us, “What is your take on government computer security? What do you think the problems are? What do you think the solutions are?” And the fact that they were asking us, who were just people breaking systems, as opposed to the people that were trying to secure the systems, I think we got a lot of credibility by just being taken seriously. Not being treated like criminals; being treated like people who had an important thing to say that the legislators were going to have to take under advisement and think about, “How do we move forward now that we know these things?”
So I think that event made it so that people didn’t think of us nearly as much as the bad guy. And the vendors are neutral, right? It moved us beyond that, which I saw as a sticking point for us making progress.
JON SAKODA: I know ultimately it must feel fulfilling to have survived it all. But while companies and governments are angry and threatening you, did you guys ever question whether all this hacking was worth it?
CHRIS WYSOPAL: Interestingly enough, I think the most stressful time was when there was a backlash from the hacker community. The hacker community was coming at us and saying, “No more disclosure. White hats are bad.” And then when the L0pht basically sold out, quite literally, to become the security research arm of @stake, which was a newly formed security consulting startup, that was when it really was like, these guys are selling out. And we weren’t the exact first people to sort of say, “I’m a hacker and now I’m going to go do it for hire, for good.” But we were probably, at the time, the most prolific. And definitely the one that everyone knew about. And we got a lot of backlash from the community. People said we’re working with the feds, we’re all narcs. And that was actually more stressful than anything vendors or the government did.
JON SAKODA: I think this is a fascinating part of the story. So, ironically, the people who were most unhappy with the success of the L0pht disclosing vulnerabilities in software were the hackers themselves.
CHRIS WYSOPAL: Yeah. I mean, we used to always make the analogy between, like, a garage band that plays small clubs to a small community, and a band that breaks out and signs the record contract, and has a much bigger audience, and probably does have to compromise a little bit on the edges, right? It’s rare that you don’t have to compromise at all when you get that. So, we kind of thought of ourselves as, you know, at the L0pht, we were the garage band playing to our local community. But we wanted to branch out and change the way the whole world thinks about software. Because the whole world’s going to run on software. And so, we got the inevitable backlash from the people who just wanted it to be the same.
JON SAKODA: I was listening to a podcast about the success of the L0pht and recalled that you once said that the L0pht members were all a little introverted. And I think it’s fascinating to think that at one point, you were on television, you were testifying before Congress, you were on a world tour. Did the experience in some ways teach you how to become a more extroverted leader?
CHRIS WYSOPAL: Yeah. So, no, I’m definitely a little introverted. And to some degree, a lot of that community is, because if you’re out spending a lot of time playing sports and going to social engagements, and worrying about how you look and interacting with people and all of that type of stuff, you have less time to maybe write programs as a teenager.
So, I think you’re never completely comfortable with the public speaking or going out on a limb in a meeting, perhaps, where people don’t know who you are, and speaking up. But I think that you learn that you’re not going to get to your goals, you’re not going to get the results that you want, unless you do those things, and you take it as, it’s just another part of work that doesn’t necessarily come easy to you. So, just because it doesn’t come easy to you doesn’t mean you can’t do it. It just feels like more work. And you have to prepare, and maybe you have to be coached. Maybe you have to put more energy into it. And when you’re done, you’re exhausted.
I know there are CEOs that are introverted, and they have to get up in front of their whole company and talk. And they have to talk to lots of people all the time. So, it can be done. And I think a lot of people in our community have had to sort of overcome that to become founders or to become leaders in their company.
JON SAKODA: I think, though, this is great advice. And I know many of the founders that we’ve had on the show are admittedly quite introverted. So, thank you for being so open about this. Can we transition to the Veracode founding story? When did you decide to start the company?
CHRIS WYSOPAL: I can’t tell the story about the founding of Veracode without talking a little bit about @stake, because I don’t think Veracode would’ve happened if it wasn’t for @stake. Because that’s where we started incubating the technology that Veracode was actually founded with. And what we were doing at @stake is, we were working on, me and Christien Rioux, the other co-founder of Veracode—and he also was at the L0pht—were working on this technology that could basically reverse engineer binaries, and then scan those binaries for different things.
And so, we had a team of seven people working on this for a couple of years. And we were making great progress. And I was getting feedback from the consultants using the tool on our engagements. And Christien was working on these algorithms that had never been done before. And so, we had this cool technology. And we showed it to AT&T. AT&T actually had a purchase order with us for one license of it so they could run it on their software. And right when that was just in flight, Symantec bought @stake. And they bought @stake for the consulting business. And it turns out they weren’t interested in any of the tools. So, we actually never even sold our one copy to AT&T. And we all became Symantec employees.
And we kept doing what we were doing until they eventually came around and inspected, what are all these different people doing? And they said, “Oh no, this doesn’t fit anything into Symantec’s software strategy,” right? “We don’t do anything with development tools.” So they basically shut us down and said, “Okay, well, you guys can go do consulting. Or maybe we can find you something else to do at Symantec.” And we said, “No, we’re not really interested in that. We’re interested in doing automated software security scanning.” And so, they laid us off. And we decided that we wanted to raise funding and see if we could convince Symantec to sell us the code that we had been working on with seven people for two years. And that’s ultimately what we did. But it certainly wasn’t easy.
JON SAKODA: And leading up to this point, Chris, did you know you wanted to be a founder? Had you felt like you had been waiting to be an entrepreneur leading up to this moment?
CHRIS WYSOPAL: Yeah. This was where I actually jumped into the founder’s seat, right? At Radnet, after the three founders, I was the second employee they hired, so I had worked at an early stage company. @stake, I think I was probably employee number 30. But it is very different being in the founder’s seat. Because you have this responsibility that if I don’t do my job right, this will just not happen, right? It won’t happen at all. Because everyone is relying on you to figure out how to do all these things, like fundraising and strategy, and who are you going to hire first, and what are you doing to build first? What’s the plan?
And that was the first time I was thrust into that. Now of course, you have help from board members once you have funding. But really, Christien and I were fairly on our own. And I know I just didn’t have a lot of the answers. But I just felt at the time like, this is what we have to do. Christien and I both felt, the world needs this technology. And we have put two years into this so far. We can see that this is something that’s valuable. And we’re just not willing to just not do this. So, there was something very compelling, and it’s hard to describe.
JON SAKODA: I know that you’ve been honest in public that the early years of Veracode were really tough. Would you mind retelling the story about some of those hardships?
CHRIS WYSOPAL: So, this was a hard time in my marriage. And I actually got separated in the first few months of Veracode actually getting funded. So, this was a pretty hard time with my marriage, where I was just kind of struggling. I was out of work, right? I was laid off. I didn’t have a steady income. I was trying to do consulting here and there. And in the meantime, try to raise money and try to come up with a business plan. So, I’m an older founder, right? I founded Veracode when I was 40. So, I did have two kids that were elementary school, and I was married, and I did have a mortgage, and all of those things. So, that definitely put a lot of stress on my personal life. There are some benefits to being older because you’ve seen more. Like, I had been through two startups and the L0pht experience by this time. But I would say the personal toll was pretty high at the beginning.
JON SAKODA: I really appreciate you sharing this part of the story. I am sure there are listeners that also are going through similar experiences as you did back then, so thank you for making them feel less alone, and inspired by your success. If maybe I can transition to the early innings of your commercial success at Veracode, you were, as I recall, one of the first companies to use Software as a Service. How did you guys decide to build Veracode as a SaaS company during the desktop era? This must have been back in 2006?
CHRIS WYSOPAL: Yeah. So, the idea for SaaS—and we called it On Demand Software back then, because NIST hadn’t coined the word “SaaS” yet—really came from one of our investors. So, since Christien and I were both technical and didn’t have much business experience, when we finally found investors that would listen to us, it actually happened at Atlas Venture in Boston, which kind of split off and changed the name, and I think it’s now Accomplice in Boston, and Jeff Fagnan was the partner from there who took a chance on us. And part of the reason he did that was because he had Maria Cirino visiting him, and she was interested in getting involved in the VC world. And she was trying to figure out what her next act was.
She had started this company, Guardent, which was in Boston, which was one of the first MSSPs. And so, she was talking with Jeff at Atlas at the same time that we were getting used to Atlas. And she said, “I know these guys. I competed with them. I was at Guardent.” She was the CEO and founder of Guardent. And we competed head-to-head. So she’s like, “I know these guys. These guys are really smart. We should see what they’re thinking.”
And so, it came together with us saying, “Hey, let’s reverse engineer binaries and find vulnerabilities.” And Jeff and Maria saying, “Okay, well, what’s the business model? Our partners really want to invest in these On Demand Software companies. Can you turn this into an On Demand Software company?” And so, we said, “That’s interesting, right?” A developer tool or a software analysis tool that is not on the desktop, that’s in the cloud. And we came around, like that actually could be beneficial, because then we would start collecting all this data longitudinally along the lifetime of this piece of software, all these other pieces of software. Another big advantage was, we could be a third party between a vendor and a customer. A bank is buying software from this small company that they’ve never seen before. They could have us assess it, and they could trust the results.
So, the idea actually came from Maria. And it was one of the things that really made Veracode different than whatever other companies were doing.
JON SAKODA: You guys were clearly early to software as a service. You also were early to scanning software and one thing that I always like to remind people is that there's never a greenfield market for software. There's always legacy languages. How did you guys go about tackling that problem?
CHRIS WYSOPAL: Yeah. So, that was a pretty painful process. You go to your Rolodex of people that you know. And one of the people we knew was doing security at Adobe. And at the time, Adobe’s biggest problem was Flash. And they said, “If you could only tell us all the vulnerabilities in Flash, that would be great.” And so, they sent us the Flash code. And I have to tell you, this is probably the most complicated and dense code that we had ever seen. And it was really painful code for us to analyze. I think the first time we tried to analyze it, it took us, like, a month of CPU time. It was just ridiculous. And we realized, that’s not going to work. That’s not going to work for anybody. We have to figure out how to make this a lot faster on.
And then the varieties of code we would get, it’s just—when you start to see, there’s lots of different languages. There are lots of different ways people are writing software. And you kind of had to say, “If we support the language that your code is written in, we should be able to scan it accurately and give you back results.” I mean, that was, like, the customer expectation. So, it was a challenge in the beginning.
JON SAKODA: I can definitely imagine it being difficult to convince people to try the product in the very beginning. How did you crack the code and convince people to try it, and what were the lessons that you learned in finding product-market fit?
CHRIS WYSOPAL: I think part of it was getting to critical mass of language coverage, where we supported Java applications and .NET applications, and PHP applications. And companies would say, “Yeah, I have a whole sprawl of all these different web applications that were all developed all these different ways. And I’m seeing attacks against them.” So, part of it, I think, was really starting to go wider with companies that had a wide software problem. So, as opposed to that really critical trading system, that if it’s taken down, Goldman Sachs loses millions of dollars, it was more the companies that sort of had a sprawling application estate, and they needed someone who had coverage of their most important risks over sort of a wide range of applications. And that became the kind of solution that didn’t go really deep in one area, but did a pretty good job over a wide area.
JON SAKODA: I think many people know that Veracode ultimately became widely successful. You were acquired by @stake. You spun out of Symantec. You then were VC-backed. You were acquired by a PE firm. I guess the only thing you haven’t done yet is take Veracode public.
CHRIS WYSOPAL: That’s the joke I always make. I say, “Well, I haven’t IPO-ed yet, so I think I should be just really working towards that, because then I’ll have done every type of liquidity.”
JON SAKODA: I believe in the land of startups, we call that batting the cycle.
CHRIS WYSOPAL: I’ll have batted the cycle, right? I don’t have the home run yet. I just have a triple.
JON SAKODA: I am hopeful that the IPO is not terribly far away for you all. And I’m sure that will be yet another feather in your cap. Looking ahead, is there another chapter of the book for you? Any thoughts on what might come next?
CHRIS WYSOPAL: So, I agree, I would love the IPO chapter, because I do want to complete the circle around the bases. But even if that doesn’t happen, I’ve thought about starting another company. I’m kind of scratching that itch by being an advisor and an angel investor for a half dozen companies at all different sort of stages. I was on the board of a startup for a while. So, I’ve sort of been scratching that itch a bit, because it is exciting to be part of those early stages when you’re just trying to figure things out.
So, I don’t know. I don’t know if I leave Veracode at some point, whether I can just keep doing that, and that will be enough, or I’ll just have to start something myself. I think the jury is still out on that one.
JON SAKODA: Now that you had a chance to tell the whole story, looking back, what are some of the highest highs, and what do you think might be some of the lowest lows?
CHRIS WYSOPAL: So—and this is probably cliché for a lot of founders—but I think the highest highs were when we got our initial funding, because it certainly wasn’t guaranteed that someone was going to fund this. And that was exciting, because I’m like, “Yes, we’re really doing this now.” And then, of course, when we had our liquidity event, I would say that was also very exciting.
On the low side, I would say the lowest low was in 2008 when we had the financial crisis, and we were looking for our B round, that was very stressful, because not every VC firm was financing all of its investments. They couldn’t. So, there were three VCs that came in with our first A round. And one of them dropped out for the B. And that caused—I forget—it was a breach of covenant to not go in pro rata for the B round, which meant that the VCs wanted to wash out all of their ownership, which means $1,000 for one reverse split to wash them out. And then, of course, they were going to say they were going to make everyone whole, right? “Well, we’ll make all the employees whole and all that.” But it’s a very stressful time. You’re like, “Will I be made whole? And how is that going to look?” And frankly, anyone who left the company before that was going to get washed out, right?
So, it was a stressful time for some of the early employees that weren’t there anymore, that were still friends. So, that was just the financing. But when are people going to start spending money on software again? So, I think the 2008 crisis was definitely the low point. And I figured, if we got through that, then we could probably get through anything.
JON SAKODA: There are likely a lot of parallels between what founders were going through back then in 2008 and now. What advice do you have for founders today who are trying to survive a tougher funding environment?
CHRIS WYSOPAL: Yeah. I think the advice I would give is, by being around for a fairly long time, that these things are cyclical, that they do go up and down. You just don’t know how long it’s gonna take till—where the bottom’s going to be or how long it’s going to take to come around. But you just have to plan that it will eventually come back. But you’re going to have to probably change your planning, right? So, you’re going to have to probably lengthen your runway, right, by cutting costs and maybe not looking for that next round.
I know a lot of people will say, “Well, I’m going to take a bigger round because I was just close about to close one, and I don’t know when I’ll get my next one.” That’s another, of course, strategy. But I think the overall thing to think about is that it is cyclical. And if what you’re doing made sense when you started doing it, it will probably make sense later, especially if it’s in cybersecurity. These problems aren’t going away any time soon. So, I would say stick with it, and the market will come back around to you.
JON SAKODA: Chris, that is such great advice. And if you don’t mind, if I can ask just one more question, you’ve been an amazing guest, and thank you for being so forthcoming and personal, and for sharing all this time with us. Are there any lessons you would share with your younger self?
CHRIS WYSOPAL: Yeah. I think my advice to my younger self would be, get a better understanding of business early on. Even if you’re not going to found a company, it’s something that will help you. So, understand contracts and the range of things that are possible and normal. Get a business advisor or a legal counsel that can advise you. Get some experts in those things that you aren’t expert in. You might be really deep technically, and you might be selling your services as a consultant. You might write a little piece of software that you sell to somebody, or you sell it yourself. It doesn’t have to be as big as founding a company. But it could be that.
And I think if I had, earlier on, read some more business books or gathered up some more business-aware friends or advisors, mentors, that would have served me well. So, maybe strike up a relationship with someone who can help you in areas that isn’t your strong suit.
JON SAKODA: Chris, you have been an inspiration to many founders. Software is so much safer thanks to your work. And I am so grateful that you took the time to come on the show and share your words of wisdom with everyone.
CHRIS WYSOPAL: I was very happy to share this with you, Jon. Thanks for inviting me.